Unlocking Windows Forensics: A Deep Dive into NTUSER.DAT Analysis

Introduction

In the ever-evolving field of digital forensics, the Windows Registry serves as an indispensable repository of system and user information. Among its hives, the NTUSER.DAT file is a focal point for investigators aiming to reconstruct user activities on a Windows system. Each user profile possesses its own NTUSER.DAT hive, encapsulating a wealth of artifacts that can reveal everything from recently opened files to specific search terms entered by the user.

This comprehensive guide delves into the depths of NTUSER.DAT analysis, providing detailed insights into how investigators can leverage this hive to differentiate activities between individual user accounts, identify program executions, and profile user behavior. Through practical examples and use cases, we’ll explore how artifacts like WordWheelQuery, TypedPaths, RecentDocs, Office File MRU, OpenSavePidlMRU, and the Autostart “Run” Keys can be pivotal in forensic investigations.

Why NTUSER.DAT Matters

The NTUSER.DAT hive is more than just a collection of user preferences; it’s a chronological map of a user’s interactions with their system. For forensic analysts, this hive offers the ability to:

    • Differentiate User Activities: Isolate actions performed by specific user accounts, crucial in multi-user environments.
    • Trace Program Executions: Identify which applications were launched and when.
    • Monitor File and Folder Access: Determine which files and directories were accessed, modified, or created.
    • Reconstruct User Searches: Uncover search queries and typed paths, providing context to user intentions.

By thoroughly analyzing NTUSER.DAT, investigators can piece together narratives that are essential for incident response, internal investigations, or legal proceedings.

Key Objectives of NTUSER.DAT Analysis

    1. Evidence of File & Folder Opening: Identify artifacts like RecentDocs, OpenSavePidlMRU, and ComDlg32 keys to determine accessed files and folders.
    2. User Input Tracing: Discover search terms and file paths through WordWheelQuery and TypedPaths keys.
    3. User Behavior Profiling: Analyze patterns to build comprehensive profiles of user activities.

Exploring Crucial Artifacts

1- WordWheelQuery

Registry Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

What It Reveals:

The WordWheelQuery key stores search terms entered by the user in Windows Explorer. This includes filenames, keywords, or phrases, providing insights into user intentions or interests.

Analysis Tips:

    • MRUListEx Value: Determines the order of search terms, with the most recent at the top.
    • Search Terms: Each registry value corresponds to a search term entered by the user.
    • Last Write Time: The key’s last write time indicates when the most recent search was conducted.

Use Case:

Imagine you’re investigating a potential data theft incident involving an employee named Mohamed Hassan at NileTech Innovations. By examining the WordWheelQuery key, you uncover that the most recent search terms include:

    • “client_list.xlsx”
    • “sdelete”
    • “Bitlocker”

Relevance to Data Theft:

    • “client_list.xlsx”: Indicates a search for a spreadsheet containing client information, which could be sensitive.
    • “sdelete”: Refers to a secure deletion tool from Microsoft Sysinternals, suggesting an attempt to permanently delete files.
    • “Bitlocker”: Points towards encryption activities, possibly to secure or obfuscate data.

Determining Search Timestamp:

While individual search terms don’t have timestamps, the last write time of the WordWheelQuery key can be correlated with the most recent search term.

    • Last Write Time: 2023-09-14 14:04:07 UTC
    • Inference: The search for “client_list.xlsx” was conducted at this time.

2- TypedPaths

Registry Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

What It Reveals:

The TypedPaths key records paths manually entered by the user into the Windows Explorer address bar, including local paths, network shares, and sometimes URLs.

Analysis Tips:

    • Value Names: Entries are named sequentially (e.g., url1, url2), with url1 being the most recent.
    • Order Determination: Unlike other keys, TypedPaths doesn’t use an MRU list; order is based on value names.
    • Last Write Time: Corresponds to the most recent path entered.

Use Case:

Continuing with the investigation, you notice that all entries in TypedPaths contain “My Drive”, suggesting access to Google Drive directories.

    • Most Recent Entry:
      • Value Name: url1
      • Path: G:\My Drive\NileTech Projects\Project Sphinx
      • Last Write Time: 2023-09-14 04:43:37 UTC

Implications:

    • Access to company projects via personal Google Drive could indicate unauthorized data transfer.
    • “My Drive” is associated with Google Drive, confirming the use of this cloud service.

3- RecentDocs

Registry Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

What It Reveals:

The RecentDocs key lists recently accessed documents, organized by file extension, helping determine which files were opened.

Analysis Tips:

    • Per-Extension Subkeys: Each file extension has its own subkey (e.g., .docx, .pdf).
    • MRUListEx Value: Contains the order in which files were accessed.
    • Timestamps: The last write time of each subkey indicates when the most recent file of that type was opened.

Use Case:

In the investigation, you find that “PyramidScheme(1).docx” was opened on 2023-09-14 03:59:19 UTC.

    • MRU Position: 51
    • Inference: At least 51 files were opened at or after this timestamp.

Identifying Relevant Files:

    • Files related to company projects like “Project Sphinx”, “PyramidScheme”.
    • Files with suspicious drive letters like G:, indicating external or network drives.
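The MRUListEx handling described for WordWheelQuery and again for RecentDocs is the same parsing problem, so here is one added Python example (not code from the original post) that covers both: it decodes the MRUListEx ordering blob, pulls the leading UTF-16LE string out of each value, ties the key’s last write time to the entry at MRU position 0 only, and turns an entry’s MRU position into the “at least N entries used after it” inference. The registry values are constructed sample data shaped like the case study; obtaining the value-name-to-bytes dictionary from a real hive (with python-registry, RegRipper or Registry Explorer) is assumed and not shown.

```python
import struct

def parse_mrulistex(blob: bytes) -> list[int]:
    """Decode an MRUListEx value: 32-bit little-endian slot numbers, most
    recent first, terminated by 0xFFFFFFFF."""
    order = []
    usable = len(blob) - len(blob) % 4          # ignore a trailing partial DWORD
    for (slot,) in struct.iter_unpack("<I", blob[:usable]):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order

def first_utf16_string(blob: bytes) -> str:
    """Return the leading null-terminated UTF-16LE string of a value.
    WordWheelQuery values are just that string; RecentDocs values carry the
    file name first and a shell item for the matching .lnk after it."""
    for i in range(0, len(blob) - 1, 2):        # step by code unit, not by byte
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")

def ordered_entries(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """(mru_position, text) pairs, position 0 being the most recent."""
    result = []
    for pos, slot in enumerate(parse_mrulistex(values["MRUListEx"])):
        raw = values.get(str(slot))
        if raw is None:
            continue                            # the list can name a slot whose value is gone
        result.append((pos, first_utf16_string(raw)))
    return result

def search_terms_with_time(values, key_last_write):
    """Pair each search term with the only timestamp the hive supports:
    the key's last write time, and only for the newest term."""
    return [(term, key_last_write if pos == 0 else None)
            for pos, term in ordered_entries(values)]

def entries_more_recent_than(values, name):
    """MRU position of `name`, i.e. how many entries were used after it (-1 if absent)."""
    for pos, text in ordered_entries(values):
        if text == name:
            return pos
    return -1

def _u16(s):
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample data mirroring the case study; not extracted from a real hive.
WORDWHEEL = {
    "0": _u16("Bitlocker"),
    "1": _u16("sdelete"),
    "2": _u16("client_list.xlsx"),
    "MRUListEx": struct.pack("<4I", 2, 1, 0, 0xFFFFFFFF),   # slot 2 is the newest
}
WORDWHEEL_LAST_WRITE = "2023-09-14 14:04:07 UTC"

# RecentDocs\.docx: file name, then a placeholder tail standing in for the .lnk shell item.
RECENTDOCS_DOCX = {
    "0": _u16("Quarterly Notes.docx") + b"\x14\x00Quarterly Notes.docx.lnk\x00",
    "1": _u16("PyramidScheme(1).docx") + b"\x14\x00PyramidScheme(1).docx.lnk\x00",
    "MRUListEx": struct.pack("<3I", 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for term, when in search_terms_with_time(WORDWHEEL, WORDWHEEL_LAST_WRITE):
        print(f"{term!r:22} {when or '(older than the key last write)'}")
    n = entries_more_recent_than(RECENTDOCS_DOCX, "PyramidScheme(1).docx")
    print(f"PyramidScheme(1).docx: {n} .docx file(s) opened after it")
```

Only the newest term gets a time; every other term is older than the key’s last write, and the hive says nothing more precise about it.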

4- Office File MRU

Registry Path:

NTUSER.DAT\SOFTWARE\Microsoft\Office\<Version>\<Application>\User MRU\...\File MRU

Example for Word 2016:

NTUSER.DAT\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\...\File MRU

What It Reveals:

Tracks recently accessed documents in Microsoft Office applications, providing full file paths and individual timestamps.

Analysis Tips:

    • Full Paths: Provides complete file paths.
    • Last Opened and Closed Times: Each entry contains timestamps for when the document was last opened and closed.
    • Application-Specific Data: Separate MRUs for Word, Excel, PowerPoint, etc.

Use Case:

Analyzing Mohamed’s Office File MRU reveals documents opened from drives G: and F: on 09/14/2023.

    • Sensitive Projects at Risk:
      1. “Project Sphinx”
      2. “PyramidScheme”
      3. “NileFlow”
      4. “DesertWind”
    • Document Access Duration:
      • For example, “Project Sphinx Confidential.docx” was open for approximately five seconds.

Inference:

    • Rapid opening of files suggests quickly searching through documents, possibly to locate specific information.
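Because the Office File MRU is the one artifact here with a per-document timestamp, it is worth seeing how that timestamp is encoded. The following is an added Python example (not code from the original post): it parses the “Item N” value strings of an Office 2013+ File MRU, whose T field is a Windows FILETIME in hexadecimal, converts them to UTC datetimes, and lists the documents opened on a given day from chosen drive letters, as in the G: and F: finding above. The MRU values are constructed sample data built from dates chosen for the case study; the helper that builds them is only there to make the sample self-contained.

```python
import re
from datetime import datetime, timedelta, timezone

# Office 2013+ File MRU values ("Item 1", "Item 2", ...) have the form
#   [F00000000][T01D9E6A8C1234567][O00000000]*G:\My Drive\...\file.docx
# where the T field is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ITEM_RE = re.compile(
    r"^\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\]\[O([0-9A-Fa-f]{8})\]\*(.*)$")

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_file_mru_item(value: str) -> dict:
    m = ITEM_RE.match(value)
    if m is None:
        raise ValueError(f"not a File MRU item: {value!r}")
    path = m.group(4)
    drive = path[:2].upper() if re.match(r"^[A-Za-z]:", path) else None   # None for UNC paths
    return {"opened": filetime_to_datetime(int(m.group(2), 16)), "path": path, "drive": drive}

def documents_opened(values: dict[str, str], day_iso: str, drives=None):
    """Items opened on `day_iso` (YYYY-MM-DD, UTC), optionally only from the given
    drive letters such as {"G:", "F:"}. Returns (opened, path) pairs in Item order."""
    hits = []
    for name in sorted(values, key=lambda n: int(n.rsplit(None, 1)[-1])):   # "Item 1".."Item N"
        item = parse_file_mru_item(values[name])
        if item["opened"].date().isoformat() != day_iso:
            continue
        if drives and item["drive"] not in drives:
            continue
        hits.append((item["opened"], item["path"]))
    return hits

UTC = timezone.utc

def _item(dt: datetime, path: str) -> str:
    """Build a constructed Item value for the sample below."""
    return f"[F00000000][T{datetime_to_filetime(dt):016X}][O00000000]*{path}"

# Constructed sample data shaped like the case study; not taken from a real hive.
SAMPLE_FILE_MRU = {
    "Item 1": _item(datetime(2023, 9, 14, 4, 12, 30, tzinfo=UTC),
                    r"G:\My Drive\NileTech Projects\Project Sphinx\Project Sphinx Confidential.docx"),
    "Item 2": _item(datetime(2023, 9, 14, 4, 10, 5, tzinfo=UTC),
                    r"F:\NileFlow\NileFlow Roadmap.docx"),
    "Item 3": _item(datetime(2023, 8, 30, 9, 0, 0, tzinfo=UTC),
                    r"C:\Users\mhassan\Documents\Timesheet.docx"),
}

# 2023-09-14 03:59:19 UTC, the RecentDocs time used earlier, as a FILETIME.
EXAMPLE_FT = datetime_to_filetime(datetime(2023, 9, 14, 3, 59, 19, tzinfo=UTC))

if __name__ == "__main__":
    print(f"FILETIME for 2023-09-14 03:59:19 UTC: 0x{EXAMPLE_FT:016X}")
    for opened, path in documents_opened(SAMPLE_FILE_MRU, "2023-09-14", {"G:", "F:"}):
        print(opened.isoformat(), path)
```

The FILETIME conversion is the same one needed for any registry artifact that stores a Windows timestamp as eight hex digits pairs, so it can be reused beyond the Office MRU.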

5- OpenSavePidlMRU

Registry Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

What It Reveals:

Tracks files and folders accessed via Open and Save dialog boxes, providing full path information.

Analysis Tips:

    • Organized by Extension: Entries categorized by file extension or an asterisk (*) for all types.
    • Full Paths: Offers complete paths to accessed files.
    • Application Correlation: Can be matched with LastVisitedPidlMRU to identify the applications involved.

Use Case:

Investigating Mohamed’s activities, you filter for entries containing “My Drive” in the Absolute Path column, revealing files accessed within Google Drive.

    • Findings:
      • Four entries referencing G:\My Drive.
      • Files duplicated in both * and xlsx subkeys.
    • Last Accessed File:
      • Path: My Computer\D:\HASSAN-SYSTEM\Hassan-Memory.raw
    • Application Correlation:
      • By examining LastVisitedPidlMRU, you find that MRC.exe (Magnet RAM Capture) accessed the same directory.

Conclusion:

    • The memory image was saved using Magnet RAM Capture, possibly indicating an attempt to capture volatile memory data.

6- Autostart “Run” Keys

Registry Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

What It Reveals:

Lists programs configured to execute automatically upon user login.

Analysis Tips:

    • Persistence Mechanisms: Common target for malware.
    • User-Installed Applications: Indicates programs the user expects to run at login.
    • Anomalies Detection: Unusual entries should be scrutinized.

Use Case:

Examining the Run key for Mohamed’s account, you find multiple cloud storage applications set to launch at login.

    • Entries Found:
      • OneDrive
      • GoogleDriveSync
      • GoogleDriveFS
    • Inference:
      • Use of both personal (GoogleDriveSync) and corporate (GoogleDriveFS) Google Drive accounts.
    • Implications:
      • Potential for unauthorized data transfer between corporate and personal cloud storage.
      • Raises concerns about data leakage and compliance violations.
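Reviewing a Run key by eye works for three entries; across a fleet of profiles the anomaly check in the tips above needs to be repeatable. Here is an added Python example (not code from the original post) that splits each Run value into executable and arguments the way Windows does (a quoted path ends at the closing quote, an unquoted one at the first space), then compares the executable against an allowlist of expected corporate autostarts and flags script hosts and unquoted paths. The Run entries, the allowlist and the paths in it are constructed sample data; which clients a given organisation sanctions is an assumption the allowlist has to encode.

```python
import ntpath

# Interpreters and loaders that deserve a look whenever they appear in Run,
# whatever path they are launched from.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def split_command(cmd: str) -> tuple[str, str, bool]:
    """Split a Run value into (executable, arguments, was_quoted) following the
    CreateProcess rule: a leading quote runs to the closing quote; otherwise
    the executable ends at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                       # unterminated quote: treat the rest as the path
            return cmd[1:], "", True
        return cmd[1:end], cmd[end + 1:].strip(), True
    head, _, tail = cmd.partition(" ")
    return head, tail.strip(), False

def review_run_entries(entries: dict[str, str], allowlist: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {value name: [flags]}; an empty list means the entry matched the
    allowlist, which maps a lower-case executable basename to path fragments
    (lower-case) in which that executable is expected to live."""
    report = {}
    for name, cmd in entries.items():
        exe, _args, quoted = split_command(cmd)
        base = ntpath.basename(exe).lower()
        flags = []
        if base not in allowlist:
            flags.append("not in allowlist")
        elif not any(frag in exe.lower() for frag in allowlist[base]):
            flags.append("allowlisted name in unexpected location")
        if base in SCRIPT_HOSTS:
            flags.append("script host or loader launched at login")
        if not quoted and not ntpath.splitext(exe)[1]:
            flags.append("unquoted path cut at a space; inspect the full command")
        report[name] = flags
    return report

# Constructed sample Run values shaped like the case study; not from a real hive.
RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\mhassan\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "GoogleDriveSync": r'"C:\Program Files\Google\Drive\googledrivesync.exe" /autostart',
    "GoogleDriveFS": r'"C:\Program Files\Google\Drive File Stream\launch.bat" --startup',
    "Updater": r'C:\Program Files\Contoso Tools\updater.exe --quiet',
    "Helper": r'powershell.exe -WindowStyle Hidden -File C:\Users\mhassan\AppData\Roaming\sync.ps1',
}

# Constructed allowlist: the corporate OneDrive and Drive File Stream clients only.
CORP_ALLOWLIST = {
    "onedrive.exe": ["\\appdata\\local\\microsoft\\onedrive\\"],
    "launch.bat": ["c:\\program files\\google\\drive file stream\\"],
}

if __name__ == "__main__":
    for name, flags in review_run_entries(RUN_ENTRIES, CORP_ALLOWLIST).items():
        print(f"{name:16} {'ok' if not flags else '; '.join(flags)}")
```

With this allowlist the personal GoogleDriveSync client is reported because it is not sanctioned, while the corporate GoogleDriveFS client passes; the two other flagged entries show the checks that catch things the cloud-client story does not cover.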

Profiling User Behavior

By aggregating data from these artifacts, investigators can construct a comprehensive profile of the user’s activities:

    • Timeline Reconstruction: Align file access, search queries, and application usage chronologically.
    • Behavioral Patterns: Identify routines or anomalies in user behavior.
    • Intent Determination: Assess whether actions were deliberate, accidental, or malicious.

Example:

Combining evidence from RecentDocs, Office File MRU, and OpenSavePidlMRU, it’s apparent that Mohamed accessed sensitive company projects from a personal Google Drive on 09/14/2023, shortly before a reported data breach.

    • Searches for “sdelete”: Suggests an attempt to securely delete traces of activity.
    • Access to “Bitlocker” Recovery Keys: Indicates possible encryption or decryption of drives to conceal or move data.
    • Use of External Drives (G:, F:): Points towards data being transferred to removable media or network locations.

Case Study: Unveiling a Data Theft Incident

Background

An incident response team is investigating potential data theft at NileTech Innovations. An employee, Mohamed Hassan, is under scrutiny due to suspicious activities detected on his workstation.

Investigation Steps

  1. Analyzing WordWheelQuery
    • Search Terms:
      • “client_list.xlsx”
      • “sdelete”
      • “Bitlocker”
    • Insights:
      • Access to sensitive customer data.
      • Intent to securely delete data.
      • Possible encryption activities.
  2. Examining TypedPaths
    • Entries:
      • Paths containing “My Drive”, e.g., G:\My Drive\NileTech Projects\Project Sphinx
    • Implications:
      • Unauthorized data transfer to personal cloud storage.
  3. Reviewing RecentDocs
    • Files Accessed:
      • “PyramidScheme(1).docx”
      • Multiple files related to NileTech projects.
    • Drive Letters Used:
      • D:, E:, F:, G:
    • Observations:
      • Access to sensitive project files via external drives.
  4. Inspecting Office File MRU
    • Documents Opened:
      • Files associated with “Project Sphinx”, “PyramidScheme”, etc.
    • Access Duration:
      • Some files opened for mere seconds.
    • Conclusions:
      • Possible copying or scanning for specific data.
  5. Assessing OpenSavePidlMRU
    • Files in Google Drive:
      • Four entries referencing G:\My Drive.
    • Last Accessed File:
      • My Computer\D:\HASSAN-SYSTEM\Hassan-Memory.raw
    • Application Correlation:
      • Used MRC.exe (Magnet RAM Capture).
  6. Checking Autostart “Run” Keys
    • Cloud Applications:
      • Both personal and corporate Google Drive clients.
    • Risk Assessment:
      • Increased risk of data leakage.

Findings

    • Mohamed accessed and possibly transferred sensitive project files to his personal Google Drive.
    • Searches for secure deletion tools and encryption utilities suggest attempts to cover tracks.
    • Use of external drives and cloud storage indicates potential data exfiltration routes.
    • Presence of both personal and corporate cloud storage applications raises security concerns.

Recommendations

    • Immediate Actions:
      1. Suspend Mohamed’s access pending further investigation.
      2. Secure and analyze all associated devices and accounts.
    • Security Measures:
      1. Implement stricter controls on cloud storage applications.
      2. Monitor for unauthorized data transfers.
      3. Educate employees on data handling policies.

Conclusion

The NTUSER.DAT hive is a powerful resource in Windows forensics, offering deep insights into user activities. By understanding and effectively analyzing artifacts like WordWheelQuery, TypedPaths, RecentDocs, Office File MRU, OpenSavePidlMRU, and the Autostart “Run” Keys, investigators can reconstruct user behaviors, identify potential security incidents, and gather evidence crucial for legal proceedings.

In an era where data breaches and insider threats are prevalent, mastering NTUSER.DAT analysis not only enhances an investigator’s skill set but also significantly contributes to organizational security and compliance efforts.


Note: Always ensure compliance with legal and ethical guidelines when performing digital forensic analyses.

Disclaimer: The case study presented is a fictional scenario intended for educational purposes. Any resemblance to real persons or organizations is purely coincidental.


🚀 Ready to elevate your Digital Forensics and Incident Response skills?

Cyber Dojo’s DFIR Bootcamp is here to equip you with the expertise to thrive in the cybersecurity field. The bootcamp combines GCFE Preparation (FOR500) and GCIH Preparation (SEC504); this intensive course pairs in-depth knowledge with hands-on practice, giving you the tools and confidence to tackle real-world DFIR challenges.

Take the next step in your cybersecurity career—join our DFIR Bootcamp and gain the edge you need to succeed! 🔍🛡️

Click the link to view our DFIR Bootcamp: DFIR Bootcamp – Cyber Dojo

