Windows Artifact Analysis: Evidence of...

SSgt Widomski (USMC)

File Download
Open/Save MRU E-mail Attachments Skype History
Description: Description: Description:
In the simplest terms, this key tracks files that The e-mail industry estimates that 80% of e-mail • Skype history keeps a log of chat sessions and
have been opened or saved within a Windows data is stored via attachments. E-mail standards files transferred from one machine to another
shell dialog box. This happens to be a big data only allow text. Attachments must be encoded • This is turned on by default in Skype
set, not only including web browsers like Internet with MIME/ base64 format. installations
Explorer and Firefox, but also a majority of
commonly used applications. Location: Location:
Outlook XP
Location: XP C:\Documents and Settings\<username>\Application\
XP %USERPROFILE%\Local Settings\ Skype\<skype-name>
NTUSER.DAT\Software\Microsoft\Windows\ ApplicationData\Microsoft\Outlook
CurrentVersion\Explorer\ComDlg32\OpenSaveMRU Win7/8/10
Win7/8/10 C:\%USERPROFILE%\AppData\
Win7/8/10 %USERPROFILE%\AppData\Local\ Roaming\Skype\<skype-name>
NTUSER.DAT\Software\Microsoft\Windows\ Microsoft\Outlook
CurrentVersion\Explorer\ComDlg32\ Interpretation:
OpenSavePIDlMRU Interpretation: Each entry will have a date/time value and a
MS Outlook data files found in these locations Skype username associated with the action
Interpretation: include OST and PST files. One should also
• The “*” key – This subkey tracks the most check the OLK and Content.Outlook folder,
recent files of any extension input in an which might roam depending on the specific
OpenSave dialog version of Outlook used. For more information
on where to find the OLK folder this link has a
• .??? (Three letter extension) – This subkey handy chart:
stores file info from the OpenSave dialog by
specific extension http://www.hancockcomputertech.com/
blog/2010/01/06/find-the-microsoft-
outlooktemporary-olk-folder

Browser Artifacts Downloads ADS Zone.Identifer

Description: Description: Description:
Not directly related to “File Download”. Details Firefox and IE has a built-in download manager Starting with XP SP2 when files are downloaded
stored for each local user account. Records application which keeps a history of every file from the “Internet Zone” via a browser to a NTFS
number of times visited (frequency). downloaded by the user. This browser artifact volume, an alternate data stream is added to the
can provide excellent information about what file. The alternate data stream is named “Zone.
Location: sites a user has been visiting and what kinds of Identifier.”
Internet Explorer: files they have been downloading from them.
• IE8-9 Interpretation:
%USERPROFILE%\AppData\Roaming\Microsoft\W Location: Files with an ADS Zone.Identifier and contains
indows\IEDownloadHistory\index.dat Firefox: ZoneID=3 were downloaded from the Internet
• XP • URLZONE_TRUSTED = ZoneID = 2
• IE10-11 %userprofile%\Application Data\Mozilla\ Firefox\ • URLZONE_INTERNET = ZoneID = 3
%USERPROFILE%\AppData\Local\Microsoft\Wind Profiles\<random text>.default\ • URLZONE_UNTRUSTED = ZoneID = 4
ows\WebCache\WebCacheV*.dat downloads.sqlite

Firefox: • Win7/8/10
• v3-25 %userprofile%\AppData\Roaming\Mozilla\ %userprofile%\AppData\Roaming\Mozilla\ Firefox\
Firefox\Profiles\<random text>.default\ Profiles\<random text>.default\downloads.sqlite
downloads.sqlite
• v26+ %userprofile%\AppData\Roaming\Mozilla\ Internet Explorer:
Firefox\Profiles\<random text>.default\ • IE8-9
places.sqliteTable:moz_annos %USERPROFILE%\AppData\Roaming\Microsoft\
Windows\IEDownloadHistory\
Chrome:
• Win7/8/10 • IE10-11
%USERPROFILE%\AppData\Local\Google\Chrome %USERPROFILE%\AppData\Local\Microsoft\
\UserData\Default\History Windows\WebCache\ WebCacheV*.dat

Interpretation: Interpretation:
Many sites in history will list the files that were Downloads will include:
opened from remote sites and downloaded to • Filename, Size, and Type
the local system. History will record the access • Download from and Referring Page
to the file on the website that was accessed via a • File Save Location • Application Used to Open
link. File
• Download Start and End Times
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

