Introduction

Digital forensics involves examining and analyzing digital evidence to understand user behavior. User behavior analysis is essential in digital forensics, especially when investigating suspicious employee activities and insider threats, or when creating detailed profiles of user identities. These profiles include metadata on activities, preferences, and typical actions, providing a baseline for normal behavior. By analyzing digital artifacts, forensic investigators can reconstruct user actions and determine if any activities deviated from standard behavior patterns, indicating potential misconduct.

According to Wikipedia, forensic profiling involves studying trace evidence to gather information that law enforcement can use to identify suspects and secure convictions in court. In information sciences, this process involves uncovering connections between data in databases to identify and represent a subject, whether human or non-human, individual or group. This process is similar to user behavior analysis in digital forensics, especially when examining Windows-based operating systems and conducting registry forensics.

Just as forensic profiling helps create a picture of a suspect's actions and patterns, analyzing Windows registry artifacts can reveal a user's behavior and activities on their computer. The image below illustrates how a user profile is constructed using various registry artifacts.

What is Registry Data?

The Windows Registry is a hierarchical database used by the Windows operating system to store configuration settings, system information, and data about installed software, user profiles, and hardware. It includes settings for the operating system, applications, users, and many other system components. The registry is divided into keys and values, that resemble folders and files. Keys can contain other keys (subkeys) or values, and values store the actual data, which can be in different formats such as strings, integers, or binary.

Key Components of the Registry

• HKEY_LOCAL_MACHINE (HKLM): Contains system-wide settings and configurations for the OS and hardware.
• HKEY_CURRENT_USER (HKCU): Contains settings related to the currently logged-in user.
• HKEY_CLASSES_ROOT (HKCR): Contains information about file associations and registered applications.
• HKEY_USERS (HKU): Stores settings for all users on the system.
• HKEY_CURRENT_CONFIG (HKCC): Contains current hardware profile settings.

How is Registry Data Created?

Registry data is created as a result of user or application interactions with the operating system and activities within local systems, networks, and other digital devices. Analyzing this data can help investigators with a wide range of digital traces, including application usage, file access, web browsing history, and other activities on the system. These artifacts are valuable for forensic investigations and understanding users' actions and intentions within a digital environment.

This eventually can answer key investigative questions such as who, when, what, where, why, and how. Importantly, analysis isn't just about proving that an incident occurred; it can also be used to demonstrate that an event did not take place, highlighting its importance in both confirming and dispelling suspicions.

From the applications users use to the times they log in and out, the Registry captures it all. It's like a digital diary, but one that users may not even be aware of. In this module, we'll discuss some important artifacts that can provide us with insights into user behavior and help create a comprehensive snapshot of how users navigate the digital landscape.

How Can Registry Data Be Used for User Behavior Forensics?

From a forensic standpoint, the registry can provide valuable insights into a user's behavior and overall system usage. By analyzing registry data, forensic investigators can reconstruct a timeline of events, identify patterns of use, and uncover important details related to system activities, user interactions, and application usage. Much like the correlation of evidence in forensic profiling, the registry speaks volumes about the who, what, and when of digital activities.

Let's take an example of an activity.

• Activity: User connects or disconnects a USB device from the system.
• Potential Threat: Data exfiltration, unauthorized file transfers.
• Forensic Artifact: USB device history in the Windows Registry, i.e., SYSTEM\CurrentControlSet\Enum\USBSTOR and SYSTEM\CurrentControlSet\Control\DeviceClasses.
  • Registry Forensics: The USBSTOR registry key stores details of connected USB devices, such as the device ID and serial number.
  • Correlation: Evidence of unauthorized device usage that might indicate data theft or malware spreading via USB drives can be revealed by analyzing these registry keys and correlating them with other forensic artifacts.

The image below shows a breakdown of various user activities and the corresponding artifacts that provide evidence of those actions. Each activity is associated with a potential threat, such as data exfiltration or suspicious actions, and is mapped to the forensic artifact that can uncover or reveal these behaviors.

This module focuses on the following artifacts to identify and analyze user actions on Windows-based computers:

• Shellbags: Shellbags are registry keys that store information about Windows Explorer folder views, which can help reconstruct a user's folder browsing history. These artifacts are found in NTUSER.DAT and USRCLASS.DAT and can be examined using tools like Shellbags Explorer.

• UserAssist: UserAssist entries record the execution history of programs by a user. They are stored under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and are ROT-13 encoded. These entries can reveal which applications were recently used.

• Search History in File Explorer: Search history in File Explorer can be found under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. This registry key stores recent search terms, providing insight into what the user was searching for.

• JumpLists: JumpLists are used by Windows to track recently accessed files and applications. They are stored in AutomaticDestinations and CustomDestinations and can be analyzed with tools like JLECmd.

• LNK Files: LNK (shortcut) files provide metadata about the files they link to, such as the original file path, access times, and more. LNK files can be parsed with tools like LECmd.

• Run MRU Forensics: The Run MRU (Most Recently Used) list records the commands executed via the Run dialog box. This information is stored in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key.

• Recent Docs: The RecentDocs registry key tracks the files and folders recently accessed by the user. It is located under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs.

• Open/Save Dialog MRUs: These entries track files and folders accessed through open/save dialog boxes. They are stored in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU key.

• TypedPaths: TypedPaths stores the paths typed into the Windows Explorer address bar, found in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths key.

• MS Office Accessed Files (File MRU): Microsoft Office maintains a list of recently accessed files in HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<Application>\File MRU.

• User's Sticky Notes Forensics: Sticky notes created by the user are stored in a SQLite database file called plum.sqlite. Analyzing this file can provide insights into the user's notes and reminders.

• Command-line History Forensics: The history of commands typed into command-line interfaces, such as PowerShell, is recorded. PowerShell command history can be found in a file named ConsoleHost_history.txt.

• User's Clipboard Data: Clipboard data can be volatile but might be cached by certain applications. Clipboard forensics involves analyzing this transient data to uncover what was copied or cut by the user.

• Saved SSH Keys and Server Information (PuTTY): PuTTY, a popular SSH client, stores saved session information and SSH host keys in the registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.

• User Activity Timeline Analysis: Windows 10 and later versions have a feature called Activity History, which logs user activities such as app usage and file access. This data is stored in ActivityCache.db and can be parsed to understand user actions over time.

• Terminal Server History (tsclient): The Terminal Server Client (RDP) history stores information about remote desktop connections under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.

• Adobe Recent Files: Adobe applications, like Acrobat Reader, keep a list of recently accessed files in the registry. For Acrobat DC, this is found under HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles.

• Archive History: Tools like WinZip maintain a history of recently accessed archives in the registry, found under HKEY_CURRENT_USER\Software\WinZip\WinZip\mru\archives.

• USB Devices: Information about connected USB devices is stored in the registry and can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB.

In the upcoming sections, we'll understand these registry hives, and analyze these artifacts, which helps investigators to reconstruct user activity and detect suspicious behavior.