Lab 14 - Windows Registry Analysis

Hi to all,

Inside Lab4 I noticed that there is no solution provided for the question No 6 “When was this system last shutdown?” of TASK 1.
In fact, the answer to question 6 is the answer related to “Check the system’s firewall and see if RDP was enabled or not.”.
Ok given that, the solution should be that the last shutdown occurred on “mon, 20 June 2016 18:34:49 -0700” (decoded from value 715EAA195DCBD101), right?
But another question is: if the system was installed on “Tue, 21 June 2016 01:37:45 -07: 00” how could the “mon, 20 June 2016 18:34:49 -0700” be turned off (one day before installation)? it’s not very clear to me …

what do you think about it dimitrios

Thanks

Original post by mart12


I had to consult with the author of the course sorry for waiting.

  1. Shutdown time is found in: SYSTEM\ControlSet001\Control\Windows\ShutdownTime

It is a Windows FILETIME (64 bit)

Answer = 2016-06-21 01:34:49 (UTC)

Answer = Tue Jun 21 01:34:49 2016 (UTC)

Answer = Tue Jun 21 08:34:49 2016 (UTC-7/Local Time)

  1. To find the Installation date, we need to check the following: SAM\Domains\Account\F

Offset 8-15 holds value

It is using Windows FILETIME (64 bit)

Answer = 2013-08-22 14:45:11 (UTC)

The InstallDate or other registry keys no longer are valid to use as an Installation date, since they only reflect the time of updates/upgrades/etc/long story short.

Original reply by dimitrios


Thanks dimitrios, I will take this answer as an integration of the course slides.

However, this clarification should be included as an update in the slides.

Original reply by mart12