Note: This post originally appeared on the SANS Forensics blog

Talking with a colleague the other day reminded me of just how nuanced many of the forensic artifacts are that we rely upon.  Nowhere is this more true than in the Windows Registry.  With no specification and even Microsoft products not following any data storage methodology, it is about as haphazard and irregular as they come.  As an example, let’s look at the OpenSaveMRU and LastVisitedMRU Registry keys.  Both have been documented for years and are frequently cited in examinations.  That being said, I would bet many examiners have not investigated the keys deeply enough to understand everything they are telling us.  Here is a quick rundown on what we can glean from these keys.

Continue Reading…


Tableau Imager: First Look

I haven’t paid much attention to write blocking technology for the last few years. As long as I was able to validate that the device worked as expected and it had a high speed connection (Firewire 800 / eSATA), I was happy. But I spent some time with Tableau’s founder, Robert Botchek, at the end of last year and he impressed upon me how much room for innovation still exists in the write-blocker market. We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business. With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious. If a user has to be without their computer or a server has to be down for 2 days, that significantly changes the equation. That’s why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).

Continue Reading…

Flash cookies have been a hot topic lately with the release of an excellent research paper titled Flash Cookies and Privacy. Flash Cookies, or Local Shared Objects in Macromedia parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it. Whenever I see new research about problematic privacy controls, I immediately get out my notepad, because I know that I am going to find some great artifacts that can help in my forensic investigations.

Note: This post originally appeared on the SANS Forensics blog

In Part 1 of this post, we explored defragmenter usage in Windows XP, specifically trying to gain more information about user activity when we see the following in the Prefetch directory:

Figure 1: Defrag entries shown from C:\Windows\Prefetch directory

Vista made many file system changes, modifying some of the XP artifacts we relied upon in Part 1 and adding some artifacts that can greatly simplify our investigation. Importantly, Vista ships with a default scheduled task for a full volume defragmentation every Wednesday evening at 1am. This is in addition to the limited defrags conducted by the Prefetch / Superfetch components. Thus we should expect to see even more defragmenter activity on a Vista machine. Taking this into consideration, we will perform the same analysis that we did for Windows XP.

We will focus on the two primary methods a user can invoke the Windows Defragmenter tool:

  1. Running defragmenter from a graphical user interface (GUI)
  2. Running defrag from the command line using defrag.exe

Continue Reading…

I have seen the following Windows Prefetch entries in nearly every Windows XP / Vista machine that I have reviewed over the past several years. Their existence always reminds me of the imperfect nature of information gained via individual artifacts. Does this mean that a user ran the Microsoft Defragmenter application on July 16, 2009 at 1:19PM? Or was the defragmenter started automatically by Windows? The defragmenter tool has been used very effectively as an anti-forensic tool since it was first introduced. In cases where data spoliation could be important, it is critical for the examiner to be able to identify any overt actions by a user. Complicating this is that starting with Windows XP, the operating system conducts limited defragmentation approximately every three days. [1] This post seeks to identify forensic artifacts which can help us determine if a user initiated the defrag application.


Figure 1: Defrag entries in C:\Windows\Prefetch directory

We will focus on two primary methods a user can invoke the Windows Defragmenter tool:

  1. Running defragmenter from a graphical user interface (GUI)
  2. Running defrag from the command line using defrag.exe


Continue Reading…