I will be in Montreal from July 6 thru July 10th. If anyone wants to get together for dinner one evening then let me know. You can contact me at mark dot mckinnon at sbcglobal dot net and we can set something up.
Friday, June 20, 2008
Wednesday, June 18, 2008
What Does This Tell You - The Answer
And the answer is ......... a program called "Advanced Registry Fix" was run on the system. I saw this program advertised in Bits Du Jour which I blogged about here. There is a free download for the program so I thought I would download it and try it out seeing what it actually did to the regstry.
One of the things I found is that to "Clean" up the registry what it does for the MRUList is to see if the files still exist on the system. If they do not then it removes the file name from the MRUList (a and b were removed), the thing is that it does not remove the entry from the MRUList for that item so that is why Harlans RegRipper displayed 2 blank lines, it expected entries there becuase the MRUList said there were suppose to be entries there, I was not sure how RegRipper would handle this when I first saw what Advanced Registry Fix did, and was happy to see how it handled it (great job Harlan).
Here is the before image of the registry
a                 REG_SZ     F:\methodology_form_blank.pdf
b                 REG_SZ     F:\report_blank.pdf
c                 REG_SZ     C:\Mark\dc3_challenge\methodology_form_blank.pdf
d                 REG_SZ     C:\Mark\dc3_challenge\report_blank.pdf
MRUList   REG_SZ     cdba
Where the F:\ drive was a usb thumb drive.
Here is the after image of the registry after running "Advanced Registry Fix"
c                 REG_SZ     C:\Mark\dc3_challenge\methodology_form_blank.pdf
d                 REG_SZ     C:\Mark\dc3_challenge\report_blank.pdf
MRUList   REG_SZ     cdba
Another thing I did find out is that once you open a program that will write to the MRUList it will correct everything (MRUList will have the non existant entries removed).
This just goes to show you how a $10 (price on Bits du Jour) to $20 (retail price) piece of software can really throw you for a loop and get you thinking that someone was deliberatly trying to hide something when they were not, they were just trying to keep their system running in an optimal state by using valid system maintenance software.
Thoughts/Questions/Comments????
Posted by Mark McKinnon at 6:24 AM
Labels: Advanced Registry Fix, Harlan Carvey, Registry, RegRipper
Friday, June 13, 2008
What does this tell you
I have been doing some testing with Harlan Carvey's RegRipper which is a pretty cool tool and I ran accross this entry after running it against my ntuser.dat file.
ComDlg32\OpenSaveMRU
**All values printed in MRUList order.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
LastWrite Time Wed Jun 11 18:48:27 2008 (UTC)
..
..
Subkey: pdf
LastWrite Time Fri Jun 13 12:41:16 2008 (UTC)
MRUList = cdba
c -> C:\Mark\dc3_challenge\methodology_form_blank.pdf
d -> C:\Mark\dc3_challenge\report_blank.pdf
b ->
a ->
..
..
I cut out the stuff before and after the pdf subkey. Now after looking at this what do you think it is telling you. Is this some kind of Anti Forensics tool that was run. Why are there entries missing. I will hold of the answer until next week to see if someone wants to throw an answer out there.
Questions/Comments/Thoughts?
Posted by Mark McKinnon at 11:57 AM
Labels: Anti Forensics, Harlan Carvey, Registry, RegRipper
Thursday, June 12, 2008
What's in your Ipod........
Ok so I stole the title and tweaked it a little. The question of the day is what type of music do you listen to when you are doing forensic work. Are you like Hugh Jackman in SwordFish jamming out as your fingers fly accross the keyboard? Besides the big name individuals or groups ( I like Bob Seger, Tom Petty, The Eagles, 3 Doors Down, John Melloncamp and many more) have you found some local musical group that you like to listen to when you need to do some heads down forensic work. Now are you willing to share that with the rest of us? I will go first, the Four Lincolns out of Grand Rapids Michigan, you can check out their myspace page and listen to there tunes. So who else is willing to share there favorite local band/musician or other big name group with the rest of us and add some more music selections to our ipods?
Bits du Jour
Over on the Bits du Jour website you can find daily deals on software you may never have heard of. You can subscribe to there daily deals and get an email every day. This is an excellent way to stay current on software that is low cost and something you may come across in your travels
For example I have seen wiping programs, partition managers, photo hiding and spying software being sold on this site. All the software offers a free demo as well as being low cost. Another excellent way to acquire software to evaluate and research.
This is just one more way to keep you informed of what may be out there.
Questions/Comments/Thoughts?
Professional Investigator License in Michigan
This is another example of how the government in the state of Michigan is trying to screw with it's residents. They have already done enough harm to this state I am not sure why they wanted to do more. I will only hit on a few things here. If you want to read the whole thing you can find it here
Now according to the new law it takes effect immediately. Now what does this do to your current case load. Do you go and find a PI that will allow you to go under there license? If you want to still practice you will. There is a lead time of aprox 12 weeks in order to get thru the process. The funny thing is as of yesterday they do not have the new application to use to apply for the license. Now how can a law go into effect and there be no lead time in order to get your affairs together? Brilliant thinking on the Legislature's part
Now for those that do happen to read this bill here is the intro to it:
"An act to license and regulate professional investigators; to provide for certain powers and duties for certain state agencies and local officials; to provide for the imposition for certain fees; to protect the general public against unauthorized,
unlicensed and unethical operations by professional investigators; to provide for immunity for certain persons under certain circumstances; to provide for penalties and remedies; and to repeal acts and parts of acts."
Now reading the law they have there standard requirements about age, felonies but here is where it gets interesting:
"A graduate of an accredited institution of higher education with a baccalaureate or postgraduate degree in the field of police administration, security management, investigation, law, criminal justice, or computer forensics or other computer forensic industry certificated study that is acceptable to the department."
Now I can have a degree in Police Administration, investigation or Criminal Justice and practice forensics? Yep that is what it says. So do I really need to know anything about computer forensics to practice if I have a 4 year degree in CJ? I can easily go purchase any of the packages and hang my shingle out and state I practice Computer Forensics. So that being said I do not see where this has helped out the general public except to put decent forensic examiners out of work until they can get there license, which without the proper applications being made available may take some time if they even get them out there.
Now do not get me wrong I think regulation is fine, as an industry we probably should be regulated but not with laws like this. But in true State of Michigan fashion lets do a crappy job and not think things thru. For being a full time Legislature you would think they would do a better job.
Living and practicing in the State of Michigan I am waiting for the proper applications to be made available so I can apply. We will see how it goes. I hope I meet their criteria to be able to practice Computer Forensics.
Questions/Comments/Thoughts??
Posted by Mark McKinnon at 10:35 AM
Labels: Michigan, PI, Private Investigator, Professional Investigator