Open/Save MRU
Description:
In the simplest terms, this key tracks les that have been
opened or saved within a Windows shell dialog box. This
happens to be a big data set, not only including web
browsers like Internet Explorer and Firefox, but also a
majority of commonly used applications.
Location:
XP NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Win7 NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\ComDlg32\
OpenSavePIDlMRU
Interpretation:
• The “*” key – This subkey tracks the most recent les of
any extension input in an OpenSave dialog
• .??? (Three letter extension) – This subkey stores le info
from the OpenSave dialog by specic extension
Skype History
Description:
• Skype history keeps a log of chat sessions and les
transferred from one machine to another
• This is turned on by default in Skype installations
Location:
XP C:\Documents and Settings\<username>\
Application\Skype\<skype-name>
Win7 C:\Users\<username>\AppData\Roaming\
Skype\<skype-name>
Interpretation:
Each entry will have a date/time value and a Skype
username associated with the action.
Downloads.sqlite
Description:
Firefox has a built-in download manager application
which keeps a history of every le downloaded by the user.
This browser artifact can provide excellent information
about what sites a user has been visiting and what kinds of
les they have been downloading from them.
Location: Firefox
IE %userprole%\Application Data\Mozilla\ Firefox\
Proles\<random text>.default\downloads.sqlite
Win7 %userprole%\AppData\Roaming\Mozilla\ Firefox\
Proles\<random text>.default\downloads.sqlite
Interpretation:
Downloads.sqlite will include:
• Filename, Size, and Type
• Download from and Referring Page
• File Save Location
• Application Used to Open File
• Download Start and End Times
E-mail Attachments
Description:
The e-mail industry estimates that 80% of e-mail data
is stored via attachments. E-mail standards only allow
text. Attachments must be encoded with MIME / base64
format.
Location: Outlook
XP %USERPROFILE%\Local Settings\Application Data\
Microsoft\Outlook
Win7 %USERPROFILE%\AppData\Local\Microsoft\
Outlook
Interpretation:
MS Outlook data les found in these locations include
OST and PST les. One should also check the OLK and
Content.Outlook folder, which might roam depending
on the specic version of Outlook used. For more
information on where to nd the OLK folder this link has
a handy chart: http://www.hancockcomputertech.com/
blog/2010/01/06/nd-the-microsoft-outlook-temporary-
olk-folder
Index.dat/ Places.sqlite
Description:
Not directly related to “File Download”. Details stored for
each local user account. Records number of times visited
(frequency).
Location: Internet Explorer
XP %userprole%\Local Settings\History\ History.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\
History\History.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\
History\Low\History.IE5
Location: Firefox
IE %userprole%\Application Data\Mozilla\ Firefox\
Proles\<random text>.default\places.sqlite
Win7 %userprole%\AppData\Roaming\Mozilla\ Firefox\
Proles\<random text>.default\places.sqlite
Interpretation:
Many sites in history will list the les that were opened
from remote sites and downloaded to the local system.
History will record the access to the le on the website
that was accessed via a link.
RunMRU Start->Run
Description:
Whenever someone does a Start -> Run command, it will
log the entry for the command they executed.
Location: NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\RunMRU
Interpretation:
The order in which the commands are executed is listed in
the RunMRU list value. The letters represent the order in
which the commands were executed.
Win7 Jump Lists
Description:
• The Windows 7 task bar (Jump List) is engineered
to allow users to “jump” or access items they have
frequently or recently used quickly and easily. This
functionality cannot only include recent media les;
it must also include recent tasks.
• The data stored in the AutomaticDestinations folder
will each have a unique le prepended with the
AppID of the associated application.
Location:
Win7 C:\Users\<user>\AppData\Roaming\Microsoft\
Windows\Recent\ AutomaticDestinations
Interpretation:
• First time of execution of application.
- Creation Time = First time item added to the AppID
le.
• Last time of execution of application w/le open.
- Modication Time = Last time item added to the
AppID le.
• List of Jump List IDs -> http://www.forensicswiki.
org/wiki/List_of_Jump_List_IDs
Last-Visited MRU
Description:
Tracks the specic executable used by an application to
open the les documented in the OpenSaveMRU key. In
addition, each value also tracks the directory location for
the last le that was accessed by that application.
Example: Notepad.exe was last run using the
C:\Users\<Username>\Desktop folder
Location:
XP NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\ComDlg32\
LastVisitedMRU
Win7 NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\ComDlg32\
LastVisitedPidlMRU
Interpretation:
Tracks the application executables used to open les in
OpenSaveMRU and the last le path used.
Application Compatibility Cache
Description:
• Windows Application Compatibility Database is used by Windows to identify
possible application compatibility challenges with executables.
• Tracks the executables le name, le size, last modied time, and in Windows
XP the last update time
Location:
XP SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility\
Win7 SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation:
Any executable run on the Windows system could be found in this key. You
can use this key to identify systems that specic malware was executed on. In
addition, based on the interpretation of the time-based data you might be able
to determine the last time of execution or activity on the system.
• Windows XP contains at most 96 entries
- LastUpdateTime is updated when the les are executed
• Windows 7 contains at most 1024 entries
- LastUpdateTime does not exist on Win7 systems
Tool to parse:
MANDIANT’s ShimCacheParser
Prefetch
Description:
• Increases performance of a system by pre-loading
code pages of commonly used applications. Cache
Manager monitors all les and directories referenced
for each application or process and maps them into a
.pf le. Utilized to know an application was executed
on a system.
• Limited to 128 les on XP and Win7
• (exename)-(hash).pf
Location:
Win7/XP C:\Windows\Prefetch
Interpretation:
• Each .pf will include last time of execution, number
of times run, and device and le handles used by the
program
•
Date/Time le by that name and path was rst executed
- Creation Date of .pf le (-10 seconds)
•
Date/Time le by that name and path was last executed
- Embedded last execution time of .pf le
- Last modication date of .pf le (-10 seconds)
Services Events
Description:
• Analyze logs for suspicious services
running at boot time
• Review services started or stopped
around the time of a suspected
compromise
Location:
All Event IDs reference the System Log
7034 – Service crashed unexpectedly
7035 – Service sent a Start / Stop control
7036 – Service started or stopped
7040 – Start type changed
(Boot | On Request | Disabled)
Interpretation:
• A large amount of malware and worms
in the wild utilize Services
• Services started on boot illustrate
persistence (desirable in malware)
• Services can crash due to attacks like
process injection
Open/Save MRU
Description:
In the simplest terms, this key tracks les
that have been opened or saved within a
Windows shell dialog box. This happens
to be a big data set, not only including
web browsers like Internet Explorer and
Firefox, but also a majority of commonly
used applications.
Location:
XP NTUSER.DAT\Software\Microsoft\
Windows\CurrentVersion\Explorer\
ComDlg32\OpenSaveMRU
Win7 NTUSER.DAT\Software\Microsoft\
Windows\CurrentVersion\Explorer\
ComDlg32\OpenSavePIDlMRU
Interpretation:
• The “*” key – This subkey tracks the
most recent les of any extension
input in an OpenSave dialog
• .??? (Three letter extension) – This
subkey stores le info from the
OpenSave dialog by specic
extension
Recent Files
Description:
Registry Key that will track the last les and folders opened
and is used to populate data in “Recent” menus of the Start
menu.
Location: NTUSER.DAT
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\
Explorer\RecentDocs
Interpretation:
• RecentDocs – Overall key will track the overall order of the
last 150 les or folders opened. MRU list will keep track of
the temporal order in which each le/folder was opened.
The last entry and modication time of this key will be the
time and location the last le of a specic extension was
opened.
