We just got back from the amazing Open Source Digital Forensics Conference in Chantilly, VA (the greater, greater D.C. area). It was great fun with some amazing talks. 504ENSICS Co-Founder, Dr. Lodovico Marziale, gave a talk entitled “Advanced Registry Forensics with Registry Decoder,” in front of a packed house.
The talk focused on some interesting investigative techniques that Registry Decoder (RD) supports. By managing several “sets” of registry files in one framework, we can perform two types of analysis that are difficult or impossible with other tools. By loading the current set of registry files along with backups from either restore points or volume shadow copies from a single machine, we can determine changes to a system over time. For example, by searching for artifacts of some specific malware infection across several sets of registry files from a single machine, we can determine a range of dates when that malware hit the system. Similarly, we can use this type of analysis to determine software usage patterns (with UserAssist), historical document accesses (with MRU lists), changes to firewall settings, new services installed, and a wealth of other fun artifacts. Another type of analysis we can perform makes use of sets of registry files from several machines in some infrastructure. Using these, when we conduct the same search as above for some artifact of a malware infection, we can now determine how far it has spread. Similarly, we could leverage USBSTOR info to determine which machines in a network have had the same USB drive inserted, or MRU lists to determine shared access to documents. These types of analysis can also be useful for comparing the state of a system now with a copy of the originally distributed system image, to focus analysis only on changes since the machine was put into service. In all, I think some folks found it interesting, which is nice.
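The two comparisons described above (one machine across time, and one artifact across a fleet), written out as a small added example. This is my own illustration, not Registry Decoder's code or anything from the talk; the hive contents, dates and hostnames are constructed, and each "set" of registry files is reduced to the key paths it contains.

```python
from datetime import date

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
USB = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed sample data: one machine's sets of registry files (live hives,
# a restore point, a VSS copy), each tagged with the date it was captured.
HOST_SNAPSHOTS = {
    date(2012, 9, 1):  {f"{SVC}\\Tcpip", f"{RUN}\\OneDrive"},
    date(2012, 9, 15): {f"{SVC}\\Tcpip", f"{RUN}\\OneDrive"},
    date(2012, 10, 2): {f"{SVC}\\Tcpip", f"{RUN}\\OneDrive", f"{RUN}\\updater"},
}

# Constructed sample data: one current set per machine across an infrastructure.
FLEET = {
    "ws01": {f"{RUN}\\updater", f"{USB}\\Disk&Ven_Kingston&Prod_DataTraveler"},
    "ws02": {f"{USB}\\Disk&Ven_Kingston&Prod_DataTraveler"},
    "ws03": {f"{RUN}\\updater"},
}


def first_seen_window(snapshots, artifact):
    """Bound when an artifact appeared on one machine.

    Returns (last_date_absent, first_date_present). last_date_absent is None
    when the artifact already exists in the oldest set; the result is None
    when the artifact is never seen in any set.
    """
    last_absent = None
    for when in sorted(snapshots):
        if artifact in snapshots[when]:
            return (last_absent, when)
        last_absent = when
    return None


def hosts_with(fleet, artifact):
    """Which machines carry the artifact (a malware Run entry, a USB device key, an MRU entry)."""
    return sorted(host for host, keys in fleet.items() if artifact in keys)


def changed_since(baseline, current):
    """Keys added and removed relative to a gold image or an earlier set."""
    return sorted(current - baseline), sorted(baseline - current)
```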
Mad thanks to Brian Carrier and the folks at Basis for putting it on – can’t wait for next year!