UserAssist
UserAssist AppCompatCache RunMRU Start->Run
Description: Description: Description:
GUI-based programs launched from the desktop • Windows Application Compatibility Database is Whenever someone does a Start -> Run
are tracked in the launcher on a Windows used by Windows to identify possible application command, it will log the entry for
System. compatibility challenges with executables. the command they executed.
• Tracks the executables file name, file size, last Location:
Location: modified time, and in Windows XP the last NTUSER.DAT HIVE
NTUSER.DAT HIVE update time NTUSER.DAT\Software\Microsoft\Windows\Current
NTUSER.DAT\Software\Microsoft\Windows\Current Version\Explorer\RunMRU
version\Explorer\UserAssist\{GUID}\Count Location: Interpretation:
Interpretation: XP The order in which the commands are executed
All values are ROT-13 Encoded SYSTEM\CurrentControlSet\Control\ is listed in the RunMRU list
• GUID for XP SessionManager\AppCompatibility value. The letters represent the order in which
- 75048700 Active Desktop Win7/8/10 the commands were executed.
• GUID for Win7/8/10
- CEBFF5CD Executable File Execution
SYSTEM\CurrentControlSet\Control\Session
Manager\AppCompatCache RecentApps
- F4E57C4B Shortcut File Execution Interpretation: Description:
Any executable run on the Windows system Program execution launched on the Win10
could be found in this key. You can use this key system are tracked in the
BAM/DAM to identify systems that specific malware was RecentApps key
Description: executed on. In addition, based on the Location:
Windows Background Activity Moderator (BAM) interpretation of the timebased data you might Win10
Location: be able to determine the last time of execution or NTUSER.DAT\Software\Microsoft\Windows\Current
Win10 activity on the system. Version\Search\
SYSTEM\CurrentControlSet\Services\bam\ • Windows XP contains at most 96 entries RecentApps
UserSettings\{SID} - LastUpdateTime is updated when the files are Interpretation:
SYSTEM\CurrentControlSet\Services\dam\ executed Each GUID key points to a recent application.
UserSettings\{SID} • Windows 7 contains at most 1,024 entries AppID = Name of Application
Investigative Notes - LastUpdateTime does not exist on Win7 LastAccessTime = Last execution time in UTC
Provides full path of the executable file that was systems LaunchCount = Number of times executed
run on the system and last execution date/time

Last-Visited MRU Jump Lists Prefetch

Description: Description: Description:
Tracks the specific executable used by an • The Windows 7 task bar (Jump List) is • Increases performance of a system by
application to open the files documented in engineered to allow users to “jump” or access pre-loading code pages of commonly used
the OpenSaveMRU key. In addition, each value items they have frequently or recently used applications. Cache Manager monitors all files
also tracks the directory location for the last quickly and easily. This functionality cannot and directories referenced for each application
file that was accessed by that application. only include recent media files; it must also or
Example: include recent tasks. process and maps them into a .pf file. Utilized to
Notepad.exe was last run using the • The data stored in the AutomaticDestinations know an application was executed on a system.
C:\%USERPROFILE%\Desktop folder folder will each have a unique file prepended • Limited to 128 files on XP and Win7
with the AppID of the associated application. • Limited to 1024 files on Win8
Location: Location: • (exename)-(hash).pf
XP Win7/8/10 Location:
NTUSER.DAT\Software\Microsoft\Windows\ C:\%USERPROFILE%\AppData\Roaming\ WinXP/7/8/10
CurrentVersion\Explorer\ComDlg32\ Microsoft\Windows\Recent\ C:\Windows\Prefetch
LastVisitedMRU AutomaticDestinations Interpretation:
Interpretation: • Each .pf will include last time of execution,
Win7/8/10 • First time of execution of application. number of times run, and device and file handles
NTUSER.DAT\Software\Microsoft\Windows\ - Creation Time = First time item added to used by the program
CurrentVersion\Explorer\ComDlg32\ the AppID file. • Date/Time file by that name and path was first
LastVisitedPidlMRU • Last time of execution of application w/file executed
open. - Creation Date of .pf file (-10 seconds)
Interpretation: - Modification Time = Last time item added • Date/Time file by that name and path was last
Tracks the application executables used to to the AppID file. executed
open files in OpenSaveMRU and the last file • List of Jump List IDs -> - Embedded last execution time of .pf file
path used. http://www.forensicswiki.org/wiki/ - Last modification date of .pf file (-10 seconds)
List_of_Jump_List_IDs - Win8-10 will contain last 8 times of execution

Amacache.hve/RecentFileCache.bcf Interpretation:
• RecentFileCache.bcf – Executable PATH and FILENAME
Description: and the program is probably new to the system
ProgramDataUpdater (a task associated with the • The program executed on the system since the last
Application Experience Service) uses the registry file ProgramDataUpdated task has been run
RecentFilecache.bcf to store data during process creation • Amcache.hve – Keys = Amcache.hve\Root\File\{Volume GUID}\#######
Location: • Entry for every executable run, full path information,
Win7/8/10 File’s $StandardInfo Last Modification Time, and Disk
C:\Windows\AppCompat\Programs\Amcache.hve volume the executable was run from
(Windows 7/8/10) • First Run Time = Last Modification Time of Key
Win7 • SHA1 hash of executable also contained in the key
C:\Windows\AppCompat\Programs\RecentFilecache.bcf
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