•
.??? – This subkey stores the last les with a specic
extension that were opened. MRU list will keep track of
the temporal order in which each le was opened. The last
entry and modication time of this key will be the time and
location of the last le of a specic extension was opened.
• Folder – This subkey stores the last folders that were
opened. MRU list will keep track of the temporal order
in which each folder was opened. The last entry and
modication time of this key will be the time and location
of the last folder opened.
Shell Bags
Description:
• Can track user window viewing preferences to Windows
Explorer
• Can be utilized to tell if activity occurred in a folder
• In some cases, you can see the les from a specic folder as
well
Location:
XP NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
XP NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
XP NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\
Bags
XP NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\
BagMRU
Win7 USRCLASS.DAT\Local Settings\Software\Microsoft\
Windows\Shell\Bags
Win7 USRCLASS.DAT\Local Settings\Software\Microsoft\
Windows\Shell\BagMRU
Win7 NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
Win7 NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Interpretation:
Store information about which folders were most recently
browsed by the user.
Last-Visited MRU
Description:
Tracks the specic executable used by
an application to open the les docu-
mented in the OpenSaveMRU key. In
addition, each value also tracks the
directory location for the last le that
was accessed by that application.
Example: Notepad.exe was last run
using the C:\Users\Rob\
Desktop folder
Location:
XP NTUSER.DAT\Software\
Microsoft\Windows\
CurrentVersion\Explorer\
ComDlg32\ LastVisitedMRU
Win7 NTUSER.DAT\Software\
Microsoft\Windows\
CurrentVersion\
Explorer\ComDlg32\
LastVisitedPidlMRU
Interpretation:
Tracks the application executables
used to open les in OpenSaveMRU
and the last le path used.
Oce Recent
Files
Description:
MS Oce programs will track their
own Recent Files list to make it
easier for users to remember the
last le they were editing.
Location:
NTUSER.DAT\Software\Microsoft\
Oce\VERSION
• 14.0 = Oce 2010
• 12.0 = Oce 2007
• 11.0 = Oce 2003
• 10.0 = Oce XP
Interpretation:
Similar to the Recent Files, this
will track the last les that were
opened by each MS Oce
application. The last entry added,
per the MRU, will be the time the
last le was opened by a specic
MS Oce application.
Shortcut (LNK) Files
Description:
• Shortcut Files automatically created by Windows
- Recent Items
- Opening local and remote data les and documents
will generate a shortcut le (.lnk)
Location:
XP C:\Documents and Settings\<username>\Recent\
Win7 C:\Users\<user>\AppData\Roaming\Microsoft\
Windows\Recent\
Win7 C:\Users\<user>\AppData\Roaming\Microsoft\
Oce\Recent\
Note these are primary locations of LNK les. They can
also be found in other locations.
Interpretation:
• Date/Time le of that name was rst opened
- Creation Date of Shortcut (LNK) File
• Date/Time le of that name was last opened
- Last Modication Date of Shortcut (LNK) File
• LNKTarget File (Internal LNK File Information) Data:
- Modied, Access, and Creation times of the target le
- Volume Information (Name, Type, Serial Number)
- Network Share information
- Original Location
- Name of System
Prefetch
Description:
• Increases performance of
system by pre-loading code
pages of commonly used
applications. Cache Manager
monitors all les and directo-
ries referenced for each
application or process and
maps them into a .pf le.
Utilized to know an applica-
tion was executed on a system.
• Limited to 128 les on XP and
Vista/Win7
• (exename)-(hash).pf
Location:
Win7/XP C:\Windows\Prefetch
Interpretation:
• Can examine each .pf le to
look for le handles recently
used
• Can examine each .pf le
to look for device handles
recently used
Index.dat le://
Description:
• A little known fact about the IE History
is that the information stored in the
history les is not just related to Internet
browsing. The history also records local
and remote (via network shares) le
access, giving us an excellent means for
determining which les and applications
were accessed on the system, day by day.
