Unallocated Clusters, in Registry, in Restore Point Question

4 Posts
2 Users
0 Likes
230 Views
(@englishgit)
Posts: 22
Eminent Member
Topic starter
 

I've been asked as part of an investigation to look for specific files the user is believed to have downloaded/shared. The original files are not there, but filenames have shown up in unicode in restore points.

These filenames appear to be in the unallocated space of the NTUSER registry hive for a specific Windows user, following some kind of unique identifier. The files are all listed together following words such as "MRUListEx", "NodeSlot", and "Address". It's a Windows XP system. From what I can find out it's not a (former) recent file bit of the registry. I can't figure out where these have come from and could do with an explanation, as these are the only references to most of these file names.

Any clues? All theories welcome, however ridiculous or obvious they may seem!

 
Posted : 27/06/2008 7:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I've been asked as part of an investigation to look for specific files the user is believed to have downloaded/shared. The original files are not there, but filenames have shown up in unicode in restore points.

These filenames appear to be in the unallocated space of the NTUSER registry hive for a specific Windows user, following some kind of unique identifier. The files are all listed together following words such as "MRUListEx", "NodeSlot", and "Address". It's a Windows XP system. From what I can find out it's not a (former) recent file bit of the registry. I can't figure out where these have come from and could do with an explanation, as these are the only references to most of these file names.

Any clues? All theories welcome, however ridiculous or obvious they may seem!

No clues, just questions… for example:

"These filenames appear to be in the unallocated space of the NTUSER registry hive for a specific Windows user…"

Are you saying here that you got a hit on the physical contents of the hive file itself, but opening the hive file in a Registry viewer, you're not seeing that filename/search term anywhere? If that's the case, what are you using for your initial search, and what are you using to open/view/search the hive file itself?

 
Posted : 27/06/2008 7:55 pm
(@englishgit)
Posts: 22
Eminent Member
Topic starter
 

The initial keyword search that found the entries was in EnCase 6. I mounted the hive in there and found nothing, unmounted, copied it out, searched using AccessData's Registry Viewer, then remounted the hive in EnCase, calculating unallocated space. I then found the text in that unallocated space.

Any further thoughts from anyone?

 
Posted : 30/06/2008 1:50 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

When you mount a file in EnCase 6 and 'calculate unallocated space', you're essentially dealing with the physical sectors occupied by the file, correct? Would the 'unallocated space' then be file slack? I ask b/c your subject line mentions "unallocated clusters", rather than unallocated cells within the Registry hive bins themselves.

 
Posted : 07/07/2008 6:27 pm
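The distinction keydet89 draws above (file slack versus unallocated cells inside the hive bins) can be checked directly. The following is an added example, not code posted by either participant: it walks the hive's hbin/cell chain, treats every cell with a positive size header as free, and carves UTF-16LE strings from those cells only. The sample hive is constructed inline; run it on a real NTUSER.DAT to get the offsets of free cells that still hold "MRUListEx"-style leftovers.

```python
import re
import struct

HEADER_SIZE = 4096                                      # REGF base block before the first hbin
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # 4+ printable UTF-16LE characters


def build_sample_hive():
    """Constructed sample (not a real NTUSER.DAT): one hbin holding an
    allocated cell plus a free cell that still carries stale UTF-16LE text."""
    live = b"nk" + b"\x00" * 26                         # 28-byte allocated payload
    stale = ("MRUListEx".encode("utf-16-le") + b"\x00\x00"
             + "holiday_photo.jpg".encode("utf-16-le"))  # leftovers in the free cell
    cells = struct.pack("<i", -(4 + len(live))) + live  # negative size = in use
    free_len = 4096 - 32 - len(cells)
    cells += struct.pack("<i", free_len) + stale.ljust(free_len - 4, b"\x00")
    hbin = b"hbin" + struct.pack("<II", 0, 4096) + b"\x00" * 20 + cells
    return b"regf".ljust(HEADER_SIZE, b"\x00") + hbin


def free_cells(hive):
    """Yield (offset, payload) for every unallocated cell. A cell starts with an
    int32 size that is negative while allocated and positive once freed."""
    pos = HEADER_SIZE
    while pos + 32 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if hbin_size < 32:
            break                                       # malformed hbin header
        end = min(pos + hbin_size, len(hive))
        cell = pos + 32
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0 or cell + abs(size) > end:
                break                                   # corrupt cell chain
            if size > 0:
                yield cell, hive[cell + 4:cell + size]
            cell += abs(size)
        pos = end


def carve_unallocated_strings(hive):
    """Return (cell offset, text) for UTF-16LE strings found only in free cells:
    hits here come from within the hive's own bins, not from file slack."""
    hits = []
    for off, payload in free_cells(hive):
        for m in UTF16_RUN.finditer(payload):
            hits.append((off, m.group().decode("utf-16-le")))
    return hits
```

Strings whose bytes straddle a cell boundary or use non-ASCII characters are not matched by this simple pattern; a hit that EnCase reports but this carve does not is therefore more likely to sit in file slack or be split across cells.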