File/Folder Opening
Open/Save MRU Shortcut (LNK) Files Recent Files
Description: Description: Description:
In the simplest terms, this key tracks files that • Shortcut Files automatically created by Registry Key that will track the last files and
have been opened or saved within a Windows Windows folders opened and is used to populate data in
shell dialog box. This happens to be a big data - Recent Items “Recent” menus of the Start menu.
set, not only including web browsers like Internet - Opening local and remote data files and Location:
Explorer and Firefox, but also a majority of documents will generate a shortcut file (.lnk) NTUSER.DAT
commonly used applications. Location: NTUSER.DAT\Software\Microsoft\Windows\
Location: XP CurrentVersion\Explorer\RecentDocs
XP • C:\%USERPROFILE%\Recent Win7/8/10 Interpretation:
NTUSER.DAT\Software\Microsoft\Windows\Current • C:\%USERPROFILE%\AppData\Roaming\ • RecentDocs – Overall key will track the overall
Version\Explorer\ComDlg32\OpenSaveMRU Microsoft\Windows\Recent\ order of the last 150 files or folders opened.
Win7/8/10 • C:\%USERPROFILE%\AppData\Roaming\ MRU list will keep track of the temporal order in
NTUSER.DAT\Software\Microsoft\Windows\Current Microsoft\Office\Recent\ which each file/ folder was opened. The last
Version\Explorer\ComDlg32\OpenSavePIDlMRU Note these are primary locations of LNK files. entry and modification time of this key will be the
Interpretation: They can also be found in other locations. time and location the last file of a specific
• The “*” key – This subkey tracks the most Interpretation: extension was opened.
recent files of any extension input in an • Date/Time file of that name was first opened • .??? – This subkey stores the last files with a
OpenSave dialog - Creation Date of Shortcut (LNK) File specific extension that were opened. MRU list
• .??? (Three letter extension) – • Date/Time file of that name was last opened will keep track of the temporal order in which
This subkey stores file info from the OpenSave - Last Modification Date of Shortcut (LNK) File each file was opened. The last entry and
dialog by specific extension • LNKTarget File (Internal LNK File Information) modification time of this key will be the time
Data: when and location where the last file of a
IE|Edge file:// - Modified, Access, and Creation times of the
target file
specific extension was opened.
Description: • Folder – This subkey stores the last folders
- Volume Information (Name, Type, Serial that were opened. MRU list will keep track of the
• A little known fact about the IE History is that
Number) temporal order in which each folder was opened.
the information stored in the history files is not
- Network Share information The last entry and modification time of this key
just related to Internet browsing. The history also
- Original Location will be the time and location of the last folder
records local, removable, and remote (via
- Name of System opened.
network shares) file access, giving us an
excellent means for determining which files and
applications were accessed on the system, day Shell Bags Last-Visited MRU
by day. Description: Description:
Location: • Which folders were accessed on the local Tracks the specific executable used by an
Internet Explorer: machine, the network, and/or removable application to open the files documented in the
• IE6-7 devices. Evidence of previously existing OpenSaveMRU key. In addition, each value also
%USERPROFILE%\Local Settings\ History\ folders after deletion/overwrite. When certain tracks the directory location for the last file that
History.IE5 folders were accessed. was accessed by that application.
• IE8-9 Location: Example:
%USERPROFILE%\AppData\Local\Microsoft\ Explorer Access Notepad.exe was last run using the
Windows\History\ • USRCLASS.DAT\Local Settings\ C:\Users\Rob\Desktop folder
History.IE5 Software\Microsoft\Windows\ Shell\Bags Location:
• IE10-11 • USRCLASS.DAT\Local Settings\ XP
%USERPROFILE%\AppData\Local\Microsoft\Wind Software\Microsoft\Windows\ Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\
ows\WebCache\WebCacheV*.dat Desktop Access CurrentVersion\Explorer\ComDlg32\
Interpretation: • NTUSER.DAT\Software\ Microsoft\Windows\Shell\ LastVisitedMRU
• Stored in index.dat as: BagMRU Win7/8/10
file:///C:/directory/filename.ext •NTUSER.DAT\Software\Microsoft\Windows\ NTUSER.DAT\Software\Microsoft\Windows\
• Does not mean file was opened in browser Shell\Bags CurrentVersion\Explorer\ComDlg32\
Interpretation: LastVisitedPidlMRU
Stores information about which folders were Interpretation:
Jump Lists most recently browsed by the user. Tracks the application executables used to open
Description: files in OpenSaveMRU and the last file path
• The Windows 7 task bar (Jump List) is used.
engineered to allow users to “jump” or access Office Recent Files
items have frequently or recently used quickly Description:
MS Office programs will track their own Recent
and easily. This functionality cannot only include
Files list to make it easier for users to remember
Prefetch
recent media files; it must also include recent Description:
tasks. the last file they were editing.
Location: • Increases performance of a system by pre-
• The data stored in the AutomaticDestinations loading code pages of commonly used
folder will each have a unique file prepended NTUSER.DAT\Software\Microsoft\Office\VERSION
• 14.0 = Office 2010 applications. Cache Manager monitors all files
with the AppID of the association application and and directories referenced for each application
embedded with LNK files in each stream. • 12.0 = Office 2007
• 11.0 = Office 2003 or process and maps them into a .pf file. Utilized
Location: to know an application was executed on
Win7/8/10 • 10.0 = Office XP
a system.
C:\%USERPROFILE%\AppData\Roaming\ • Limited to 128 files on XP and Win7
Microsoft\Windows\Recent\AutomaticDestinations NTUSER.DAT\Software\Microsoft\Office\VERSION\
UserMRU\LiveID_####\FileMRU • Limited to 1024 files on Win8-10
Interpretation: • (exename)-(hash).pf
• 15.0 = Office 365
• Using the Structured Storage Viewer, Location:
open up one of the AutomaticDestination WinXP/7/8/10
Interpretation:
jumplist files. C:\Windows\Prefetch
Similar to the Recent Files, this will track the last
• Each one of these files is a separate LNK Interpretation:
files that were opened by each MS Office
file. They are also stored numerically in • Can examine each .pf file to look for file
application. The last entry added, per the MRU,
order from the earliest one (usually 1) to handles recently used
will be the time the last file was opened by a
the most recent (largest integer value). • Can examine each .pf file to look for device
specific MS Office application.
handles recently used
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

