pssquiet

  1. Thanks for all your help! Cleaning out prefetch and temp is easy enough with CCleaner and CleanAfterMe. Clearing the event logs seems harder. I suppose I could rely on security through obscurity - there are lots of logs and lots of entries in each one, so without knowing exactly what to look for, evidence might be hard to find. Still, that seems chancy. Is there any way to edit the event logs without leaving a log entry to show they were edited?
  2. Just to be clear, for my own purposes I'm not specifically interested in configuring the machine to catch this, but more in covering tracks - preventing future users/examiners from detecting it. However you've put out a lot of useful tips that anyone else who sees that subject line will appreciate.
  3. Thanks! It looks as though it would take some custom coding/scripting, set up in advance on the target system? (newbie here, remember) Is there any way for someone to come in after the fact - without setting up a "trapper" to catch target processes - and determine that a program was run from USB in the past?
  4. Suppose that an executable such as Portable Firefox is run on Computer A from a USB drive. In theory, the executable should not write to the HDD on Computer A, but rather should write only to the USB. Despite this, is there any way for forensic analysis to determine that the executable was run on Computer A? If so, how could one prevent that?
  5. Here's some more information. I tried the following: I exported a key as a .reg file. I right-clicked on the exported file and selected "Edit". This opened the file in a way that I could cut and paste. The data thus revealed was as follows:

     Windows Registry Editor Version 5.00

     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU]
     "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
     "0"=hex:14,00,1f,78,40,f0,5f,64,81,50,1b,10,9f,08,00,aa,00,2f,95,4e,00,00

     I tried pasting the "=hex" data into the HEX-to-ASCII utilities I've been using. The paste was successful this time, which is an improvement, but the utilities were still unable to convert it to ASCII. I get an "invalid entry" error. So I've confirmed that the data I'm looking at is HEX, and I've pasted it successfully into the utilities, but I still don't have ASCII.
  6. @tekio: The utilities on the page you linked are the ones I found initially. I've tried two of them, and neither worked, but the failure mode was odd enough that I can't tell if the problem is with the utilities or not. In regedit I navigated to the key of interest, double-clicked, and got a window containing HEX data. I copied the data, intending to paste it into the Hex-to-ASCII utilities, but when I went to paste it I was unable to do so. I even tried opening a Notepad file and pasting there, but no joy. Even stranger, I went back to regedit and tried CUTTING the data out of the window rather than copying. I still couldn't paste it into either the utilities or Notepad - it was as if my clipboard was simply empty, even though the information disappeared from the regedit window just as it normally does when I cut something. This is puzzling because Iron Geek refers to this so casually - as though it's a basic operation that anyone ought to know about. But it seems surprisingly complex. EDIT: I was unable to find regedit32 in Win 7. I did run regedit as an administrator, but I'm still getting the odd behavior described above.
  7. In an excellent article here, Iron Geek talks about various Win 7 items of interest to security. In his discussions of data in the registry, he says many times, "Values are in HEX, but readable if you open them in ASCII view." I'm trying to figure out how to do this. There's no obvious mechanism in Regedit for reading registry data in ASCII. My efforts on Google led me to a few rather old utilities that don't seem to work as advertised. Any advice would be appreciated.
  8. Hello. I'm just barely getting my feet wet in computer security. I was referred here by IronGeek.