The registry and Proof of usage

(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

Hi,
How can we prove that a particular application was used, using Windows Registry analysis?

For instance, a user installed an IM app (like Kazaa), used it, and then uninstalled it. The uninstall left some keys in the registry which could be used to prove that the user did install the application, but how can we push the assumption further and prove that he did indeed use it?

I've tried to look for traces in the following keys but to no avail:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe

Any other pointers that may help? (I am interested in the registry only and not the file system.)

regards

youcef

 
Posted : 03/11/2005 4:47 pm
sachin
(@sachin)
Posts: 28
Eminent Member
 

Have you tried collecting information about the MRU / RunMRU keys?
I don't know whether it will serve your purpose...

 
Posted : 03/11/2005 5:01 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

youcefb9,

It might be helpful if you could provide more information.

First off, specifically which application was used? Include not only the name, but the version number, as well. This is important, and may make a significant difference.

Second, which operating system (ie, which version of Windows) are we talking about?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 03/11/2005 6:23 pm
(@ashay)
Posts: 6
Active Member
 

I do not think it is prudent just to isolate the Registry as a possible source of history. As Harlan mentioned, it is essential that you elaborate on which OS you are examining, as a variety of OSs have differing artefacts.

 
Posted : 04/11/2005 1:09 am
(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

The Application in question is Kazaa v3.0 and the OS is Win2kSp4 (latest patch).
Sachin, can you tell me exactly which keys you are referring to as MRU / RunMRU?

regards

youcef

 
Posted : 04/11/2005 2:52 am
(@ashay)
Posts: 6
Active Member
 

Kazaa uses dbb files to maintain records of what has been available for sharing via the program. It does not necessarily mean that the user was sharing; it is merely the repository for files that could have been available.

If you are using forensic software, select the whole case, sort by file extension and ascertain whether you have files similar or equal to 1024.dbb or 2048.dbb. If you find the files you will need some software like Kazalyser to correctly output the information.

If you do not find the files, try searching across the UC for 'My Shared Folder' and make sure you do this in Unicode also. If this fails, try doing a text search for '1331' without quotes, which is the Record Signature.

 
Posted : 04/11/2005 4:34 am
(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

Thanks everyone for their feedback.

For your info, I managed to gather the evidential material of usage by just looking at the registry. The mystery key was HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

The trick is that all entries in this key are ROT13 encrypted; that's why doing a search on the keyword "kazaa" wouldn't return anything useful.

regards

youcef

 
Posted : 04/11/2005 3:18 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

youcefb9,

Have you been able to determine what conditions cause an entry to be made beneath either UserAssist key?

 
Posted : 08/11/2005 10:24 pm
mark777
(@mark777)
Posts: 101
Estimable Member
 

If you look in the registry files for the specific user you should see Kazaa details in there (under Software, if I remember right) in clear language. This will tell you a massive amount of data, including the settings for downloads and uploads etc., the default shared folder and any others shared by the user, and, if you are lucky enough to have the right version of Kazaa, the last twenty search terms used by the user. It will also give you the username used, the e-mail address given, etc. It won't tell you what you want (i.e. yes, it was used), but if he has changed his download and upload settings from the default and there are search terms, it is a good pointer that it was.

Hope this helps a little bit.

 
Posted : 09/11/2005 7:34 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Hi all,

The keys mentioned in the post piqued my interest as I hadn't
visited them before and wasn't aware of what they contained.

For those in the same boat here is an interesting link.
http://www.utdallas.edu/~jeremy.bryan.smith/articles/explorer_spy.html

Does anyone know if each entry is timestamped, in effect letting an examiner know when the file, URL, link, etc. was accessed, and is there a utility that can decode the keys and export them into a file to make viewing easier?

While examining the keys I essentially decoded them one at a time, which obviously isn't practical.

Andrew-

 
Posted : 09/11/2005 6:03 pm