Deleted File or File Knowledge

XP Search – ACMRU Last-Visited MRU Win7/8/10 Recycle Bin
Description: Description: Description:
You can search for a wide range of information Tracks the specific executable used by an The recycle bin is a very important location on a
through the search assistant on a Windows XP application to open the files documented Windows file system to understand. It can help
machine. The search assistant will remember a in the OpenSaveMRU key. In addition, each you when accomplishing a forensic investigation,
user’s search terms for filenames, computers, or value also tracks the directory location for the as every file that is deleted from a Windows
words that are inside a file. This is an example of last file that was accessed by that application. recycle bin aware program is generally first put
where you can find the “Search History” on the in the recycle bin.
Windows system. Location:
XP Location:
Location: NTUSER.DAT\Software\Microsoft\Windows\ Hidden System Folder
NTUSER.DAT HIVE CurrentVersion\Explorer\ComDlg32\ Win7/8/10
NTUSER.DAT\Software\Microsoft\Search LastVisitedMRU • C:\$Recycle.bin
Assistant\ACMru\#### • Deleted Time and Original Filename contained
Win7/8/10 in separate files for each deleted recovery file
Interpretation: NTUSER.DAT\Software\Microsoft\Windows\
• Search the Internet – ####=5001 CurrentVersion\Explorer\ComDlg32\
Interpretation:
• All or part of a document name – ####=5603 LastVisitedPidlMRU
• SID can be mapped to user via Registry
• A word or phrase in a file – ####=5604 Analysis
• Printers, Computers and People – ####=5647 Interpretation:
• Win7/8/10
Tracks the application executables used to open
- Files Preceded by $I###### files contain
XP Recycle Bin files in OpenSaveMRU and the last file path
used.
• Original PATH and name
Description: • Deletion Date/Time
The recycle bin is a very important location on a - Files Preceded by $R###### files contain
Windows file system to understand. It can help • Recovery Data
you when accomplishing a forensic investigation,
as every file that is deleted from a Windows
Thumbs.db
Description:
recycle bin aware program is generally first put Hidden file in directory where images on
in the recycle bin.
machine exist stored in a smaller thumbnail
graphics. thumbs.db catalogs pictures in a
Location:
folder and stores a copy of the thumbnail
Hidden System Folder even if the pictures were deleted.
Windows XP Thumbscache
• C:\RECYCLER” 2000/NT/XP/2003 Location: Description:
• Subfolder is created with user’s SID WinXP/Win8|8.1 Thumbnails of pictures, office documents, and
• Hidden file in directory called “INFO2” folders exist in a database called the
Automatically created anywhere with
• INFO2 Contains Deleted Time and Original thumbcache. Each user will have their own
homegroup enabled
Filename database based on the thumbnail sizes
• Filename in both ASCII and UNICODE Win7/10 viewed by the user (small, medium, large, and
Interpretation: extra-larger)
Automatically created anywhere and
• SID can be mapped to user via Registry accessed via a UNC Path (local or remote)
Analysis Location:
• Maps file name to the actual name and path it Interpretation: C:\%USERPROFILE%\AppData\Local\Microsoft\
was deleted from Include: Windows\Explorer
• Thumbnail Picture of Original Picture
Interpretation:
IE|Edge file:// • Document Thumbnail – Even if Deleted
• These are created when a user switches a
Description: • Last Modification Time (XP Only)
• Original Filename (XP Only) folder to thumbnail mode or views pictures via a
A little-known fact about the IE History is that the slide show. As it were, our thumbs are now
information stored in the history files is not just stored in separate database files. Win7+ has 4
related to Internet browsing. The history also sizes for thumbnails and the files in the cache
records local and remote (via network shares) Search – WordWheelQuery folder reflect this:
file access, giving us an excellent means for Description: - 32 -> small - 96 -> medium
determining which files and applications were Keywords searched for from the START menu - 256 -> large - 1024 -> extra large
accessed on the system, day by day. bar on a Windows 7 machine. • The thumbscache will store the thumbnail copy
of the picture based on the thumbnail size in the
Location: Location: content of the equivalent database file.
Internet Explorer: Win7/8/10 NTUSER.DAT Hive
IE6-7 NTUSER.DAT\Software\Microsoft\Windows\
%USERPROFILE%\LocalSettings\ CurrentVersion\Explorer\WordWheelQuery
History\History.IE5
Interpretation:
IE8-9 Keywords are added in Unicode and listed in
%USERPROFILE%\AppData\Local\Microsoft\ temporal order in an MRUlist
WindowsHistory\History.IE5

