Electronic Evidence where to find in files
Windows Searches — For years, one challenge in digital investigative analysis has been proving a user not only had something significant to an investigation on their computer, but that he knew it was on there. Two of the easiest ways help prove knowledge of a file is to prove the user was searching for it or accessed it. In order for Microsoft to enhance the user experience, Windows tracks the names of files you access and search for in multiple locations. As previously discussed, the Windows registry is essentially several databases called registry hives. Each user has his own primary registry hive called the NTUSER.DAT. This registry hive tracks information specific to each user’s activity and preferences. Starting in Windows 7, when a user conducts a search on his computer using the Windows search function or the “Charm Bar” in Windows 8-10 (the magnifying glass that appears when you move your mouse to the right edge of the screen), Windows records each search in temporal order in the “NTUSER.DAT\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\WordWheelQuery” registry key. Because the searches are recorded in temporal order, an analyst can frequently see indications of the user’s thought process as he searched for particular files.
File Access —– Windows also records in numerous artifacts when a user opens or attempts to open non-executable files. Four of the most useful digital artifacts to identify files opened or attempted to be opened are “LNK” files (pronounced as “link” files), Jump Lists, and several “most recently used” registry keys.
LNK files — A LNK File is an artifact that has existed since Windows XP. LNK files are also known as a “Windows Shortcut” files and are created anytime a user opens or attempts to open a nonexecutable file. A LNK file is created even if the file opened is on a network or external drive. When an opened file is later deleted, its LNK file does not get deleted with it. Windows creates and stores approximately 149 LNK files in the user’s home directory under the “AppData\Roaming\Microsoft\ Windows\Recent” directory. LNK files contain a wealth of information including the modified, accessed, and created dates and times of the file opened; the full directory path, volume name, and volume serial number from which the file was last opened; and the file size.
Starting in Windows 10, Microsoft added rules to when LNK files would be created in addition to when files are opened. On earlier versions of Windows 10, a LNK file was created for the directory to which any file was copied. The creation of a LNK file for the directory a file was copied to was stopped on later versions of Windows 10. However, on versions as early as version 1607, Microsoft created a LNK file for the directory a file is opened from. Additionally, when a directory is created, Windows creates a LNK file for the directory created and for the created directories “parent” and “grandparent” directory. In addition to all the information LNK files record, LNK files also record the last time a file was opened.
Jump Lists — One of the newest artifacts to identify files opened by a user are “Jump Lists.” Starting in Windows 7, Microsoft introduced two types of jump lists: “AutomaticDestinations” and “CustomDestinations.” Automatic and Custom jump lists are created and stored in their respective directory in each user’s home directory under the “AppData\ Roaming\ Microsoft\ Windows\Recent” directory. Each application can incorporate its own jump lists as a “mini-start” menu. Automatic Destinations allow a user to quickly “jump” to or access files they recently or frequently used, usually by right-clicking the application in the Windows taskbar. CustomDestinations allow a user to pin recent tasks, such as opening a new browser window or create a new spreadsheet to the jump list. Jump lists are essentially mega LNK files. Each jump list can record upwards of the last 1,000 files opened by each application. As jump lists are essentially compound LNK files, they contain all the same information as LNK files, such as when each file was opened, modified, accessed, and created; dates and times that the file was opened; the full directory path, volume name, and volume serial number from where the file was last opened; and the file size.
Most Recently Used (MRU) Registry Keys – As previously mentioned, the Windows Registry is a series of massive databases that track system configuration and user activity. There are several registry keys that track most recently used items. An analysis of these registry keys can help an analyst quickly identify files accessed. Every application developer has the option of creating registry keys specific to his application configuration and user activity. Three of the most useful registry keys that track files accessed are “RecentDocs,” “Microsoft Office FileMRU,” and “OpenSavePIDMRU.”
RecentDocs — The “RecentDocs” registry key tracks the name and order of the last 10 files opened for every file extension (e.g. .doc, .docx, .jpg, etc.). The registry organizes each of the last 10 files opened in sub keys named by the file extension. A sub key named “folder” is also created when the first folder is opened using the Windows Explorer. This sub key tracks the name of the last 30 folders opened. Each user has his own RecentDocs registry key located in his NTUSER.DAT registry hive under the “\Software\ Microsoft\ Windows\ Currentversion\ Explorer” registry key. The master RecentDocs key maintains a master list, organized in temporal order of the last 150 files or folders opened. By analyzing the order that particular files were opened, analysts have often been able to refute claims that a single type of file was opened by mistake. In one trade secret case, it was helpful for the analyst to show the pattern of files opened that all related to the same subject matter.
Applications Specific Most Recently Used (MRU) — With every Windows application, developers have the ability to create their own set of registry keys to track specific configuration and user activity for their application. If a specific application is used to commit or facilitate a crime or is otherwise significant to an investigation, it is often advantageous for the analyst to determine both if the application has its own set of registry keys and what actions those keys record. Two excellent examples are “Winzip,” which records the name of the last several zip files created using the Microsoft Office suite of applications. Each application in the Office suite has its own set of “FileMRU” (most recently used files) that tracks most recent files used and when they were opened. Additionally, starting with Office version 365 and 2016, Microsoft Office tracks the “reading location” for each Word, PowerPoint, and Excel document opened and when each file was closed. Using this information, an analyst can determine not only what document was last opened and when it was closed, but also that the user had scrolled to and was on page 32 of the document when it was closed.
OpenSavePIDMRU — Windows has some basic dialog boxes that all programs can use when a user opens or saves a file. Some may have noticed that when saving files, a dropdown arrow in the file name dialog entry location appears. By clicking on the arrow, you will see several of the most recent file names you have saved for that application. These file names are saved as a part of the “OpenSavePIDMRU” registry key which is located under the “NTUSER.DAT \ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ ComDlg32\ OpenSaveMRU” registry key. A record of the last 10 to 25 names of the last files opened or saved using the Windows Common Dialog Box are stored under sub keys based on file extension.