@port139 Blog

This blog mainly covers digital forensics techniques, but there is a high probability that the content contains errors.

Deleted Registry KEY and Timestamp

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Delete a registry key and check its last write timestamp. First, create sample registry keys and values under the SYSTEM hive.


Last write timestamp: 2018-12-09 05:33:00 (UTC)


Delete the registry key and check the timestamp again. The last write timestamp of the deleted key, as recovered from the hive, has not changed:
Last write timestamp: 2018-12-09 05:33:00 (UTC)


Next, create a key with nested subkeys: EVIDENCE002 containing EVIDENCE003, which in turn contains EVIDENCE004.


EVIDENCE002: Last write timestamp: 2018-12-09 05:54:22 (UTC)
EVIDENCE003: Last write timestamp: 2018-12-09 05:54:31 (UTC)
EVIDENCE004: Last write timestamp: 2018-12-09 05:54:49 (UTC)

Delete the parent key EVIDENCE002, which removes the whole subtree, and check the timestamps again.


EVIDENCE002: Last write timestamp: 2018-12-09 06:01:00 (UTC)
EVIDENCE003: Last write timestamp: 2018-12-09 06:01:00 (UTC)
EVIDENCE004: Last write timestamp: 2018-12-09 05:54:49 (UTC)

 

The last write timestamps of EVIDENCE002 and EVIDENCE003 were updated to the deletion time (06:01:00), while EVIDENCE004 kept its original timestamp. This is consistent with how a key tree is deleted: the subkeys are removed first, and removing a subkey updates the parent's last write timestamp; the parent is then deleted itself without a further update, just like the single key in the first test. EVIDENCE004 had no subkeys, so nothing modified it before it was deleted. For forensic purposes this means the timestamp of a deleted leaf key still reflects its last modification, whereas the timestamp of a deleted key that had subkeys records the deletion itself.

What changed inside the key cell? Compare the technical details of EVIDENCE003 before and after deletion below: the cell is marked free and its size grows from 0x60 to 0xB0, the last write timestamp becomes the deletion time, the stable subkey count and subkey list index drop to 0, and the security cell index becomes 0xFFFFFFFF.

 

EVIDENCE003 (before deletion)

Size: 0x60
Relative Offset: 0x327848
Absolute Offset: 0x328848
Signature: nk
Flags: CompressedName

Name: EVIDENCE003

Last Write Timestamp: 12/9/2018 5:54:31 AM +00:00

Is Free: False

Debug: 0x0

Maximum Class Length: 0x0
Class Cell Index: 0x0
Class Length: 0x0

Maximum Value Data Length: 0x0
Maximum Value Name Length: 0x0

Name Length: 0xB
Maximum Name Length: 0x16

Parent Cell Index: 0x327970
Security Cell Index: 0x64B3D0

Subkey Counts Stable: 0x1
Subkey Lists Stable Cell Index: 0xA489A8

Subkey Counts Volatile: 0x0

User Flags: 0x00000000
Virtual Control Flags: 0x00000000
Work Var: 0x0

Value Count: 0x0
Value List Cell Index: 0x0

Padding: 00-63-14-FE-E9


Security key
Size: 0x108
Relative Offset: 0x64B3D0
Absolute Offset: 0x64C3D0
Signature: sk
Is Free: False

Forward Link: 0x138C70
Backward Link: 0x64B8F0

Reference Count: 7

Security descriptor length: 0xF0

Security descriptor: Revision: 0x1
Control: SeDaclPresent, SeDaclAutoInherited, SeSaclAutoInherited, SeSelfRelative

Owner offset: 0xC4
Owner SID: S-1-5-32-544
Owner SID Type: BuiltinAdministrators

Group offset: 0xD4
Group SID: S-1-5-21-3032502310-280463001-373959476-513
Group SID Type: DomainUsers

Dacl Offset: 0x14
DACL: ACL Revision: 0x2
ACL Size: 0xB0
ACL Type: Discretionary
Sbz1: 0x0
Sbz2: 0x0
ACE Records Count: 6

------------ Ace record #0 ------------
ACE Size: 0x18
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: QueryValue, EnumerateSubkeys, Notify, ReadControl
SID: S-1-5-32-545
SID Type: BuiltinUsers
SID Type Description: S-1-5-32-545: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

------------ Ace record #1 ------------
ACE Size: 0x18
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: FullControl
SID: S-1-5-32-544
SID Type: BuiltinAdministrators
SID Type Description: S-1-5-32-544: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Administrators group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Administrators group also is added to the Administrators group.

------------ Ace record #2 ------------
ACE Size: 0x14
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: FullControl
SID: S-1-5-18
SID Type: LocalSystem
SID Type Description: S-1-5-18: An account that is used by the operating system.

------------ Ace record #3 ------------
ACE Size: 0x14
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritOnlyAce, InheritedAce
Mask: FullControl
SID: S-1-3-0
SID Type: CreatorOwner
SID Type Description: S-1-3-0: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.

------------ Ace record #4 ------------
ACE Size: 0x18
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: QueryValue, EnumerateSubkeys, Notify, ReadControl
SID: S-1-15-2-1
SID Type: AllAppPackages
SID Type Description: S-1-15-2-1: All applications running in an app package context.

------------ Ace record #5 ------------
ACE Size: 0x38
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: QueryValue, EnumerateSubkeys, Notify, ReadControl
SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
SID Type: UnknownOrUserSid
SID Type Description: SID does not map to a common SID or this is a user SID

  

Subkeys

Key name: EVIDENCE004, Value count: 1, Subkey count: 0
Key name: New Key #1, Value count: 0, Subkey count: 0

EVIDENCE003 (after deletion)

Size: 0xB0
Relative Offset: 0x327848
Absolute Offset: 0x328848
Signature: nk
Flags: CompressedName

Name: EVIDENCE003

Last Write Timestamp: 12/9/2018 6:01:00 AM +00:00

Is Free: True

Debug: 0x0

Maximum Class Length: 0x0
Class Cell Index: 0x0
Class Length: 0x0

Maximum Value Data Length: 0x0
Maximum Value Name Length: 0x0

Name Length: 0xB
Maximum Name Length: 0x0

Parent Cell Index: 0x327970
Security Cell Index: 0xFFFFFFFF

Subkey Counts Stable: 0x0
Subkey Lists Stable Cell Index: 0x0

Subkey Counts Volatile: 0x0

User Flags: 0x00000000
Virtual Control Flags: 0x00000000
Work Var: 0x0

Value Count: 0x0
Value List Cell Index: 0x0


Subkeys

Key name: New Key #1, Value count: 0, Subkey count: 0
Key name: EVIDENCE004, Value count: 1, Subkey count: 0
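The comparison above can be reproduced programmatically. The following Python is an added example and not code from the original post or from any tool it uses: it parses the raw `nk` (key node) cell of a hive the way a registry parser does, derives "Is Free" from the sign of the cell size field, converts the FILETIME last write timestamp to UTC, and reports the fields that differ between two cells. The hive bytes are constructed inside the script to mirror the EVIDENCE003 values shown above (at small, constructed cell indices rather than 0x327848), not read from a real hive; the field offsets follow the documented Windows hive format, and the names `parse_nk_cell`, `diff_cells` and `build_sample_hive` are this example's own.

```python
"""Parse registry hive 'nk' (key node) cells and diff a key before/after deletion.

Added example for this post, not code from the original. Field offsets follow the
documented Windows hive format; the sample cells below are constructed to mirror
the EVIDENCE003 values shown on the page, they are not read from a real hive.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HBIN_BASE = 0x1000       # cell indices are relative to the first hbin, which follows the 4 KiB base block
HCELL_NIL = 0xFFFFFFFF   # "no cell": what the deleted key's Security Cell Index became
KEY_COMP_NAME = 0x0020   # nk flag: name stored as 8-bit "compressed" string (Flags: CompressedName)

# Fixed part of the nk record, right after the 4-byte signed cell size.
NK_HEADER = struct.Struct("<2sHQ" + "I" * 10 + "HBB" + "I" * 4 + "HH")
NK_FIELDS = (
    "sig", "flags", "last_write", "access_bits",
    "parent", "subkeys_stable", "subkeys_volatile", "sublist_stable", "sublist_volatile",
    "value_count", "value_list", "security", "class_name",
    "max_subkey_name_len", "user_virt_flags", "debug",
    "max_class_len", "max_value_name_len", "max_value_data_len", "work_var",
    "name_len", "class_len",
)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_nk_cell(hive: bytes, cell_index: int) -> dict:
    """Parse the nk cell at a hive-relative cell index (the page's 'Relative Offset')."""
    abs_off = HBIN_BASE + cell_index
    (raw_size,) = struct.unpack_from("<i", hive, abs_off)
    # Allocated cells store a negative size, freed cells a positive one:
    # this sign is what a parser reports as "Is Free" for a deleted key.
    is_free = raw_size > 0
    rec = dict(zip(NK_FIELDS, NK_HEADER.unpack_from(hive, abs_off + 4)))
    if rec["sig"] != b"nk":
        raise ValueError(f"no nk signature at cell index 0x{cell_index:X}: {rec['sig']!r}")
    name_off = abs_off + 4 + NK_HEADER.size
    raw_name = hive[name_off:name_off + rec["name_len"]]
    name = raw_name.decode("latin-1") if rec["flags"] & KEY_COMP_NAME else raw_name.decode("utf-16-le")
    return {
        "relative_offset": cell_index,
        "absolute_offset": abs_off,
        "size": abs(raw_size),
        "is_free": is_free,
        "name": name,
        "last_write": filetime_to_datetime(rec["last_write"]),
        "parent_cell_index": rec["parent"],
        "subkey_count_stable": rec["subkeys_stable"],
        "subkey_list_stable": rec["sublist_stable"],
        "security_cell_index": rec["security"],
        "value_count": rec["value_count"],
        "max_subkey_name_len": rec["max_subkey_name_len"],
    }


def diff_cells(hive: bytes, before_index: int, after_index: int) -> dict:
    """Fields that changed between two nk cells, keyed by name -> (before, after)."""
    before, after = parse_nk_cell(hive, before_index), parse_nk_cell(hive, after_index)
    skip = {"relative_offset", "absolute_offset"}   # differ only because of where the samples were placed
    return {k: (before[k], after[k]) for k in before if k not in skip and before[k] != after[k]}


def build_nk_cell(name, last_write, *, is_free, cell_size, parent, subkey_count,
                  subkey_list, security, max_subkey_name_len) -> bytes:
    """Constructed test data: one nk cell laid out as a hive would store it."""
    encoded = name.encode("ascii")      # compressed name, one byte per character
    header = NK_HEADER.pack(
        b"nk", KEY_COMP_NAME, datetime_to_filetime(last_write), 0,
        parent, subkey_count, 0, subkey_list, 0,
        0, 0, security, 0,
        max_subkey_name_len, 0, 0,
        0, 0, 0, 0,
        len(encoded), 0,
    )
    body = header + encoded
    # Cells are 8-byte aligned, and a freed cell may be merged with a free neighbour,
    # which would explain why the deleted EVIDENCE003 cell reports 0xB0 instead of 0x60.
    if cell_size % 8 or cell_size < 4 + len(body):
        raise ValueError("cell_size must be 8-byte aligned and large enough for the record")
    size_field = struct.pack("<i", cell_size if is_free else -cell_size)
    return size_field + body + b"\x00" * (cell_size - 4 - len(body))


# Constructed cell indices (the real EVIDENCE003 cell sat at 0x327848).
BEFORE_INDEX = 0x20
AFTER_INDEX = BEFORE_INDEX + 0x60


def build_sample_hive() -> bytes:
    """Zeroed base block and hbin header, then EVIDENCE003 before and after deletion."""
    before = build_nk_cell("EVIDENCE003", datetime(2018, 12, 9, 5, 54, 31, tzinfo=timezone.utc),
                           is_free=False, cell_size=0x60, parent=0x327970, subkey_count=1,
                           subkey_list=0xA489A8, security=0x64B3D0, max_subkey_name_len=0x16)
    after = build_nk_cell("EVIDENCE003", datetime(2018, 12, 9, 6, 1, 0, tzinfo=timezone.utc),
                          is_free=True, cell_size=0xB0, parent=0x327970, subkey_count=0,
                          subkey_list=0, security=HCELL_NIL, max_subkey_name_len=0)
    return b"\x00" * (HBIN_BASE + BEFORE_INDEX) + before + after


if __name__ == "__main__":
    hive = build_sample_hive()
    for field, (old, new) in diff_cells(hive, BEFORE_INDEX, AFTER_INDEX).items():
        print(f"{field:22} {old!s:>28} -> {new!s}")
```

Run against a real hive, `parse_nk_cell` takes the whole file as `hive` and the "Relative Offset" of a key as `cell_index`; walking the hbins for cells whose size is positive and whose signature is `nk` is how deleted keys such as EVIDENCE003 are found in the first place, and `is_free` plus the unchanged `parent_cell_index` are what let a parser re-attach them under their (also deleted) parent.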

  

Verification environment: Windows 10 1803

Reference URL:

 
