Windows Forensics Analysis (Evidence)

Digital information and evidence taken from a computer are used to aid in an investigation. While computer forensics was originally limited largely to online fraud and hacking, today, it serves as a powerful investigative tool for a number of crimes, including theft, murder, harassment, abuse, and rape.

This post is part of a series about Windows forensics and evidence.

Forensic Evidence

Proper digital forensic and incident response analysis is essential to successfully solve today’s complex cases.

Each analyst should examine the artifacts and then analyze the activity they describe to determine a clear picture of which user was involved, what the user was doing, when the user was doing it, and why.

Internet History

People leave behind a large digital footprint online, and this includes the websites they’ve visited. Profiles on online dating websites may indicate adultery in a divorce case. Searches for poisonous cocktails could point to murder. This history may also be helpful in establishing a motive.

Emails

Emails are an extremely powerful tool. As hard as we might try, it is quite difficult to erase an email completely. Messages such as tax fraud or drug dealing may be analyzed to prove criminal behavior.

Text Messages

Although less common, sending a text message from your computer is possible. These messages often contain intimate, revealing material that may be pertinent to a civil or criminal case.

Social Media

What makes social media such a powerful source of computer forensics? Photos, messages, likes, and posts intersect for a powerhouse of intimate information.

Files and Images

Even if you use your smartphone most of the time, you probably have a number of documents and images on your computer. You may even store data from your smartphone on your computer as a means of backup.

Analyzing Activity

Investigators may review deleted files, communications, and images to track criminal activity. They’ll likely also analyze online search history and social media activity. Just about everything we do online leaves a trace, and the best investigators can follow it.

The computer forensics process consists of three main stages: acquisition, analysis, and reporting. Following these steps helps ensure the integrity of the investigative process.

Once the relevant material is seized, it is then duplicated. The material may not be modified in any way and must be properly stored. Once an exact match is made, the material is analyzed.

File Download

Open/Save MRU

In the simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, including web browsers like Internet Explorer and Firefox and a majority of commonly used applications.

Location

  • Windows XP – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
  • Windows 7 and higher – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Annotation

  • The “*” key – This subkey tracks the most recent files of any extension input in an OpenSave dialog
  • ??? (Three-letter extension) – This subkey stores file info from the OpenSave dialog by specific extension

E-mail Attachments

The e-mail industry estimates that 80% of e-mail data is stored via attachments. E-mail standards only allow text. Attachments must be encoded in MIME/base64 format.

Location (for Outlook)

  • Windows XP – %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook
  • Windows 7 and higher – %USERPROFILE%\AppData\Local\Microsoft\Outlook

Annotation – Microsoft Outlook data files in these locations include OST and PST files. One should also check the OLK and Content.Outlook folder, which might roam depending on the specific version of Outlook used. For more information on where to find the OLK folder, this link has a handy chart.

Skype History

Skype history keeps a log of chat sessions and files transferred from one machine to another. This is turned on by default in Skype installations.

Location

  • Windows XP – C:\Documents and Settings\<username>\Application Data\Skype\<skype-name>
  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Skype\<skype-name>

Annotation – Each entry will have a date or time value and a Skype username associated with the action.

Browser Artifacts

Not directly related to “File Download.” Details are stored for each local user account, and the number of times each site was visited (frequency) is recorded.

Location (Internet Explorer)

  • IE8 or IE9 – %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
  • IE10 and IE11 – %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
  • Firefox
    • v3-25 – %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
    • v26 and higher – %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite (table: moz_annos)
  • Chrome
    • Windows 7 and higher – %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History

Annotation – Many sites in history will list the files that were opened from remote sites and downloaded to the local system. History will record the access to the file on the website that was accessed via a link.

Downloads

Firefox and IE have a built-in download manager application that keeps a history of every file downloaded by the user.

This browser artifact can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading from them.

Location

  • Firefox
    • Windows XP – %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
    • Windows 7 and higher – <random text>.default\downloads.sqlite
  • Internet Explorer
    • IE8 and IE9 – %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\
    • IE10 and IE11 – %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Annotation – Downloads will include

  • Filename, Size, and Type
  • Download from and Referring Page
  • File Save Location
  • Application Used to Open File
  • Download Start and End Times
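As an added example (not code from the original post), the fields listed above pulled out of the Chrome History file named in the Location section: Chrome keeps download records in its downloads and downloads_url_chains tables, with start and end times stored as microseconds since 1601-01-01 UTC rather than Unix time. The schema subset and the single row below are constructed so the query runs offline; against a real profile you would copy the (locked) History file and pass the copy to sqlite3.connect.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit time origin


def webkit_to_datetime(us):
    """Chrome stores microseconds since 1601-01-01 UTC; 0 means 'not set'."""
    return None if not us else WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion, done with integers so no precision is lost."""
    d = dt - WEBKIT_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


# One row per download; the url chain holds redirects, the highest chain_index is the final URL
DOWNLOADS_QUERY = """
SELECT d.id, d.target_path, d.total_bytes, d.start_time, d.end_time, d.referrer, d.mime_type,
       (SELECT c.url FROM downloads_url_chains c
         WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1) AS final_url
FROM downloads d ORDER BY d.start_time"""


def list_downloads(conn):
    """Return download records with filename, size, source URL, referrer and UTC start/end times."""
    rows = []
    for did, path, size, start, end, referrer, mime, url in conn.execute(DOWNLOADS_QUERY):
        rows.append({"id": did, "saved_as": path, "size": size, "mime": mime, "url": url,
                     "referrer": referrer, "start": webkit_to_datetime(start),
                     "end": webkit_to_datetime(end)})
    return rows


def build_sample_history():
    """Constructed in-memory subset of Chrome's History schema (not a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, total_bytes INTEGER,
            start_time INTEGER, end_time INTEGER, referrer TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);""")
    start = datetime_to_webkit(datetime(2020, 7, 25, 14, 30, tzinfo=timezone.utc))
    conn.execute("INSERT INTO downloads VALUES (1, ?, 204800, ?, ?, ?, ?)",
                 (r"C:\Users\Rob\Downloads\invoice.pdf", start, start + 3_000_000,
                  "https://example.com/billing/", "application/pdf"))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (1, ?, ?)",
                     [(0, "https://example.com/dl?id=7"),
                      (1, "https://cdn.example.com/invoice.pdf")])
    return conn


if __name__ == "__main__":
    for row in list_downloads(build_sample_history()):
        print(row)
```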

ADS Zone.Identifier

Starting with Windows XP SP2, when files are downloaded from the “Internet Zone” via a browser to an NTFS volume, an alternate data stream is added to the file. The alternate data stream is named “Zone.Identifier.”

Annotation – Files with a Zone.Identifier ADS that contains ZoneId=3 were downloaded from the Internet

  • URLZONE_TRUSTED = ZoneID = 2
  • URLZONE_INTERNET = ZoneID = 3
  • URLZONE_UNTRUSTED = ZoneID = 4
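Reading the stream described above, as an added example that is not part of the original post: on NTFS the alternate data stream is addressed as "<file>:Zone.Identifier" and holds a small INI-style block whose ZoneId maps to the URLZONE values listed. The sample stream text is constructed (newer Windows versions also record ReferrerUrl and HostUrl, which are handled when present).

```python
import configparser

# URLZONE values; the post lists 2, 3 and 4, the first two are the standard lower zones
ZONE_NAMES = {
    0: "URLZONE_LOCAL_MACHINE",
    1: "URLZONE_INTRANET",
    2: "URLZONE_TRUSTED",
    3: "URLZONE_INTERNET",
    4: "URLZONE_UNTRUSTED",
}


def parse_zone_identifier(stream_text):
    """Parse the text of a Zone.Identifier stream into zone id/name and source URLs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ZoneId, ReferrerUrl, HostUrl
    cp.read_string(stream_text)
    section = cp["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "UNKNOWN"),
        "referrer_url": section.get("ReferrerUrl"),  # None on older Windows
        "host_url": section.get("HostUrl"),
        "from_internet": zone_id == 3,
    }


def read_zone_identifier(path):
    """Read the ADS of a file on an NTFS volume; None when the file carries no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such file, or the stream does not exist
        return None


# Constructed sample of what a browser writes on a current Windows build
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.com/downloads/\r\n"
                 "HostUrl=https://example.com/downloads/report.pdf\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```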

Program Execution

Last-Visited MRU

Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key.

In addition, each value also tracks the directory location for the last file that was accessed by that application. Example: Notepad.exe was last run using the C:\%USERPROFILE%\Desktop folder.

Location

  • Windows XP – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
  • Windows 7 and higher – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Annotation – Tracks the application executables used to open files in OpenSaveMRU and the last file path used.

UserAssist

GUI-based programs launched from the desktop are tracked in the launcher on a Windows system.

Location

  • NTUSER.DAT hive – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Annotation – All values are ROT-13 encoded

  • Windows XP GUID – 75048700… – Active Desktop
  • Windows 7 and higher GUIDs – CEBFF5CD… – Executable File Execution; F4E57C4B… – Shortcut File Execution
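Decoding one UserAssist entry, as an added example that is not code from the original post: the value name is ROT-13, and on Windows 7 and higher the 72-byte value data carries the run count at offset 4, the focus count and focus time after it, and the last-execution FILETIME at offset 60 (the layout used here is that Windows 7+ format). The two full GUIDs are the well-known subkeys whose leading digits the list above gives; the value name and data are constructed, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Well-known Windows 7+ UserAssist subkeys (the post lists their leading hex digits)
EXECUTABLE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # executable file execution
SHORTCUT_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"    # shortcut (LNK) file execution

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns intervals since 1601-01-01 UTC; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_userassist_win7(value_name, value_data):
    """Win7+ Count value: run count @4, focus count @8, focus time ms @12, last run FILETIME @60."""
    if len(value_data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist format")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_ft,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),  # undo the ROT-13 on the name
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed": filetime_to_datetime(last_ft),
    }


def build_sample_value(run_count, last_executed):
    """Constructed 72-byte value in the Win7+ layout (test data, not from a real system)."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, 3, 1500)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_executed))
    return bytes(data)


# Constructed sample entry: the stored name is the ROT-13 form of the program path
SAMPLE_NAME = codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13")
SAMPLE_DATA = build_sample_value(7, datetime(2020, 7, 25, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE_NAME)
    print(decode_userassist_win7(SAMPLE_NAME, SAMPLE_DATA))
```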

RunMRU Start->Run

Whenever someone does a Start -> Run command, it will log the entry for the command they executed.

Location

  • NTUSER.DAT HIVE NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\RunMRU

Annotation – The order in which the commands are executed is listed in the RunMRU list value. The letters represent the order in which the commands were executed.

AppCompatCache

The Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables.

  • Tracks the executable's file name, file size, last modified time, and, in Windows XP, the last update time

Location

  • Windows XP – SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
  • Windows 7 and higher – SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Annotation – Any executable run on the Windows system could be found in this key. You can use this key to identify systems on which specific malware was executed.

In addition, based on the annotation of the time-based data, you might be able to determine the last time of execution or activity on the system.

  • Windows XP contains at most 96 entries – LastUpdateTime is updated when the files are executed
  • Windows 7 and higher – contains at most 1,024 entries – LastUpdateTime does not exist on Win7 systems

Jump Lists

The Windows 7 taskbar feature called the Jump List is engineered to allow users to “jump” to or access items they have frequently or recently used quickly and easily.

This functionality can include not only recent media files but also recent tasks. The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application.

Location

  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Annotation

  • First time of execution of the application. – Creation Time = First-time item added to the AppID file.
  • Last time of execution of application w/file open. – Modification Time = Last time item added to the AppID file.

Prefetch

Increases the performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file.

Utilized to know an application was executed on a system.

  • Limited to 128 files on Windows XP and Windows 7
  • Limited to 1024 files on Windows 8 and higher
  • File naming: (exename)-(hash).pf

Location

  • Windows XP and higher – C:\Windows\Prefetch

Interpretation

  • Each .pf will include the last time of execution, the number of times run, and the device and file handles used by the program
  • Date/Time the file by that name and path was first executed – Creation Date of the .pf file (-10 seconds)
  • Date/Time the file by that name and path was last executed – Embedded last execution time of the .pf file; Last modification date of the .pf file (-10 seconds); Windows 8 and higher will contain the last 8 times of execution

Amcache.hve

RecentFileCache.bcf Description: ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file RecentFileCache.bcf to store data during process creation.

Location

  • Windows 7 and higher – C:\Windows\AppCompat\Programs\Amcache.hve
  • Windows 7 and higher – C:\Windows\AppCompat\Programs\RecentFileCache.bcf

Annotation

  • RecentFileCache.bcf – Executable PATH and FILENAME; the program is probably new to the system
  • The program executed on the system since the last ProgramDataUpdater task was run
  • Amcache.hve – Keys = Amcache.hve\Root\File\{Volume GUID}\
  • Entry for every executable run, full path information, the file's $StandardInfo Last Modification Time, and the disk volume the executable was run from
  • First Run Time = Last Modification Time of Key
  • SHA1 hash of the executable is also contained in the key

File/Folder Opening

Open/Save MRU

In the simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, including web browsers like Internet Explorer and Firefox and a majority of commonly used applications.

Location

  • Windows XP – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
  • Windows 7 and higher – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Annotation

  • The “*” key – This subkey tracks the most recent files of any extension input in an OpenSave dialog
  • ??? (Three-letter extension) – This subkey stores file info from the OpenSave dialog by specific extension

Last-Visited MRU

Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application. Example: Notepad.exe was the last run using the C:\Users\Rob\Desktop folder

Location

  • Windows XP – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
  • Windows 7 and higher – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Annotation – Tracks the application executables used to open files in OpenSaveMRU and the last file path used.

Recent Files

Registry key that tracks the last files and folders opened; it is used to populate data in the “Recent” menus of the Start menu.

Location

  • NTUSER.DAT – NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Annotation

  • RecentDocs – The key will track the order of the last 150 files or folders opened. The MRU list keeps track of the temporal order in which each file/folder was opened. This key’s last entry and modification time will be the time and location of the last file of a specific extension that was opened.
  • ??? – This subkey stores the last files with a specific extension that were opened. The MRU list keeps track of the temporal order in which each file was opened. This key’s last entry and modification time will be the time and location of the last file of that extension that was opened.
  • Folder – This subkey stores the last folders that were opened. The MRU list keeps track of the temporal order in which each folder was opened. The last entry and modification time of this key will be the time and location of the last folder opened.
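Recovering that temporal order, as an added example that covers both the RunMRU annotation (the letters in its MRUList value give the order) and the RecentDocs annotation above; it is not code from the original post. RunMRU stores the order as a string of value-name letters, most recent first; RecentDocs stores it as MRUListEx, a list of little-endian DWORD value indexes terminated by 0xFFFFFFFF, and each RecentDocs value starts with the UTF-16LE file name. The value contents below are constructed, not taken from a real NTUSER.DAT.

```python
import struct


def order_mrulist(values, mrulist):
    """RunMRU: values are named a, b, c...; MRUList lists the letters most recent first.
    Each command string ends in '\\1', which is stripped."""
    ordered = []
    for letter in mrulist:
        if letter in values:
            ordered.append(values[letter].rsplit("\\", 1)[0])
    return ordered


def parse_mrulistex(data):
    """MRUListEx: DWORD value indexes, most recent first, ending with 0xFFFFFFFF."""
    indexes = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        indexes.append(idx)
    return indexes


def recentdocs_name(data):
    """A RecentDocs value starts with the NUL-terminated UTF-16LE file name;
    the shell item that follows (holding the .lnk name) is ignored here."""
    end = data.find(b"\x00\x00")
    while end != -1 and end % 2:  # terminator must sit on a 2-byte boundary
        end = data.find(b"\x00\x00", end + 1)
    return data[:end].decode("utf-16-le") if end != -1 else data.decode("utf-16-le", "ignore")


def order_mrulistex(values, mrulistex):
    """RecentDocs: file names in the order they were last opened, most recent first."""
    return [recentdocs_name(values[i]) for i in parse_mrulistex(mrulistex) if i in values]


# Constructed RunMRU sample: three commands, value 'c' run most recently
RUNMRU_VALUES = {"a": "cmd\\1", "b": "regedit\\1", "c": "notepad C:\\Users\\Rob\\notes.txt\\1"}
RUNMRU_LIST = "cba"


def make_recentdoc(name):
    """Constructed RecentDocs value: UTF-16LE name, NUL terminator, stub shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00shellitem-stub"


RECENTDOCS_VALUES = {0: make_recentdoc("budget.xlsx"), 1: make_recentdoc("report.docx"),
                     2: make_recentdoc("photo.jpg")}
RECENTDOCS_LISTEX = struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF)  # report, photo, budget

if __name__ == "__main__":
    print(order_mrulist(RUNMRU_VALUES, RUNMRU_LIST))
    print(order_mrulistex(RECENTDOCS_VALUES, RECENTDOCS_LISTEX))
```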

Office Recent Files

Microsoft Office programs will track their recent Files list to make it easier for users to remember the last file they edited.

Location

  • NTUSER.DAT\Software\Microsoft\Office\VERSION
    • 16.0 = Office 365 Pro Plus (Office 2016 and Office 2019)
    • 15.0 = Office 2013
    • 14.0 = Office 2010
    • 12.0 = Office 2007
    • 11.0 = Office 2003
    • 10.0 = Office XP
  • NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\

Annotation – Similar to the Recent Files, this will track the last files that were opened by each MS Office application. The last entry added, per the MRU, will be when a specific MS Office application opens the last file.

Shellbags

Shellbags answer which folders were accessed on the local machine, the network, and/or removable devices; they provide evidence of previously existing folders after deletion/overwriting; and they show when certain folders were accessed.

Location

  • Explorer Access
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • Desktop Access
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
    • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Annotation – Stores information about which folders were most recently browsed by the user

Shortcut (LNK) File

Shortcut files are automatically created by Windows under Recent Items: opening local and remote data files and documents will generate a shortcut file (.lnk).

Location

  • Windows XP – C:\%USERPROFILE%\Recent
  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\

Note that these are the primary locations of LNK files; they can also be found in other locations.

Annotation

  • Date/Time file of that name was first opened – Creation Date of Shortcut (LNK) File
  • Date/Time file of that name was last opened – Last Modification Date of Shortcut (LNK) File
  • LNKTarget File (Internal LNK File Information) Data:
    • Modified, Access, and Creation times of the target file
    • Volume Information (Name, Type, Serial Number)
    • Network Share information – Original Location – Name of System
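The internal LNK target data listed above comes from the fixed 76-byte ShellLinkHeader at the start of every .lnk file; as an added example (not code from the original post) the block below parses that header and returns the target's creation, access and write times and its size. Volume and network share details live in the LinkInfo structure after the header and are not parsed here; the header bytes used are constructed, not a real shortcut.

```python
import struct
from datetime import datetime, timedelta, timezone

# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"  # 76-byte ShellLinkHeader per MS-SHLLINK 2.1
HAS_LINK_INFO = 0x02              # LinkFlags bit: volume / network share data present

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns intervals since 1601-01-01 UTC; 0 means 'not recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_lnk_header(data):
    """Return the target file's MAC times, size and flags from a shortcut's header."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "link_flags": flags,
        "has_link_info": bool(flags & HAS_LINK_INFO),
        "file_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "show_command": show,
    }


def build_sample_lnk_header(created, written, size):
    """Constructed header (not a real shortcut) with HasLinkTargetIDList|HasLinkInfo set."""
    return struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO | 0x01, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(written),
                       datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)


SAMPLE = build_sample_lnk_header(datetime(2020, 7, 1, 9, 0, tzinfo=timezone.utc),
                                 datetime(2020, 7, 25, 14, 30, tzinfo=timezone.utc), 4096)

if __name__ == "__main__":
    print(parse_lnk_header(SAMPLE))
```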

Jump Lists

The Windows 7 taskbar (Jump List) is engineered to allow users to “jump” to or access items they have frequently or recently used quickly and easily. This functionality can include not only recent media files but also recent tasks.

The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application and embedded with LNK files in each stream.

Location

  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Interpretation:

  • Open up one of the AutomaticDestination jumplist files using the Structured Storage Viewer.
  • Each one of these files is a separate LNK file. They are also stored numerically in order from the earliest one (usually 1) to the most recent (largest integer value).

Prefetch

  • Increases performance of a system by pre-loading code pages of commonly used applications.
  • Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file.
  • Utilized to know an application was executed on a system.
  • Limited to 128 files on XP and Win7
  • Limited to 1024 files on Win8 and higher
  • File naming: (exename)-(hash).pf

Location

  • Windows XP and higher – C:\Windows\Prefetch

Annotation

  • Can examine each .pf file to look for file handles recently used
  • Can examine each .pf file to look for device handles recently used

Shortcut (LNK) Files

Shortcut Files automatically created by Windows – Recent Items – local and remote data files and documents will generate a shortcut file (.lnk)

Location

  • Windows XP – C:\%USERPROFILE%\Recent
  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\

Note that these are the primary locations of LNK files; they can also be found in other locations.

Annotation

  • Date/Time file of that name was first opened – Creation Date of Shortcut (LNK) File
  • Date/Time file of that name was last opened – Last Modification Date of Shortcut (LNK) File
  • LNKTarget File (Internal LNK File Information) Data:
    • Modified, Access, and Creation times of the target file
    • Volume Information (Name, Type, Serial Number)
    • Network Share information – Original Location – Name of the System

Jump Lists Description

The Windows 7 taskbar is engineered to allow users to “jump” to or access items they have frequently or recently used quickly and easily. This functionality can include not only recent media files but also recent tasks.

The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application and embedded with LNK files in each stream.

Location

  • Windows 7 and higher – C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Annotation

  • Open up one of the AutomaticDestination jumplist files using the Structured Storage Viewer.
  • Each one of these files is a separate LNK file. They are also stored numerically in order from the earliest one (usually 1) to the most recent (largest integer value).

Prefetch

Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file. Utilized to know an application was executed on a system.

  • Limited to 128 files on Windows XP and Windows 7
  • Limited to 1024 files on Windows 8 and higher
  • File naming: (exename)-(hash).pf

Location

  • Windows XP and higher – C:\Windows\Prefetch

Annotation

  • Can examine each .pf file to look for file handles recently used
  • Can examine each .pf file to look for device handles recently used

IE|Edge

A little-known fact about IE History is that the information stored in the history files is not just related to Internet browsing. The history also records local, removable, and remote (via network shares) file access, giving us an excellent means for determining which files and applications were accessed on the system daily.

Location

  • Internet Explorer:
    • IE6 and IE7 – %USERPROFILE%\Local Settings\History\History.IE5
    • IE8 and IE9 – %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
    • IE10 and IE11 – %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Annotation – Stored in index.dat as: file:///C:/directory/filename.ext and does not mean file
