Need for Registry references

hogfly
Senior Member
 

Re: Need for Registry references

Posted: Dec 06, 05 19:12

Harlan,
Indeed, more than just a list is necessary, and I do intend to complete the list and the contents of the keys so they are useful. All this list was intended to be was flagging potentially revealing keys so I could go back and dig deeper into the what, when, how of the values. I should have *some* free time in the next month or so to develop the list into something useful. As for credibility of the resources....know anyone at Microsoft? :)

keydet89
Senior Member
 

Re: Need for Registry references

Posted: Dec 06, 05 21:21

> know anyone at Microsoft?

I do...but haven't gotten anything out of them. Kind of like the whole "blood from a stone" thing.

When I sat down and was thinking about the format for a Registry reference, I also thought about how to handle submissions. As far as "credible references" go, two things came to mind: (a) links to MS KB articles, and other credible sites (NIST, etc.), and (b) verifiable, repeatable testing. An example of this might be:

1. Run the first half of the InControl5 two-phase process.
2. Initiate monitoring via Regmon.
3. Perform a single, atomic action (double-click a JPG image, either on the local hard drive or on a USB-connected removable storage device).
4. Halt Regmon capture.
5. Complete the InControl5 process.
6. Submit Registry key with description, test procedure, and results.

The basic idea is that if someone else uses the testing procedure, and performs the same action as in step 3, they should get the same results.

An additional step might be to query the LastWrite time of the key in question before step 1 and again after step 4.

Sound reasonable?  
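The before/after snapshot plus live-capture procedure laid out in the post above, as an added example that is not code from the thread, from InControl5 or from Regmon: it diffs two constructed key snapshots (values and LastWrite time, covering the extra LastWrite step) and keeps only the keys that the capture also shows being written during the atomic action. The snapshot contents, key names and the simplified tab-separated capture layout are all constructed for illustration.

```python
from datetime import datetime
# Constructed snapshots (what an InControl5-style before/after would hold):
# key path -> (LastWrite time, {value name: data}). Names are illustrative.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg":
        (datetime(2005, 12, 1, 9, 0), {"MRUListEx": b"\x00"}),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg":
        (datetime(2005, 11, 20, 8, 0), {"Application": "shimgvw.dll"}),
}
AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg":
        (datetime(2005, 12, 6, 19, 12), {"MRUListEx": b"\x01\x00", "1": "photo.jpg"}),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg":
        (datetime(2005, 11, 20, 8, 0), {"Application": "shimgvw.dll"}),
}
# Constructed monitor capture, simplified to tab-separated
# process / request / path / result (not Regmon's real export layout).
CAPTURE = "\n".join([
    "explorer.exe\tSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\RecentDocs\\.jpg\\1\tSUCCESS",
    "explorer.exe\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\FileExts\\.jpg\\Application\tSUCCESS",
    "explorer.exe\tSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\RecentDocs\\.jpg\\MRUListEx\tSUCCESS",
])
WRITE_OPS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}

def diff_snapshots(before, after):
    """Keys whose LastWrite moved or whose values were added or changed."""
    changed = {}
    for key, (t_after, vals_after) in after.items():
        t_before, vals_before = before.get(key, (None, {}))
        delta = {n: d for n, d in vals_after.items() if vals_before.get(n) != d}
        if delta or t_before != t_after:
            changed[key] = {"last_write": (t_before, t_after), "values": delta}
    return changed

def capture_writes(text):
    """Key paths that received a successful write request during the capture."""
    keys = set()
    for line in text.splitlines():
        _proc, op, path, result = line.split("\t")
        if op in WRITE_OPS and result == "SUCCESS":
            keys.add(path.rsplit("\\", 1)[0])  # drop the value name, keep the key
    return keys

def corroborated(before, after, text):
    """Changed keys the live capture independently ties to the test action."""
    diff, writes = diff_snapshots(before, after), capture_writes(text)
    return {k: v for k, v in diff.items() if k in writes}
```

A key that changed in the snapshot diff but never appears as a write in the capture is the case to investigate further before submitting it, since the change may not belong to the action under test.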

hogfly
Senior Member
 

Re: Need for Registry references

Posted: Dec 06, 05 21:32

It does sound reasonable. However, what about keys and values that are user configured such as the telephony key(s)? In that case, I'd say step 3 needs to be expanded to include the configuration of a single field (or the entire dialog window) in a user configurable utility.  

keydet89
Senior Member
 

Re: Need for Registry references

Posted: Dec 06, 05 21:37

Is the Telephony key directly user configurable? Does the user open RegEdit to modify the key, or is the action taken through a wizard or some part of the shell/GUI?

What I provided in my list of steps is an example. I think it applies to most, if not all, cases...particularly the part of step 3 that says, "Perform a single, atomic action"...this pertains to the action a user would take, such as interacting with a Wizard, the shell, a GUI dialog, etc. This includes the configuration of a single field.  

Page 2 of 2