Investigating User Activity with Windows Artifacts in IEF


Sometimes when conducting forensic examinations, investigators can lose sight of the fact that they’re investigating the actions of a person, not a computer. Almost every event or action on a system is the result of a user either doing something (or not doing something) at a particular time to create that event. It’s important for an investigator to understand how those events on a system correlate to the actions of somebody in the real world.

New with the Business and OS artifacts module in Internet Evidence Finder (IEF) v6.4, we’ve added a number of valuable Windows operating system artifacts that will help investigators gain insight into details about a system and its users. IEF will now search for File System Information, Jump Lists, LNK Files, Network Share Information, Operating System Information, Shellbags, Startup Items, Timezone Information, USB Devices, User Accounts, Windows Event Logs and Windows Prefetch Files. These artifacts can be broken down into two categories: system artifacts and artifacts focused around a user’s activity. Here we will discuss artifacts based around user activity and how they are relevant to your investigation.

The artifacts that we will discuss are: Jump Lists, LNK files, Shellbags, USB Devices and Prefetch files.

Jump Lists

Jump lists were added to Windows 7 and later systems to provide a list of recently accessed files and documents associated with a given application. Previously, examiners only had access to a short list of recently accessed files, but jump list artifacts provide details on recent files for each application, giving investigators a lot more information and timestamps around what the user was doing on a system.

IEF will now recover jump list details from the automaticDestinations-ms and customDestinations-ms files, providing details around the application, recent files and timestamps, as well as several other items of potential forensic value.

One unique artifact included in jump lists is the AppID field, a CRC64 hash of the application path. For more information on calculating AppID values, see the write-up on the Hexacorn blog. While it’s possible for the investigator to calculate the AppID value, IEF uses a predefined list of commonly known application paths to provide examiners with the application potentially associated with the jump list.[1]

LNK Files

LNK files are commonly known as shortcuts on Windows systems. Forensically, they provide volume, path and timestamp details around both the LNK file and the targeted shortcut. For example, when examining a shortcut that links to notepad.exe, the LNK file will contain details on the:

  •  path of notepad.exe
  •  serial number of the volume where notepad.exe is located (as well as MAC addresses of any network locations)
  •  timestamps surrounding when notepad.exe was first and last accessed through the LNK file

The LNK file will also contain details on the MAC times of notepad.exe itself, which can be quite useful if the original file cannot be found or accessed on a system.

IEF will recover all the relevant details from LNK files found on a system including the path, volume and timestamp details mentioned above. Much of this data can be correlated with other artifacts, such as jump lists and prefetch files, to help investigators build an excellent timeline of a user’s activity on a system.
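As an added illustration (not IEF's code), the following Python reads exactly those fields from an LNK file using the layout in Microsoft's MS-SHLLINK specification: the target's created/accessed/modified FILETIMEs and size from the header, and the volume serial number, drive type and local base path from the LinkInfo block. The shortcut bytes, serial number, timestamps and path are constructed sample input.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example (not IEF or Microsoft code): read the fields the post describes from
# a .lnk file per the MS-SHLLINK layout: the target's MAC FILETIMEs and size from
# the ShellLinkHeader, then volume serial, drive type and base path from LinkInfo.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks from here

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_lnk(data):
    header_size, flags = struct.unpack_from("<I16xI", data, 0)
    if header_size != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    _attrs, ctime, atime, wtime, size = struct.unpack_from("<IQQQI", data, 0x18)
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime), "target_size": size}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                        # offsets are relative to LinkInfo start
        _size, _hdr, info_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x01:                        # VolumeIDAndLocalBasePath present
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            base = data[pos + base_off:].split(b"\0", 1)[0].decode("cp1252")
            info.update(drive_type=drive_type, volume_serial=f"{serial:08X}", local_base_path=base)
    return info

def build_sample_lnk(base_path, serial, created, accessed, modified, size):
    """Construct a minimal .lnk (header + LinkInfo, no ID list) as sample input."""
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIiIHHII", HAS_LINK_INFO, 0x20, datetime_to_filetime(created),
        datetime_to_filetime(accessed), datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, serial, 16) + b"\0"   # DRIVE_FIXED, empty label
    path = base_path.encode("cp1252") + b"\0"
    body = volume_id + path + b"\0"                                # empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 0x01, 28, 45, 0, 45 + len(path))
    return header + link_info + body

def demo():  # constructed shortcut: what the LNK records about its target
    lnk = build_sample_lnk(r"C:\Users\bob\Documents\plan.docx", 0x1A2B3C4D,
                           datetime(2014, 5, 20, 14, 3, 9, tzinfo=timezone.utc),
                           datetime(2014, 6, 1, 9, 15, 30, tzinfo=timezone.utc),
                           datetime(2014, 5, 28, 17, 42, 0, tzinfo=timezone.utc), 24576)
    return parse_lnk(lnk)
```

The timestamps parsed from the header are the target's own MAC times as they were when the shortcut was last written, which is why they can survive even after the target file is gone.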

Shellbags

Shellbags have become a popular topic for forensic examiners trying to trace the activities of a user on a Windows system. Harlan Carvey and Dan Pullega have written great posts on the topic and should certainly be read by any investigator looking to dig deeper into shellbag analysis.

In a nutshell, shellbags help track views, sizes and positions of a folder window when viewed through Windows Explorer; this includes network folders and removable devices. Forensically, this will help investigators build a timeline of events as a user might have traversed through a system going from folder to folder; it may also help refute claims that a suspect might not have known certain files or pictures were present on a system.

Additionally, shellbags will be structured differently depending on how a user accessed the folder in question (whether they were accessed through the start menu, a sidebar, etc.).

IEF will pull shellbag artifacts from the UsrClass.dat registry hive at the following two locations:

HKCR\Local Settings\Software\Microsoft\Windows\Shell\Bag

HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

USB Devices

Analyzing USB devices is a common technique used by forensic examiners to determine what removable media has been plugged into a system. The steps for gathering USB device history, and tying it back to a user, are well documented by SANS for both Windows XP and Vista/7. There are several registry keys of value to investigators who wish to gain as much insight as possible about USB devices:

HKLM\System\CurrentControlSet\Enum\USB

HKLM\System\CurrentControlSet\Enum\USBSTOR

HKLM\System\MountedDevices

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Also, the setupapi.log contains additional timestamp information that could be valuable to investigators. IEF will search these locations for USB details, and provide investigators with a list of devices that have connected to the system, as well as any potential timestamp or user details that it could recover.

Sometimes examiners might come across an Android device or something similar that uses the MTP (Media Transfer Protocol) drivers instead of USB mass storage drivers. These devices should be examined differently than a typical USB device since there will be no information about them in the USBSTOR or MountPoints2 registry keys.

Combining your USB/MTP analysis with other artifacts, such as shellbags and LNK files, will help investigators piece together the actions of a user on the system. From accessing particular files and applications on a system, to connecting an external device and browsing through explorer to those locations, these artifacts will track a user throughout an incident whether it’s an IP theft investigation, malware intrusion or something similar.

Prefetch Files

Windows creates a prefetch file (ending in the .pf extension) when an application is run from a particular location for the very first time. This is used to help speed up the loading of applications, but for investigators these files contain some valuable data on a user’s application history on a computer.

Prefetch files contain the name of the application and then an eight character hash of the location where the application was run. For example, the prefetch file for notepad.exe would appear as NOTEPAD.EXE-F01516D55.pf, where F01516D55 is a hash of the path from where the file was executed.

Prefetch files will contain timestamp details on when the application was first and last run, as well as frequency. For Windows 8, prefetch files now contain up to eight different timestamps for when an application was previously run, giving investigators several additional timestamps to help build a timeline of events on a system.

The location of the executable can be just as important as any timestamp data. For example, if I’m working on a malware investigation and I find a prefetch file for lsass.exe in the Windows\system32 folder, I wouldn’t think too much of it. If I found a prefetch file for the same executable in either a temp directory or anywhere else on the system, I would certainly investigate that file further as that’s not expected behaviour for this file.

IEF will parse details for prefetch files from the ROOT\Windows\Prefetch folder and display them in the Report Viewer, including any additional timestamps for Windows 8 files.
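The lsass.exe reasoning above, written out as a repeatable check, is shown below as an added example (not IEF's code). It runs over constructed records shaped like a prefetch parser's output (executable name, the executable's own path from the prefetch file's file-reference list, run count and last-run times); the table of expected system-binary directories and the temp/public markers are assumptions chosen for the illustration.

```python
import re

# Added example (not IEF code): triage parsed prefetch records by where the
# executable ran from, the check described above for lsass.exe. Records are
# constructed to resemble a parser's output: executable name, the executable's
# own path from the prefetch file's file-reference list, run count, run times.
EXPECTED_DIRS = {   # assumption: system binaries and their only legitimate homes
    "LSASS.EXE": {"\\WINDOWS\\SYSTEM32"},
    "CSRSS.EXE": {"\\WINDOWS\\SYSTEM32"},
    "SVCHOST.EXE": {"\\WINDOWS\\SYSTEM32", "\\WINDOWS\\SYSWOW64"},
}
SUSPICIOUS_DIRS = ("\\TEMP\\", "\\TMP\\", "\\PUBLIC\\", "\\$RECYCLE.BIN\\")
# Prefetch stores device paths (\VOLUME{...}\... or \DEVICE\HARDDISKVOLUMEn\...);
# strip the volume prefix so paths compare regardless of which volume they were on.
VOLUME_PREFIX = re.compile(r"^\\(VOLUME\{[^}]+\}|DEVICE\\HARDDISKVOLUME\d+)")

def normalize(path):
    return VOLUME_PREFIX.sub("", path.upper())

def assess(record):
    """Return the findings for one prefetch record (empty list = nothing odd)."""
    name = record["exe"].upper()
    directory = normalize(record["exe_path"]).rsplit("\\", 1)[0]
    findings = []
    expected = EXPECTED_DIRS.get(name)
    if expected and directory not in expected:
        findings.append(f"{name} ran from {directory}; expected one of {sorted(expected)}")
    if any(marker in directory + "\\" for marker in SUSPICIOUS_DIRS):
        findings.append(f"{name} ran from a temp/public location: {directory}")
    return findings

SAMPLE_RECORDS = [  # constructed sample data, not from a real system
    {"exe": "LSASS.EXE", "run_count": 1, "last_runs": ["2014-06-02T08:12:01Z"],
     "exe_path": "\\VOLUME{01d0a1b2c3d4e5f6-1a2b3c4d}\\WINDOWS\\SYSTEM32\\LSASS.EXE"},
    {"exe": "LSASS.EXE", "run_count": 3, "last_runs": ["2014-06-03T22:40:58Z", "2014-06-03T22:41:10Z"],
     "exe_path": "\\VOLUME{01d0a1b2c3d4e5f6-1a2b3c4d}\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\LSASS.EXE"},
    {"exe": "NOTEPAD.EXE", "run_count": 12, "last_runs": ["2014-06-03T09:05:33Z"],
     "exe_path": "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"},
]

def triage(records=SAMPLE_RECORDS):
    """Map each flagged executable path to its findings, run count and latest run time."""
    report = {}
    for rec in records:
        findings = assess(rec)
        if findings:   # Windows 8 prefetch can carry up to eight run times; keep the latest
            report[rec["exe_path"]] = {"findings": findings, "run_count": rec["run_count"],
                                       "last_run": max(rec["last_runs"])}
    return report
```

The flagged record's run times are exactly what you would then line up against LNK, jump list and shellbag timestamps from the same window.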

Overall, there is a wealth of user activity found in these artifacts. Investigators can often piece together information from one artifact with another, which provides an excellent timeline of events showing how a user traversed the system over a given time, so don’t try to analyze these artifacts as individual pieces. The data should be pieced together from multiple sources for an examiner to understand the complete picture.

There is an abundance of additional information about these artifacts and they are well documented in the links I referenced above. Keep an eye out for some additional blogs where I will dig deeper into each one of these artifacts to give you some additional insight into their value in your investigations.

Here are some other resources worth taking a look at:

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics


[1] IEF uses the compiled list of AppIDs available at http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs. Many thanks to Harlan Carvey, Troy Larsen, Dan Pullega, among several others who provided this information.