Unlocking Windows Artifacts: Key File & Folder Opening Evidence for Forensic Analysis

In digital forensics, identifying, collecting, and interpreting system artifacts is crucial for uncovering the truth behind user activity. Whether you’re investigating a suspected insider threat, recovering data from a compromised system, or conducting a post-incident analysis, Windows operating systems leave behind a wealth of artifacts. These artifacts provide invaluable insights into the behavior of users, applications, and system processes. In this post, we’ll explore a set of key Windows artifacts that are essential in forensic investigations and when and where each should be used to piece together the puzzle.

1. Open/Save MRU (Most Recently Used) List

Location:

    • XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
    • Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

What It Tells You: The Open/Save MRU tracks the files a user has recently opened or saved via dialog boxes. This artifact is instrumental in determining which files a user interacted with, providing a detailed list of documents opened or saved within applications like Microsoft Office, web browsers, and chat clients.

Forensic Application:

    • Use when: You need to uncover recent user activity, especially if a suspect denies interacting with specific files.
    • Interpretation: Look for the “*” key (tracks the most recent files of any extension), or extension-specific subkeys (.docx, .jpg) that store file info by type.

2. Recent Files (RecentDocs)

Location:

    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

What It Tells You: The RecentDocs registry key records the last files and folders a user opened. This artifact provides a chronological record of the user’s interactions with files, crucial for understanding their recent activities.

Forensic Application:

    • Use when: Investigating what files were recently accessed by a user, especially for tracking file access without relying on external evidence.
    • Interpretation: Focus on the MRU (Most Recently Used) list to see the order and timing of file openings and identify patterns of activity. Check the extension-specific subkeys (for example .docx, .pdf) for file types, and the Folder subkey for folders the user opened.
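Sections 1 and 2 both rest on the same ordering mechanism: the key's MRUListEx value is an array of little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF, and each index names a numbered value in the same key. The example below (added here; it is not code from the original post) decodes that order for a RecentDocs key and recovers the target name from each numbered value, which begins with the file name as a NUL-terminated UTF-16LE string. It also encodes the caveat a reviewer will raise: the key's last-write time dates only the entry at the head of the list, so the other entries are returned without a timestamp. The sample values are constructed for the demonstration, not exported from a real hive. The same MRUListEx decoder applies to OpenSavePidlMRU, but its numbered values hold shell item lists rather than plain names and need a separate parser.

```python
from __future__ import annotations

import struct
from datetime import datetime, timezone

MRULISTEX_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> list[int]:
    """Decode an MRUListEx value: little-endian DWORD indices, most recent
    first, terminated by 0xFFFFFFFF. Trailing partial bytes are ignored."""
    order = []
    usable = data[: len(data) - len(data) % 4]
    for (index,) in struct.iter_unpack("<I", usable):
        if index == MRULISTEX_TERMINATOR:
            break
        order.append(index)
    return order


def parse_recentdocs_entry(data: bytes) -> str:
    """A RecentDocs numbered value starts with the target name as a
    NUL-terminated UTF-16LE string; the shell item that follows (which
    carries the .lnk name) is not needed to recover the file name."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def ordered_recentdocs(values: dict[str, bytes],
                       key_last_write: datetime | None = None) -> list[tuple[str, datetime | None]]:
    """Return (name, timestamp) pairs in MRU order. Only the head of the list
    gets the key's last-write time; the other entries carry no timestamp."""
    result = []
    for position, index in enumerate(parse_mrulistex(values["MRUListEx"])):
        raw = values.get(str(index))
        if raw is None:  # index listed but value missing (deleted or corrupt)
            continue
        stamp = key_last_write if position == 0 else None
        result.append((parse_recentdocs_entry(raw), stamp))
    return result


def _sample_entry(name: str) -> bytes:
    # Constructed test data: UTF-16LE name + terminator + filler standing in
    # for the shell item that a real value carries after the name.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 10


# Constructed sample key contents (not from a real hive): index 2 is most recent.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRULISTEX_TERMINATOR),
    "0": _sample_entry("quarterly-report.docx"),
    "1": _sample_entry("budget.xlsx"),
    "2": _sample_entry("notes.txt"),
}
SAMPLE_LAST_WRITE = datetime(2024, 3, 5, 9, 30, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for name, stamp in ordered_recentdocs(SAMPLE_RECENTDOCS, SAMPLE_LAST_WRITE):
        when = stamp.isoformat() if stamp else "(no timestamp)"
        print(f"{when:>25}  {name}")
```

In a dead-box workflow the `values` dictionary would be filled from the exported RecentDocs key (and each extension subkey, which has its own MRUListEx) before calling `ordered_recentdocs`.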

3. MS Word Reading Locations

Location:

    • NTUSER.DAT\Software\Microsoft\Office\<Version>\Word\Reading Locations

What It Tells You: This artifact, introduced in Word 2013, tracks the last position of a user within a Word document. It includes details like the time the document was closed and where the user left off in the document.

Forensic Application:

    • Use when: You need to determine how a user interacted with a Word document, including the last opened position within the file.
    • Interpretation: Track the last closed time and user position for activity related to document editing or reading.

4. Last Visited MRU

Location:

    • XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
    • Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

What It Tells You: The Last Visited MRU stores information on the last directories and applications used by a user, offering insight into file system locations accessed.

Forensic Application:

    • Use when: You need to determine which applications the user recently interacted with, and the last directory they accessed.
    • Interpretation: Review for hidden directories, particularly useful when examining the last used folders by applications like file managers or web browsers.

5. Shortcut (LNK) Files

Location:

    • XP: %USERPROFILE%\Recent
    • Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\

What It Tells You: Shortcut files (LNK files) are created when a user opens a file or folder, capturing metadata such as the creation and modification dates of both the target file and the shortcut itself, as well as volume information.

Forensic Application:

    • Use when: Investigating quick access to files and folders or when a user has used the “recent” functionality to access a document.
    • Interpretation: Analyze the creation and modification timestamps to understand when files were accessed. Also, check for the location and network share information to track remote access.
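The timestamps referred to above come from two places: the filesystem timestamps of the .lnk file in the Recent folder (first and most recent opening) and the target file's own timestamps, which are embedded in the shortcut's ShellLinkHeader. The following parser (an added example, not code from the original post) reads that fixed 76-byte header as laid out in Microsoft's MS-SHLLINK specification: magic size and CLSID, LinkFlags, FileAttributes, three FILETIME values for the target, and the target size. It decodes the FILETIME values (100-nanosecond ticks since 1601-01-01 UTC, with zero meaning "not set") and the most useful flag bits. The target path itself lives in the LinkTargetIDList and LinkInfo structures that follow the header and is not parsed here. The sample header is constructed with the module's own builder, not taken from a real shortcut.

```python
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID, as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME,
# FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3  (76 bytes total)
HEADER_STRUCT = struct.Struct("<I16sIIQQQIiIHHII")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
                   0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft: int) -> datetime | None:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _bits(value: int, names: dict[int, str]) -> list[str]:
    return [name for bit, name in names.items() if value & bit]


def parse_lnk_header(data: bytes) -> dict:
    """Parse the ShellLinkHeader at the start of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, show, _hotkey, _r1, _r2, _r3) = HEADER_STRUCT.unpack_from(data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header (bad size or CLSID)")
    return {
        "link_flags": _bits(flags, LINK_FLAGS),
        "file_attributes": _bits(attrs, FILE_ATTRIBUTES),
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "show_command": show,
    }


def build_sample_header(created: datetime, accessed: datetime, modified: datetime,
                        size: int, flags: int = 0x83, attrs: int = 0x20) -> bytes:
    """Constructed header for exercising the parser; not a real shortcut.
    Default flags 0x83 = HasLinkTargetIDList | HasLinkInfo | IsUnicode."""
    return HEADER_STRUCT.pack(LNK_HEADER_SIZE, LNK_CLSID, flags, attrs,
                              datetime_to_filetime(created), datetime_to_filetime(accessed),
                              datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)


# Constructed sample values
SAMPLE_CREATED = datetime(2023, 11, 2, 8, 15, 30, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2024, 3, 5, 9, 30, tzinfo=timezone.utc)
SAMPLE_LNK = build_sample_header(SAMPLE_CREATED, SAMPLE_MODIFIED, SAMPLE_MODIFIED, 18_432)

if __name__ == "__main__":
    for field, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{field:>16}: {value}")
```

When run against real shortcuts, compare the header's target timestamps with the .lnk file's own filesystem timestamps: a target modification time later than the shortcut's creation time tells you the document was edited after it was first opened from that location.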

6. Office Recent Files

Location:

    • NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\File MRU

What It Tells You: MS Office keeps track of recently opened files, recording full paths and last access times. This artifact is specific to Microsoft Office programs like Word, Excel, and PowerPoint.

Forensic Application:

    • Use when: Investigating document activity in MS Office programs. Helps identify specific documents accessed in a particular application.
    • Interpretation: Look for paths to documents and the times those documents were last accessed.

7. Shell Bags

Location:

    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

What It Tells You: Shell bags record folder access information, including folder timestamps, paths, and even residual data after folders are deleted. This is crucial for determining which folders were accessed, even if they no longer exist on the system.

Forensic Application:

    • Use when: You suspect that folders were accessed and potentially deleted, but you still need to prove they existed at some point.
    • Interpretation: Analyze shell bags to track access times, deleted folders, and any “exotic” folder activities such as network share or USB drive access.

8. Jump Lists

Location:

    • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
    • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

What It Tells You: Jump lists provide information on recently or frequently accessed items, including files and applications. They are stored for each application and contain metadata such as timestamps and file paths.

Forensic Application:

    • Use when: You need to identify what applications and files were recently used. This can help establish a timeline of user activity.
    • Interpretation: Dive into the Jump List for application identifiers, target timestamps, and MRU order for detailed insight into user behavior.

9. Office Trust Records

Location:

    • NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\Security\Trusted Documents\TrustRecords

What It Tells You: The Trust Records key holds data on documents that a user has marked as trusted, helping to track documents that were opened with elevated permissions.

Forensic Application:

    • Use when: Investigating whether a user trusted a particular document, which could be relevant in cases involving malicious documents or unauthorized access.
    • Interpretation: Review file paths and trust timestamps to determine the user’s interaction with suspicious documents.
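Each TrustRecords value is named after the document (a percent-encoded path, commonly beginning with %USERPROFILE%) and holds a small REG_BINARY payload. The decoder below (an added example, not code from the original post) extracts the two fields that matter for the "did the user trust this document" question: the FILETIME at offset 0, which is the time the trust decision was made, and the trailing DWORD flag. The flag interpretation used here, 0x7FFFFFFF for "Enable Content" (active content such as macros allowed) and 0x00000001 for "Enable Editing" only, is the one commonly reported by practitioners; treat it as an assumption to confirm against documents you trust yourself on a test system before relying on it in a report. The sample values are constructed, not exported from a real hive.

```python
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Trailing-DWORD values as commonly reported (assumption: verify on your own test data).
FLAG_EDITING_ENABLED = 0x00000001   # user clicked "Enable Editing"
FLAG_CONTENT_ENABLED = 0x7FFFFFFF   # user clicked "Enable Content" (active content allowed)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_trust_record(value_name: str, data: bytes) -> dict:
    """value_name: percent-encoded document path as Office stores it.
    data: REG_BINARY payload, FILETIME at offset 0 and a DWORD flag at the end."""
    if len(data) < 12:
        raise ValueError(f"trust record too short: {len(data)} bytes")
    (trusted_ft,) = struct.unpack_from("<Q", data, 0)
    (flag,) = struct.unpack_from("<I", data, len(data) - 4)
    return {
        "path": unquote(value_name).replace("/", "\\"),
        "trusted_at": filetime_to_datetime(trusted_ft),
        "content_enabled": flag == FLAG_CONTENT_ENABLED,
        "editing_enabled": flag == FLAG_EDITING_ENABLED,
        "raw_flag": flag,
    }


def content_enabled_documents(records: dict[str, bytes]) -> list[dict]:
    """Triage view: only documents whose active content was enabled, oldest first."""
    parsed = [parse_trust_record(name, data) for name, data in records.items()]
    return sorted((r for r in parsed if r["content_enabled"]), key=lambda r: r["trusted_at"])


def _record(trusted_at: datetime, flag: int) -> bytes:
    # Constructed 24-byte payload: FILETIME, 12 bytes of filler, trailing flag.
    return struct.pack("<Q", datetime_to_filetime(trusted_at)) + b"\x00" * 12 + struct.pack("<I", flag)


UTC = timezone.utc
# Constructed sample key contents (not from a real hive)
SAMPLE_TRUSTRECORDS = {
    "%USERPROFILE%/Downloads/invoice%202024.docm": _record(datetime(2024, 3, 5, 9, 30, tzinfo=UTC), FLAG_CONTENT_ENABLED),
    "%USERPROFILE%/Documents/team%20notes.docx": _record(datetime(2024, 2, 1, 14, 0, tzinfo=UTC), FLAG_EDITING_ENABLED),
    "%USERPROFILE%/Downloads/resume.docm": _record(datetime(2024, 1, 20, 8, 5, tzinfo=UTC), FLAG_CONTENT_ENABLED),
}

if __name__ == "__main__":
    for rec in content_enabled_documents(SAMPLE_TRUSTRECORDS):
        print(f"{rec['trusted_at'].isoformat()}  content enabled  {rec['path']}")
```

Correlating `trusted_at` with the Recent Files, LNK and Jump List artifacts above lets you place the trust decision in the same timeline as the document's first opening and any subsequent process activity.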

10. Internet Explorer file:/// URLs

Location:

    • IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
    • IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5

What It Tells You: Internet Explorer history records information on file access via the browser, even for local files opened using file:// URLs, providing insight into which files were accessed via network shares or locally.

Forensic Application:

    • Use when: Investigating file access via web browsers, especially in the context of local or network file access.
    • Interpretation: Check for URLs like file:///C:/path/to/file.ext to identify previously accessed files.

Conclusion: The Art of Digital Footprint Analysis

Windows systems are rich with artifacts that can provide forensic investigators with valuable information about user activity. Understanding the different types of artifacts—such as MRU lists, jump lists, and shortcut files—and knowing when to use them, can make the difference between solving a case and missing critical evidence. By incorporating these artifacts into your investigative toolkit, you can uncover a detailed, chronological record of user interactions and activities on a system, helping you to piece together the events leading up to and following an incident.

Stay Ahead, Stay Informed. These digital footprints are the silent witnesses to every action, and with the right knowledge, they become the evidence you need to ensure a complete forensic investigation.


🚀 Ready to elevate your Digital Forensics and Incident Response skills?

Cyber Dojo’s DFIR Bootcamp is here to equip you with the expertise to thrive in the cybersecurity field. The bootcamp combines GCFE preparation (FOR500) and GCIH preparation (SEC504); this intensive course pairs in-depth knowledge with hands-on practice, giving you the tools and confidence to tackle real-world DFIR challenges.

Take the next step in your cybersecurity career—join our DFIR Bootcamp and gain the edge you need to succeed! 🔍🛡️

Click on the link to view our DFIR Bootcamp: DFIR Bootcamp – Cyber Dojo
