Thursday, June 10, 2010


This post from the Digital Detective site discusses how to manually identify the time zone of a system from the image. This information is maintained in the Registry, and RegRipper has a plugin for this (as part of the default distro).

I saw this post recently on the SANS ISC blog, which has to do with software restriction policies on a system. I thought...hey, that's pretty cool, AND there's a Registry key listed. From there it was a simple matter to research the MS site and see what other information I could find, and I began to see the possible value of the data derived from the DefaultLevel value (called a "key" in the blog post) to an analyst. In a matter of minutes, I had a functioning RegRipper plugin.

Interestingly enough, the more I research this, the more I see the CodeIdentifiers key being of some level of importance, not only to forensic analysts, but also to system administrators. After all, if it weren't, why would so many bits of malware be modifying or deleting entries beneath this key?


Stefan said...


thanks for sharing this information. The CodeIdentifiers key seems to be quite interesting indeed. A search on and the like reveals a number of malware samples that delete the key or create sub-keys.

Wrt the DefaultLevel value, however, it is important to recognize that on many Windows systems DWORD:40000 seems to be its default setting. So this fact on its own doesn't hint towards malware.


Keydet89 said...


True, but that's why more research is needed.

Anonymous said...

Harlan, I found a book on Amazon that looks like it has a lot of potential. Can you give any more details on it?

Keydet89 said...


Don't know how I'd be able to...

Keydet89 said...

What I mean to say is that the book hasn't been written yet, and since I don't know what details you're looking for, I could literally write for an hour and never answer your question.