Daily Blog #497: Forensic Lunch Test Kitchen 10/4/18 - TypedPaths Overwrite Mystery and $OBJID:$O Parser

Hello Reader,

        Another test kitchen! Tonight we went back to the TypedPaths overwrite mystery while Matthew finishes his $OBJID:$O parser to show tomorrow on the Forensic Lunch. We got YARP installed on our Windows 10 test VM and performed the same test as before: opening multiple File Explorer windows, navigating to unique paths, and watching the TypedPaths key get overwritten. We then extracted the registry hives and parsed them with YARP in an attempt to find the previously written TypedPaths values.

Here is what we learned:

  • YARP has a series of new utility scripts; we used yarp-print and yarp-timeline
  • YARP will automagically attempt to find and replay any transaction logs in the same directory as the registry file you opened
  • YARP did not find the prior TypedPaths values

More testing next week, make sure to tune into the Forensic Lunch tomorrow!

Here is the video:

