Another mechanism is Prefetch. It’s usually located at
C:\Windows\Prefetch. Several tools are available for viewing this artifact: Magnet AXIOM 💰, PECmd.
Recent files (LNK):
C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent Files\ on Windows 11,
C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent on Windows 10 and earlier. Each LNK captures the MAC times of the original (target) file.
Last Accessed (filetime, NTFS timestamps) for a file is updated by FTK.
1.18 original file opened
several mins passed
Classes. For each extension there is an
OpenWith subkey: suggestions for which program can be used. That’s the file association itself.
OpenWithProgIDs: user-selected.
Software\Microsoft\Windows\CurrentVersion\Applets: something that comes with Windows (built-in).
This key contains the list of all recent documents as a whole and also the same data sorted by extension.
MRUListEx is a list. It holds a number of 4-byte values, each giving the sequence number of a document. It starts from the document that was accessed some time ago (first in the list) and ends with the most recently used one. This key also has a list of recently accessed folders.
⚠️🔎 I only had a short binary data stream under the
You can also see whether several versions of Microsoft Office were installed. Expanding Word, Excel, PowerPoint, etc. and looking at the entries, each has a
Txxxxxxxx component in the middle. That’s a time (Win64 FILETIME written big-endian, UTC).
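An added example (not code from these notes) of decoding that T component. It assumes the File MRU entry layout `[F…][T…][O…]*path`, a constructed sample entry, and a default key path for Office 16.0 Word that you may need to adjust for your version:

```powershell
# Added example, not from the notes: decode the T component of an Office
# File MRU entry. Entry format assumed (constructed sample at the bottom):
#   [F00000000][T01D6FA0B3A0A1234][O00000000]*C:\Users\alice\Documents\report.docx
# The 16 hex digits after T are a Windows FILETIME (100-ns ticks since
# 1601-01-01 UTC) written most-significant digit first, so the string can be
# parsed straight into a 64-bit integer.

function ConvertFrom-OfficeMruEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $pattern = '^\[F(?<f>[0-9A-Fa-f]{8})\]\[T(?<t>[0-9A-Fa-f]{16})\]\[O(?<o>[0-9A-Fa-f]{8})\]\*(?<path>.+)$'
    if (-not ($Entry -match $pattern)) {
        throw "Not an Office File MRU entry: $Entry"
    }
    $ticks = [Convert]::ToInt64($Matches['t'], 16)
    [pscustomobject]@{
        Path      = $Matches['path']
        OpenedUtc = [DateTime]::FromFileTimeUtc($ticks)   # FILETIME is already UTC
        RawT      = $Matches['t']
    }
}

# Decode every 'Item N' value under a File MRU key. The default key path is
# an assumption for Office 2016+ Word; older versions live under 15.0 / 14.0
# and have no 'User MRU\<id>' level, so pass -KeyPath explicitly there.
function Get-OfficeFileMru {
    param([string]$KeyPath = 'HKCU:\Software\Microsoft\Office\16.0\Word\User MRU')
    Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'File MRU' } |
        ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            $props.PSObject.Properties |
                Where-Object { $_.Name -like 'Item *' } |
                ForEach-Object { ConvertFrom-OfficeMruEntry -Entry $_.Value }
        }
}

# Constructed sample entry (not taken from a real hive)
ConvertFrom-OfficeMruEntry '[F00000000][T01D6FA0B3A0A1234][O00000000]*C:\Users\alice\Documents\report.docx'
```

Run `Get-OfficeFileMru` on a live system, or point `-KeyPath` at a mounted NTUSER.DAT hive loaded under HKU, to list every document with its UTC open time.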
Jump List Data and LNK
LnkFilesAndJumpLists paths:
- C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
- C:\Documents and Settings\*\Recent
- C:\Documents and Settings\*\Desktop\*.lnk
- C:\Users\*\Desktop\*.lnk
- C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\*.db
Shows applications accessed.
Key 🔑:
UsrClass\Local Settings\Software\Microsoft\Windows\Shell\BagMRU. Values:
Key 🔑:
UsrClass\Local Settings\Software\Microsoft\Windows\Shell\Bags. Values:
Shell subkey, which will have the folder’s GUID.
volatility.exe -f memory.dmp --profile=Win7SP1x64 shellbags
Created On: when the folder was created/moved/renamed. Last accessed and created are sometimes the same. Last modified is when the preferences were last changed (window resized, view options changed). Mind whether it’s UTC or GMT. Also, this data might be updated with a little lag.
Last key write time is the ShellBag’s timestamp.
⚠️ Shortcuts MAC times are not updated!
⚠️ FAT16 only records a date, no time, so the
Last accessed time for a FAT16-formatted folder will be
00:00:00.000. This is more usual for USB removable media.
Modified On and
Last accessed on are all FS timestamps ❗️❗️❗️ However,
the Registry last write time is its own timestamp, and it seems to be updated even when no preferences were changed.
Track Windows folder settings (how the view is set), track zip files, folder access, even if information was deleted. Can also show folders on removable media. This data is a little bit confusing at first, but can be digested in a couple of minutes. One important thing to note is that both keys are interconnected. I’ve used arrows, squares and circles to mark data corresponding to each for better visualization on the picture below. Sometimes, additional info for NTFS filesystem will be available (MFT record number) and file system type as well, not always however.
⚠️ Proves that the user interacted with these folders if they are found in ShellBags but not on the system.
❓ How about when being hacked? A hacker might delete the folder.
Under the BagMRU subkey there is only one subkey (which, in the case of ShellBags, represents a folder):
MRUListEx contains a list of the folders inside this one, identified by sequence numbers. In our example there are only three subfolders (and hence three values in the list) in this folder: 00 00 00 00, just 0 in little-endian (green); 01 00 00 00, just 1 in little-endian (orange); and 02 00 00 00, just 2 in little-endian (purple). Above MRUListEx there are three values in our case, each corresponding to a subfolder and containing the folder path and name. In the example below the 0 subfolder’s value is expanded and marked with a green circle.
Each of the folders in the list will have a corresponding subkey inside our 0 subkey/folder (marked with arrows on the left).
So, we have the parent folder info, which folders it contains and the paths to them. Now, since ShellBags store folder settings, where are they? Under the second subkey,
Bags. But since sequence numbers are used here as well, how do we find the folder we need? Are these sequence numbers the same as on the picture above? The answer is no. On the picture above the numbering restarts from
0 for each folder’s subfolders, so that each folder that has at least one subfolder will have at least a
0 value and a
0 subkey. However, the
Bags subkey numbers folders sequentially. Each subkey representing a folder in a
BagMRU subkey, as we’ve seen above, will have a value
NodeSlot. This is the number it’s identified by within the
Bags subkey. See the below example for the folder
🛠 ShellBagsExplorer (E. Zimmerman) is a tool that helps automate this process, which is useful for larger amounts of data.
The above is an example of the ShellBagsExplorer for my Windows 10 Parallels VM. Pretty user-friendly representation and lots of valuable information. Note the folders on the very top:
\\Mac\AllFiles. Someone who is using Parallels Windows 10 on Mac might note this at once, that this is a VM running on a Mac. Also, both
\\Mac\AllFiles are no longer available for Windows 10, but they were not deleted from the registry as you may see. That’s because when folders are deleted, they are not deleted from here, at least not soon.
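An added example (not code from these notes or from ShellBagsExplorer) that walks the live BagMRU tree of the current user, decodes each MRUListEx, and follows every folder node’s NodeSlot to its Bags key. It assumes the standard UsrClass key paths under HKCU\Software\Classes and leaves the folder shell items as raw bytes; decoding those names is what ShellBagsExplorer does.

```powershell
# Added example, not from the notes: show the BagMRU -> Bags linkage for the
# current user. Each BagMRU subkey is a folder; its MRUListEx orders the
# subfolders; its NodeSlot value names the Bags\<NodeSlot> key that holds the
# folder's view settings. Read-only.

$BagMruRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
$BagsRoot   = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags'

# MRUListEx is a run of 4-byte little-endian sequence numbers ended by FF FF FF FF.
function ConvertFrom-MruListEx {
    param([byte[]]$Bytes)
    $order = @()
    if (-not $Bytes) { return $order }
    for ($i = 0; $i + 4 -le $Bytes.Length; $i += 4) {
        $n = [BitConverter]::ToUInt32($Bytes, $i)
        if ($n -eq 0xFFFFFFFF) { break }   # list terminator
        $order += $n
    }
    return $order
}

function Get-ShellBagTree {
    param([string]$KeyPath = $BagMruRoot, [string]$Crumb = 'BagMRU')
    $key = Get-Item -LiteralPath $KeyPath
    $mru = ConvertFrom-MruListEx ($key.GetValue('MRUListEx'))
    foreach ($seq in $mru) {
        $childPath = Join-Path $KeyPath $seq
        if (-not (Test-Path -LiteralPath $childPath)) { continue }   # value without a subkey: a leaf folder
        $child  = Get-Item -LiteralPath $childPath
        $slot   = $child.GetValue('NodeSlot')
        $bagKey = if ($null -ne $slot) { Join-Path $BagsRoot $slot } else { $null }
        [pscustomobject]@{
            BagMruPath = "$Crumb\$seq"
            NodeSlot   = $slot
            BagsKey    = $bagKey
            HasBag     = [bool]($bagKey -and (Test-Path -LiteralPath $bagKey))
            ItemBytes  = ($key.GetValue("$seq")).Length   # raw shell item for this folder
        }
        Get-ShellBagTree -KeyPath $childPath -Crumb "$Crumb\$seq"   # recurse into subfolders
    }
}

Get-ShellBagTree | Format-Table -AutoSize
```

A row with a NodeSlot but HasBag = False means the folder was browsed but its view settings have not been written yet (or were removed), which is worth noting when you correlate timestamps.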
General Properties gets its information from OS metadata, while the Statistics tab in
word.exe shows embedded metadata. If the timestamps differ, it is probably due to a fatal system error: on reboot the file was opened by the recovery option, which changed the embedded timestamps.
Also, some information can be hidden within embedded metadata. Just imagine, most of the data in a tiny office document is the metadata. 🛠 One of the tools to view it is
DocScrubber. Office documents also have additional metadata that reveals much about the document, for example, who edited it, user name, user initials, organisation name, computer name, document location, previous authors, revision logs (Word, Excel), version logs (Word), template file name (Word, PowerPoint), hidden text (Word, Excel), GUIDs. If the file was renamed and then reopened, it’s seen as a new file and the editing clocks ⏰ start over.
🧹👣 There are certain anti-forensics techniques that allow cleansing the file’s metadata.
Do not forget about autosaved docs (.asd). Also, sometimes the Track Changes feature was enabled.
Some programs keep tmp files. Digital Archaeology, page 173 (Kindle, Mining the Temporary Files) has a table of temp files for different applications on a Windows machine. Some of them are deleted on OS shutdown, but can often be carved before they are overwritten.
Alternate data streams, see more here. Are there such streams for other OSes? If yes, how to make them and discover them?
Their purpose: to ensure compatibility between NTFS and HFS. They allow hiding files.
type C:\mal.exe > C:\readme.txt:naughty.exe
start readme.txt:naughty.exe
mklink innocent.exe readme.txt:naughty.exe (to run innocent.exe)
dir /r will display all streams. LNS and Sfind will hunt down such files. Also, when you copy files to and from a FAT partition, any attached streams are lost.
On Windows machines (NTFS file system) it’s possible to “append” a file to another file in such a way that the appended file is not visible with standard tools. This notion is called an alternate data stream. Several problems arise in this case:
- The host file’s hash is not changed, because technically it is not a part of this file. To check -
- The host file’s size is not changed, again, because technically it is not a part of this file.
- These files are not visible to the file system tools, and therefore cmd, PowerShell, Explorer and others won’t see them if you don’t know the magic 🪄 word. Even if you run
type filewithlitter.txt you won’t see the stream file’s contents, only the original one’s.
How to create an ADS
type litter.txt > host.txt:litterhidden.txt
How to check a directory for an ADS
streams -s <directory>
How to get a file from a stream
You need to know its name to be able to reference it:
If you find a program file with an executable attached, it almost always means something malicious is in place. Sometimes attackers might hide the extension; in this case the file size may be a good reason to dig deeper.
How to delete the stream
streams -s -d <directory>. Quite dangerous since you might delete something good instead. Some system files are stored as streams for legitimate reasons. Why, btw?
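An added read-only scan (not code from these notes, and not the Sysinternals streams tool) for the checks above: it enumerates every stream under a directory with Get-Item -Stream, skips the default ::$DATA stream, labels Zone.Identifier as the usual benign one, and reads the first two bytes of each remaining stream to spot an executable (MZ header) hidden behind a harmless-looking host. The scan path is an assumption; nothing is deleted.

```powershell
# Added example, not from the notes: find alternate data streams and flag the
# ones that look like executables. Requires NTFS; run from a PowerShell session
# on the machine or against a mounted image.

function Find-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every NTFS stream; the main content is ':$DATA'
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_.Stream
            $isExe  = $false
            try {
                # .NET accepts the host:stream syntax, so the stream opens like a file
                $fs   = [System.IO.File]::OpenRead("${file}:${stream}")
                $hdr  = New-Object byte[] 2
                $read = $fs.Read($hdr, 0, 2)
                $fs.Dispose()
                $isExe = ($read -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)   # 'MZ'
            } catch { }

            $verdict = if ($stream -eq 'Zone.Identifier') { 'mark-of-the-web (usually benign)' }
                       elseif ($isExe) { 'PE executable in stream: investigate' }
                       else { 'review' }

            [pscustomobject]@{
                File    = $file
                Stream  = $stream
                Length  = $_.Length
                Verdict = $verdict
            }
        }
    }
}

# Assumed scan location; extract a hit for review with:
#   Get-Content -LiteralPath <host file> -Stream <stream name>
Find-AlternateDataStream -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Because the host file’s hash and reported size do not change, this enumeration is the check to run rather than hashing; a stream whose Length is far larger than the host file is the size clue mentioned above.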
Obtain an image or physical evidence to work with. For Android, to see installed apps and recent activity:
packages.xml: to see permissions for all applications in one place. For example, if an application has an SMS or messaging permission, you’ll know where to look. Or, for example, I need all applications with chat permissions or access to the camera.
- usage history
- battery stats
- recent images
tccb on iOS?
Chromebook - extension preferences file.
Run commercial tools to parse the info. If that fails, try to find some specific parser, maybe for a similar app, and try it.
Create profiles, and do not use any real data for generation.
Fake data - mockaroo and generatedata.com
- take the snapshot of the system state before populating with data
- Write a script-plan
- take notes
- perform actions 1 min apart
- screencap actions
- document them (log with script)
- compare with the baseline “snapshot” from step 1.
Do not make assumptions before testing! For example, a QuizUp game folder contained some usernames and pictures and the assumption would be that this person was in touch with the suspect. However, testing revealed that when you choose to randomly find you a rival from around the globe 🌎, QuizUp automatically adds them to the player’s contacts.
Jessica advises using appropriate viewers for specific files, but I would also recommend checking these files in hex as well. There was once a case when I performed a vulnerability assessment of a mobile application and I got a SQLite DB, opened it in SQLite Browser DB and couldn’t find the data I was looking for. However, the
grep command showed that this data was in the DB. I opened it in hex and noticed that it might have been damaged, because there was an amount of data almost the same size as the visible one that was not shown in the viewer. Perhaps those were some deleted rows, or the DB was damaged indeed.
Applications of different versions or platforms may have different data structure. For example, iOS QuizUp had a geolocation field, while Android didn’t at that point in time. 
https://www.magnetforensics.com/blog/analysis-of-graykey-images-with-axiom-new-knowledgec-database-artifact-additions/
• /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
• /private/var/mobile/Library/Containers/Data/Application/[APPGUID]/Library/Splashboard/Snapshots/