Location: Internet Explorer
XP %userprole%\Local Settings\History\
History.IE5
Win7 %userprole%\AppData\Local\
Microsoft\Windows\History\
History.IE5
Win7 %userprole%\AppData\Local\
Microsoft\Windows\History\Low\
History.IE5
Interpretation:
• Stored in index.dat as:
le:///C:/directory/lename.ext
• Does not mean le was opened in
browser
Timezone
Description:
Identies the current system time zone.
Location: SYSTEM Hive
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation:
• Time activity is incredibly useful for correlation of activity
• Internal log les and date/timestamps will be based on
the system time zone information
• You might have other network devices and you will need
to correlate information to the time zone information
collected here.
Browser Search Terms
Description:
Records websites visited by date and time. Details stored
for each local user account. Records number of times
visited (frequency). Also tracks access of local system les.
This will also include the website history of search terms in
search engines.
Location: Internet Explorer
XP %userprole%\Local Settings\History\History.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\
History\History.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\
History\Low\History.IE5
Location: Firefox
XP %userprole%\Application Data\Mozilla\Firefox\
Proles\<random text>.default\places.sqlite
Win7 %userprole%\AppData\Roaming\Mozilla\Firefox\
Proles\<random text>.default\places.sqlite
VISTA/Win7 Network History
Description:
• Identify networks that the computer has been connected to
• Networks could be wireless or wired
• Identify domain name/intranet name
• Identify SSID
• Identify Gateway MAC Address
Location: SOFTWARE HIVE
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Interpretation:
• Identifying intranets and networks that a computer has connected to is incredibly
important
• Not only can you determine the intranet name, you can determine the last time the
network was connected to based on the last write time of the key
• This will also list any networks that have been connected to via a VPN
• MAC Address of SSID for Gateway could be physically triangulated
Cookies
Description:
Cookies give insight into what websites have been visited
and what activities may have taken place there.
Location: Internet Explorer
XP %userprole%\Cookies
Win7 %userprole%\AppData\Roaming\Microsoft\
Windows\Cookies
Win7 %userprole%\AppData\Roaming\Microsoft\
Windows\Cookies\Low
Location: Firefox
XP %userprole%\Application Data\Mozilla\Firefox\
Proles\<random text>.default\cookies.sqlite
Win7 %userprole%\AppData\Roaming\Mozilla\Firefox\
Proles\<random text>.default\cookies.sqlite
Key Identication
Description:
Track USB devices plugged into a machine.
Location:
• SYSTEM\CurrentControlSet\Enum\USBSTOR
• SYSTEM\CurrentControlSet\Enum\USB
Interpretation:
• Identify vendor, product, and version of a USB device
plugged into a machine
• Identify a unique USB device plugged into the machine
• Determine the time a device was plugged into the
machine
• Devices that do not have a unique serial number will
have an “&” in the second character of the serial number.
User
Description:
Find User that used the Unique USB Device.
Location:
• Look for GUID from SYSTEM\MountedDevices
• NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\MountPoints2
Interpretation:
This GUID will be used next to identify the user that
plugged in the device. The last write time of this
key also corresponds to the last time the device was
plugged into the machine by that user. The number
will be referenced in the user’s personal mountpoints
key in the NTUSER.DAT Hive.
Drive Letter and
Volume Name
Description:
Discover the drive letter of the USB Device when it was
plugged into the machine.
Location: XP
• Find ParentIdPrex
- SYSTEM\CurrentControlSet\Enum\USBSTOR
• Using ParentIdPrex Discover Last Mount Point
- SYSTEM\MountedDevices
Location: Win7
• SOFTWARE\Microsoft\Windows Portable Devices\Devices
• SYSTEM\MountedDevices
- Examine Drive Letter’s looking at Value Data Looking
for Serial Number
Interpretation:
• Identify the USB device that was last mapped to a
specic drive letter
Volume Serial Number
Description:
Discover the Volume Serial Number of the Filesystem Partition
on the USB (NOTE: This is not the USB Unique Serial Number,
this is created when a lesystem is initially formatted).
