I was tooling around the Internet last night and ran across the "Forensics from the sausage factory" blog...and to be honest, my first thought was, "Oh, snap!"...it sounded like another one of those blogs that starts out being technical and interesting and then pretty soon the author starts posting personal or political stuff...
Anyway, I did find some pretty interesting posts, like this one. Like a fish, I'm easily distracted by shiny objects...in this case, anything that has to do with forensic analysis and the Registry. This post mentioned the following value:
HKLM\System\CurrentControlSet\Control\Watchdog\Display\ShutdownCount
Interesting. According to the post, this maintains a count of how many times the system was shut down. Most of the information regarding this value that I've been able to find via Google has to do with CastleCops and spyware scans...not sure why. I did find some info at MS on this, but it has to do with a Watchdog timer for video display drivers.
Any thoughts?
Any other keys/values of interest? If so, it's usually helpful to state why the key/value is of interest to forensic examiners (or incident responders).
Yes, I created a plugin for this value. ;-)
11 comments:
Looks like an XP only value. I could not find it in Vista.
(re: brian) In Vista, I couldn't seem to find a key or value that had Shutdown in its name that seems analogous to ShutdownCount.
To please my curiosity, I executed systeminfo capturing Registry operations with Process Monitor (filtered view on RegQueryValue). A decent amount of queries are made that result in some information that might be relevant to FA/IR....
Jason...
Such as...??
Seeing this value on spyware sites is probably just from people posting their HijackThis logs after an infection. You can see a tutorial on the output here.
".it sounded like another one of those blogs that starts out being technical and interesting and then pretty soon the author starts posting personal or political stuff..."
If someone wants to post personal or political "stuff" on their blog, they are well within their right to do so. What's wrong with that? Should we all subscribe to the HC censorship mantra? ;P
Where'd you get "censorship"? Simply not being interested in something isn't "censorship".
Easy to take potshots when you're anonymous...
i was the anonymous post; i was on a network where i didnt feel comfortable logging in, sorry :)
to clarify... suggesting one should talk about one topic, but not talk about another topic implies censoring. Taking a potshot at bloggers that do this would at first glance appear to be suggesting they cease this activity and thus be censored.
sippy
@Harlan,
Page File Location:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
I also posted some more thoughts on my blog:
http://nssadoc.blogspot.com/2008/07/registry-analysis-1.html
Kind of off topic, but I found a Perl program you might be interested in. It can create a timeline from various sources, including the registry.
http://www.sans.org/reading_room/whitepapers/forensics/32767.php
I liked his topic on Windows FE. I think Windows FE is the greatest thing ever, ever. Except maybe your book, whose registry chapter alone is worth the price.
Post a Comment