Monday, September 19, 2005

Sources for timeline analysis

I just wanted to take a moment and list out some of the sources for timeline analysis on a Windows system:
  • MAC file times
  • Registry key LastWrite times
  • Event Logs
  • Other logs (i.e., setupapi.log, schedlgU.txt, etc.)
  • INFO2 files

Are there any other sources that should be added?

On a side note, does anyone have any credible/supported information regarding which Registry key maintains the audit policy? This may be something that's very important to check.
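The sources listed above only become a timeline once every timestamp is normalized to one clock and one record shape, so they can be sorted together. The script below is an added example, not code from this post or from the Perl tools discussed in the comments: it walks a directory for file MAC times (a real collector), and takes constructed Registry LastWrite and Event Log records as stand-ins for what a registry or event-log parser would emit, then merges everything into one sorted UTC timeline. The key names, event IDs and epoch values in the sample records are constructed for illustration, and last-access times are tagged separately because they cannot be trusted where NtfsDisableLastAccessUpdate is set.

```python
"""Merge timestamps from several Windows artifact sources into one sorted timeline.

Added example, not code from the original post. Each source is reduced to
(UTC timestamp, source tag, description) records so that file MAC times,
Registry LastWrite times and Event Log entries sort against each other.
Only collect_file_mac_times() reads real data; the Registry and Event Log
records below are constructed sample input.
"""
import os
import stat
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List


@dataclass(frozen=True)
class TimelineEvent:
    when: datetime        # timezone-aware UTC so every source sorts on one clock
    source: str           # e.g. "FILE/M", "FILE/A", "FILE/C", "REG", "EVT"
    description: str


def _utc(epoch_seconds: float) -> datetime:
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def collect_file_mac_times(root: str) -> List[TimelineEvent]:
    """Emit one event per M, A and C timestamp of every regular file under root.

    Last-access (A) events get their own tag so an analyst can discount them
    on systems where NtfsDisableLastAccessUpdate is set. Note that on a
    non-Windows analysis host st_ctime is inode-change time, not creation time.
    """
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            events.append(TimelineEvent(_utc(st.st_mtime), "FILE/M", path))
            events.append(TimelineEvent(_utc(st.st_atime), "FILE/A", path))
            events.append(TimelineEvent(_utc(st.st_ctime), "FILE/C", path))
    return events


def registry_events(lastwrite: Iterable[tuple]) -> List[TimelineEvent]:
    """Turn (key path, LastWrite epoch seconds) pairs into timeline events."""
    return [TimelineEvent(_utc(ts), "REG", key) for key, ts in lastwrite]


def eventlog_events(records: Iterable[tuple]) -> List[TimelineEvent]:
    """Turn (epoch seconds, event id, message) tuples into timeline events."""
    return [TimelineEvent(_utc(ts), "EVT", f"EventID {eid}: {msg}")
            for ts, eid, msg in records]


def merge_timeline(*sources: Iterable[TimelineEvent]) -> List[TimelineEvent]:
    """Flatten all sources and sort chronologically; ties sort by source tag."""
    merged = [ev for src in sources for ev in src]
    merged.sort(key=lambda ev: (ev.when, ev.source))
    return merged


def render(events: Iterable[TimelineEvent]) -> List[str]:
    """One line per event: ISO timestamp, source tag, description."""
    return [f"{ev.when.isoformat()} {ev.source:7} {ev.description}" for ev in events]


# Constructed sample records (not real parser output) standing in for
# Registry LastWrite times and Event Log entries from the same system.
SAMPLE_REGISTRY = [
    ("HKLM\\Security\\Policy\\PolAdtEv", 1_127_130_000),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", 1_127_134_000),
]
SAMPLE_EVENTLOG = [
    (1_127_132_000, 528, "Successful logon"),
    (1_127_135_000, 612, "Audit policy change"),
]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    timeline = merge_timeline(
        collect_file_mac_times(root),
        registry_events(SAMPLE_REGISTRY),
        eventlog_events(SAMPLE_EVENTLOG),
    )
    print("\n".join(render(timeline)))
```

Run it against a mounted image directory (for example the Prefetch folder) to see file events interleaved with the sample Registry and Event Log records; a real investigation replaces the two sample lists with the output of a registry and an event-log parser, keeping the same record shape.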

13 comments:

Anonymous said...

Been a long time, but I thought I remembered the audit policy was stored in a .pol file? Perhaps that was way back in the earlier days though.

Another good source I don't see listed is Internet History. Gotta love when people claim to not be at their computer, then they log into their Yahoo!/AOL webmail and don't have a saved password.

Anonymous said...

Wow that was bad grammar. Gotta stop doing so many things at once.

H. Carvey said...

Grammar aside, what were you trying to say? They log into Yahoo or AOL and don't have a saved password? Can you elaborate?

Anonymous said...

People that try to claim they were not at their computer at a given time. Yet their internet history shows them logging into their webmail account at a given time/date. They have no saved password for the site.

You asked for additional (useful) sources of timestamps. Internet History.

H. Carvey said...

Yet their internet history shows them logging into their webmail account at a given time/date.

I get that...what I'm asking to have someone post here for the benefit of everyone else is exactly what to look for. What are you looking for, exactly, in the Internet History, that shows that a user logged into their webmail account at a given time/date?

Anonymous said...

I found this article on Microsoft's web site:

"How To Determine Audit Policies from the Registry"

Looks like HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv is the main entry. With your registry parser, it seems like this information would be easy to grab.

H. Carvey said...

Thanks for the link!

With your registry parser, it seems like this information would be easy to grab.

Exactly!

Anonymous said...

By default, the Administrators group has no access to the HKEY_LOCAL_MACHINE\Security subkey.

Using Regedit, highlight the subkey, and from the Regedit menu bar, select Edit | Permissions and grant Administrators Full control. Close the Permissions, refresh (F5) the Regedit screen, and voila!

Anonymous said...

The Prefetch directory? (Application $x was run at date/time)

H. Carvey said...

By default, the Administrators group has no access to the HKEY_LOCAL_MACHINE\Security subkey.

True...but on an imaged system, it doesn't really matter. Tools like lsreg.pl can be used to search the Security file offline...or its cousin, regp.pl, can be used to simply dump it.

The Prefetch directory?

File MAC times, my friend! But an excellent thought to add it from that perspective!

Anonymous said...

Perhaps it would be useful to check for time service settings (depends on the environment, I suppose):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b43a025f-cce2-4c82-b3ea-3b95d482db3a.mspx

And, thanks for sharing your hard work!

H. Carvey said...

Steve,

Perhaps it would be useful to check for time service settings...

Can you elaborate on how you'd use this information? This is different from time zone settings, so how would you see an investigator using the information?

Anonymous said...

My thought was to use a time source as verification of the local system clock for those that like to monkey with system time. Simply a way to show when the local chain of events happened in real world time. Or, it could be useful to prove a restricted domain member could NOT have changed his system time. And did anyone mention "NtfsDisableLastAccessUpdate"?