
Monday, September 19, 2005

Sources for timeline analysis

I just wanted to take a moment and list out some of the sources for timeline analysis on a Windows system:
  • MAC file times
  • Registry key LastWrite times
  • Event Logs
  • Other logs (i.e., setupapi.log, schedlgU.txt, etc.)
  • INFO2 files

Are there any other sources that should be added?
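As an added example (not code from this post, and not any of the author's Perl tools), here is a small Python script that takes constructed records from the sources listed above, file MAC times, Registry key LastWrite times, Event Log entries and INFO2 deletion records, and merges them into one UTC-sorted timeline. The sample data, the source labels and the MAC flag convention are mine. The `trust_atime` switch drops access-time rows, which is what you want on a volume where last-access updates were turned off (NtfsDisableLastAccessUpdate) or are otherwise not dependable.

```python
"""Merge Windows timeline sources into one UTC-sorted list (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime    # timezone-aware, UTC
    source: str     # file | registry | eventlog | info2
    flags: str      # MAC letters for file rows; "M.." for LastWrite; "..." otherwise
    desc: str


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 string with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample records (not real case data). File rows are (path, M, A, C)
# as a body-file style tool would report them; NTFS keeps these in UTC.
FILE_RECORDS: Sequence[Tuple[str, str, str, str]] = (
    ("C:/WINDOWS/system32/cmd.exe",
     "2004-08-04T12:00:00Z", "2005-09-19T13:55:02Z", "2004-08-04T12:00:00Z"),
    ("C:/Documents and Settings/jdoe/Desktop/notes.txt",
     "2005-09-19T13:58:40Z", "2005-09-19T13:58:40Z", "2005-09-19T13:58:40Z"),
)
REGISTRY_RECORDS: Sequence[Tuple[str, str]] = (      # (key path, LastWrite)
    ("HKLM\\SYSTEM\\ControlSet001\\Control\\TimeZoneInformation", "2005-09-19T13:49:00Z"),
    ("HKLM\\SECURITY\\Policy\\PolAdtEv", "2005-09-19T13:50:15Z"),
)
EVENTLOG_RECORDS: Sequence[Tuple[str, str, int, str]] = (  # (generated, log, id, text)
    ("2005-09-19T13:54:30Z", "Security", 528, "Successful Logon: jdoe, Logon Type 2"),
    ("2005-09-19T13:56:05Z", "Security", 520, "The system time was changed"),
)
INFO2_RECORDS: Sequence[Tuple[str, str]] = (          # (deleted at, original path)
    ("2005-09-19T13:59:12Z", "C:/Documents and Settings/jdoe/My Documents/plan.doc"),
)


def events_from_files(records, trust_atime: bool) -> Iterable[Event]:
    """One row per distinct timestamp of a file, flagged with the MAC letters it covers."""
    for path, m, a, c in records:
        times: Dict[str, datetime] = {"M": parse_ts(m), "A": parse_ts(a), "C": parse_ts(c)}
        if not trust_atime:
            # An access time proves nothing when last-access updates are disabled
            # (NtfsDisableLastAccessUpdate) or the volume is otherwise unreliable.
            del times["A"]
        by_ts: Dict[datetime, Set[str]] = {}
        for letter, ts in times.items():
            by_ts.setdefault(ts, set()).add(letter)
        for ts, letters in by_ts.items():
            yield Event(ts, "file", "".join(x if x in letters else "." for x in "MAC"), path)


def build_timeline(files=FILE_RECORDS, registry=REGISTRY_RECORDS,
                   eventlog=EVENTLOG_RECORDS, info2=INFO2_RECORDS,
                   trust_atime: bool = True) -> List[Event]:
    """Normalise every source to Event rows and sort them on the UTC timestamp."""
    events: List[Event] = list(events_from_files(files, trust_atime))
    events += [Event(parse_ts(ts), "registry", "M..", f"LastWrite {key}") for key, ts in registry]
    events += [Event(parse_ts(ts), "eventlog", "...", f"{log} {eid}: {text}")
               for ts, log, eid, text in eventlog]
    events += [Event(parse_ts(ts), "info2", "...", f"deleted {path}") for ts, path in info2]
    return sorted(events, key=lambda e: (e.ts, e.source, e.desc))


def render(events: Iterable[Event]) -> str:
    """Plain-text timeline, one event per line."""
    return "\n".join(f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.source:<8} {e.flags} {e.desc}" for e in events)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Everything is converted to UTC before sorting, so that a FAT volume (local time) or a log exported in local time has to be converted on the way in rather than guessed at later; the time zone setting's own key shows up in the sample as a LastWrite row for exactly that reason.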

On a side note, does anyone have any credible/supported information regarding which Registry key maintains the audit policy? This may be something that's very important to check.

13 comments:

  1. Anonymous 2:47 PM

    Been a long time, but I thought I remembered the audit policy was stored in a .pol file? Perhaps that was way back in the earlier days though.

    Another good source I don't see listed is Internet History. Gotta love when people claim to not be at their computer, then they log into their Yahoo!/AOL webmail and don't have a saved password.

  2. Anonymous 2:48 PM

    Wow that was bad grammar. Gotta stop doing so many things at once.

  3. Grammar aside, what were you trying to say? They log into Yahoo or AOL and don't have a saved password? Can you elaborate?

  4. Anonymous 4:02 PM

    People that try to claim they were not at their computer at a given time. Yet their internet history shows them logging into their webmail account at a given time/date. They have no saved password for the site.

    You asked for additional (useful) sources of timestamps. Internet History.

  5. Yet their internet history shows them logging into their webmail account at a given time/date.

    I get that...what I'm asking to have someone post here for the benefit of everyone else is exactly what to look for. What are you looking for, exactly, in the Internet History, that shows that a user logged into their webmail account at a given time/date?

  6. Anonymous 4:20 PM

    I found this article on Microsoft's web site:

    "How To Determine Audit Policies from the Registry"

    Looks like HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv is the main entry. With your registry parser, it seems like this information would be easy to grab.

  7. Thanks for the link!

    With your registry parser, it seems like this information would be easy to grab.

    Exactly!

  8. Anonymous 6:34 PM
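Since the thread settles on PolAdtEv as the place to look, here is a decoder for that value's data, added to this page as an example; it is not the blog author's regp.pl or lsreg.pl, and it does not read the hive itself. You would hand it the bytes of the key's default value pulled from an offline copy of the SECURITY hive with whatever parser you use. The 44-byte layout and the category order are written from my memory of the Microsoft article the commenter cites, so check them against that article before relying on the output; the sample bytes are constructed.

```python
"""Decode a PolAdtEv blob into per-category audit settings (added example)."""
import struct
from typing import Dict, List

# Category order as I recall it from the Microsoft article cited above; treat
# this ordering, and the 44-byte layout described below, as assumptions to verify.
AUDIT_CATEGORIES = (
    "System Events", "Logon Events", "Object Access", "Privilege Use",
    "Process Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon Events",
)
SETTING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def decode_poladtev(data: bytes) -> Dict[str, str]:
    """Map the raw value data to {category: setting} plus an 'Auditing enabled' entry.

    Assumed layout: byte 0 is the audit-enabled flag (rest of that DWORD is
    padding), then nine little-endian DWORDs, one per category (0 none,
    1 success, 2 failure, 3 both), then a trailing DWORD with the category count.
    """
    needed = 4 + 4 * len(AUDIT_CATEGORIES)
    if len(data) < needed:
        raise ValueError(f"PolAdtEv data is {len(data)} bytes, expected at least {needed}")
    policy = {"Auditing enabled": "Yes" if data[0] else "No"}
    for name, word in zip(AUDIT_CATEGORIES, struct.unpack_from("<9I", data, 4)):
        policy[name] = SETTING.get(word, f"Unknown (0x{word:08x})")
    return policy


def unaudited(policy: Dict[str, str]) -> List[str]:
    """Categories that will never produce a Security log entry under this policy."""
    if policy["Auditing enabled"] == "No":
        return list(AUDIT_CATEGORIES)   # master flag off: nothing is audited at all
    return [name for name in AUDIT_CATEGORIES if policy[name] == "No auditing"]


# Constructed sample: auditing on, Logon and Account Logon S/F, Policy Change S only.
SAMPLE_POLADTEV = struct.pack("<11I", 1, 0, 3, 0, 0, 0, 1, 0, 0, 3, 9)

if __name__ == "__main__":
    for name, setting in decode_poladtev(SAMPLE_POLADTEV).items():
        print(f"{name:<26} {setting}")
```

The `unaudited` list is the part worth reading first on a case: if Logon Events or Process Tracking sit in it, the absence of corresponding Security log entries in your timeline means nothing either way.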

    By default, the Administrators group has no access to the HKEY_LOCAL_MACHINE\Security subkey.

    Using Regedit, highlight the subkey, and from the Regedit menu bar, select Edit | Permissions and grant Administrators Full control. Close the Permissions, refresh (F5) the Regedit screen, and voila!

  9. Anonymous 8:05 PM

    The Prefetch directory? (Application $x was run at date/time)

  10. By default, the Administrators group has no access to the HKEY_LOCAL_MACHINE\Security subkey.

    True...but on an imaged system, it doesn't really matter. Tools like lsreg.pl can be used to search the Security file offline...or its cousin, regp.pl, can be used to simply dump it.

    The Prefetch directory?

    File MAC times, my friend! But an excellent thought to add it from that perspective!

  11. Anonymous 10:56 AM

    Perhaps it would be useful to check for time service settings (depends on the environment, I suppose):
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b43a025f-cce2-4c82-b3ea-3b95d482db3a.mspx

    And, thanks for sharing your hard work!

  12. Steve,

    Perhaps it would be useful to check for time service settings...

    Can you elaborate on how you'd use this information? This is different from time zone settings, so how would you see an investigator using the information?

  13. Anonymous 4:53 PM

    My thought was to use a time source as verification of the local system clock for those that like to monkey with system time. Simply a way to show when the local chain of events happened in real world time. Or, it could be useful to prove a restricted domain member could NOT have changed his system time. And did anyone mention "NtfsDisableLastAccessUpdate"?
