Summary
In this module, we will learn about various Windows artifacts, such as Shellbags, JumpLists, LNK files, ActivityCache.db, and more, along with their significance in understanding user behavior. The artifacts are organized into different sections and supplemented with a set of exercises.
This module covers how these artifacts are created, their forensic significance, and how to extract, interpret, and analyze them to build a comprehensive user profile. The primary objective is to enable participants to leverage these artifacts in investigations, providing a clear picture of user actions, including file access, program execution, and USB device usage. Some of the topics covered in this module include:
- Shellbags Analysis
- JumpLists Forensics
- LNK (Shortcut) Files Examination
- ActivityCache.db Analysis
- Open/Save Dialog MRUs
- SSH Host Key
- Sticky Notes Forensics
- RecentDocs Analysis
- USB Device History
- Search History and UserAssist
This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or in your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Medium" as it requires a working knowledge of tools and commands and an understanding of the Windows registry.
A firm grasp of the following module can be considered a prerequisite for successful completion of this module:
- Introduction to Digital Forensics
Introduction
Digital forensics involves examining and analyzing digital evidence to understand user behavior. User behavior analysis is essential in digital forensics, especially when investigating suspicious employee activities and insider threats, or when creating detailed profiles of user identities. These profiles include metadata on activities, preferences, and typical actions, providing a baseline for normal behavior. By analyzing digital artifacts, forensic investigators can reconstruct user actions and determine if any activities deviated from standard behavior patterns, indicating potential misconduct.
According to Wikipedia, forensic profiling involves studying trace evidence to gather information that law enforcement can use to identify suspects and secure convictions in court. In information sciences, this process involves uncovering connections between data in databases to identify and represent a subject, whether human or non-human, individual or group. This process is similar to user behavior analysis in digital forensics, especially when examining Windows-based operating systems and conducting registry forensics.
Just as forensic profiling helps create a picture of a suspect's actions and patterns, analyzing Windows registry artifacts can reveal a user's behavior and activities on their computer. The image below illustrates how a user profile is constructed using various registry artifacts.
What is Registry Data?
The Windows Registry is a hierarchical database used by the Windows operating system to store configuration settings, system information, and data about installed software, user profiles, and hardware. It includes settings for the operating system, applications, users, and many other system components. The registry is divided into keys and values, which resemble folders and files. Keys can contain other keys (subkeys) or values, and values store the actual data, which can be in different formats such as strings, integers, or binary.
Key Components of the Registry
- HKEY_LOCAL_MACHINE (HKLM): Contains system-wide settings and configurations for the OS and hardware.
- HKEY_CURRENT_USER (HKCU): Contains settings related to the currently logged-in user.
- HKEY_CLASSES_ROOT (HKCR): Contains information about file associations and registered applications.
- HKEY_USERS (HKU): Stores settings for all users on the system.
- HKEY_CURRENT_CONFIG (HKCC): Contains current hardware profile settings.
How is Registry Data Created?
Registry data is created as a result of user or application interactions with the operating system and activities within local systems, networks, and other digital devices. Analyzing this data can help investigators with a wide range of digital traces, including application usage, file access, web browsing history, and other activities on the system. These artifacts are valuable for forensic investigations and understanding users' actions and intentions within a digital environment.
This eventually can answer key investigative questions such as who, when, what, where, why, and how. Importantly, analysis isn't just about proving that an incident occurred; it can also be used to demonstrate that an event did not take place, highlighting its importance in both confirming and dispelling suspicions.
From the applications users use to the times they log in and out, the Registry captures it all. It's like a digital diary, but one that users may not even be aware of. In this module, we'll discuss some important artifacts that can provide us with insights into user behavior and help create a comprehensive snapshot of how users navigate the digital landscape.
How Can Registry Data Be Used for User Behavior Forensics?
From a forensic standpoint, the registry can provide valuable insights into a user's behavior and overall system usage. By analyzing registry data, forensic investigators can reconstruct a timeline of events, identify patterns of use, and uncover important details related to system activities, user interactions, and application usage. Much like the correlation of evidence in forensic profiling, the registry speaks volumes about the who, what, and when of digital activities.
Let's take an example of an activity.
- Activity: User connects or disconnects a USB device from the system.
- Potential Threat: Data exfiltration, unauthorized file transfers.
- Forensic Artifact: USB device history in the Windows Registry, i.e., SYSTEM\CurrentControlSet\Enum\USBSTOR and SYSTEM\CurrentControlSet\Control\DeviceClasses.
- Registry Forensics: The USBSTOR registry key stores details of connected USB devices, such as the device ID and serial number.
- Correlation: Evidence of unauthorized device usage that might indicate data theft or malware spreading via USB drives can be revealed by analyzing these registry keys and correlating them with other forensic artifacts.
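The USBSTOR example above turns on reading the device ID and serial number out of the key names. The following is an added example (not code from the module) that parses the two-level key path an examiner sees under SYSTEM\CurrentControlSet\Enum\USBSTOR, splits the device-class key into type, vendor, product and revision, and separates the serial from its port suffix. The three key paths are constructed sample data, not values from a real system. It also flags the documented edge case where the second character of the instance ID is an ampersand, meaning Windows generated the ID because the device reported no serial number, so that value cannot be used to identify the physical device.

```python
"""Break USBSTOR instance key paths into vendor, product, revision and serial.

Added example; not code from the module. The paths below are constructed
to look like subkeys of SYSTEM\\CurrentControlSet\\Enum\\USBSTOR as they
appear in a hive viewer or an exported key listing.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample key paths: <device-class key>\<instance-ID key>.
SAMPLE_USBSTOR_PATHS = [
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230123123456&0",
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2d3f9a1b&0&_&0",
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_ASUS&Prod_SDRW-08D2S-U&Rev_B901\8ABC12345&0",
]

# Device-class key names follow <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>.
DEVICE_CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    serial: str
    windows_generated_serial: bool


def parse_usbstor_path(path: str) -> UsbStorDevice:
    """Parse one USBSTOR instance key path into its components."""
    parts = path.split("\\")
    if len(parts) < 3 or parts[-3].upper() != "USBSTOR":
        raise ValueError(f"not a USBSTOR instance path: {path}")
    device_class, instance = parts[-2], parts[-1]
    m = DEVICE_CLASS_RE.match(device_class)
    if m is None:
        raise ValueError(f"unrecognised device-class key: {device_class}")
    # An '&' as the second character means Windows generated the instance ID
    # because the device reported no serial number; such an ID identifies a
    # port/enumeration, not the physical device.
    generated = len(instance) > 1 and instance[1] == "&"
    if generated:
        serial = instance
    else:
        # Real serials carry a trailing "&<port>" suffix; drop it.
        serial = instance.rsplit("&", 1)[0]
    return UsbStorDevice(m["type"], m["vendor"], m["product"], m["rev"], serial, generated)


def parse_usbstor_paths(paths: List[str]) -> List[UsbStorDevice]:
    return [parse_usbstor_path(p) for p in paths]


def stable_serials(devices: List[UsbStorDevice]) -> List[str]:
    """Serials that can be correlated with other artifacts; generated IDs are excluded."""
    return [d.serial for d in devices if not d.windows_generated_serial]


if __name__ == "__main__":
    for d in parse_usbstor_paths(SAMPLE_USBSTOR_PATHS):
        flag = " (Windows-generated ID)" if d.windows_generated_serial else ""
        print(f"{d.device_type:6} {d.vendor:8} {d.product:14} rev {d.revision:5} serial {d.serial}{flag}")
```

The serial list returned by stable_serials is what you would carry into the correlation step: only device-reported serials are worth matching against other artifacts, since a Windows-generated ID can change when the same device is plugged into a different port.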
The image below shows a breakdown of various user activities and the corresponding artifacts that provide evidence of those actions. Each activity is associated with a potential threat, such as data exfiltration or suspicious actions, and is mapped to the forensic artifact that can uncover or reveal these behaviors.
This module focuses on the following artifacts to identify and analyze user actions on Windows-based computers:
- Shellbags: Shellbags are registry keys that store information about Windows Explorer folder views, which can help reconstruct a user's folder browsing history. These artifacts are found in NTUSER.DAT and USRCLASS.DAT and can be examined using tools like Shellbags Explorer.
- UserAssist: UserAssist entries record the execution history of programs by a user. They are stored under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and are ROT-13 encoded. These entries can reveal which applications were recently used.
- Search History in File Explorer: Search history in File Explorer can be found under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. This registry key stores recent search terms, providing insight into what the user was searching for.
- JumpLists: JumpLists are used by Windows to track recently accessed files and applications. They are stored in AutomaticDestinations and CustomDestinations and can be analyzed with tools like JLECmd.
- LNK Files: LNK (shortcut) files provide metadata about the files they link to, such as the original file path, access times, and more. LNK files can be parsed with tools like LECmd.
- Run MRU Forensics: The Run MRU (Most Recently Used) list records the commands executed via the Run dialog box. This information is stored in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key.
- Recent Docs: The RecentDocs registry key tracks the files and folders recently accessed by the user. It is located under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs.
- Open/Save Dialog MRUs: These entries track files and folders accessed through open/save dialog boxes. They are stored in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU key.
- TypedPaths: TypedPaths stores the paths typed into the Windows Explorer address bar, found in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths key.
- MS Office Accessed Files (File MRU): Microsoft Office maintains a list of recently accessed files in HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<Application>\File MRU.
- User's Sticky Notes Forensics: Sticky notes created by the user are stored in a SQLite database file called plum.sqlite. Analyzing this file can provide insights into the user's notes and reminders.
- Command-line History Forensics: The history of commands typed into command-line interfaces, such as PowerShell, is recorded. PowerShell command history can be found in a file named ConsoleHost_history.txt.
- User's Clipboard Data: Clipboard data can be volatile but might be cached by certain applications. Clipboard forensics involves analyzing this transient data to uncover what was copied or cut by the user.
- Saved SSH Keys and Server Information (PuTTY): PuTTY, a popular SSH client, stores saved session information and SSH host keys in the registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.
- User Activity Timeline Analysis: Windows 10 and later versions have a feature called Activity History, which logs user activities such as app usage and file access. This data is stored in ActivityCache.db and can be parsed to understand user actions over time.
- Terminal Server History (tsclient): The Terminal Server Client (RDP) history stores information about remote desktop connections under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.
- Adobe Recent Files: Adobe applications, like Acrobat Reader, keep a list of recently accessed files in the registry. For Acrobat DC, this is found under HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles.
- Archive History: Tools like WinZip maintain a history of recently accessed archives in the registry, found under HKEY_CURRENT_USER\Software\WinZip\WinZip\mru\archives.
- USB Devices: Information about connected USB devices is stored in the registry and can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB.
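Of the artifacts listed above, UserAssist is the one whose raw form is least readable: value names are ROT-13 encoded and the data is a fixed-size binary record rather than text. The following is an added example (not code from the module) that decodes a UserAssist value name and unpacks the Windows 7+ 72-byte record (run count, focus count, focus time and the last-execution FILETIME at offset 60), and also handles the older 16-byte Windows XP record whose count is stored with an offset of 5. The value name and data bytes are constructed samples built in the block; the name encodes the known Program Files known-folder GUID followed by Notepad.exe, as such names appear in a hive.

```python
"""Decode UserAssist value names (ROT-13) and unpack the binary run data.

Added example; not code from the module. The value name and the data
bytes below are constructed to mirror an entry under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
"""
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value_name(name: str) -> str:
    """UserAssist value names are ROT-13 encoded; only ASCII letters change."""
    return codecs.decode(name, "rot_13")


@dataclass
class UserAssistEntry:
    program: str
    run_count: int
    focus_count: Optional[int]
    focus_time_ms: Optional[int]
    last_run: Optional[datetime]


def parse_userassist_value(name: str, data: bytes) -> UserAssistEntry:
    """Parse one UserAssist value (name + REG_BINARY data) into an entry."""
    program = decode_value_name(name)
    if len(data) == 72:
        # Windows 7+ layout: version, run count, focus count, focus time (ms),
        # 44 bytes of floats/unknowns, FILETIME at offset 60, 4 trailing bytes.
        _, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return UserAssistEntry(program, run_count, focus_count, focus_ms, filetime_to_datetime(ft))
    if len(data) == 16:
        # Windows XP layout: session id, run count stored with a +5 offset, FILETIME.
        _, raw_count, ft = struct.unpack("<IIQ", data)
        return UserAssistEntry(program, max(raw_count - 5, 0), None, None, filetime_to_datetime(ft))
    raise ValueError(f"unexpected UserAssist data length {len(data)}")


def build_sample_win7_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Constructed 72-byte record for demonstration; layout matches the parser above."""
    return (struct.pack("<4I", 0, run_count, focus_count, focus_ms)
            + b"\xff" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + struct.pack("<I", 0))


# Constructed sample: ROT-13 of "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Notepad.exe"
# (the Program Files known-folder GUID followed by the executable name).
SAMPLE_NAME = r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Abgrcnq.rkr"
SAMPLE_DATA = build_sample_win7_value(5, 2, 12345, datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc))

# Constructed XP-style sample: ROT-13 of "Calc.exe", count 8 on disk means 3 real runs.
SAMPLE_XP_NAME = "Pnyp.rkr"
SAMPLE_XP_DATA = struct.pack("<IIQ", 1, 8, 133549722000000000)

if __name__ == "__main__":
    for name, data in ((SAMPLE_NAME, SAMPLE_DATA), (SAMPLE_XP_NAME, SAMPLE_XP_DATA)):
        e = parse_userassist_value(name, data)
        print(f"{e.program}: runs={e.run_count} focus={e.focus_count} "
              f"focus_ms={e.focus_time_ms} last_run={e.last_run}")
```

The run count and last-run timestamp are the two fields worth carrying into a timeline; note that a FILETIME of zero is reported as None rather than as 1601-01-01, which otherwise shows up as a misleading "first run" date in reports.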
In the upcoming sections, we'll examine these registry hives and analyze these artifacts, which helps investigators reconstruct user activity and detect suspicious behavior.