IE10-11
%USERPROFILE%\AppData\Local\Microsoft\
Windows\WebCache\WebCacheV*.dat

Interpretation:
• Stored in index.dat as:
file:///C:/directory/filename.ext
• Does not mean file was opened in browser
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

Physical Location
Timezone Cookies Browser SearchTerms
Description: Description: Description:
Identifies the current system time zone. Cookies give insight into what websites have Records websites visited by date and time.
been visited and what activities may have taken Details stored for each local user account.
Location: place there. Records number of times visited (frequency).
SYSTEM Hive Also tracks access of local system files. This will
SYSTEM\CurrentControlSet\Control\ Location: also include the website history of search terms
TimeZoneInformation Internet Explorer in search engines.
• IE6-8
Interpretation: %USERPROFILE%\AppData\Roaming\Microsoft\ Location:
• Time activity is incredibly useful for correlation Windows\Cookies Internet Explorer
of activity • IE6-7
• Internal log files and date/timestamps will be • IE10 %USERPROFILE%\Local Settings\
based on the system time zone information %USERPROFILE%\AppData\Roaming\Microsoft\ History\History.IE5
• You might have other network devices and you Windows\Cookies
will need to correlate information to the time • IE8-9
zone information collected here • IE11 %USERPROFILE%\AppData\Local\Microsoft\
%USERPROFILE%\AppData\Local\Microsoft\ Windows\History\History.IE5
Windows\INetCookies
Network History Firefox • IE10-11
Description: %USERPROFILE%\AppData\Local\Microsoft\
• Identify networks that the computer has been • XP Windows\WebCache\WebCacheV*.dat
connected to %USERPROFILE%\Application Data\
• Networks could be wireless or wired Mozilla\Firefox\Profiles\<random text>.default\ Firefox
• Identify domain name/intranet name cookies.sqlite • XP
• Identify SSID %userprofile%\Application Data\
• Win7/8/10 Mozilla\Firefox\Profiles\
• Identify Gateway MAC Address %USERPROFILE%\AppData\Roaming\Mozilla\Fire <randomtext>.default\places.sqlite
fox\Profiles\<randomtext>.default\cookies.sqlite
Location: Chrome • Win7/8/10
Win7/8/10 SOFTWARE HIVE %userprofile%\AppData\Roaming\Mozilla\Firefox\
•SOFTWARE\Microsoft\WindowsNT\ • XP Profiles\<randomtext>.default\places.sqlite
CurrentVersion\NetworkList\Signatures\Unmanaged %USERPROFILE%\LocalSettings\ApplicationData\
•SOFTWARE\Microsoft\WindowsNT\ Google\Chrome\User Data\Default\Local Storage
CurrentVersion\NetworkList\Signatures\Managed
• SOFTWARE\Microsoft\Windows • Win7/8/10
NT\CurrentVersion\NetworkList\Nla\Cache %USERPROFILE%\AppData\Local\Google\Chrome
\UserData\Default\Local Storage
Interpretation:
• Identifying intranets and networks that a
computer has connected to is incredibly
important
• Not only can you determine the intranet name,
you can determine the last time the network was
connected to it based on the last write time of
the key
• This will also list any networks that have been
connected to via a VPN
• MAC Address of SSID for Gateway could be
physically triangulated
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

