Unique Windows Registry data in Fast Boot hibernation and hive transaction logs

Mark Spencer

February 27, 2018

I was asked to take a recent flurry of Tweets and turn them into an Insights post with more detail. So, here goes!

We have spent some time at Arsenal looking at particularly important Windows Registry keys which are sometimes only found, in their most recent state, within Fast Boot hibernation and/or Registry hive transaction logs. In other words, these are important Registry keys that you may not find in their most recent state within active hives. We focused on important keys because it makes the situation more relatable to our colleagues in digital forensics. In this Insights post, we are further focusing on the following key from the SOFTWARE hive:

Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Profiles subkeys represent particular networks, and the information they contain is quite useful for digital forensics practitioners. For example, the “DateLastConnected” value provides a SYSTEMTIME date/time which indicates when the system last connected to that network. You can see more Profiles subkey values in Registry Recon’s “Recon View” from sample SANS evidence in the following screenshot:

Now let’s move on to an actual case. When did our suspect’s laptop last connect to a (very important) network represented by GUID 8DF661DF-89AC-4762-A343-4D099E63BBAF? We could use lots of words to describe the situation, but let’s use a concise spreadsheet instead:

Some of our takeaways from analysis of important Registry keys generally, and Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{8DF661DF-89AC-4762-A343-4D099E63BBAF} in this case specifically, include:

  1. A digital forensics practitioner looking only at the active SOFTWARE hive may conclude the suspect’s laptop last connected to a very important network on 4/26 (and, be wrong)
  2. A digital forensics practitioner also looking at the SOFTWARE hive carved from Fast Boot hibernation may conclude the suspect’s laptop last connected to a very important network on 5/2 (and, still be wrong)
  3. A digital forensics practitioner looking at the active SOFTWARE.log1 hive transaction log may conclude the suspect’s laptop last connected on 5/3 (and, be right)
  4. Maybe obvious to some, but not to others – Registry updates may not be pushed from the hive transaction logs to active hives for seconds, minutes, or hours – but for days
  5. Incorporating active and backed-up hive transaction log data into Registries rebuilt by Registry Recon is near the top of our development queue
  6. Fast Boot hibernation should not be ignored. More on that, and upcoming Hibernation Recon functionality, soon…
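To make the takeaways above concrete, here is an added example (written for this post; it is not Arsenal Recon code and not part of Registry Recon or Hibernation Recon). It decodes the REG_BINARY SYSTEMTIME stored in a Profiles subkey's "DateLastConnected" value and then reconciles that value across the three evidence sources discussed here (active hive, hive carved from Fast Boot hibernation, and the .LOG1 transaction log), reporting which source holds the most recent state. The three sample blobs are constructed to mirror the 4/26, 5/2, 5/3 pattern in the post; the year and times are assumptions, not case data.

```python
# Added example (not from Arsenal Recon's post or tools): decode the SYSTEMTIME
# blob in a NetworkList\Profiles\{GUID} "DateLastConnected" value and reconcile
# that value across several copies of the same key.
import struct
from datetime import datetime

# Win32 SYSTEMTIME: eight little-endian WORDs (16 bytes total).
_SYSTEMTIME = struct.Struct("<8H")


def decode_systemtime(blob: bytes) -> datetime:
    """Decode a 16-byte REG_BINARY SYSTEMTIME into a naive datetime.

    Field order per the Win32 SYSTEMTIME structure: wYear, wMonth,
    wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds.
    The value carries no time-zone information, so the result is naive.
    """
    if len(blob) != _SYSTEMTIME.size:
        raise ValueError(
            f"SYSTEMTIME must be {_SYSTEMTIME.size} bytes, got {len(blob)}")
    year, month, _dow, day, hour, minute, second, millis = _SYSTEMTIME.unpack(blob)
    # datetime() validates the field ranges; wDayOfWeek is derived and ignored.
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def encode_systemtime(dt: datetime) -> bytes:
    """Inverse of decode_systemtime; used here only to build constructed sample data."""
    return _SYSTEMTIME.pack(dt.year, dt.month, dt.isoweekday() % 7, dt.day,
                            dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


def latest_connection(observations):
    """Given (source_name, raw_blob) pairs for the same Profiles subkey as seen
    in different artifacts, return (source_name, datetime) for the most recent
    DateLastConnected. Ties go to the earlier-listed source.
    """
    decoded = [(src, decode_systemtime(blob)) for src, blob in observations]
    return max(decoded, key=lambda item: item[1])


# Constructed sample data (assumed dates/times, not the case in the post):
# the same key as observed in three places, in the order an examiner might
# look at them.
SAMPLE_OBSERVATIONS = [
    ("active SOFTWARE hive",
     encode_systemtime(datetime(2017, 4, 26, 14, 3, 9))),
    ("SOFTWARE hive carved from Fast Boot hibernation",
     encode_systemtime(datetime(2017, 5, 2, 8, 41, 0))),
    ("active SOFTWARE.LOG1 transaction log",
     encode_systemtime(datetime(2017, 5, 3, 17, 22, 45))),
]

if __name__ == "__main__":
    for src, blob in SAMPLE_OBSERVATIONS:
        print(f"{src:48s} {blob.hex()} -> {decode_systemtime(blob)}")
    src, when = latest_connection(SAMPLE_OBSERVATIONS)
    print(f"\nMost recent DateLastConnected: {when} (from {src})")
```

The point of `latest_connection` is the one the spreadsheet makes: the active hive is only one of several copies of the key, and the copy with the newest DateLastConnected is the one to report. Run the same comparison over any other value whose freshness matters, and treat a transaction log that is newer than the active hive as the expected case rather than an anomaly.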

On a parting note, since we know digital forensics practitioners are curious folks who may be interested in recent Windows startup/shutdown activity on the computer in question:

I hope you enjoyed this Insights post! Please let us know if there are any topics you would like addressed in the future.

Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!
