📄 Document And Folder Artefacts


Created: 12.10.2020

LNK

There are several artifacts indicating user activity. One of them is LNK files. To analyse acquired LNK files, use 🛠 LECmd (E. Zimmerman’s) or Link Parser.

Prefetch

Another mechanism is Prefetch. It’s usually located at C:\Windows\Prefetch. Several tools are available for viewing this artifact: Magnet AXIOM 💰, PECmd.

Recent Files

Recent files (LNK): C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent Files\ on Windows 11, and C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent on Windows 10 and earlier. Each LNK captures the MAC times of the original (target) file.

Last Accessed (filetime, NTFS timestamps) for a file is updated by FTK.

1.18 original file opened

several mins passed

File association

Key 🔑: Classes. For each extension there is an OpenWith entry listing suggestions for which program can be used; that is the file association itself. OpenWithProgIDs holds the user-selected program.

Key 🔑: Software\Microsoft\Windows\CurrentVersion\Applets. Something that comes with Windows (built-in).

Recent documents

Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Contains the list of all recent documents as one bunch, and also the same data sorted by extension. MRUListEx is a list of 4-byte values, each holding the sequence number of a document. It starts with the document that was accessed some time ago (first in the list) and ends with the most recently used one. This key also has a list of recently accessed folders.

βš οΈπŸ”Ž I only had a short binary data stream under the ViewStream subkey.

Office MRU

Key 🔑: NTUSER.DAT\Software\Microsoft\Office\XX.X.

Here you can see whether several versions of Microsoft Office were installed. Expanding Word, Excel, PowerPoint etc. and looking at the entries, each has a Txxxxxxxx field in the middle. That is the time (Win64 big-endian, UTC).
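The two FILETIME encodings mentioned so far, the target MAC times inside an LNK header and the T field of an Office File MRU entry, decoded in one place. This is an added example, not code from the note or from LECmd; the LNK part reads only the fixed 76-byte ShellLink header (the sample header is constructed with build_sample_lnk_header, and a real LNK continues with an ID list and strings), the Office sample values and the C:\Users\analyst\... paths are constructed, and the function names are my own.

```python
"""Decode FILETIMEs from LNK headers and Office File MRU entries (added example)."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


# --- LNK (MS-SHLLINK) fixed header: 0x4C bytes ---
LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME,
# FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
_LNK_HEADER = struct.Struct("<I16sIIQQQIIIHHII")


def parse_lnk_header(data):
    """Return the target's MAC times and size recorded in the LNK header.
    Only the fixed header is read; the ID list and strings after it are ignored."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a LNK file")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = _LNK_HEADER.unpack_from(data)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "link_flags": flags,
        "file_attributes": attrs,
    }


def build_sample_lnk_header(ctime, atime, wtime, fsize):
    """Constructed sample header: no link flags, ARCHIVE attribute, SW_SHOWNORMAL."""
    return _LNK_HEADER.pack(LNK_HEADER_SIZE, LNK_CLSID, 0, 0x20,
                            ctime, atime, wtime, fsize, 0, 1, 0, 0, 0, 0)


# --- Office File MRU: "[F........][Txxxxxxxxxxxxxxxx][O........]*path" ---
# The 16 hex digits are the 64-bit FILETIME written most-significant digit first
# (what the note calls Win64 big-endian). A bare Txxxxxxxxxxxxxxxx is accepted too.
_T_FIELD = re.compile(r"\[?T([0-9A-Fa-f]{16})\]?")


def decode_office_mru_time(entry):
    """Pull the T field out of an Office MRU value and decode it to UTC."""
    m = _T_FIELD.search(entry)
    if not m:
        raise ValueError("no T field in MRU entry")
    return filetime_to_datetime(int(m.group(1), 16))


def decode_office_mru(entries):
    """entries: {value name: value data} from an Office File MRU key.
    Returns [(timestamp, path)] with the most recent first."""
    rows = []
    for data in entries.values():
        path = data.split("*", 1)[1] if "*" in data else data
        rows.append((decode_office_mru_time(data), path))
    return sorted(rows, reverse=True)


# Constructed sample values (not from a real hive); 0x01D6A02AA0BFC000 is 2020-10-12 00:00 UTC.
SAMPLE_FILE_MRU = {
    "Item 1": "[F00000000][T01D6A02AA0BFC000][O00000000]*C:\\Users\\analyst\\Documents\\report.docx",
    "Item 2": "[F00000000][T01D6A01AA0BFC000][O00000000]*C:\\Users\\analyst\\Documents\\old.docx",
}

if __name__ == "__main__":
    header = build_sample_lnk_header(0x01D6A02AA0BFC000, 0x01D6A02AA0BFC000,
                                     0x01D6A01AA0BFC000, 4096)
    for name, value in parse_lnk_header(header).items():
        print(name, value)
    for ts, path in decode_office_mru(SAMPLE_FILE_MRU):
        print(ts.isoformat(), path)
```

The same filetime_to_datetime helper applies to the NTFS and ShellBags timestamps discussed later on this page; only the container format differs.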

Jump List Data and LNK

Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData.

LnkFilesAndJumpLists: Path: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
LnkFilesAndJumpLists: Path: C:\Documents and Settings\*\Recent
LnkFilesAndJumpLists: Path: C:\Documents and Settings\*\Desktop\*.lnk
LnkFilesAndJumpLists: Path: C:\Users\*\Desktop\*.lnk
LnkFilesAndJumpLists: Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\*.db

Shows applications accessed.

ShellBags

Key 🔑: UsrClass\Local Settings\Software\Microsoft\Windows\Shell\BagMRU. Values: MRUListEx, NodeSlot, Subkeys.

Key 🔑: UsrClass\Local Settings\Software\Microsoft\Windows\Shell\Bags. Values: Shell, which holds the folder’s GUID.

volatility.exe -f memory.dmp --profile=Win7SP1x64 shellbags

Created On: when the folder was created/moved/renamed. Last accessed and created are sometimes the same. Last modified is when the preferences were last changed (window resized, view options changed). Mind whether it’s UTC or GMT. Also, this data might be updated with a little lag. The key’s last write time is the ShellBag’s own timestamp.

⚠️ Shortcuts MAC times are not updated!

⚠️ FAT16 only records the date, not the time, so the Last Accessed time for a FAT16-formatted folder will be 00:00:00.000. This is more usual for USB removable media.

Created On, Modified On and Last Accessed On are all file-system timestamps ❗️❗️❗️ However, the registry key’s last write time is its own timestamp, and it seems to be updated even when no preferences were changed.

ShellBags track Windows folder settings (how the view is set), zip files and folder access, even if the information was deleted. They can also show folders on removable media. This data is a little bit confusing at first, but can be digested in a couple of minutes. One important thing to note is that both keys are interconnected. I’ve used arrows, squares and circles to mark data corresponding to each for better visualization on the picture below. Sometimes additional info for NTFS file systems will be available (MFT record number), and the file system type as well, but not always.

⚠️ Folders found in ShellBags but no longer present on the system prove that the user interacted with them.

❓ What about a compromised system? An attacker might have deleted the folder.

Right under the BagMRU key there is only one subkey (in the case of ShellBags, a folder): 0. Its MRUListEx contains a list of the folders inside this one, identified by sequence numbers. In our example there are only three subfolders (and hence three values in the list): 00 00 00 00, just 0 in little-endian (green), 01 00 00 00, just 1 in little-endian (orange), and 02 00 00 00, just 2 in little-endian (purple). Above the MRUListEx there are three values in our case, each corresponding to a subfolder and containing its folder path and name. In the example below the 0 subfolder’s value is expanded and marked with a green circle.

Each of these folders in the list will have a corresponding subkey inside our 0 subkey/folder (marked with arrows on the left).

shell-bag

So, we have the parent folder info, which folders it contains and the paths to them. Now, since ShellBags store folder settings, where are they? Under the second key, Bags. But since sequence numbers are used there as well, how do we find the folder we need? Are these sequence numbers the same as on the picture above? The answer is no. On the picture above, numbering restarts from 0 for each folder’s subfolders, so every folder that has at least one subfolder will have at least a 0 value and a 0 subkey. The Bags subkeys, however, number folders sequentially. Each subkey representing a folder under the BagMRU key we’ve seen above has a value NodeSlot. This is the number it is identified by within the Bags key. See the example below for folder 0.
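The MRUListEx layout described under Recent documents and the BagMRU-to-Bags NodeSlot link described here, worked through in one added Python example (not code from the note or from ShellBagsExplorer). The registry keys are modelled as constructed nested dicts; the BagMRU values hold already-decoded folder names where a real hive holds binary shell items, and the RecentDocs sample blobs carry a few placeholder bytes where the shell item would follow the name. parse_mrulistex, recentdocs_name and walk_bagmru are names I chose.

```python
"""MRUListEx walking for RecentDocs, plus the BagMRU -> Bags NodeSlot link (added example)."""
import struct

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(blob):
    """MRUListEx is a run of 4-byte little-endian sequence numbers terminated by
    FF FF FF FF. Returns the numbers in the order they appear in the value."""
    usable = len(blob) - len(blob) % 4          # ignore a trailing partial DWORD
    if not usable:
        return []
    seq = []
    for (n,) in struct.iter_unpack("<I", blob[:usable]):
        if n == MRU_TERMINATOR:
            break
        seq.append(n)
    return seq


def recentdocs_name(value):
    """A RecentDocs entry starts with the document name as NUL-terminated UTF-16LE,
    followed by a shell item; only the name is extracted here."""
    end = 0
    while end + 1 < len(value) and value[end:end + 2] != b"\x00\x00":
        end += 2
    return value[:end].decode("utf-16-le")


def recentdocs_in_mru_order(key):
    """key models RecentDocs (or one of its per-extension subkeys):
    {"MRUListEx": bytes, "0": bytes, "1": bytes, ...}."""
    return [recentdocs_name(key[str(n)]) for n in parse_mrulistex(key["MRUListEx"])]


def walk_bagmru(key, bags, path=()):
    """Walk a BagMRU key modelled as {"values": {...}, "subkeys": {...}}.
    For each sequence number n in MRUListEx, value "n" names the folder and subkey "n"
    is that folder; its NodeSlot value is the number of the matching Bags\\<NodeSlot> key.
    Returns (folder path, NodeSlot, Bags entry present) rows, recursing into subfolders."""
    rows = []
    for n in parse_mrulistex(key["values"]["MRUListEx"]):
        sub = key["subkeys"][str(n)]
        folder = path + (key["values"][str(n)],)
        slot = sub["values"].get("NodeSlot")
        rows.append((folder, slot, str(slot) in bags))
        if "MRUListEx" in sub["values"]:            # this folder lists subfolders of its own
            rows.extend(walk_bagmru(sub, bags, folder))
    return rows


def mru(*numbers):
    """Build a constructed MRUListEx value from sequence numbers."""
    return b"".join(struct.pack("<I", n) for n in numbers) + b"\xff\xff\xff\xff"


# Constructed RecentDocs key: MRUListEx reads 2, 0, 1; trailing bytes stand in for the shell item.
SAMPLE_RECENTDOCS = {
    "MRUListEx": mru(2, 0, 1),
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00",
    "1": "budget.xlsx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00",
    "2": "notes.txt".encode("utf-16-le") + b"\x00\x00",
}

# Constructed BagMRU: the root lists one folder (0), which lists three subfolders 0, 1, 2,
# mirroring the 00/01/02 example in the note. Real values are binary shell items.
SAMPLE_BAGMRU = {
    "values": {"MRUListEx": mru(0), "0": "Desktop"},
    "subkeys": {
        "0": {
            "values": {"MRUListEx": mru(0, 1, 2), "NodeSlot": 1,
                       "0": "Cases", "1": "Tools", "2": "Old"},
            "subkeys": {
                "0": {"values": {"NodeSlot": 2}, "subkeys": {}},
                "1": {"values": {"NodeSlot": 3}, "subkeys": {}},
                "2": {"values": {"NodeSlot": 4}, "subkeys": {}},
            },
        }
    },
}
# Constructed Bags keyed by NodeSlot; slot 4 is absent, so "Old" appears in BagMRU with no Bags entry.
SAMPLE_BAGS = {"1": {"Shell": "..."}, "2": {"Shell": "..."}, "3": {"Shell": "..."}}

if __name__ == "__main__":
    print(recentdocs_in_mru_order(SAMPLE_RECENTDOCS))
    for folder, slot, present in walk_bagmru(SAMPLE_BAGMRU, SAMPLE_BAGS):
        print("\\".join(folder), "NodeSlot", slot, "Bags entry" if present else "no Bags entry")
```

The walk reports a folder whose NodeSlot has no Bags entry rather than dropping it, because the BagMRU side alone is what records that the folder existed and was browsed.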

shell-bag2

🛠 ShellBagsExplorer (E. Zimmerman) is a tool that helps automate this process, which is useful for larger amounts of data.

shell-bag3

The above is an example of the ShellBagsExplorer for my Windows 10 Parallels VM. Pretty user-friendly representation and lots of valuable information. Note the folders on the very top: \\Mac\vm, \\Mac\Home and \\Mac\AllFiles. Someone who is using Parallels Windows 10 on Mac might note this at once, that this is a VM running on a Mac. Also, both \\Mac\Home and \\Mac\AllFiles are no longer available for Windows 10, but they were not deleted from the registry as you may see. That’s because when folders are deleted, they are not deleted from here, at least not soon.

Office

General Properties takes its information from OS metadata, while the Statistics tab in Word shows the embedded metadata. If the two sets of timestamps differ, it is probably due to a fatal system error: on reboot the file was opened via the recovery option, which changed the embedded timestamps.

Also, some information can be hidden within embedded metadata. Just imagine: most of the data in a tiny Office document is the metadata. 🛠 One of the tools to view it is DocScrubber. Office documents also carry additional metadata that reveals much about the document, for example who edited it, user name, user initials, organisation name, computer name, document location, previous authors, revision logs (Word, Excel), version logs (Word), template file name (Word, PowerPoint), hidden text (Word, Excel), and GUIDs. If the file was renamed and then reopened, it’s seen as a new file and the editing clocks ⏰ start over.

🧹👣 There are certain anti-forensics techniques that allow cleansing a file’s metadata.

Do not forget about autosaved docs (asd). Also, sometimes the Track Changes feature was enabled.

Temp file

Some programs keep temp files. Digital Archaeology [1], page 173 (Kindle, Mining the Temporary Files) has a table of temp files for different applications on a Windows machine. Some of them are deleted on OS shutdown, but can still be carved before they are overwritten.

ADS

Alternate data streams, see more here. Are there such streams for other OS? If yes, how to make them and discover them?

They exist to ensure compatibility between NTFS and HFS (resource forks). They also allow hiding files.

C:\> type C:\mal.exe > C:\readme.txt:naughty.exe
C:\> start readme.txt:naughty.exe
C:\> mklink innocent.exe readme.txt:naughty.exe

REM to run the stream through the symbolic link
C:\> innocent.exe

But dir /r will display all streams. LNS and Sfind will hunt down such files. Also, when you copy files from or to a FAT partition, all alternate streams are dropped, since FAT cannot store them.

On Windows machines (NTFS file system) it’s possible to “append” a file to another file in such a way that this file is not visible with standard tools. This notion is called an alternate data stream. Several problems arise in this case:

  • The host file’s hash is not changed, because technically the stream is not part of the file. To check, use fciv.
  • The host file’s size is not changed, again because technically the stream is not part of the file.
  • These streams are not visible in ordinary listings, so tools such as cmd, PowerShell, Explorer or others won’t show them unless you know the magic 🪄 word. Even if you run type filewithlitter.txt you won’t see the stream’s contents, only the original file’s.

How to create an ADS

type litter.txt > host.txt:litterhidden.txt

How to check a directory for an ADS

streams -s <directory>

How to get a file from a stream

You need to know its name to be able to reference it:

notepad host.txt:litterhidden.txt

If you find a program file with an executable attached, it almost always means something malicious is in place. Sometimes attackers might hide the extension; in that case the file size might be a good reason to dig deeper.

How to delete the stream

streams -s -d <directory>. Quite dangerous, since you might delete something legitimate instead. Some system files are stored as streams for legitimate reasons. Why, by the way?

References

[1] Digital Archaeology Live Lessons by [Michael W Graves](https://learning.oreilly.com/search/?query=author%3A"Michael W Graves"&page=0)