Location:
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\
ENDMgmt
• Use Volume Name and USB Unique Serial Number to nd
• Last integer number in line
• Convert Decimal Serial Number into Hex Serial Number
Interpretation:
• Knowing both the Volume Serial Number and the Volume
Name you can correlate the data across SHORTCUT File
(LNK) analysis and the RECENTDOCs key.
• The Shortcut File (LNK) contains the Volume Serial Number
and Name
• RecentDocs Registry Key, in most cases, will contain the
volume name when the USB device is opened via Explorer
Shortcut (LNK) Files
Description:
Shortcut les automatically created by Windows
• Recent Items
• Open local and remote data les and documents will generate a
shortcut le (.lnk)
Location:
XP C:\Documents and Settings\<username>\Recent\
Win7 C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\
Win7 C:\Users\<user>\AppData\Roaming\Microsoft\Oce\Recent\
Interpretation:
• Date/Time le of that name was rst opened
- Creation Date of Shortcut (LNK) File
• Date/Time le of that name was last opened
- Last Modication Date of Shortcut (LNK) File
• LNKTarget File (Internal LNK File Information) Data:
- Modied, Access, and Creation times of the target le
- Volume Information (Name, Type, Serial Number)
- Network Share information
- Original Location
- Name of System
P&P Event Log
Description:
When a Plug and Play driver install is
attempted, the service will log an ID 20001
event and provide a Status within the event.
It is important to note that this event will
trigger for any Plug and Play-capable device,
including but not limited to USB, Firewire,
and PCMCIA devices.
Location: System Log File
Win7 %system root%\System32\winevt\
logs\System.evtx
Interpretation:
• Event ID: 20001 – Plug and Play driver
install attempted
• Event ID 20001
• Timestamp
• Device information
• Device serial number
• Status (0 = no errors)
History
Description:
Records websites visited by date and time. Details stored
for each local user account. Records number of times
visited (frequency). Also tracks access of local system les.
Location: Internet Explorer
XP %userprole%\Local Settings\History\ History.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\
History\History.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\
History\Low\History.IE5
Location: Firefox
XP %userprole%\Application Data\Mozilla\Firefox\
Proles\<random text>.default\places.sqlite
Win7 %userprole%\AppData\Roaming\Mozilla\Firefox\
Proles\<random text>.default\places.sqlite
Cache
Description:
• The cache is where web page components can be stored locally to speed up subsequent visits
• Gives the investigator a “snapshot in time” of what a user was looking at online
- Identies websites which were visited
- Provides the actual les the user viewed on a given website
- Cached les are tied to a specic local user account
- Timestamps show when the site was rst saved and last viewed
Location: Internet Explorer
XP %userprole%\Local Settings\Temporary Internet Files\Content.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
Win7 %userprole%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
Location: Firefox
XP %userprole%\Local Settings\Application Data\Mozilla\ Firefox\Proles\<random text>.default\Cache
Win7 %userprole%\AppData\Local\Mozilla\ Firefox\Proles\<random text>.default\Cache
Flash & Super Cookies
Description:
Local Stored Objects (LSOs), or Flash Cookies, have become ubiquitous on most systems due to the
extremely high penetration of Flash applications across the Internet. LSOs allow a web application
to store information that can later be accessed by that same application (or domain). They tend to
be much more persistent because they do not expire, and there is no built-in mechanism within the
browser to remove them. In fact, many sites have begun using LSOs for their tracking mechanisms
because they rarely get cleared like traditional cookies.
