Tuesday, October 9, 2018

Daily Blog #502: Forensic Lunch Test Kitchen 10/9/18

Hello Reader,
           Another night of testing on the test kitchen! This evening we revisited the TypedPaths key and registry transaction logs, as Maxim Suhanov pointed out that I did not wait a full 60 seconds; instead I just let the clock roll over to the next minute. The timing is important, as transaction logs are written 60 seconds after the change occurred, and I had assumed that was every 60 seconds, not 60 seconds since the change. To rectify this error I made a timer in Windows 10 for 90 seconds to make sure that between each action I left enough time for the system to record the change.

The only real variable left now is that I'm doing this in a VM; when this is all done I'll do it on the host OS as well to make sure there are no differences.

Here is what we learned:

  • The TypedPaths key is not being deleted and recreated; the individual keys appear to be overwritten
  • Looking into the slack space of the registry value for the entries, you can see the end of the prior TypedPaths entry if it was longer than the replacement value
  • If a TypedPaths entry (url followed by a number) isn't present in the data overwriting the key, then the leftover values are deleted
  • The deleted values can be recovered and seen in yarp
  • The overwritten values cannot be seen in yarp, even though my assumption was that the transaction logs would contain them
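If you want to repeat this test yourself, the following PowerShell script is an added example (not from the original post or the Forensic Lunch test kitchen) that automates the timing discipline described above: it snapshots the TypedPaths values, waits the 90 seconds the post uses as a margin over the 60-second transaction log delay, snapshots again, and reports which url values were added, deleted or overwritten. It assumes the key lives at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths and that the value names start with "url"; the slack-byte estimate is only an upper bound derived from the post's observation that a shorter replacement can leave the tail of the old string behind.

```powershell
# Added example, not the post's own code. Snapshot Explorer's TypedPaths
# values before and after an action, waiting long enough for the registry
# transaction log to be written (the post observed ~60 s after the change;
# 90 s is used here as a margin, matching the post's timer).
$TypedPaths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'

function Get-TypedPathsSnapshot {
    # Returns an ordered hashtable of value name -> string data (url1, url2, ...).
    $snap = [ordered]@{}
    $item = Get-ItemProperty -Path $TypedPaths -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        foreach ($p in $item.PSObject.Properties) {
            # Assumption: the values of interest are named url<number>.
            if ($p.Name -like 'url*') { $snap[$p.Name] = [string]$p.Value }
        }
    }
    return $snap
}

function Compare-TypedPathsSnapshot {
    param(
        [System.Collections.IDictionary]$Before,
        [System.Collections.IDictionary]$After
    )
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $b = $Before[$n]
        $a = $After[$n]
        if ($null -eq $b) {
            "{0}: ADDED       '{1}'" -f $n, $a
        }
        elseif ($null -eq $a) {
            "{0}: DELETED     (was '{1}')" -f $n, $b
        }
        elseif ($a -ne $b) {
            # REG_SZ data is UTF-16LE, so if the replacement is shorter, up to
            # (old length - new length) * 2 bytes of the old string may survive
            # in the value's slack (per the post's observation). This is an
            # upper bound, not a guarantee that the cell was reused in place.
            $slackBytes = [Math]::Max(0, $b.Length - $a.Length) * 2
            "{0}: OVERWRITTEN '{1}' -> '{2}' (up to {3} bytes of old data may remain in slack)" -f $n, $b, $a, $slackBytes
        }
    }
}

$before = Get-TypedPathsSnapshot
Write-Host "Baseline captured ($($before.Count) url values)."
Write-Host "Perform the action under test now (e.g. type a path into Explorer's address bar)."
Write-Host "Waiting 90 seconds so the transaction log has time to be written..."
Start-Sleep -Seconds 90
$after = Get-TypedPathsSnapshot
Compare-TypedPathsSnapshot -Before $before -After $after
```

Run it once per action so every change gets its own 90-second window; the live-registry view shows which values were overwritten or deleted, and the hive and its .LOG files can then be examined in yarp to see which of those changes the transaction logs actually preserved.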
I'll be uploading the registry hives to the GitHub page tomorrow.

You can watch the video here: