Solved

Windows Registry tcp ip forensics

Posted on 2014-03-11
2
2,115 Views
Last Modified: 2014-03-14
Does anyone know of way to find dns entries and/or ip connection history within offline registry files?

I am try to find some information on someone that gained remote access to a computer via social engineering and caused some considerable damage.
0
Comment
Question by:Vontech615
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 150 total points
ID: 39920447
Place to start is event viewer -> security and look for remote connections which come from an outside ip address.
But how to find data about altering offline registry files sounds like a no go unless you have captured all network traffic during this attack.
0
 
LVL 64

Accepted Solution

by:
btan earned 350 total points
ID: 39928240
assuming only the registry hive then probably couple of areas to check is the
a) s/w last ran (what types of files or applications have been accessed on a particular system),
b) wireless connections (determine if a user connected to specific wireless access point, the timeframe, and their IP address they were assigned by the DHCP server),
c) LAN PC connected (determining whether or not a user was connected to certain computers or belonged to a specific LAN),
d) USB - to see USB device whether or not has been connected to other Windows systems and may lead where other possible area this device is reused etc (data exfiltration etc ),
e) Web trails (use of p2p and browser)

http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

Nice summary in pdf here too

Some useful tools such as Regdecoder and Regripper
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
The viewer will learn how to successfully download and install the SARDU utility on Windows 8, without downloading adware.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question