Solved

Windows Registry TCP/IP forensics

Posted on 2014-03-11
Last Modified: 2014-03-14
Does anyone know of a way to find DNS entries and/or IP connection history within offline registry files?

I am trying to find some information on someone who gained remote access to a computer via social engineering and caused some considerable damage.
Question by: Vontech615
Assisted Solution by: Patricksr1972
A place to start is Event Viewer -> Security; look for remote connections that come from an outside IP address.
But finding data about altering offline registry files sounds like a no-go unless you have captured all network traffic during this attack.
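The answer above points at the Security event log as the place where an inbound connection's source address is actually recorded; the registry does not keep the remote peer's IP. As an added example (not part of the thread), the following PowerShell pulls remote logons out of a Security.evtx exported from the compromised machine and keeps only those whose source address is not local or RFC 1918. The evidence path and the private-range regex are placeholders to adjust for the victim's LAN.

```powershell
# Added example, not from the original thread. Parses an OFFLINE Security.evtx
# (copied from the evidence image) and lists successful/failed logons that
# arrived over the network or RDP from a non-local address.
# Assumption: C:\evidence\Security.evtx is a placeholder path; $PrivateRegex is
# a placeholder for whatever ranges count as "internal" on the victim network.
param(
    [string]$SecurityLog  = 'C:\evidence\Security.evtx',
    [string]$PrivateRegex = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'
)

# 4624 = successful logon, 4625 = failed logon.
# LogonType 10 = RemoteInteractive (RDP), 3 = Network (SMB, WinRM, RPC ...).
# Both event IDs carry the caller's address in the IpAddress field of EventData.
$xpath = "*[System[(EventID=4624 or EventID=4625)] and " +
         "EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]"

$events = Get-WinEvent -Path $SecurityLog -FilterXPath $xpath -ErrorAction Stop

$rows = foreach ($ev in $events) {
    # Flatten <Data Name="..."> elements into a hashtable keyed by field name.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $ip = $d['IpAddress']
    # Drop entries with no address ('-' or empty) and anything matching the local ranges;
    # what is left came from outside the victim's network.
    if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-') { continue }
    if ($ip -match $PrivateRegex) { continue }

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        EventId   = $ev.Id
        Result    = if ($ev.Id -eq 4624) { 'success' } else { 'failure' }
        LogonType = $d['LogonType']
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        SourceIp  = $ip
        SourcePc  = $d['WorkstationName']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Run it with `.\Get-RemoteLogons.ps1 -SecurityLog <path>` (script name is arbitrary). If the log has rolled over, the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log (event 1149) is a second, independent record of RDP source addresses; and if the intruder used a third-party remote-control tool rather than RDP, none of these events will exist and the tool's own logs are the place to look.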
Accepted Solution by: btan
Assuming only the registry hives, a couple of areas to check are:
a) software last run (what types of files or applications have been accessed on a particular system),
b) wireless connections (determine whether a user connected to a specific wireless access point, the timeframe, and the IP address they were assigned by the DHCP server),
c) LAN PCs connected (determining whether or not a user was connected to certain computers or belonged to a specific LAN),
d) USB: to see whether or not a USB device has been connected to other Windows systems, which may lead to other possible areas where this device was reused (data exfiltration etc.),
e) web trails (use of P2P and browser).

http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

Nice summary in PDF here too.

Some useful tools: Regdecoder and RegRipper.
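Items b) and c) above are the parts of the answer that bear on the original question, and they can be checked directly against the SYSTEM and SOFTWARE hives from the image. As an added example (not part of the thread, nor code from RegRipper or Registry Decoder), the following PowerShell mounts the two offline hives and lists, per interface, the IP and DNS servers the machine was configured with (Tcpip\Parameters\Interfaces), and, per network profile, when the machine first and last joined that network (NetworkList). Two caveats a practitioner should keep in mind: these keys record the victim's own addressing, not the remote peer's, and the configured DNS servers are not resolved names (the resolver cache lives only in memory). The evidence paths and the HKLM\EvSYSTEM / HKLM\EvSOFTWARE mount names are placeholders.

```powershell
# Added example, not from the original thread. Mounts offline SYSTEM and SOFTWARE
# hives (copied from the evidence image, never the live ones) and prints
#   (a) TCP/IP interface configuration: DHCP/static IP, DHCP server, DNS servers, lease time
#   (b) NetworkList profiles: name, type, first/last connection, gateway MAC, DNS suffix
# Requires an elevated prompt (reg.exe load). Paths and mount names are placeholders.
param(
    [string]$SystemHive   = 'C:\evidence\SYSTEM',
    [string]$SoftwareHive = 'C:\evidence\SOFTWARE'
)

function ConvertFrom-SystemTime {
    # NetworkList DateCreated/DateLastConnected are 16-byte SYSTEMTIME blobs (local time of the victim).
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    # fields: year, month, dayOfWeek, day, hour, minute, second, millisecond
    try { New-Object DateTime ($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7]) } catch { $null }
}

& reg.exe load 'HKLM\EvSYSTEM'   $SystemHive   | Out-Null
& reg.exe load 'HKLM\EvSOFTWARE' $SoftwareHive | Out-Null

try {
    # Select\Current names the ControlSet that was live when the hive was taken.
    $cs = 'ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\EvSYSTEM\Select').Current
    $ifRoot = "HKLM:\EvSYSTEM\$cs\Services\Tcpip\Parameters\Interfaces"

    "== TCP/IP interface configuration ($cs) =="
    Get-ChildItem $ifRoot | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $static = @($p.IPAddress) | Where-Object { $_ -and $_ -ne '0.0.0.0' }
        if (-not $p.DhcpIPAddress -and -not $static) { return }   # interface never addressed
        [pscustomobject]@{
            Interface     = $_.PSChildName
            DhcpIP        = $p.DhcpIPAddress
            StaticIP      = ($static -join ',')
            DhcpServer    = $p.DhcpServer
            DnsServers    = if ($p.NameServer) { $p.NameServer } else { $p.DhcpNameServer }
            # LeaseObtainedTime is a REG_DWORD Unix timestamp (UTC).
            LeaseObtained = if ($p.LeaseObtainedTime) {
                ([datetime]'1970-01-01T00:00:00Z').ToUniversalTime().AddSeconds($p.LeaseObtainedTime)
            }
        }
    } | Format-Table -AutoSize

    "== Network profiles (NetworkList) =="
    $nl = 'HKLM:\EvSOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
    # Signatures carry the gateway MAC and DNS suffix, keyed back to a profile by ProfileGuid.
    $sigs = @{}
    Get-ChildItem "$nl\Signatures\Unmanaged", "$nl\Signatures\Managed" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            if ($s.ProfileGuid) { $sigs[$s.ProfileGuid] = $s }
        }
    $typeNames = @{ 6 = 'Wired'; 23 = 'VPN'; 71 = 'Wireless' }

    Get-ChildItem "$nl\Profiles" | ForEach-Object {
        $p   = Get-ItemProperty $_.PSPath
        $sig = $sigs[$_.PSChildName]
        [pscustomobject]@{
            Profile       = $p.ProfileName
            Type          = if ($typeNames.ContainsKey([int]$p.NameType)) { $typeNames[[int]$p.NameType] } else { $p.NameType }
            FirstSeen     = ConvertFrom-SystemTime $p.DateCreated
            LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
            GatewayMac    = if ($sig) { ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':' }
            DnsSuffix     = if ($sig) { $sig.DnsSuffix }
        }
    } | Sort-Object LastConnected | Format-Table -AutoSize
}
finally {
    & reg.exe unload 'HKLM\EvSYSTEM'   | Out-Null
    & reg.exe unload 'HKLM\EvSOFTWARE' | Out-Null
}
```

Work on copies of the hives: `reg.exe load` writes to the file it mounts, so hash the originals first. If `reg.exe unload` reports access denied, the PowerShell registry provider is still holding a handle; run `[gc]::Collect()` or close the session and unload again. The NetworkList timestamps are the victim machine's local time, whereas the DHCP lease time and event-log timestamps are UTC, so normalise before building a timeline.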