Fig. 6.49 Using USBDeview to view USB hard drive artifacts.

In Fig. 6.49, the Last Plug/Unplug Date represents the first time that the device was connected to the system. This date does not change when the same device is repeatedly reinserted. The second date that appears, Created Date, represents the last time that the same device was attached to the system.

Note that not all USB devices are connected and leave traces in the Windows registry as we already described. Some modern USB devices use a media transfer protocol (MTP) when connecting with computers. New Android versions, Windows phones, and Blackberry all use this protocol, which does not leave traces in the Windows registry keys we already talked about. For example, when an Android smartphone is connected to a computer running Windows® using MTP, the Android device will not expose its contents to Windows® as USB mass storage, which would give Windows® access to its raw file system. Instead the Android device will only allow Windows® to have access to a short list of media files that Windows® can see. If Windows® requests a file, the phone will respond by sending the file over the MTP connection. What we want to conclude from this brief discussion is that USB devices connected through an MTP connection do not leave traces in the previously mentioned USB storage device registry keys. However, there are some forensic tools that can reveal such connected devices. Check your computer forensic tool's feature list for such functions. Nicole Ibrahim has conducted research about MTP devices as a series of blog posts, which can be found at.

Once the dialog is open, enter your search term, select what structures you want searched (keys, values, data), and click “Find Next”. Depending upon how large the hive file is, the search can take several minutes. When the search is complete, any hits will be displayed in the bottom-most pane in the WRR user interface, and double-clicking on any of the hits will cause that location to be opened for viewing. I’ve used this search functionality to look for globally unique identifiers (GUIDs), key and value names, as well as portions of text that may occur within value data. Something else that’s very useful about WRR is that with the “Raw Data” view open, you can right-click on a key, choose “Properties,” and view information about the key, such as the index, the relative offset of the key structure within the hive file, and the LastWrite (or “Date Modified”) time. Perhaps my most prevalent use of WRR is in conjunction with other analysis processes, such as viewing the values and data within a specific key of interest during timeline analysis (more information regarding timeline analysis will be presented later in the chapter). Knowing that a key was modified at a specific time is very helpful, but it can be even more helpful to understand either what values and data are beneath that key, or what was actually modified. I’ve also used WRR to browse through a hive file after other analysis processes have completed, looking for data that may be of use. This is usually a less specific approach, but often results in interesting findings that I can incorporate into other, future analysis. For example, in one instance, I found that specific information about a particular model of cell phone had been stored within the Software hive of the system to which it had been connected, and that information included the electronic serial number, among other things. There have also been times where I’ve discovered information about other Registry keys and values that were unrelated to the case at hand but may be useful during future analysis.

As mentioned, a drawback of WRR is that there is nothing that identifies to which hives the specific data extraction applies. What I mean by that is that if you open a Software hive in WRR and click the “Services and Drivers” button, you will be presented with a “Services” and a “Drivers” tab, both of which will be empty. Some of the buttons will display “no information found” if the hive file does not contain the information that the function is attempting to retrieve. This functionality can be very useful, if you are aware of what data is being retrieved, and from which hive file.

Another drawback of WRR is that it doesn’t handle “big data” at all. What I mean by “big data” is binary value data types that are larger than 2 or 3 KB. Now, there aren’t many values that have “big data”, but there is one that many forensic analysts look to for clues (the ShimCache or “AppCompatCache” data, which we will discuss in greater detail in the chapter “Analyzing the System Hives”), and it’s clear that WRR doesn’t handle that data. Not only does it not parse it and display it in a more readable manner, but it doesn’t properly read the data within the hive so that it can be exported from the hive and parsed with another tool.
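As an added example (not part of the original text and not WRR's own code), the following Python reads a value's data from a raw hive buffer and follows the “db” big-data record that hive format 1.4+ uses for value data larger than 16344 bytes; this is the on-disk structure a tool must walk to export something like AppCompatCache intact. The hive buffer is constructed inline (a stub regf header plus hand-built cells, no hbin headers), the value name and data are made up, and build_sample_hive and read_value_data are the example's own helper names.

```python
import struct
HBIN_BASE = 0x1000           # cell offsets are relative to the first hive bin at file offset 0x1000
BIG_DATA_THRESHOLD = 16344   # hive format 1.4+: larger value data is split into 'db' segments of this size

def cell_data(hive, off):
    """Return the payload of the allocated cell at hive-relative offset `off`."""
    start = HBIN_BASE + off
    size = struct.unpack_from("<i", hive, start)[0]   # negative size = allocated cell
    if size >= 0:
        raise ValueError("cell at 0x%x is free" % off)
    return hive[start + 4:start - size]

def read_value_data(hive, vk_off):
    """Return (data, type) for the 'vk' record at vk_off, reassembling big data."""
    vk = cell_data(hive, vk_off)
    sig, name_len, data_len, data_off, data_type = struct.unpack_from("<2sHIII", vk)
    if sig != b"vk":
        raise ValueError("not a vk record")
    if data_len & 0x80000000:                  # small data lives inline in the offset field
        return vk[8:8 + (data_len & 0x7FFFFFFF)], data_type
    if data_len <= BIG_DATA_THRESHOLD:         # one data cell: the only case a naive reader handles
        return cell_data(hive, data_off)[:data_len], data_type
    db = cell_data(hive, data_off)             # 'db': signature, segment count, offset of offset list
    dsig, nsegs, list_off = struct.unpack_from("<2sHI", db)
    assert dsig == b"db", "expected a db record for %d bytes of data" % data_len
    seg_offs = struct.unpack_from("<%dI" % nsegs, cell_data(hive, list_off))
    joined = b"".join(cell_data(hive, o)[:BIG_DATA_THRESHOLD] for o in seg_offs)
    return joined[:data_len], data_type        # trailing segment padding is dropped

def add_cell(buf, payload):
    """Append an allocated, 8-byte-aligned cell and return its hive-relative offset."""
    size = 4 + len(payload)
    size += -size % 8
    off = len(buf) - HBIN_BASE
    buf += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
    return off

def build_sample_hive(data, name=b"AppCompatCache"):
    """Constructed hive fragment: stub header plus one REG_BINARY value holding `data`."""
    buf = bytearray(b"regf".ljust(HBIN_BASE, b"\0"))
    if len(data) > BIG_DATA_THRESHOLD:         # mirror the on-disk big-data layout
        segs = [add_cell(buf, data[i:i + BIG_DATA_THRESHOLD])
                for i in range(0, len(data), BIG_DATA_THRESHOLD)]
        list_off = add_cell(buf, struct.pack("<%dI" % len(segs), *segs))
        data_off = add_cell(buf, struct.pack("<2sHI", b"db", len(segs), list_off))
    else:
        data_off = add_cell(buf, data)
    vk = struct.pack("<2sHIIIHH", b"vk", len(name), len(data), data_off, 3, 1, 0) + name
    vk_off = add_cell(buf, vk)
    return bytes(buf), vk_off
```

A reader that stops at the “db” cell, as the text says WRR effectively does, would export eight bytes of record header instead of the value's contents.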