Comments on Windows Incident Response: Evading Investigators and Analysts

H. Carvey (2011-07-21T08:45:10.893-05:00):

Neil,

Good point. This is covered in Windows Forensic Analysis, as well as in Windows Registry Forensics...

Neil (2011-07-21T08:29:38.152-05:00):

"For example...asking why all (in one case, 20 or more) device keys listed beneath the USBStor subkey have the same LastWrite time..."

There's a dangerous knowledge gap in that question. Timestamps are stored on a per-key basis and not a per-value basis. If you're not paying attention, it's easy to assume that a particular value was written at the LastWrite timestamp.