/ Insights

Unique Windows Registry data in Fast Boot hibernation and hive transaction logs

February 17th, 2018
Mark Spencer
Registry Recon NetworkList Profiles

I was asked to take a recent flurry of Tweets and turn them into an Insights post with more detail. So, here goes!

We have spent some time at Arsenal looking at particularly important Windows Registry keys which are sometimes only found, in their most recent state, within Fast Boot hibernation and/or Registry hive transaction logs. In other words, these are important Registry keys that you may not find in their most recent state within active hives. We focused on important keys because it makes the situation more relatable to our colleagues in digital forensics. In this Insights post, we are further focusing on the following key from the SOFTWARE hive:

Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Profiles subkeys represent particular networks, and the information they contain is quite useful for digital forensics practitioners. For example, the “DateLastConnected” value provides a SYSTEMTIME date/time which indicates when the system last connected to that network. You can see more Profiles subkey values in Registry Recon’s “Recon View” from sample SANS evidence in the following screenshot:

Now let’s move on to an actual case. When did our suspect’s laptop last connect to a (very important) network represented by GUID 8DF661DF-89AC-4762-A343-4D099E63BBAF? We could use lots of words to describe the situation, but let’s use a concise spreadsheet instead:

Some of our takeaways from analysis of important Registry keys generally, and Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{8DF661DF-89AC-4762-A343-4D099E63BBAF} in this case specifically, include:

  1. A digital forensics practitioner looking only at the active SOFTWARE hive may conclude the suspect’s laptop last connected to a very important network on 4/26 (and, be wrong)

  2. A digital forensics practitioner also looking at the SOFTWARE hive carved from Fast Boot hibernation may conclude the suspect’s laptop last connected to a very important network on 5/2 (and, still be wrong)

  3. A digital forensics practitioner looking at the active SOFTWARE.log1 hive transaction log may conclude the suspect’s laptop last connected on 5/3 (and, be right)

  4. Maybe obvious to some, but not to others – Registry updates may not be pushed from the hive transaction logs to active hives not for seconds, minutes, or hours – but days

  5. Incorporating active and backed-up hive transaction log data into Registries rebuilt by Registry Recon is near the top of our development queue

  6. Fast Boot hibernation should not be ignored. More on that, and upcoming Hibernation Recon functionality, soon…

On a parting note, since we know digital forensics practitioners are curious folks who may be interested in recent Windows startup/shutdown activity on the computer in question:

I hope you enjoyed this Insights post! Please let us know if there are any topics you would like addressed in the future.

Published in: Registry Recon

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.