Investigating Last Shutdown
20/08/2022 Saturday
Windows Registry is an essential component of Windows operating systems. It maintains a wealth of information related to the user activity on the system, default settings, configurations and more. last shutdown is one of these registry artifacts that stored in the system hive and it keeps a timestamped record of of last shutdown.
Digital Forensics Value of Last Shutdown Artifact
Windows registry stores system-wide configurations and changes. The last shutdown date and time are stored on the Windows registry. Capturing the last shutdown value from the registry key can provide valuable information during computer forensics investigations. This post will go through the Last Shutdown artifact on Windows systems.
Location and Structure of Last Shutdown Artifact
The last Shutdown artifact is located at:
HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime
The figure below shows the details of the ShutdownTime key. The ‘ShutdownTime’ value is the binary date-time value of the latest shutdown of the system.
Analyzing Last Shutdown Artifact with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to extract the Last Shutdown artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Last Shutdown artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Last Shutdown artifact in ArtiFast.
Last Shutdown:This artifact shows the system’s last shutdown date/time. The details you can view include:
- Value Path - Last Shutdown Time value path in the registry hive.
- Last Shutdown Date - Last Shutdown Date
For more information or suggestions please contact: [email protected]
