Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Windows Registry tcp ip forensics

Posted on 2014-03-11
2
Medium Priority
?
2,338 Views
Last Modified: 2014-03-14
Does anyone know of way to find dns entries and/or ip connection history within offline registry files?

I am try to find some information on someone that gained remote access to a computer via social engineering and caused some considerable damage.
0
Comment
Question by:Vontech615
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 600 total points
ID: 39920447
Place to start is event viewer -> security and look for remote connections which come from an outside ip address.
But how to find data about altering offline registry files sounds like a no go unless you have captured all network traffic during this attack.
0
 
LVL 65

Accepted Solution

by:
btan earned 1400 total points
ID: 39928240
assuming only the registry hive then probably couple of areas to check is the
a) s/w last ran (what types of files or applications have been accessed on a particular system),
b) wireless connections (determine if a user connected to specific wireless access point, the timeframe, and their IP address they were assigned by the DHCP server),
c) LAN PC connected (determining whether or not a user was connected to certain computers or belonged to a specific LAN),
d) USB - to see USB device whether or not has been connected to other Windows systems and may lead where other possible area this device is reused etc (data exfiltration etc ),
e) Web trails (use of p2p and browser)

http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

Nice summary in pdf here too

Some useful tools such as Regdecoder and Regripper
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Detailed instructions on how to install an Access add-in in recent versions of Office and Windows (with screen shots)
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question