Location: Internet Explorer
XP %APPDATA%\Macromedia\Flash Player\
XP %APPDATA%\Macromedia\Flash
XP %APPDATA%\Macromedia\Flash Player\macromedia.com\support\ashplayer\sys
Win7 %APPDATA%\Roaming\Macromedia\Flash Player\
Win7 %APPDATA%\Roaming\Macromedia\Flash Player\#SharedObjects\<random prole id>
Win7 %APPDATA%\Roaming\Macromedia\Flash Player\macromedia.com\support\ashplayer\sys
Interpretation:
• Websites visited
• User account used to visit the site
• When cookie was created and last accessed
Session Restore
Description:
Automatic Crash Recovery features built into the browser.
Location: Internet Explorer
XP %userprole%/Local Settings/Application Data/
Microsoft/Internet Explorer/Recovery
Win7 %userprole%/AppData/Local/Microsoft/Internet
Explorer/Recovery
Location: Firefox
XP %userprole%\Application Data\Mozilla\Firefox\
Proles\<random text>.default\sessionstore. js
Win7 %userprole%\AppData\Roaming\Mozilla\Firefox\
Proles\<random text>.default\sessionstore. js
Interpretation:
• Historical websites viewed in each tab
• Referring websites
• Time session ended
• Modied time of .dat les in LastActive folder
• Time each tab opened (only when crash occurred)
• Creation time of .dat les in Active folder
Cookies
Description:
Cookies give insight into what websites have been visited
and what activities may have taken place there.
Location: Internet Explorer
XP %userprole%\Cookies
Win7 %userprole%\AppData\Roaming\Microsoft\
Windows\Cookies
Win7 %userprole%\AppData\Roaming\Microsoft\
Windows\Cookies\Low
Location: Firefox
XP %userprole%\Application Data\Mozilla\Firefox\
Proles\<random text>.default\cookies.sqlite
Win7 %userprole%\AppData\Roaming\Mozilla\Firefox\
Proles\<random text>.default\cookies.sqlite
XP Search – ACMRU
Description:
You can search for a wide range of information
through the search assistant on a Windows XP
machine. The search assistant will remember a
user’s search terms for lenames, computers, or
words that are inside a le. This is an example of
where you can nd the “Search History” on the
Windows system.
Location: NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Search
Assistant\ACMru\####
Interpretation:
• Search the Internet – ####=5001
• All or part of a document name – ####=5603
• A word or phrase in a le – ####=5604
• Printers, Computers and People – ####=5647
Last-Visited MRU
Description:
Tracks the specic executable used by an
application to open the les documented in the
OpenSaveMRU key. In addition, each value also
tracks the directory location for the last le that
was accessed by that application.
Location:
XP NTUSER.DAT\Software\Microsoft\
Windows\CurrentVersion\Explorer\
ComDlg32\ LastVisitedMRU
Win7 NTUSER.DAT\Software\Microsoft\
Windows\CurrentVersion\Explorer\
ComDlg32\ LastVisitedPidlMRU
Interpretation:
Tracks the application executables used to open
les in OpenSaveMRU and the last le path used.
Vista/Win7 Thumbnails
Description:
On Vista/Win7 versions of Windows, thumbs.db does not exist.
The data now sit under a single directory for each user of the
machine located in their application data directory under their
home directory.
Location:
C:\Users\<username>\AppData\Local\Microsoft\Windows\
Explorer\
Interpretation:
• These are created when a user switches a folder to thumbnail
mode or views pictures via a slide show. As it were, our thumbs
are now stored in separate database les. Vista/Win7 has 4 sizes
for thumbnails and the les in the cache folder reect this:
- 32 -> small - 96 -> medium
- 256 -> large - 1024 -> extra large
• The thumbcache will store the thumbnail copy of the picture
based on the thumbnail size in the content of the equivalent
database le.
XP Recycle Bin
Description:
The recycle bin is a very important location on a
Windows le system to understand. It can help you
when accomplishing a forensic investigation, as every
le that is deleted from a Windows recycle bin aware
program is generally rst put in the recycle bin.
