SYSTEM artifacts SECURITY artifacts SOFTWARE artifacts NTUSER.DAT Windows Registry 3 SYSTEM artifacts SECURITY artifacts SOFTWARE artifacts NTUSER.DAT

The SYSTEM registry file SYSTEM is a root key in HKEY_LOCAL_MACHINE hive Contains system settings, hardware configurations boot up information device driver configurations Connected hardware operating system settings Three control sets (001,003,CurrentControSet) One as backup One volatile, Current ControlSet Current Control Four subkeys Control: boot and startup options Enum: device and driver configurations Hardware profiles: specific info to booted hardware Services: list drivers, file system information Backup Volatile Current Control Set

The SYSTEM registry file The CurrentControlSet Is a symbolic link to the ControlSet that are used of the live machine Volatile Forensic Importance: ControlSet ### Enum FloppyDiskDrivers – FDC IDE Drivers – IDE (Integrated Drive Electronics) LPT – Printer Info – LPTENUM Storage Drivers – STORAGE

System\ControlSet###\Enum\IDE IDE – Device model name and device identifier associated here. Shows HDD Includes CDROM drives Lists drives by manufacturer/model number Provides a device Identifier for each Western Digital HDD

The SYSTEM\Select subkey The Select subkey defines which control set is active The Select subkey contains the values Default, defines which control set will be used Current, which of the two control sets that was used to boot last time Failed, the control set that last failed to boot LastKnownGood, the control set for the last successful logon

Time zone information Time zone information is important for forensic investigations Data and times can be handled in different ways of the OS The settings have to be determined prior to forensics analysis Windows uses the time zone settings to convert UTC times to the local time before displaying NTFS file systems store time in UTC UTC, Universal Coordinated Time UTC is also known as GMT or Greenwich Mean Time. FAT file systems store time as local time One way to correct the time-settings is to set the investigation machine to the same time zone settings as the suspect’s computer has.

Time Zone Settings in Access Data Current time zone settings are find in CurrentControlSet\Control\TimeZoneInformation Bias the difference, in minutes, between UTC and local time StandardName name associated with the standard time StandardBias the difference between standard time and local time translations, normal zero StandardStart start of the “winter time” DaylightBias the value that is added to the standard time to get “summer time” ActiveTimeBias The currently active time bias

Time Zone Settings in Registry The bias is the difference in minutes between UTC and local time. Used during local time translation. String assotiated with standard time on operating system. EST=Eastern Standard Time – can be empty.

Time Zone Settings for examination Two pieces of information needed before setting up the examination machine: Time zone setting of the suspect machine Check for the autocorrect the daylight saving time. System key shows TimeZoneInformation: ControlSet###\Control\TimeZoneInformation

Time Zone Settings Important: You are determining whether DST was in use at all, not if it was in effect at the time of seizure! Daylight Savings Time was being used DisableAutoDaylightTimeSet If this value is present, and set to 1, the user has turned off the auto settings of daylight time In Vista the value always exist and you have to examinate the value. 0 = auto detect / 1 = disabled

Time Zone Settings If investigative machine was set to Eastern Time and the suspect system was set to pacific Time, there would be potentially a three-hour discrepancy from the actual time on the suspect system to what is displayed on the inestigative machine. FAT system store the date and time in local time as set by the system clock. NTFS volume store the date and time after first translating it to UTC, based on the current setting of the machine. FTK prompts the user to select a time zone and indicate whether or not daylight saving time is being used. Every NTFS volume have the time stored with no adjustment made.

Computer Name ControllSet###\Control\ComputerName\ComputerName ControllSet###\Services\EventLog\ComputerName (XP) The Date and Time user registered for installation of the system Computer Name

When is the last shutdown time? From Forensic examination point of veiw Normal shutdown Catastrophic shutdown (crash, pulled plug, other loss of power) ControlSet###\Control\Windows\ShutdownTime User’s NTUSER.DAT (last modified date and time) Regf and first hbin block SFTWARE (file update) SYSTEM (file update)

Identification of an USB device USB devices have two assigned numbers for identification Unique instance identifier that exists on the hardware device itself. It identifies the device to the USBSTOR subkey. ParentIdPrefix (PIP) Number Generated by Windows XP Appears generally as a 7& or 8& number followod by seven or eight hexadecimal digits 7& OR 8& Hexadecimal

