Saturday, March 8, 2014

Daily Blog #259: Sunday Funday 3/9/14

Hello Reader,
      The fun of forensics is discovering new artifacts that were always there, just previously unknown or inaccessible. If you watched the Forensic Lunch you heard Mark Spencer talk about Registry Recon and my questions about how it functions. Let's see how well you understood the answer and what's possible in this week's Sunday Funday challenge.

The Prize:
A 32GB USB3 Kanguru thumbdrive w/ write protection loaded with our Multiboot Image



The Rules:
  1. You must post your answer before Monday 3/10/14 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
The idea of recovering deleted registry entries from within a registry hive is well known and implemented well in Harlan's Perl scripts and in YARA. To show your understanding of what Mark Spencer and his team discovered, answer the following questions:

1. How is it possible that Registry Recon can recover deleted registry entries from unallocated space?
2. Where do these recoverable registries come from?
3. What additional analysis points can you determine from these recoverable keys?
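To make concrete the "well known" in-hive technique that the challenge contrasts with Registry Recon's approach, here is an added example (not code from this post, from Harlan's scripts, or from Registry Recon) that carves deleted key records out of the free cells of a hive. It relies on two documented facts about the hive format: every cell starts with a signed 32-bit size, negative when allocated and positive when free, and Windows marks a deleted cell free without wiping its contents, so the old "nk" record (key name and last-write FILETIME) usually survives until the cell is reused. The hive, key names, and timestamps below are constructed in-memory for the example and are not real data; this answers nothing about the unallocated-disk-space questions above, it only shows the baseline the challenge builds on.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed example: a minimal registry hive (regf base block + one hbin)
# and a carver that reports "nk" records found inside free cells.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NK_FIXED_LEN = 0x4C        # fixed part of an nk record; the name starts at 0x4C
KEY_COMP_NAME = 0x20       # nk flag: name stored as 8-bit chars, not UTF-16


def dt_to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_dt(ft):
    """Windows FILETIME -> UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_nk(name, last_write):
    """Build an nk record with only the fields the carver reads filled in."""
    rec = bytearray(NK_FIXED_LEN)
    rec[0:2] = b"nk"
    struct.pack_into("<H", rec, 0x02, KEY_COMP_NAME)
    struct.pack_into("<Q", rec, 0x04, dt_to_filetime(last_write))
    struct.pack_into("<H", rec, 0x48, len(name))
    return bytes(rec) + name


def make_cell(payload, allocated):
    """Wrap a record in a cell: 4-byte signed size, total rounded up to 8."""
    size = (len(payload) + 4 + 7) & ~7
    body = payload + b"\x00" * (size - 4 - len(payload))
    return struct.pack("<i", -size if allocated else size) + body


def build_sample_hive():
    """Constructed hive: one live key, then a free cell holding two old keys."""
    utc = timezone.utc
    live = make_cell(build_nk(b"LiveKey", datetime(2014, 3, 9, 8, 0, tzinfo=utc)), True)
    # Two freed cells coalesced into one free cell, as happens when neighbouring
    # cells are freed: the second old record sits 96 bytes into the free cell.
    old1 = make_cell(build_nk(b"DeletedKey", datetime(2014, 3, 8, 12, 0, tzinfo=utc)), False)
    old2 = make_cell(build_nk(b"OlderKey", datetime(2013, 11, 1, 9, 30, tzinfo=utc)), False)
    coalesced = struct.pack("<i", len(old1) + len(old2)) + old1[4:] + old2
    body = live + coalesced
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 0x08, len(hbin))          # hbin size
    hbin[0x20:0x20 + len(body)] = body
    # the remainder of the hbin is one large free cell of zeros
    struct.pack_into("<i", hbin, 0x20 + len(body), len(hbin) - 0x20 - len(body))
    base = bytearray(4096)
    base[0:4] = b"regf"
    struct.pack_into("<I", base, 0x28, len(hbin))          # hive bins data size
    return bytes(base) + bytes(hbin)


def parse_nk(hive, off, limit):
    """Parse the nk record at off; return (name, last_write, off) or None."""
    flags, = struct.unpack_from("<H", hive, off + 0x02)
    ft, = struct.unpack_from("<Q", hive, off + 0x04)
    name_len, = struct.unpack_from("<H", hive, off + 0x48)
    # plausibility checks weed out stray "nk" bytes that are not a record
    if name_len == 0 or off + NK_FIXED_LEN + name_len > limit:
        return None
    raw = hive[off + NK_FIXED_LEN: off + NK_FIXED_LEN + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le", "replace")
    return name, filetime_to_dt(ft), off


def carve_unallocated_keys(hive):
    """Walk every hbin and return nk records found inside free (positive-size) cells."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive")
    hbins_size, = struct.unpack_from("<I", hive, 0x28)
    found = []
    off = 4096
    while off < 4096 + hbins_size and hive[off:off + 4] == b"hbin":
        hbin_size, = struct.unpack_from("<I", hive, off + 0x08)
        cell, hbin_end = off + 0x20, off + hbin_size
        while cell + 4 <= hbin_end:
            size, = struct.unpack_from("<i", hive, cell)
            if size == 0:
                break
            if size > 0:
                # free cell: check every 8-aligned record slot, not just the
                # first, because coalesced free cells can hold several old records
                p = cell + 4
                while p + NK_FIXED_LEN <= cell + size:
                    if hive[p:p + 2] == b"nk":
                        rec = parse_nk(hive, p, cell + size)
                        if rec:
                            found.append(rec)
                    p += 8
            cell += abs(size)
        off = hbin_end
    return found


if __name__ == "__main__":
    for name, ts, off in carve_unallocated_keys(build_sample_hive()):
        print(f"{off:#08x}  {ts.isoformat()}  {name}")
```

Run it and the live key is ignored while both records in the coalesced free cell come back with their last-write times; on a real hive, pass the file contents in place of `build_sample_hive()`. The point to carry into the challenge is the limit of this method: it only ever sees free cells inside the hive file you have in hand, and it loses a record as soon as the cell is reused.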