The registry and Proof of usage


youcefb9
Member
 

The registry and Proof of usage

Post Posted: Nov 03, 05 17:47

Hi,
How can we prove that a particular application was used, using Windows Registry analysis?

For instance, a user installed an IM app (like Kazaa), used it, and then uninstalled it. The uninstall left some keys in the registry which could be used to prove that the user did install the application, but how can we push the assumption further and prove that he did indeed use it?

I've tried to look for traces in the following keys, but to no avail:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe

Any other pointers that may help? (I am interested in the registry only and not the file system.)

regards

youcef  
 
  

sachin
Member
 

Re: The registry and Proof of usage

Post Posted: Nov 03, 05 18:01

Have you tried collecting information about the MRU / RunMRU?
I don't know whether it will serve your purpose...
_________________
sachin 
 
  

keydet89
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 03, 05 19:23

youcefb9,

It might be helpful if you could provide more information.

First off, specifically which application was used? Include not only the name, but the version number, as well. This is important, and may make a significant difference.

Second, which operating system (i.e., which version of Windows) are we talking about?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

ASHAY
Newbie
 

Re: The registry and Proof of usage

Post Posted: Nov 04, 05 02:09

I do not think it is prudent just to isolate the Registry as a possible source of history. As Harlan mentioned, it is essential that you elaborate on which OS you are examining, as a variety of OSes have differing artefacts.
 
  

youcefb9
Member
 

Re: The registry and Proof of usage

Post Posted: Nov 04, 05 03:52

The application in question is Kazaa v3.0 and the OS is Win2k SP4 (latest patch).
Sachin, can you tell me exactly which keys you are referring to as MRU / RunMRU?


regards

youcef  
 
  

ASHAY
Newbie
 

Re: The registry and Proof of usage

Post Posted: Nov 04, 05 05:34

Kazaa uses .dbb files to maintain records of what has been available for sharing via the program. It does not necessarily mean that the user was sharing; it is merely the repository for files that could have been available.

If you are using forensic software, select the whole case, sort by file extension and ascertain whether you have files similar or equal to 1024.dbb or 2048.dbb. If you find the files you will need some software like Kazalyser to correctly output the information.

If you do not find the files, try searching across the UC for 'My Shared Folder' and make sure you do this in Unicode also. If this fails, try doing a text search for 1331 (without quotes), which is the Record Signature.
 
  

youcefb9
Member
 

Re: The registry and Proof of usage

Post Posted: Nov 04, 05 16:18

Thanks, everyone, for your feedback.

For your info, I managed to gather the evidential material of usage by just looking at the registry. The mystery key was HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

The trick is that all entries in this key are ROT13 encrypted; that's why doing a search on the keyword "kazaa" wouldn't return anything useful.


regards

youcef  
 
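The decoding step youcef describes, as an added example that is not part of the original thread and not a tool written by any of the posters: a small Python script that ROT13-decodes UserAssist value names, unpacks the session / run-count / last-run FILETIME data stored under the `Count` subkeys, and searches the decoded names for a program. The two GUID subkeys are the ones found on Windows 2000/XP; the "run counter starts at 5" offset is documented for XP and is applied here to the Win2k case as an assumption; the sample value names and data are constructed to look like real entries and do not come from a real hive.

```python
"""Decode Windows 2000/XP UserAssist entries and look for evidence that a
program (Kazaa here) was actually run, not merely installed.

Added example, not from the thread. Sample value names and data in
sample_entries() are constructed, not taken from a real NTUSER.DAT.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Key holding the UserAssist data; the GUID subkeys are the two seen on
# Windows 2000/XP. Value names under ...\{GUID}\Count are ROT13-encoded.
USERASSIST_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
USERASSIST_GUIDS = (
    "{75048700-EF1F-11D0-9888-006097DEACF9}",  # program / shortcut launches
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}",  # Internet Explorer toolbar buttons
)

# Assumption: the run counter starts at 5 (documented for Windows XP; applied
# here to the Win2k case too), so subtract 5 to get the number of launches.
COUNT_OFFSET = 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(s: str) -> str:
    """UserAssist value names are ROT13-obfuscated; ROT13 is its own inverse."""
    return codecs.decode(s, "rot_13")


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_entry(raw_name: str, data: bytes) -> dict:
    """Decode one value. The 16-byte data layout on 2000/XP is
    <session id:u32><run count:u32><last run FILETIME:u64>, little-endian.
    Shorter data (e.g. the UEME_CTLSESSION bookkeeping value) is kept with
    the decoded name but without count/time rather than mis-parsed."""
    entry = {"raw_name": raw_name, "name": rot13(raw_name),
             "session": None, "run_count": None, "last_run": None}
    if len(data) >= 16:
        session, count, ft = struct.unpack_from("<IIQ", data, 0)
        entry.update(session=session,
                     run_count=max(count - COUNT_OFFSET, 0),
                     last_run=filetime_to_datetime(ft))
    return entry


def find_program_runs(entries, keyword: str):
    """Match on the *decoded* names: a hive search for 'kazaa' finds nothing."""
    kw = keyword.lower()
    return [e for e in entries if kw in e["name"].lower()]


def report(entries, keyword="kazaa"):
    """(decoded name, run count, last run as ISO 8601) for every match."""
    return [(e["name"], e["run_count"],
             e["last_run"].isoformat() if e["last_run"] else None)
            for e in find_program_runs(entries, keyword)]


def sample_entries():
    """Constructed sample (not a real hive): a Count subkey after Kazaa 3.0
    was launched three times, last on 2005-11-03, plus unrelated entries."""
    last = datetime(2005, 11, 3, 17, 47, tzinfo=timezone.utc)
    kazaa = struct.pack("<IIQ", 5, COUNT_OFFSET + 3, datetime_to_filetime(last))
    notepad = struct.pack("<IIQ", 5, COUNT_OFFSET + 12,
                          datetime_to_filetime(last - timedelta(days=2)))
    return [
        # UEME_CTLSESSION: bookkeeping value with 8 bytes of data, no run count
        ("HRZR_PGYFRFFVBA", b"\x00" * 8),
        # UEME_RUNPATH:C:\Program Files\Kazaa\kazaa.exe
        (r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Xnmnn\xnmnn.rkr", kazaa),
        # UEME_RUNPIDL:%csidl2%\Kazaa Media Desktop.lnk
        (r"HRZR_EHACVQY:%pfvqy2%\Xnmnn Zrqvn Qrfxgbc.yax", kazaa),
        # UEME_RUNPATH:C:\WINNT\system32\notepad.exe
        (r"HRZR_EHACNGU:P:\JVAAG\flfgrz32\abgrcnq.rkr", notepad),
    ]


def iter_userassist_live():
    """Yield (value name, data) from the live HKCU hive. Windows only; for an
    image, export the values from NTUSER.DAT and feed parse_userassist_entry."""
    import winreg  # standard library, Windows only
    for guid in USERASSIST_GUIDS:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                 USERASSIST_PATH + "\\" + guid + "\\Count")
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                yield name, data


if __name__ == "__main__":
    parsed = [parse_userassist_entry(n, d) for n, d in sample_entries()]
    for row in report(parsed):
        print(row)
```

The run count and the last-run timestamp together are what turn "installed" into "used": a decoded `UEME_RUNPATH:...\kazaa.exe` with a count above zero and a FILETIME inside the period of interest is direct evidence of execution, which the uninstall does not remove. Work from the NTUSER.DAT in the image rather than a live box, and note the LastWrite time of the `Count` subkey itself as a second, independent timestamp to corroborate the decoded one.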