USB devices USB removable storage device footprints: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR Setupapi.log Mounted Device Manager

1- USB Removable Storage Devices USB removable storage device footprints: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR A device class identifier is created the first time the type of device is connected to the computer A unique instance identifier needs to be created for the specific device That is the serialnumber of the USB-device

USB Devices serial number The serial number for USB device can also be found in the Windows Device Manager Right click MyComputer and select Properies=>Hardware=>Device Manager=> UniversalSerialBusController=>Details, or run devmgmt.msc as a command to open this page

USB Devices serial number If you choose Disk Drivers in the Device Manager you will find the manufacturer name of the device If you select Storage Volumes in the Device Manager you will find the ParentIdPrefix for the device. Look in Details The serial number

2- Setupapi.log Another place that USB device leaves track of device and driver. C:\WINDOWS\SETUPAPI.LOG C:\WINNT Includes Values: Drive Identifier ParentIDPrefix HardwareID CompatibleIDs ClassGUID Note: A log file can be manipulated.. . A trace after an installation of a USB thumb drive [2009/01/16 11:11:39 1120.7 Driver Install] . : #-166 Device install function: DIF_INSTALLDEVICE. #I123 Doing full install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\89900000000000006CB02AC4&0". . : #I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\89900000000000006CB02AC4&0” finished successfully.

3- Mounted Device Manager Drive Letter: When a USB removable storage device is connected to a Windows system, it is assigned a drive letter system\MountedDevices Two types of links \??\Volume{GUID} GUID, Globally Unique Identifier The link remains even after that the device has been removed \DosDevices\A: Links with drive letters are uppdated to the most recent device that has been assigned the drive letter

Last time the device was connected, method 1 system\ControlSet###\Control\DeviceClasses Find a Device ID (drive letter): {53f56307-b6bf-11d0-94f2-00a0c91efb8b} Identifying the device with PIP of ”7&1bdff45a” as having the last USB in drive. Key with the GUID for the disk interface as name Choose the subkey that contains the serial number of the USB-device ##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#000000000000000000000C18&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} The LastWrite time of this key corresponds to the last time the device was connected to the system

Last time the device was connected, method 2 system\ControlSet###\Control\DeviceClasses Find a dos drive by {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Key with the GUID for the volume device interface name Choose the subkey that contains the PIP of the USB-device ##?#STORAGE#RemovableMedia#8&39056034&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} The LastWrite time of this key corresponds to the last time the device was connected to the system

USB-device and its drive letter If the device is removed from the G: drive and an other device is inserted that use the G: drive, the previous information vill be overwritten Driver letter The last used device PIP In Vista the PIP isn’t used. The device id is used instead.

Mounted Device There are \DosDevices entries (in particular \DosDevices\C: ) whose data is only 12 bytes (3 DWORD) Partition offset in little endian First 4byte is for drive signature or volume ID offset 0x1b8 within the Master Boot Record (MBR) of the hard drive

Has the HardDrive been connected to the computer? Search for the harddrive identifier, MBR, offsets 440-443 Compare with system\MountedDevices\DosDevices\C: Partition offset in little endian If a physical device was divided Into multiple volumes, each \DosDevice\<drive letter> would be identified with the same four-byte identity This two are from same physical device

Other types of USB devices (Camera) Every type of USB mass storage device will give simulary traces in the registry A device class identifier for a Konica Minolta Dimage Z20 camera

4- System\Enum\IDE system\ConrolSet###\Enum\IDE contains information about units that has been connected to the computer USBSTOR, USB devices FDC, Floppy Disk Controller LPTENUM, printers connected through the LPT port USBPRINT, printers connected through a USB port IDE, hardware IDE .. .

IDE: Hard disk drives system\ConrolSet###\Enum\IDE Show the harddisk drives attached to the system Device type, manufactorer and model information The device identifier does not associate to the system\MountedDevices subkey This is accomplished through another identifier stored in the physical drive’s Master Boot Record (MBR)

System\Enum\IDE system\ConrolSet###\Enum\IDE Hard disk drives connected to system

TCP IP parameters In Services TCPIP subkey, information about network connections is saved ControlSet###\Services\Tcpip\Parameters