Daily Blog #501: Forensic Lunch Test Kitchen 10/8/18 - Registry Transaction Logs

Registry Transaction Logs by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
           It's Monday and it's time for another test kitchen! Tonight I tested Maxim Suhanov's assertion that waiting 60 seconds would allow the changes I made to the registry by closing file explorer would allow the transaction logs to be written to. So I did that test and even waited two minutes prior to exiting.

Here is what we learned:

  • After waiting two minutes between closing the two file explorer windows the live registry showed the second windows entries. The transaction logs and registry showed the first windows entries but no record of the second.
  • Re-extracting the registry from the disk a few minutes later cause the second windows entries to show up, but the first windows entries were lost again
  • Parsing the registry without the transaction logs does not show either windows changes initially, but did after the second registry extraction
More to test, more to learn! 

You can watch the video below:

Also Read: Daily Blog #500

Post a Comment