Monday, 2 June 2008

Install dates and shutdown times found in the registry

My friend Chris over at Cy4or told me about a case recently where a suspect had stated that he repeatedly had problems with his OS (XP) that he resolved by formatting and re-installing.

Chris was tasked with looking for evidence of this and came up with searching for the Install Date registry key in live (Software hive and restore points) registry files and within unallocated clusters. This proved to be a neat idea because a number of different Install Dates were located.

In encase the GREP \x04\x00\x00\x00\x01\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x61\x74\x65 finds the Install Date string and just prior to this can be seen a Unix 32 bit date which when decoded is the Install Date. On all our test boxes this was consistent- your mileage may vary.



We also looked at whether the same method would locate multiple shutdown times but found that the shutdown time at HKLM\System\Current Control set\Control\Windows\ShutdownTime stored as a 64 bit Windows File Time is often not co-located with the ShutdownTime string.

Whilst looking at this we did find that the registry key HKLM\System\Current Control set\Control\Watchdog\Display\ShutdownCount was exactly what it says on the tin - it maintains a count of the number of times the OS has been shutdown.

4 comments:

H. Carvey said...

Assuming that the string you're looking for is the Registry value name, I'd like to suggest the following reference:

http://home.eunet.no/pnordahl/ntpasswd/WinReg.txt

Look for the heading "Der vk-Record".

Based on this, the value of 0x04 is the type of the data, which as we would expect for a 32-bit Unix time_t value, is a DWORD. However, the DWORD preceding that is the offset to the data, rather than the value data itself. That offset is computed from the beginning of the first hbin block in the hive file.

While that DWORD does translate into a time value, it may not be a correct assumption that it is the actual Install Date.

H. Carvey said...

Hey, thanks for mentioning the ShutDownCount value...I've created a plugin and added it to RegRipper...

ForensicGod said...

Ran this on a box with a mixture of Win 2000, XP and Vista and used a slightly modified GREP

\x04\x00\x00\x00\x01\x00\x69\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x61\x74\x65

DC1743 said...

The link Harlan posted is now changed to
http://pogostick.net/~pnh/ntpasswd/WinReg.txt