5. NTFS last access time on/off
The Misconception: One common misconception about last access timestamps is that they solely indicate the last time a file was opened or accessed by a user. However, this oversimplification overlooks the fact that these timestamps can be updated for reasons other than user interaction. For instance, a file may have its last access timestamp modified simply by being "touched" by the system, without any actual opening or viewing by a user.
Variables Impacting Last Access Timestamps: Several variables can impact the accuracy and reliability of last access timestamps. One significant factor is the operating system's settings.
For instance, Microsoft disabled updates to last access timestamps in Windows Vista and subsequent versions for NTFS file systems to enhance performance. However, it's crucial to note that this setting only affects NTFS file systems, while other file systems like ExFAT and FAT continue to update access timestamps normally.
Granularity and Enabling Last Access Timestamps: Last access timestamps typically have a loose granularity, often accurate only to within one hour. Users can choose to enable last access timestamps if needed for applications that rely on them. However, enabling this feature may come with performance implications and should be considered carefully based on the specific forensic scenario.
Importance in Forensic Analysis: Despite their limitations, They can help investigators determine when files were accessed by the system, shedding light on user activity and potential evidence trails.
System Hive:
SYSTEM\CurrentControlSet\Control\FileSystem
Cmd :
reg query HKLM\System\ CurrentControlSet\Control\Filesystem
6: Network interfaces:
This key contains a plethora of invaluable details, including TCP/IP configurations, IP addresses, gateways, and DHCP-related information. For machines configured with DHCP, it reveals the assigned IP address, subnet mask, and DHCP server's IP address.
Significance in Forensic Investigations: Network interface information plays a crucial role in cases involving network-based evidence. It provides investigators with essential insights into how a system was connected to a network—be it wired, wireless, 3G, or Bluetooth. Moreover, the interface GUID serves as a valuable identifier for correlating additional network profile data stored in registry keys, enhancing the depth of investigation.
Exploring Historical IP Information: On Windows 7 through Windows 10 systems, multiple subkeys under each interface provide historical IP information. These records, stemming from DHCP assignments, offer insights into previous IP address assignments. While not exhaustive, they contribute valuable context to investigative analyses. The last connected IP for each interface is particularly noteworthy, as it relates to the parent GUID key.
System Hive:
SYSTEM\CurrentContro1Set\Services\Tcpip\Parameters\Interfaces
Cmd:
reg query HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces
usefulness
• Lists network interfaces of the machine
• Can determine whether machine has a static IP address or whether it is configured
by DHCP
• Ties machine to network activity that was logged
• Obtain interface GUID for additional profiling in network connections
7. Historical network-network list keys:
Understanding NLA Functionality: NLA operates by aggregating network information for each network interface a PC is connected to and generating a globally unique identifier (GUID) for each network. These identifiers, known as network profiles, facilitate the application of appropriate firewall rules based on the network's characteristics. For instance, different firewall profiles may be applied for public, home, or managed networks, allowing for tailored security configurations
Forensic Significance of NLA: From a forensic standpoint, NLA presents a wealth of valuable information. By accessing NLA records, investigators can obtain a list of all networks a machine has ever connected to, identified by their DNS suffixes. This capability is instrumental in identifying intranets and external networks, offering crucial context for investigative analysis.
Geo-Location Insights: One of the most compelling aspects of NLA for forensic investigators is its potential to provide geo-location insights. By examining the networks a device has connected to and the associated timestamps, investigators can infer the geographical locations where the device has been used. This information can be pivotal in reconstructing timelines, establishing alibis, or corroborating witness statements in digital investigations
Registry Details: NLA-related information is primarily stored in the Windows Registry under specific locations:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
SOFTWARE\Microsoft\ Windows NT\ CurrentVersion \NetworkList\Signatures\ Unmanaged
SOFTWARE\Microsoft\ Windows NT\ CurrentVersion \NetworkList\Signatures\Managed
Historical data, including connection times, can be found under the Cache key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Utilizing ProfileGuid: One challenge in NLA analysis is determining the first and last time a network was connected to. Investigators can overcome this obstacle by leveraging the ProfileGuid, a unique identifier associated with each network, and mapping it to connection times stored in the Registry. Write down profile GUID
Usefulness
• Identifying intranets and networks that a computer has connected to is incredibly important
• First and last time a network connection was made
• This will also list any networks that have been connected to via a VPN
• MAC Address of SSID for Gateway could be physically triangulated
Will Continue on next post................
Akash Patel
Comments