I was asked to take a recent flurry of Tweets and turn them into an Insights post with more detail. So, here goes!
We have spent some time at Arsenal looking at particularly important Windows Registry keys which are sometimes only found, in their most recent state, within Fast Boot hibernation and/or Registry hive transaction logs. In other words, these are important Registry keys that you may not find in their most recent state within active hives. We focused on important keys because it makes the situation more relatable to our colleagues in digital forensics. In this Insights post, we are further focusing on the following key from the SOFTWARE hive:
Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Profiles subkeys represent particular networks, and the information they contain is quite useful for digital forensics practitioners. For example, the “DateLastConnected” value provides a SYSTEMTIME date/time which indicates when the system last connected to that network. You can see more Profiles subkey values in Registry Recon’s “Recon View” from sample SANS evidence in the following screenshot:
Now let’s move on to an actual case. When did our suspect’s laptop last connect to a (very important) network represented by GUID 8DF661DF-89AC-4762-A343-4D099E63BBAF? We could use lots of words to describe the situation, but let’s use a concise spreadsheet instead:
Some of our takeaways from analysis of important Registry keys generally, and Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{8DF661DF-89AC-4762-A343-4D099E63BBAF} in this case specifically, include:
A digital forensics practitioner looking only at the active SOFTWARE hive may conclude the suspect’s laptop last connected to a very important network on 4/26 (and, be wrong)
A digital forensics practitioner also looking at the SOFTWARE hive carved from Fast Boot hibernation may conclude the suspect’s laptop last connected to a very important network on 5/2 (and, still be wrong)
A digital forensics practitioner looking at the active SOFTWARE.log1 hive transaction log may conclude the suspect’s laptop last connected on 5/3 (and, be right)
Maybe obvious to some, but not to others – Registry updates may not be pushed from the hive transaction logs to active hives not for seconds, minutes, or hours – but days
Incorporating active and backed-up hive transaction log data into Registries rebuilt by Registry Recon is near the top of our development queue
Fast Boot hibernation should not be ignored. More on that, and upcoming Hibernation Recon functionality, soon…
On a parting note, since we know digital forensics practitioners are curious folks who may be interested in recent Windows startup/shutdown activity on the computer in question:
I hope you enjoyed this Insights post! Please let us know if there are any topics you would like addressed in the future.