Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Windows Registry tcp ip forensics

Posted on 2014-03-11
2
Medium Priority
?
2,484 Views
Last Modified: 2014-03-14
Does anyone know of way to find dns entries and/or ip connection history within offline registry files?

I am try to find some information on someone that gained remote access to a computer via social engineering and caused some considerable damage.
0
Comment
Question by:Vontech615
2 Comments
 
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 600 total points
ID: 39920447
Place to start is event viewer -> security and look for remote connections which come from an outside ip address.
But how to find data about altering offline registry files sounds like a no go unless you have captured all network traffic during this attack.
0
 
LVL 65

Accepted Solution

by:
btan earned 1400 total points
ID: 39928240
assuming only the registry hive then probably couple of areas to check is the
a) s/w last ran (what types of files or applications have been accessed on a particular system),
b) wireless connections (determine if a user connected to specific wireless access point, the timeframe, and their IP address they were assigned by the DHCP server),
c) LAN PC connected (determining whether or not a user was connected to certain computers or belonged to a specific LAN),
d) USB - to see USB device whether or not has been connected to other Windows systems and may lead where other possible area this device is reused etc (data exfiltration etc ),
e) Web trails (use of p2p and browser)

http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

Nice summary in pdf here too

Some useful tools such as Regdecoder and Regripper
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Assume you have an outside contractor who comes in seasonally or once a week to do some work in your office, but you only want to give him access to the programs and files he needs and keep all other documents and programs private. Can you do this o…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
The goal of this Micro Tutorial is to help navigate beginning users with the app store on Windows 8. It will explain exciting features how to maximize your PC through these apps. This will be demonstrated using Windows 8 operating system.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses
Course of the Month15 days, 9 hours left to enroll

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question