
What did they take when they left? Part 2 – Finding out what they ran before they left

Hello Reader,

In Part 1 we discussed how to determine if a CD was burned. Knowing what application it was burned with, and what other tools the user ran before they left, is also important.

  1. User Assist

One way to determine this is with the user assist registry keys. In the years since the user assist registry keys were first discovered (they were included in our Windows analysis chapter in 2005) many people have realized the impact they can have on a case. The User Assist functionality has existed since Windows 2000 and is a registry key, divided into two parts, that keeps track of recently used programs and files for the start menu.

The user assist registry key exists in each user's ntuser.dat under the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Beneath it there are multiple subkeys depending on the version of Windows you are examining: two for Windows 2000, XP and 2003, and three for Windows Vista and Server 2008. Under each you will find a Count key that contains the actual data we are looking for. Entries are encoded in ROT13, and if you are not using one of the tools listed in this post you will need to decode them yourself to read the entries.


There are multiple tools that support the user assist registry keys for analysis (AccessData's Registry Viewer and Didier Stevens' tool, for instance) that will quickly allow you to see:

  1. What program or file was accessed
  2. How many times the program or file has been accessed through windows explorer
  3. The last time the program or file was accessed through windows explorer

As a simple example, I use Microsoft Office a lot. In fact I write my blog posts in it as it can directly post them to blogger (hopefully catching all my typos). So a decoded user assist entry for Office in my registry looks like this:

"{75048700-EF1F-11D0-9888-006097DEACF9}","20","UEME_RUNPATH:C:\Program Files\Microsoft Office\Office12\WINWORD.EXE","","54","37","3/22/2009 9:25:59 PM"

This entry was found in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Decoding the entry section by section we see:

  1. {75048700-EF1F-11D0-9888-006097DEACF9} – the registry key under user assist that this entry belongs to; data appears to be grouped into categories based on these IDs.
  2. 20 – The index number. This number increments as entries are added to this key; in this case this is the 20th entry logged. If a program has been executed multiple times, such as my Word 2007 program, sorting by the index number will give you an idea of when it was first executed.
  3. UEME_RUNPATH:C:\Program Files\Microsoft Office\Office12\WINWORD.EXE – This is two pieces of info combined into one:
    1. UEME_RUNPATH – This is the prefix for all entries that give you a full path to the program or file being accessed
    2. C:\Program Files\Microsoft Office\Office12\WINWORD.EXE – this is the full path to the program or file executed
  4. 54 – This is the session; its use is still unknown
  5. 37 – This is the number of times the program has been executed
  6. 3/22/2009 9:25:59 PM – This is the last time the key was updated and should be the last time the program was executed
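The decoding above, as an added worked example (my own code, not part of the original post or of any tool it mentions): it ROT13-decodes a Count value name and unpacks the 16-byte value data used by Windows 2000/XP/2003/Vista (session, run counter, FILETIME of the last run). The sample value is constructed from the decoded fields of the Word 2007 entry quoted above; the 16-byte layout is the well-documented XP-era format rather than something the post spells out, and the build_sample_value helper exists only to produce that sample offline.

```python
import codecs
import struct
from datetime import datetime, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01. The post quotes local
# time, so the datetimes here are kept naive rather than converted to UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME into a naive datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used only to build the sample value below)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_value_name(rot13_name):
    """Value names under ...\\UserAssist\\{GUID}\\Count are ROT13 encoded.
    Only letters rotate, so the drive letter flips but digits, colons and
    backslashes survive unchanged."""
    return codecs.decode(rot13_name, "rot_13")


def parse_count_value(rot13_name, data):
    """Parse one value from a Count subkey using the 16-byte layout of
    Windows 2000/XP/2003/Vista: uint32 session, uint32 run counter,
    uint64 FILETIME of the last run, all little endian. (Windows 7 and later
    use a different, longer structure that this parser does not handle.)"""
    if len(data) < 16:
        raise ValueError("expected at least 16 bytes of value data, got %d" % len(data))
    session, count, ft = struct.unpack("<IIQ", data[:16])
    name = decode_value_name(rot13_name)
    prefix, sep, path = name.partition(":")
    return {
        "prefix": prefix,                  # e.g. UEME_RUNPATH
        "path": path if sep else None,     # full path of the program or file, when present
        "session": session,
        "count": count,
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def build_sample_value(name, session, count, last_run):
    """Constructed sample (hypothetical helper): encode a value the way Windows
    stores it so the parser can be exercised offline.
    Returns (ROT13 value name, raw value data)."""
    data = struct.pack("<IIQ", session, count, datetime_to_filetime(last_run))
    return codecs.encode(name, "rot_13"), data


# The post's Word 2007 entry, rebuilt from its decoded fields
# (session 54, 37 runs, last run 3/22/2009 9:25:59 PM local time).
SAMPLE_NAME, SAMPLE_DATA = build_sample_value(
    r"UEME_RUNPATH:C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
    54, 37, datetime(2009, 3, 22, 21, 25, 59))


def demo():
    """Parse the constructed sample and return the decoded fields."""
    return parse_count_value(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    print("stored as:", SAMPLE_NAME)
    for key, value in demo().items():
        print("%-9s %s" % (key, value))
```

The stored name comes out as the familiar HRZR_EHACNGU: prefix, which is why a ROT13 pass is enough to make raw exports from a registry viewer readable.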

Going through the user assist then allows us to find out what programs were being executed around the time that, for instance, a CD was burned: sort the entries by time and look at what ran around that point. If there is no corresponding entry you may want to look at the restore points for backups of the ntuser.dat close to the time of the burn to find the program executed.

If the user assist keys are missing, one of two things could have occurred:

  1. The user disabled them; a registry key is created showing this if true.
  2. The user has deleted them; this can be an indication of some type of 'cleaning' tool having been run, such as Crap Cleaner.

Now, the user assist registry keys are not the only place to look for what programs have been executed. We don't want to rely solely on access times, as they change so easily and don't prove that a program was actually executed. We want to focus on artifacts created because of an execution, and there are two other well documented sets of artifacts that show the actual execution of a program.

  1. Shortcut/Lnk Files

LNK files, so named because of the '.LNK' extension given to them, are stored in several locations depending on their function. We will discuss LNK files in more detail in the next post, as they are an extreme wealth of information, but for the purposes of this post it suffices to say that we can use LNK files to determine if a program was executed through one.

The start menu for each user, stored from Windows 2000 on under the user's profile directory (\documents and settings\<user>\start menu in XP and \users\<user>\start menu in Vista and 2008), contains a LNK file for each of the items listed in the user's start menu when they click the start button. So each time a user loads a program through it, the modified date of the LNK file will change to reflect it. This also applies to any other instance of the LNK file, such as in the quick launch bar or on the desktop.

So for instance my Office 2007 LNK file in the start menu shows a created time of 11/24/2008, which is when I installed Office 2007 on this computer. The modification date is 3/22/09 9:25pm, which is the last time I used the LNK file to load up Office 2007. You can see that the prefetch reference below says 9:26pm; it takes a couple of seconds between the time I clicked the LNK and when the prefetch file gets created.


  1. Prefetch Files

Stored in the \Windows\Prefetch directory, there is one .pf file for each of a maximum of 128 programs, and the last modified time is updated each time the program is executed. The Forensic Wiki has a nice write-up on prefetch files. There are several tools out there for parsing prefetch files; one that is free is part of the Windows File Analyzer program. If I were to analyze the prefetch file for Office 2007 I would see the following:

File name: WINWORD.EXE-6AC9169C.pf

Last loaded: 3/22/09 at 9:26PM

This is when I started writing this blog post; it's been a couple of days of research, catching up on old topics to see what people have figured out.

So the prefetch file is a third correlation point we can use to determine if and when a program has been executed.
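Correlating the three sources, as an added example (my own code, not the post's): it merges constructed UserAssist, LNK and prefetch timestamps, modelled on the Word 2007 times quoted above, into one timeline, lists what ran around a hypothetical CD burn time, and checks that the last-run evidence for one program agrees across the sources within a tolerance (the post notes a couple of seconds between the LNK click and the prefetch write). The Nero entries, the burn time, the exact second values and the .pf hash placeholder are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data, modelled on the timestamps in the post (local time, as quoted).
# The Nero entries and BURN_TIME are hypothetical; the Nero .pf hash is a placeholder.
USERASSIST = [
    # (path from the decoded UEME_RUNPATH entry, run count, last run time)
    (r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE", 37, datetime(2009, 3, 22, 21, 25, 59)),
    (r"C:\Program Files\Nero\nero.exe", 3, datetime(2009, 3, 20, 14, 2, 10)),
]
LNK = [
    # (target path, LNK created, LNK last modified) from start menu / desktop shortcuts
    (r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     datetime(2008, 11, 24, 10, 0, 0), datetime(2009, 3, 22, 21, 25, 57)),
    (r"C:\Program Files\Nero\nero.exe",
     datetime(2009, 1, 5, 9, 0, 0), datetime(2009, 3, 20, 14, 2, 8)),
]
PREFETCH = [
    # (.pf file name, .pf last modified) from \Windows\Prefetch
    ("WINWORD.EXE-6AC9169C.pf", datetime(2009, 3, 22, 21, 26, 3)),
    ("NERO.EXE-XXXXXXXX.pf", datetime(2009, 3, 20, 14, 2, 12)),   # hash placeholder
]
BURN_TIME = datetime(2009, 3, 20, 14, 5, 0)   # hypothetical: when Part 1's artifacts date the burn
WINDOW = timedelta(minutes=10)


def exe_name(path):
    """Normalise a path, LNK target or .pf file name to the bare executable name, upper-cased."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower().endswith(".pf"):
        base = base[:base.rfind("-")]       # strip the "-HASH.pf" suffix
    return base.upper()


def build_timeline(userassist, lnk, prefetch):
    """Merge the three artifacts into one (time, source, exe, note) list sorted by time."""
    events = []
    for path, count, last_run in userassist:
        events.append((last_run, "userassist", exe_name(path), "last run, count=%d" % count))
    for target, created, modified in lnk:
        events.append((created, "lnk", exe_name(target), "shortcut created (install or first use)"))
        events.append((modified, "lnk", exe_name(target), "shortcut modified (last launch via LNK)"))
    for pf_name, modified in prefetch:
        events.append((modified, "prefetch", exe_name(pf_name), "last loaded"))
    return sorted(events)


def runs_around(timeline, event_time, window=WINDOW):
    """Everything that executed within +/- window of an event such as a CD burn."""
    return [e for e in timeline if abs(e[0] - event_time) <= window]


def correlate(timeline, exe, tolerance=timedelta(seconds=30)):
    """Check that the last-run evidence for one program agrees across the sources.
    LNK creation is skipped here: it dates the shortcut, not a launch."""
    evs = [e for e in timeline if e[2] == exe.upper()]
    last = {}
    for t, source, _, note in evs:
        if source == "lnk" and "created" in note:
            continue
        last[source] = max(last.get(source, t), t)
    times = list(last.values())
    return {
        "exe": exe.upper(),
        "sources": sorted(last),
        "first_seen": min(e[0] for e in evs) if evs else None,
        "last_run": max(times) if times else None,
        "consistent": bool(times) and (max(times) - min(times)) <= tolerance,
    }


if __name__ == "__main__":
    timeline = build_timeline(USERASSIST, LNK, PREFETCH)
    print("ran within %s of the burn:" % WINDOW)
    for t, source, exe, note in runs_around(timeline, BURN_TIME):
        print("  %s  %-10s %-12s %s" % (t, source, exe, note))
    print(correlate(timeline, "winword.exe"))
```

A program whose three timestamps disagree by more than a few seconds is worth a second look: the LNK may have been used for something other than the last run (prefetch and user assist record launches by any route), or one of the artifacts may have been touched by a later event.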

  1. Conclusion

So we now have three separate sources on a typical Windows system that we can use to determine what programs had been executed, when (the first and last times), and how many times. These are not the only places we can look for this information, but they are three of the most reliable due to the nature of their creation and use. If you find that all of this data is missing then it becomes almost certain that either:

  1. The system is being reimaged each time it reboots/logs in (some public access terminals do this)
  2. A cleaning/wiping tool has been run

I plan to make a post on how to determine what a user has wiped after this series, but if a cleaning tool has not been run, one or all of these sources will allow you to state for a fact what program was executed to:

  1. Run a backup program (such as the ones packaged with some external hard drives, like Retrospect)
  2. Burn a CD
  3. Run an ftp program
  4. Access some kind of archiving or copy tool

Which will then lead to the next question and our next post in the series: Part 3 - Where did it go and what did they take?


  1. Really good post, looking forward to part 3.

  2. RegRipper extracts this information quickly and efficiently, as well. In fact, I am using rip and the userassist plugin on a current engagement, and I didn't find what I was looking for (i.e., running a particular app). I knew that the app was installed due to the existence of a specific keyword in one of the Uninstall key entries (extracted from the Software hive file via RegRipper). I then ran the TypedURLs plugin across the 13 NTUSER.DAT files that I had extracted from the image, and narrowed the specific activity to two accounts. Now it's on to Pasco (after using ProDiscover's Find Internet History function) to get the information I need in a reportable format.

  3. Hi Harvey,
    I really should have included RegRipper here; I've been using it lately instead of Registry Viewer for exactly this purpose. When I move into the next post, where I detail more registry locations to view, I will make sure to do so. Thanks for the tool btw, very handy.

  4. UserAssist entries can be extremely useful, particularly in determining the use of CD Burning functionality. Look for the use of a CD/DVD burning application, such as Sonic, Nero, or whatever is installed. Remember that on XP systems in particular, if a driver is installed when a burner application is installed, a System Restore Point will be created, and that can help you with your timeline information.

    Speaking of Restore Points, I have a variant of RegRipper that I call "ripXP" that I use to run RegRipper plugins across Restore Points automatically, giving me a historic view of the Registry entries. Very nice to have in a number of cases.

    Back to CD burning...RegRipper includes a plugin for extracting MRU information from the Registry with respect to the CD/DVD burning application GUI. By default, the only entries that I've seen here have been ISO files (Helix, Linux distros, etc.), but it still shows usage. As these files are accessed through the shell, in many instances, you will also find references to them in the user's RecentDocs subkey entries.

  5. You know Harvey, H(arlan C)arvey, everyone is abbreviating these days.

    Not really, I messed up, but at least I could find a good excuse. Thanks for the mention on your blog; looking forward to your second edition.

  6. This is excellent information. I'm looking forward to part 3 as this is what all my legal folks want to know. "What did they take, and where did it go?"

  7. Great post! Nothing is better than seeing some real content on the internet. Keep up the good work; you should be proud. Most people do not know about the Prefetch folder in Windows! I touched base on it on my blog in my Windows tweak section. You should check out my Computer Hacking Blog when you have the chance. I have favorited this blog because I am looking forward to reading more great posts in the near future. Don't stop, knowledge is power.

  8. I really liked this post. Very helpful and understandable.
