
Thread: registry key creation time/date stamp?

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018

    registry key creation time/date stamp?

    Ok, is it possible to find the date that a registry key was created without having installed a 3rd party software ahead of time? Regedit doesn't do it (unless I am completely missing something), and I can't seem to find any documentation that states otherwise.

    There's a time/date stamp for file modification/access/creation, I would think there is something similar for registry keys...but I keep running into dead ends...

    Why is this in the forensics section? Let's say hypothetically a program was installed on my computer, and I know the approximate date, but not the program...

    So someone please tell me, am I just having a huge case of aggravated stupidity?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Why is this in the forensics section? Let's say hypothetically a program was installed on my computer, and I know the approximate date, but not the program

    If that were the case, you are already owned?

    Registry Prot, Win Patrol should have already warned you..............OK I do use a checksummer, but it will only complain if something changes?

    If you let them in, you are history.................you HAVE to stop them at the perimeter?

    I am not aware of any way within windows of determining Registry Key amendment dates. But I am not a real expert in that area

    Good Luck

  3. #3
    Nice one man, seems like everyone has gone away to search 4 an answer.

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    lol...thanks nihil...yes, you are correct, I would indeed be owned...

    From a forensics standpoint though, let's say I have an employee whom I suspect is stealing company secrets...he manages to install a keylogger on my system...if I were able to corroborate the time a keylogger was installed, with my event logs, or my firewall logs, or my video surveillance, then I would have stronger evidence against the employee.

    Files have dates of creation, dates modified, and dates accessed....it was logical to me that the registry would have the same information....again, I'm looking at it from a forensics standpoint, not a prevention standpoint...

    If I can narrow my search parameters, then I save time....

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Groovicus,

    I think that you would have to find the keylogger application and its files. A tool such as "Keylogger Hunter" should do this:

    http://www.styopkin.com

    I am not aware of Windows holding registry change dates, except possibly in the security & activity logs in Win2K and XP??? I haven't found anything in Win98 and Me, but that is hardly surprising?

    Third party checksumming and registry protection software may also give you the information:

    For example Registry Prot:

    Yes, RegistryProt appends to the HISTORY.LOG file (in your RegistryProt directory). RegistryProt will log as many details as it can, including the time, the event, full registry path, and before/after settings when available.
    Your scenario is a nightmare though, given that the perp has physical access?

    Cheers

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    As per your recommendation, I have been using Registry Prot. Somehow I missed the logging capabilities...hmmm...need to revisit that...

    I did find that Regmon by sysinternals ( http://www.sysinternals.com/ntw2k/source/regmon.shtml ) will display the date of the last time a key was modified, and that is helpful.
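    The stamp Regmon shows is the key's LastWrite time; the registry keeps no creation time for a key, only that one FILETIME, stored in the key's "nk" cell inside the hive file. As an added example (my own code, not from the thread or from any tool it mentions), the parser below pulls the key name and LastWrite time out of such a cell; the sample cell is constructed by the script itself rather than taken from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020  # nk flag: name stored as 8-bit chars, else UTF-16LE


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_nk_cell(cell):
    """Parse one allocated 'nk' (key node) cell from a hive file.

    Returns the key name and its LastWrite time. There is no creation
    time in the record: LastWrite is the only timestamp a key carries.
    """
    size = struct.unpack_from("<i", cell, 0)[0]  # negative when allocated
    if size >= 0 or len(cell) < -size:
        raise ValueError("cell is unallocated or truncated")
    rec = cell[4:-size]  # record body follows the 4-byte size field
    if rec[:2] != b"nk":
        raise ValueError("not an nk cell")
    flags, last_write = struct.unpack_from("<HQ", rec, 2)   # offsets 0x02, 0x04
    name_len = struct.unpack_from("<H", rec, 0x4C)[0]       # key name length
    raw_name = rec[0x50:0x50 + name_len]                    # name at 0x50
    if flags & KEY_COMP_NAME:
        name = raw_name.decode("latin-1")
    else:
        name = raw_name.decode("utf-16-le")
    return {"name": name, "flags": flags,
            "last_write": filetime_to_datetime(last_write)}


def build_nk_cell(name, when):
    """Construct a minimal allocated nk cell (test fixture, not a real hive)."""
    ft = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    raw = name.encode("latin-1")
    body = bytearray(0x50 + len(raw))
    body[0:2] = b"nk"
    struct.pack_into("<HQ", body, 2, KEY_COMP_NAME, ft)
    struct.pack_into("<H", body, 0x4C, len(raw))
    body[0x50:] = raw
    total = 4 + len(body)
    total += (-total) % 8  # hive cells are padded to 8-byte alignment
    return struct.pack("<i", -total) + bytes(body).ljust(total - 4, b"\0")


# Constructed sample: a key named "Run" last written 2004-01-15 09:30 UTC.
SAMPLE_KEY = build_nk_cell("Run", datetime(2004, 1, 15, 9, 30, tzinfo=timezone.utc))
```

Running `parse_nk_cell` over every allocated nk cell of an exported hive gives the same LastWrite view a live Regmon does, but from a dead disk image and without a tool having been installed beforehand.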

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I forgot to mention:

    From a forensics standpoint though, let's say I have an employee whom I suspect is stealing company secrets...he manages to install a keylogger on my system...if I were able to corroborate the time a keylogger was installed, with my event logs, or my firewall logs, or my video surveillance, then I would have stronger evidence against the employee.

    I guess the time has come to "fight fire with fire" as in load your own keylogger and catch the perp using his one.........hence the importance of finding it first. Loading illicit software would be grounds for dismissal? but you would have to prove usage to launch any sort of criminal action? not sure of your laws here.

    In the UK you find that employees have to sign up to the AUP (Approved Usage Policy) of the organisation, which invariably cites violation as an instant dismissal offence.

    In your scenario you may want the perp to go further, and find out the competitor who is paying for the exercise?

    /me keep them out at the perimeter, and sack anyone who takes the piss

    Cheers

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Not that I am any kind of expert when it comes to legal hair-splitting, but Court TV (and Law and Order reruns) tell me that all evidence needs to be corroborated...the more evidence the better...

    As part of the forensics toolbox tutorial I am working on, I'm just exploring the various available tools and methods.

    I have come across a few interesting things that maybe someone else will find interesting also. If I have a warrant to grab a computer, my warrant will probably be limited to searching for information within a specific timeframe, hence the question about timestamps on registry keys.... in this instance, there is no user policy to be enforced. It comes down to what I can find within the scope of the warrant. From the standpoint of designing a secure OS, I personally would want that capability (registry date stamp)...I haven't found anything yet that suggests it is possible.

    Also, the Master File Table is almost ignored in every tutorial I have read, even though it contains almost as much interesting info as the registry (and does include timestamps)...I have researched what it does, and how it does it, but I have not yet found a way to parse that information in an "easy to digest" form, or a way to make it presentable..but I'm still looking.

    Using a keylogger to catch a keylogger, that is a delicious suggestion...I wouldn't have thought of it. Your suggestion is one of a system administrator, or security specialist..my view in this field is as an outsider looking in...

    ****the things I do when watching the snow fly by :P

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    My problem with logs is that they generally tell you what, and even when, but they generally don't tell you who. OK, you have the machine ID and the user's logon ID, but people are human, and will walk away from their machines leaving them logged on.

    It's a bit like a motor car? I can prove that it was yours, I can prove that you were driving it that day, but can I prove that it was YOU driving it when the offence was committed? (Chappaquiddick or something like that comes to mind?)

    I do have software that lets me change Windows file date and time stamps as well

    Try looking at http://www.RuntimeWare.com they have some interesting products, including Sentinel.

    I am not sure about the warrant bit either? if you replace the original HDD with an exact replica (copy all data) then you should have as long as you need?

    Cheers

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    ..and the other problem with logs is that they can be altered...as usual, you cut right to the essence of the problems facing computer forensics "technicians"...

    /I think you have the makings of a defense attorney, btw

    Short of having a picture of the person sitting at the computer at the exact time a crime is committed, I would wager that it is indeed quite difficult. However, prosecutors prove guilt all the time with a preponderance of evidence...all it takes to convict is to convince a jury that the person had access, motive, and the skills necessary.

    As far as the warrant is concerned, let's do another hypothetical, and I'll try to keep it focused. I know that a large sum of money was transferred to an offshore bank from a computer I am investigating. I know by bank records the exact day and time it was done. I obtain a warrant to search the computer, but the courts are only going to allow me to gather evidence that pertains to that crime only....that means I can only look for evidence pertaining to activity on that day. If the judge signing the warrant is feeling magnanimous, I may even be allowed to search for evidence leading up to the crime, such as emails...however, I will be limited to maybe the previous month only.

    If while I am examining data, I find evidence the two months before, he was fu.. ummm...fornicating with the boss's wife, that evidence would probably not be allowed, unless it directly related to the crime at hand....a conspiracy to run away to somewhere warm perhaps.

    At any rate, warrants tend to be very specific. An investigator is not allowed carte blanche to dig up whatever he wants. (not if he wants it admitted in court, anyway)

    Finally, yes software exists to change date stamps... however, if I am understanding correctly, the Master File Table keeps track of accesses and changes...

    As far as my research goes, it is not possible to completely secure a system. The flip side is that it is nigh impossible to completely erase your tracks...

    Oh, and thanks for the link!
