Daily Blog #495: Forensic Lunch Test Kitchen 10/2/18 - ObjectID Testing and Research

Forensic Lunch Test Kitchen 10/2/18 - ObjectID Testing and Research by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
          Another night, another test kitchen. Tonight we continued our ObjectID testing and research to see if sequence numbers would reliably increment on reboots allowing us to find evidence of changes to the system clock and in what actual order files were created (windows 10) or opened (all other windows). Here is the summary of what we learned:


  • Sequence numbers are set in the Software registry under SOFTWARE\Microsoft\RPC\UUIDSequenceNumber
  • Windows.old backups now appear to include the users directory and are deleted after a week by a scheduled task
  • Sequence numbers will increment on each reboot, irregardless of timeset
  • Sequence numbers can jump and then settle back on the original sequence, working to understand how and why

You can watch the broadcast here:


Also Read: Daily Blog #494

Post a Comment