External Device/USB Usage

Key Identification First/Last Times User
Description: Description: Description:
Track USB devices plugged into a machine. Determine temporal usage of specific USB Find User that used the Unique USB Device.
devices connected to a Windows Machine.
Location: Location:
• SYSTEM\CurrentControlSet\Enum\USBSTOR Location:First Time • Look for GUID from
• SYSTEM\CurrentControlSet\Enum\USB • Plug and Play Log Files SYSTEM\MountedDevices
XP
Interpretation: C:\Windows\setupapi.log • NTUSER.DAT\Software\Microsoft\Windows\
• Identify vendor, product, and version of a USB CurrentVersion\Explorer\MountPoints2
device plugged into a machine Win7/8/10
• Identify a unique USB device plugged into the C:\Windows\inf\setupapi.dev.log Interpretation:
machine This GUID will be used next to identify the user
• Determine the time a device was plugged Interpretation: that plugged in the device.The last write time of
into the machine • Search for Device Serial Number this key also corresponds to the last time the
• Devices that do not have a unique serial • Log File times are set to local time zone device was plugged into the machine by that
number will have an “&” in the second character user. The number will be referenced in the user’s
of the serial number Location: First, Last, and Removal Times personal mountpoints key in the NTUSER.DAT
(Win7/8/10 Only) Hive.
System Hive
\CurrentControlSet\Enum\USBSTOR\
Ven_Prod_Version\USBiSerial #\
Shortcut (LNK) Files
Description:
Properties\{83da6326-97a6-4088-9453-a1923f573b29}\
#### Shortcut files automatically created by Windows
• Recent Items
0064 = First Install (Win7-10) • Open local and remote data files and
0066 = Last Connected (Win8-10) documents will generate a shortcut file (.lnk)
Volume Serial Number 0067 = Last Removal (Win8-10)
Description: Location:
Discover the Volume Serial Number of the Drive Letter & Volume Name XP
• %USERPROFILE%\Recent
Filesystem Partition on the USB. (NOTE: This is Description:
not the USB Unique Serial Number, which is Win7/8/10
Discover the last drive letter of the USB Device •%USERPROFILE%\AppData\Roaming\Microsoft\
hardcoded into the device firmware.) when it was plugged into the machine. Windows\Recent
•%USERPROFILE%\AppData\Roaming\Microsoft\
Location: Location: Office\Recent
•SOFTWARE\Microsoft\WindowsNT\ XP
CurrentVersion\ENDMgmt • Find ParentIdPrefix Interpretation:
• Use Volume Name and USB Unique Serial - SYSTEM\CurrentControlSet\Enum\USBSTOR • Date/Time file of that name was first opened
Number to: • Using ParentIdPrefix Discover Last Mount Point - Creation Date of Shortcut (LNK) File
- Find last integer number in line - SYSTEM\MountedDevices • Date/Time file of that name was last opened
- Convert Decimal Serial Number into Hex Serial
- Last Modification Date of Shortcut (LNK) File
Number Win7/8/10 • LNKTarget File (Internal LNK File Information)
• SOFTWARE\Microsoft\Windows Portable
Data:
Interpretation: Devices\Devices
• SYSTEM\MountedDevices
- Modified, Access, and Creation times of the
• Knowing both the Volume Serial Number and
- Examine Drive Letters looking at Value Data target file
the Volume Name, you can correlate the data
Looking for Serial Number - Volume Information (Name, Type, Serial
across SHORTCUT File (LNK) analysis and the
Number)
RECENTDOCs key.
Interpretation: - Network Share information
• The Shortcut File (LNK) contains the Volume
Identify the USB device that was last mapped to - Original Location
Serial Number and Name
• RecentDocs Registry Key, in most cases, will a specific drive letter. This technique will only
contain the volume name when the USB device work for the last drive mapped. It does not
is opened via Explorer contain historical records of every drive letter
mapped to a removable drive.

PnP Events Interpretation:

Description: • Event ID: 20001 – Plug and Play driver install
When a Plug and Play driver install is attempted, attempted
the service will log an ID 20001 event and • Event ID 20001
provide a Status within the event. It is important • Timestamp
to note that this event will trigger for any Plug • Device information
and Play-capable device, including but not limited • Device serial number
to USB, Firewire, and PCMCIA devices. • Status (0 = no errors)

Location: System Log File

Win7/8/10
%system root%\System32\winevt\logs\System.evtx

https://www.twitter.com/threathunting_
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

