EnCase EnScript to quickly sort last written timestamps on registry keys
One of the many analysis techniques that I use when looking at compromised computers is to analyze registry keys and the last written date on the various keys. If I have a time frame that I am focusing on based on some other type of artifact, I commonly look at all the registry keys that have a last written date near my target date.
I wrote an EnCase EnScript to mount the registry hives and then dump all the registry keys and their last written dates into a Bookmark Log Record view so I could then sort them, export them, print them or whatever. Commonly I used to just mount the registry hives and then select the "show all" and then sort the files and registry keys at the same time and in the same view. That method is still a valuable one, but I wrote this so I could make bookmarks and separate the registry keys into their own bookmark area for closer analysis.
To use this EnScript, copy to your EnCase EnScript folder and then refresh your EnScript folder in EnCase (if EnCase is currently running). Simply double-click on the EnScript and it will mount the registry hives and dump the data in the bookmark tab, log records subtab.
*Note that the Bookmarks->Log Records tab has a hard-coded column named "Last Accessed", although registry keys only have a last written timestamp. I have populated that column with the last written timestamps.
Download Here
2 comments:
Hey Lance - Does this EnScript parse registry hives in restore points?
Thanks Lance this EnScript helped me to trace 2 Trojans files evading our Enterprise AV
Post a Comment