Location:
• Hidden System Folder
• Windows XP
- C:\RECYCLER” 2000/NT/XP/2003
- Subfolder is created with user’s SID
- Hidden le in directory called “INFO2”
-
INFO2 Contains Deleted Time and Original Filename
- Filename in both ASCII and UNICODE
Interpretation:
• SID can be mapped to user via Registry Analysis
• Windows XP
- INFO2
• Hidden le in Recycle Bin called INFO2
• Maps le name to the actual name and path
it was deleted from
Win7 Recycle Bin
Description:
The recycle bin is a very important location on a
Windows le system to understand. It can help
you when accomplishing a forensic investigation,
as every le that is deleted from a Windows
recycle bin aware program is generally rst put in
the recycle bin.
Location:
• Hidden System Folder
• Windows 7
- C:\$Recycle.bin
- Deleted Time and Original Filename contained
in separate les for each deleted recovery le
Interpretation:
• SID can be mapped to user via Registry Analysis
• Windows 7
- Files Preceded by $I###### les contain
• Original PATH and name
• Deletion Date/Time
- Files Preceded by $R###### les contain
• Recovery Data
Win7 Search –
WordWheelQuery
Description:
Keywords searched for from the START menu
bar on a Windows 7 machine.
Location: Win7 NTUSER.DAT Hive
NTUSER.DAT\Software\Microsoft\Windows\
CurrentVersion\Explorer\WordWheelQuery
Interpretation:
Keywords are added in Unicode and listed in
temporal order in an MRUlist
Thumbs.db
Description:
Hidden le in directory where pictures
on Windows XP machine exist. Catalogs
all the pictures and stores a copy of the
thumbnail even if the pictures were
deleted.
Location:
Each directory where pictures resided that
were viewed in thumbnail mode. Many
cameras also will auto-generate a thumbs.
db le when you view the pictures on the
camera itself.
Interpretation:
Include:
• Thumbnail Picture of Original
• Last Modication Time
• Original Filename
Index.dat le://
Description:
A little-known fact about the IE History is
that the information stored in the history
les is not just related to Internet browsing.
The history also records local and remote
(via network shares) le access, giving us an
excellent means for determining which les
and applications were accessed on the system,
day by day.
Interpretation:
• Stored in index.dat as:
le:///C:/directory/lename.ext
• Does not mean le was opened in browser
Last Login
Description:
Lists the local accounts of the system and their equivalent
security identiers.
Location:
• C:\windows\system32\cong\SAM
• SAM\Domains\Account\Users
Interpretation:
• Only the last login time will be stored in the registry key
Success / Fail Logons
Description:
Determine which accounts have been used for attempted
logons. Track account usage for known compromised
accounts.
Location:
XP %system root%\System32\cong\SecEvent.evt
Win7 %system root%\System32\winevt\logs\
Security.evtx
Interpretation:
• XP/Win7 - Interpretation
• Event ID - 528/4624 – Successful Logon
• Event ID - 529/4625 – Failed Logon
• Event ID - 538/4634 – Successful Logo
• Event ID - 540/4624 – Successful Network Logon
(example: le shares)
Last Password Change
Description:
Lists the last time the password of a specic user has been
changed.
Location:
• C:\windows\system32\cong\SAM
• SAM\Domains\Account\Users
Interpretation:
• Only the last password change time will be stored in the
registry key
Logon Types
Description:
Logon Events can give us very specic information regarding the nature of account
authorizations on a system if we know where to look and how to decipher the data that
we nd. In addition to telling us the date, time, username, hostname, and success/failure
status of a logon, Logon Events also enables us to determine by exactly what means a
logon was attempted.
Location:
XP Event ID 528
Win7 Event ID 4624
Interpretation:
Logon Type Explanation
2 Logon via console
3 Network Logon
4 Batch Logon
5 Windows Service Logon
7 Credentials used to unlock screen
8 Network logon sending credentials (cleartext)
9 Dierent credentials used than logged on user
10 Remote interactive logon (RDP)
11 Cached credentials used to logon
RDP Usage
Description:
Track Remote Desktop Protocol logons to target machines.