Account Usage
Services Events RDP Usage Logon Types
Description: Description: Description:
• Analyze logs for suspicious services running at Track Remote Desktop Protocol logons to target Logon Events can give us very specific
boot time machines. information regarding the nature of account
• Review services started or stopped around the authorizations on a system if we know where
time of a suspected compromise Location: Security Log to look and how to decipher the data that we
Win7/8/10 find. In addition to telling us the date, time,
Location: %SYSTEM ROOT%\System32\winevt\logs\ username, hostname, and success/failure
All Event IDs reference the System Log Security.evtx status of a logon, Logon Events also enables us
7034 – Service crashed unexpectedly to determine by exactly what means a logon was
7035 – Service sent a Start/Stop control Interpretation: attempted.
7036 – Service started or stopped • Win7/8/10 - Interpretation
7040 – Start type changed (Boot | On Request | - Event ID 4778 – Location:
Disabled) Session Connected/Reconnected Win7/8/10
7045 – A service was installed on the system - Event ID 4779 – Event ID 4624
(Win2008R2+) Session Disconnected
4697 – A service was installed on the system • Event log provides hostname and IP address of Interpretation:
remote machine making the connection Logon Type Explanation
(from Security log)
• On workstations you will often see current 2 Logon via console
Interpretation: console session disconnected (4779) followed 3 Network Logon
• All Event IDs except 4697 reference the by RDP connection (4778) 4 Batch Logon
System Log 5 Windows Service Logon
• A large amount of malware and worms in the 7 Credentials used to unlock screen
wild utilize Services 8 Network logon sending credentials (cleartext)
• Services started on boot illustrate persistence 9 Different credentials used than logged on user
(desirable in malware) 10 Remote interactive logon (RDP)
• Services can crash due to attacks like process Success/Fail Logons 11 Cached credentials used to logon
12 Cached remote interactive (similar to Type
injection Description:
10)
Determine which accounts have been used for
13 Cached unlock (similar to Type 7)
attempted logons. Track account usage for
known compromised accounts.

Location: Authentication Events

Win7/8/10 Description:
%system root%\System32\winevt\logs\Security.evtx Authentication mechanisms

Scheduled Tasks Interpretation:

• Win7/8/10 – Interpretation
Location:
Description: Recorded on system that authenticated
• 4624 – Successful Logon credentials
Identify and audit scheduled tasks
• 4625 – Failed Logon Local Account/Workgroup = on workstation
• 4634 | 4647 – Successful Logoff Domain/Active Directory = on domain controller
Location:
• 4648 – Logon using explicit credentials
Win7/8/10
(Runas) Win7/8/10
%system root%\System32\winevt\logs\Security.evtx
• 4672 – Account logon with superuser rights %SYSTEM ROOT%\System32\winevt\logs\
%system root%\System32\winevt\logs\Microsoft- (Administrator) Security.evtx
Windows-TaskScheduler%4Maintenance.evtx • 4720 – An account was created
Interpretation:
Interpretation: Event ID Codes (NTLM protocol)
• 106 | 4698 – Scheduled task created (Task Last Login • 4776: Successful/Failed account authentication
Scheduler/Security Log) Description: Event ID Codes (Kerberos protocol)
• 140 | 4702 – Scheduled task updated (Task Lists the local accounts of the system and their • 4768: Ticket Granting Ticket was granted
Scheduler/Security Log) equivalent security identifiers. (successful logon)
• 141 | 4699 – Scheduled task deleted (Task • 4769: Service Ticket requested (access to
Scheduler/Security Log) Location: server
• 200 | 201 – Scheduled task • C:\windows\system32\config\SAM resource)
executed/completed • SAM\Domains\Account\Users • 4771: Pre-authentication failed (failed logon)
(Task Scheduler Log)
• 4700 | 4701 – Scheduled task enabled/disabled Interpretation:
(Security Log) • Only the last login time will be stored in the
registry key Last Password Change
Investigative Notes Description:
• Scheduled tasks can be executed both locally Lists the last time the password of a specific
and remotely. local user has been changed.
• Remotely scheduled tasks also cause Logon
(ID 4624) Location:
Type 3 events • C:\windows\system32\config\SAM
• SAM\Domains\Account\Users

Interpretation:
• Only the last password change time will be
stored in the registry key

https://www.twitter.com/threathunting_
Windows Artifact Analysis: Evidence of... SSgt Widomski (USMC)

