Monday, September 19, 2005

Sources for timeline analysis

I just wanted to take a moment and list out some of the sources for timeline analysis on a Windows system:
  • File MAC times (modified, accessed, created)
  • Registry key LastWrite times
  • Event Logs
  • Other logs (i.e., setupapi.log, schedlgU.txt, etc.)
  • INFO2 files (Recycle Bin records)

Are there any other sources that should be added?

On a side note, does anyone have any credible/supported information regarding which Registry key maintains the audit policy? This may be something that's very important to check.
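Each of the sources listed above records time in a different encoding and, in one case, a different time base, so the first step of any timeline is normalisation into a single zone. The following is an added example (not code from the original post) that merges constructed samples from those sources into one UTC-ordered timeline: NTFS MAC times, Registry key LastWrite times and INFO2 deletion times are 64-bit FILETIMEs (100 ns ticks since 1601-01-01 UTC); EVT Event Log records store TimeGenerated as 32-bit seconds since the Unix epoch, UTC; setupapi.log writes local wall-clock text. The file path, event, hive key and the UTC-4 (EDT) local zone are all assumptions made up for the sample.

```python
"""Merge timestamps from several Windows timeline sources into one UTC timeline.

Added example, not from the original post. All sample values (paths, times,
event, local zone) are constructed.
"""
import datetime as dt
import re

UTC = dt.timezone.utc
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=UTC)
FILETIME_UNIX_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
EDT = dt.timezone(dt.timedelta(hours=-4))  # assumed local zone of the imaged system


def filetime_to_utc(ft):
    """64-bit FILETIME -> timezone-aware UTC datetime (kept to 1 us resolution)."""
    secs, ticks = divmod(ft - FILETIME_UNIX_DELTA, 10_000_000)
    return UNIX_EPOCH + dt.timedelta(seconds=secs, microseconds=ticks // 10)


def utc_to_filetime(when):
    """Inverse of filetime_to_utc; used only to build the constructed samples."""
    delta = when.astimezone(UTC) - UNIX_EPOCH
    secs = delta.days * 86400 + delta.seconds
    return secs * 10_000_000 + delta.microseconds * 10 + FILETIME_UNIX_DELTA


def unix32_to_utc(secs):
    """EVT TimeGenerated/TimeWritten: unsigned 32-bit seconds since the Unix epoch, UTC."""
    return UNIX_EPOCH + dt.timedelta(seconds=secs)


SETUPAPI_HEADER = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2})")


def setupapi_to_utc(line, local_tz):
    """setupapi.log section headers carry local time; convert with the system's zone."""
    m = SETUPAPI_HEADER.match(line)
    if m is None:
        raise ValueError("not a setupapi.log section header: %r" % line)
    local = dt.datetime(*(int(g) for g in m.groups()), tzinfo=local_tz)
    return local.astimezone(UTC)


def build_timeline(local_tz, last_access_updates_disabled=False):
    """Return [(utc_datetime, source, detail)] sorted by time."""
    T = lambda h, mi, s=0: dt.datetime(2005, 9, 19, h, mi, s, tzinfo=UTC)
    rows = []

    # NTFS MAC times for one file, stored as FILETIMEs (constructed).
    path = r"C:\Documents and Settings\user\Local Settings\Temp\tool.exe"
    mac = {"created": utc_to_filetime(T(14, 21)),
           "modified": utc_to_filetime(T(14, 23, 30)),
           "accessed": utc_to_filetime(T(14, 30))}
    for tag, ft in mac.items():
        detail = path
        if tag == "accessed" and last_access_updates_disabled:
            detail += " [NtfsDisableLastAccessUpdate=1: A time not maintained]"
        rows.append((filetime_to_utc(ft), "file/" + tag, detail))

    # Registry key LastWrite time, a FILETIME in the key cell (constructed value).
    rows.append((filetime_to_utc(127716132000000000), "reg/LastWrite",
                 r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"))

    # EVT record: TimeGenerated as 32-bit Unix time (constructed).
    rows.append((unix32_to_utc(1127139940), "evt/Security", "EventID 528 logon, type 2"))

    # setupapi.log header line in local time (constructed).
    line = "[2005/09/19 10:22:15 1234.3]"
    rows.append((setupapi_to_utc(line, local_tz), "setupapi.log", line))

    # INFO2 deletion time, a FILETIME in the Recycle Bin record (constructed).
    rows.append((filetime_to_utc(utc_to_filetime(T(14, 31, 10))), "INFO2/deleted",
                 path + " -> Dc1.exe"))

    rows.sort(key=lambda r: r[0])
    return rows


def format_timeline(rows):
    return ["%s  %-14s %s" % (when.strftime("%Y-%m-%d %H:%M:%S UTC"), src, detail)
            for when, src, detail in rows]


if __name__ == "__main__":
    for out in format_timeline(build_timeline(EDT)):
        print(out)
```

The local zone must come from the imaged system's own TimeZoneInformation, not the analyst's workstation, or every setupapi.log entry lands four (or more) hours away from the FILETIME-based sources. The last-access flag is there because a system with NtfsDisableLastAccessUpdate set leaves A times that look plausible but were never updated.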

14 comments:

Ryan Sommers said...

Been a long time, but I thought I remembered the audit policy was stored in a .pol file? Perhaps that was way back in the earlier days though.

Another good source I don't see listed is Internet History. Gotta love when people claim to not be at their computer, then they log into their Yahoo!/AOL webmail and don't have a saved password.

Ryan Sommers said...

Wow that was bad grammar. Gotta stop doing so many things at once.

Keydet89 said...

Grammar aside, what were you trying to say? They log into Yahoo or AOL and don't have a saved password? Can you elaborate?

Anonymous said...

People who try to claim they were not at their computer at a given time, yet their internet history shows them logging into their webmail account at that time/date. They have no saved password for the site.

You asked for additional (useful) sources of timestamps. Internet History.

Keydet89 said...

Yet their internet history shows them logging into their webmail account at a given time/date.

I get that...what I'm asking to have someone post here for the benefit of everyone else is exactly what to look for. What are you looking for, exactly, in the Internet History, that shows that a user logged into their webmail account at a given time/date?

Anonymous said...

I found this article on Microsoft's web site:

"How To Determine Audit Policies from the Registry"

Looks like HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv is the main entry. With your registry parser, it seems like this information would be easy to grab.

Keydet89 said...

Thanks for the link!

With your registry parser, it seems like this information would be easy to grab.

Exactly!
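For what "easy to grab" looks like once the value is out of an offline SECURITY hive, here is an added example (not the post author's code or his registry parser). The layout it decodes is the Windows 2000/XP/2003 one as I understand the KB article cited above and should be treated as an assumption to verify against a known system: a 44-byte blob whose first byte says whether auditing is enabled, nine DWORDs from offset 4 (one per category, 0 = none, 1 = success, 2 = failure, 3 = both) and a trailing DWORD holding the category count. The category order and the sample bytes are likewise assumed/constructed; pulling the raw value out of the hive file is left to whatever registry parser you use.

```python
"""Decode a PolAdtEv value from an offline SECURITY hive.

Added example, not from the post or its comments. Layout assumed from the
cited KB article (Windows 2000/XP/2003): verify against a known system.
"""
import struct

# Assumed category order for the nine DWORDs.
CATEGORIES = [
    "System", "Logon", "Object Access", "Privilege Use", "Process Tracking",
    "Policy Change", "Account Management", "Directory Service Access", "Account Logon",
]
SETTING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}
POLADTEV_LEN = 44  # assumed: 1 flag byte + 3 pad + 9 DWORDs + 1 count DWORD


def parse_poladtev(data):
    """Return {'enabled': bool, 'policy': {category: setting}} for a raw PolAdtEv blob."""
    if len(data) != POLADTEV_LEN:
        raise ValueError("unexpected PolAdtEv length %d (expected %d)" % (len(data), POLADTEV_LEN))
    enabled = data[0] == 1
    count = struct.unpack_from("<I", data, 40)[0]
    if count != len(CATEGORIES):
        raise ValueError("category count %d does not match assumed layout" % count)
    vals = struct.unpack_from("<9I", data, 4)
    policy = {cat: SETTING.get(v, "unknown(%d)" % v) for cat, v in zip(CATEGORIES, vals)}
    return {"enabled": enabled, "policy": policy}


def unaudited(parsed):
    """Categories for which no events could have been written, regardless of what happened."""
    if not parsed["enabled"]:
        return list(CATEGORIES)
    return [c for c, s in parsed["policy"].items() if s == "No auditing"]


def build_sample(enabled, settings):
    """Pack a constructed PolAdtEv blob in the assumed layout (for testing only)."""
    return struct.pack("<B3x9II", 1 if enabled else 0, *settings, len(settings))


if __name__ == "__main__":
    # Constructed: auditing on, Logon/Account Logon both ways, Policy Change success only.
    blob = build_sample(True, [3, 3, 0, 0, 0, 1, 3, 0, 3])
    parsed = parse_poladtev(blob)
    print("Auditing enabled:", parsed["enabled"])
    for cat, setting in parsed["policy"].items():
        print("  %-26s %s" % (cat, setting))
    print("Never recorded:", unaudited(parsed))
```

The `unaudited` list is the part that matters for a timeline: if "Logon" or "Account Logon" is not audited, the absence of 528/529 events in the Security log says nothing about whether anyone logged in, and the gap has to be filled from the other sources in the post.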

John said...

By default, the Administrators group has no access to the HKEY_LOCAL_MACHINE\Security subkey.

Using Regedit, highlight the subkey, and from the Regedit menu bar, select Edit | Permissions and grant Administrators Full control. Close the Permissions, refresh (F5) the Regedit screen, and voila!

Jesse Kornblum said...

The Prefetch directory? (Application $x was run at date/time)

Keydet89 said...

By default, the Administrators group has no access to the HKEY_LOCAL_MACHINE\Security subkey.

True...but on an imaged system, it doesn't really matter. Tools like lsreg.pl can be used to search the Security file offline...or its cousin, regp.pl can be used to simply dump it.

The Prefetch directory?

File MAC times, my friend! But an excellent thought to add it from that perspective!

Steve said...

Perhaps it would be useful to check for time service settings (depends on the environment, I suppose):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b43a025f-cce2-4c82-b3ea-3b95d482db3a.mspx

And, thanks for sharing your hard work!

Keydet89 said...

Steve,

Perhaps it would be useful to check for time service settings...

Can you elaborate on how you'd use this information? This is different from time zone settings, so how would you see an investigator using the information?

Steve said...

My thought was to use a time source as verification of the local system clock for those that like to monkey with system time. Simply a way to show when the local chain of events happened in real world time. Or, it could be useful to prove a restricted domain member could NOT have changed his system time. And did anyone mention "NtfsDisableLastAccessUpdate"?