Location: Security Log
XP %system root%\System32\cong\SecEvent.evt
Win7 %system root%\System32\winevt\logs\Security.evtx
Interpretation:
• XP/Win7 - Interpretation
- Event ID 682/4778 – Session Connected / Reconnected
- Event ID 683/4779 – Session Disconnected
• Event log provides hostname and IP address of remote
machine making the connection
• On workstations you will often see current console session
disconnected (683) followed by RDP connection (682)
Windows Artifact Analysis: Evidence of...
UserAssist
Description:
GUI-basedprogramslaunched from the desktop are
tracked in the launcher on a Windows System.
Location: NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\
Currentversion\Explorer\UserAssist\{GUID}\Count
Interpretation:
All values are ROT-13 Encoded
• GUID for XP
- 75048700 Active Desktop
• GUID for Win7
- CEBFF5CD Executable File Execution
- F4E57C4B Shortcut File Execution
• Program Locations for Win7 Userassist
- ProgramFilesX64 6D809377-…
- ProgramFilesX86 7C5A40EF-…
- System 1AC14E77-…
- SystemX86 D65231B0-…
- Desktop B4BFCC3A-…
- Documents FDD39AD0-…
- Downloads 374DE290-…
- UserProles 0762D272-…
©2012 SANS – Created by Rob Lee and the SANS DFIR Faculty
Win7 Jump Lists
Description:
• The Windows 7 task bar (Jump List) is
engineered to allow users to “jump” or
access items have frequently or recently
used quickly and easily. This functionality
cannot only include recent media les; it
must also include recent tasks.
•
The data stored in the AutomaticDestinations
folder will each have a unique le prepended
with the AppID of the association
application and embedded with LNK les in
each stream.
Location:
Win7 C:\Users\<user>\AppData\Roaming\
Microsoft\Windows\Recent\
AutomaticDestinations
Interpretation:
• Using the Structured Storage Viewer,
open up one of the AutomaticDestination
jumplist les.
• Each one of these les is a separate LNK le.
They are also stored numerically in order
from the earliest one (usually 1) to the most
recent (largest integer value).
First / Last Times
Description:
Determine temporal usage of specic USB devices
connected to a Windows Machine.
Location: First Time
• Plug and Play Log Files
XP C:\Windows\setupapi.log
Win7 C:\Windows\inf\setupapi.dev.log
Interpretation:
• Search for Device Serial Number
• Log File times are set to local time zone
Location: Last Time
• NTUSER.DAT Hive: NTUSER//Software/Microsoft/
Windows/CurrentVersion/Explorer/MountPoints2/{GUID}
• Interpretation:
• Using the Serial Number as the marker, you can
determine the last time a specic USB device was last
connected to the local machine
File
Download
Program
Execution
File
Opening /
Creation
Account
Usage
Deleted
File or File
Knowledge
Physical
Location
USB or
Drive
Usage
Browser
Usage
Proper digital forensic and incident response
analysis is essential to successfully solving today’s
complex cases. Each analyst should examine the
artifacts and then analyze the activity that they
describe to determine a clear picture of which
user was involved, what the user was doing, when
the user was doing it, and why. The data here will
help you in nding multiple locations that can
substantiate facts related to your casework.
Each of the rows listed on this page
describes a series of artifacts found
on a Windows system that can help
determine if an action occurred.
Usually multiple artifacts will be
discovered that all point to the same
activity. These locations are a guide
to help you focus your analysis on the
areas in Windows that can best help
you answer simple but critical questions.
The “Evidence of...” categories were originally created
by SANS Digital Forensics ad Incidence Response
faculty for the SANS course FOR408 - Windows
Forensics. The categories map a specic artifact to
the analysis questions that it will help to answer.
Use this poster as a cheat-sheet to help you
remember where you can discover key items to an
activity for Microsoft Windows systems for intrusions,
intellectual property theft, or common cyber crimes.