Browser Usage
History Cache Cookies
Description: Description: Description:
Records websites visited by date and time. • The cache is where web page components can Cookies give insight into what websites have
Details stored for each local user account. be stored locally to speed up subsequent visits been visited and what activities may have taken
Records number of times visited (frequency). • Gives the investigator a “snapshot in time” of place there.
Also tracks access of local system files. what a user was looking at online
- Identifies websites which were visited Location:
Location: - Provides the actual files the user viewed on a Internet Explorer
Internet Explorer given website • IE8-9
• IE6-7 - Cached files are tied to a specific local user %USERPROFILE%\AppData\Roaming\Microsoft\
%USERPROFILE%\Local Settings\ account Windows\Cookies
History\History.IE5 - Timestamps show when the site was first
saved and last viewed • IE10
• IE8-9 %USERPROFILE%\AppData\Roaming\Microsoft\
%USERPROFILE%\AppData\Local\Microsoft\Wind Windows\Cookies
Location:
ows\History\History.IE5
Internet Explorer • IE11
• IE10,11,Edge %USERPROFILE%\AppData\Local\Microsoft\Wind
%USERPROFILE%\AppData\Local\Microsoft\ • IE8-9 ows\INetCookies
%USERPROFILE%\AppData\Local\Microsoft\
Windows\WebCache\WebCacheV*.dat
Windows\Temporary Internet Files\Content.IE5 • Edge
Firefox %USERPROFILE%\AppData\Local\Packages\
• IE10 microsoft.microsoftedge_<APPID>\AC\
• XP
%USERPROFILE%\AppData\Local\Microsoft\ MicrosoftEdge\Cookies
%USERPROFILE%\Application Data\Mozilla\
Windows\Temporary Internet Files\Content.IE5
Firefox\Profiles\<random text>.default\places.sqlite
Firefox
• IE11 • XP
• Win7/8/10
%USERPROFILE%\AppData\Local\Microsoft\ %USERPROFILE%\Application Data\Mozilla\
%USERPROFILE%\AppData\Roaming\Mozilla\Fire
Windows\INetCache\IE Firefox\Profiles\<random text>.default\cookies.sqlite
fox\Profiles\<random text>.default\places.sqlite
• Edge • Win7/8/10
Chrome %USERPROFILE%\AppData\Local\Packages\
• XP %USERPROFILE%\AppData\Roaming\Mozilla\
microsoft.microsoftedge_<APPID>\AC\
%USERPROFILE%\Local Settings\Application Firefox\Profiles\<randomtext>.default\
MicrosoftEdge\Cache cookies.sqlite
Data\Google\Chrome\User Data\Default\History
Firefox Chrome
• Win7/8/10
• XP
%USERPROFILE%\AppData\Local\Google\Chrome • XP
%USERPROFILE%\Local
\User Data\Default\History %USERPROFILE%\Local Settings\Application
Settings\ApplicationData\Mozilla\Firefox\Profiles\
Data\Google\Chrome\User Data\Default\Local
<randomtext>.default\Cache
Storage\
Google Analytics Cookies • Win7/8/10
Description: • Win7/8/10
%USERPROFILE%\AppData\Local\Mozilla\Firefox\
Google Analytics (GA) has developed an %USERPROFILE%\AppData\Local\Google\Chrome
Profiles\<randomtext>.default\Cache
extremely sophisticated methodology for \User Data\Default\Local Storage\
tracking site visits, user activity, and paid search. Chrome
Since GA is largely free, it has a commanding
share of the market,estimated at over 80% of
• XP
%USERPROFILE%\Local Settings\Application
Session Restore
sites using traffic analysis and over 50% of all Description:
Data\Google\Chrome\User Data\Default\Cache
sites. - data_# and f_######
Automatic Crash Recovery features built into the
browser.
__utma – Unique visitors • Win7/8/10
• Domain Hash %USERPROFILE%\AppData\Local\Google\Chrome Location:
• Visitor ID \User Data\Default\Cache\ - data_# and f_###### Internet Explorer
• Win7/8/10
• Cookie Creation Time
• Time of 2nd most recent visit Flash & Super Cookies %USERPROFILE%/AppData/Local/Microsoft/
Internet Explorer/Recovery
• Time of most recent visit Description:
• Number of visits Local Stored Objects (LSOs), or Flash Cookies, Firefox
have become ubiquitous on most systems due • Win7/8/10
__utmz – Traffic sources to the extremely high penetration of Flash %USERPROFILE%\AppData\Roaming\Mozilla\
• Domain Hash applications across the Internet. They tend to be Firefox\Profiles\<randomtext>.default\sessionstore.js
• Last Update time much more persistent because they do not
• Number of visits expire, and there is no built-in mechanism within Chrome
• Number of different types of visits the browser to remove them. In fact, many sites • Win7/8/10
• Source used to access site have begun using LSOs for their tracking %USERPROFILE%\AppData\Local\Google\
• Google Adwords campaign name mechanisms because they rarely get cleared like Chrome\User Data\Default\
• Access Method (organic, referral, cpc, email, Files =
traditional cookies. Current Session, Current Tabs, Last Session, Last Tabs
direct)
• Keyword used to find site (non-SSL only) Location: Interpretation:
Win7/8/10 • Historical websites viewed in each tab
__utmb – Session tracking %APPDATA%\Roaming\Macromedia\FlashPlayer\
• Domain hash • Referring websites
#SharedObjects\<randomprofileid>
• Page views in current session • Time session ended
• Outbound link clicks Interpretation: • Modified time of .dat files in LastActive folder
• Time current session started • Time each tab opened (only when crash
• Websites visited
occurred)
• User account used to visit the site
• Creation time of .dat files in Active folder
• When cookie was created and last accessed

https://www.twitter.com/threathunting_