July Artifact Update: Windows OS and More

We just released our July Artifact Update to Magnet IEF customers, which includes a number of new artifacts and improvements for previously supported apps. As part of this release, we wanted to improve support for Windows OS artifacts and integrate some popular customer requests. As a result, this update includes artifact support for the Recycle Bin, UserAssist, Keyword Searches, Network Profiles, Windows Logon Banners, Google Chrome SyncData, Virtual Machine detection, and detection for potentially unwanted applications for Android devices. We’ve also made some major improvements to our artifact support for Windows Event Logs, USB device history, shellbags, LNK files, OS information, and documents.

Recycle Bin

The Windows Recycle Bin contains files that have been deleted by the user, but haven’t yet been purged from the system. While users can empty out their Recycle Bin quite easily, they often forget to do so, making it a valuable source of evidence for an examiner. Even if the data has been deleted from the Recycle Bin, it’s still possible to recover the information.

Magnet IEF will recover artifacts from the Recycle Bin for Windows XP, Vista, 7, and 8. It will list the filename, the date the file was deleted (in UTC), the user’s name and SID, the original path, the file size, and the current location, as well as indicate if it’s a file or directory.
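The fields listed above come from the per-user $I metadata records that Vista and later keep alongside each deleted file. The parser below is an added example, not IEF code; it assumes the publicly documented $I layout (version 1 for Vista/7/8, and version 2 from later Windows builds, which goes beyond the versions named in this post) and takes the owning SID from the parent folder name, which the caller supplies. The sample record is constructed here, not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    # FILETIME = 100 ns ticks since 1601-01-01 UTC; integer math keeps it exact
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def parse_i_file(data, sid=None):
    """Parse one $I<id> record from $Recycle.Bin\\<SID>\\ (assumed layout).
    Header: version (8 bytes), original size (8), deletion FILETIME (8).
    Version 1 (Vista/7/8): UTF-16LE path in a fixed 520-byte field.
    Version 2 (later Windows): 4-byte char count, then the UTF-16LE path."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"original_path": path, "original_size": size,
            "deleted_utc": filetime_to_datetime(ft), "user_sid": sid}

def build_i_file(path, size, deleted, version=1):
    # Builds a record the way the OS lays it out; used here only to construct sample data
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

# Constructed sample record (not real evidence)
SAMPLE_DELETED = datetime(2014, 7, 10, 8, 30, tzinfo=timezone.utc)
SAMPLE_I = build_i_file(r"C:\Users\alice\Documents\notes.txt", 2048, SAMPLE_DELETED)
```

A $I record survives in unallocated space after the bin is emptied, which is why the deletion time and original path can often still be recovered.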

For more information on Recycle Bin artifacts in IEF, see our Recycle Bin Artifact Profile.

UserAssist

Windows contains a number of registry entries under UserAssist that allow investigators to see what programs were recently executed on a system. This information can be extremely valuable in an investigation where an examiner wishes to see if a particular application was run, such as an encryption or wiping tool. Unlike prefetch files, UserAssist data will include information on whether an application was run from a shortcut (LNK file) or directly from the executable.

Magnet IEF will parse the UserAssist registry data and decode the ROT13 encoded data, providing examiners with the file name and path, application run count, associated user, and date/time of when the program was last executed.
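The decoding described above, as an added example that is not IEF's own code: value names under UserAssist\{GUID}\Count are ROT13 encoded, and the binary value carries the run count and last-execution FILETIME. The layouts (16-byte XP record with the count stored offset by 5; 72-byte Windows 7/8 record with the FILETIME at offset 60) and the two Windows 7 GUIDs are taken from public format documentation and are assumptions here; the sample values are constructed, not real evidence.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7/8 splits UserAssist\{GUID}\Count by launch method (assumed, publicly documented GUIDs)
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (LNK)",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    # FILETIME = 100 ns ticks since 1601-01-01 UTC; integer math keeps it exact
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def decode_name(value_name):
    # Value names (program paths) are stored ROT13 encoded
    return codecs.decode(value_name, "rot_13")

def parse_count_value(data):
    # Assumed layouts: XP = 16 bytes (session, count+5, FILETIME);
    # Win7/8 = 72 bytes (session, count, focus count, focus ms, ..., FILETIME at offset 60)
    if len(data) == 16:
        _session, count, ft = struct.unpack("<IIQ", data)
        count, focus_count, focus_ms = max(count - 5, 0), None, None
    elif len(data) == 72:
        _session, count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {"run_count": count, "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_executed": filetime_to_datetime(ft) if ft else None}

def parse_entry(guid, value_name, data):
    entry = parse_count_value(data)
    entry["path"] = decode_name(value_name)
    entry["launched_via"] = USERASSIST_GUIDS.get(guid, "unknown")
    return entry

# Constructed samples: calc.exe, last run 2014-07-15 12:00 UTC (not real evidence)
SAMPLE_TIME = datetime(2014, 7, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_NAME = r"P:\Jvaqbjf\flfgrz32\pnyp.rkr"
SAMPLE_WIN7 = (struct.pack("<IIII", 0, 12, 3, 45000) + b"\x00" * 44
               + struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME)) + b"\xff" * 4)
SAMPLE_XP = struct.pack("<IIQ", 1, 9, datetime_to_filetime(SAMPLE_TIME))
```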

For more information on UserAssist artifacts in IEF, see our UserAssist Artifact Profile.

Keyword Searches

We have also added support for Windows keyword searches. Magnet IEF will parse the WordWheelQuery registry data for Windows Vista+ or the Search Assistant/ACMRU data for Windows XP, revealing any keywords that the user might have searched for on the system. IEF will report the search term and the timestamp when it was searched.

Network Profiles

Magnet IEF already supports the recovery of saved Wi-Fi profiles on iOS and Android devices. With this release, we have expanded our support to include Wi-Fi and network profiles for Windows systems. IEF will recover Wi-Fi profiles for Windows XP, Vista, 7, and 8, as well as wired Ethernet profiles for Windows Vista, 7, and 8. Investigators can review Wi-Fi profiles to identify where a computer (or user) may have been at a particular time. They can also identify additional networks on scene that may not be known to the investigator.

IEF will now recover details for previously connected networks in Windows, including the network name/SSID, the timestamp when the network profile was created, and the last time the computer connected to it. It will also pull the MAC address of the default gateway and any authentication details for wireless networks, including the connection type, the encryption in use, and the network password.

Windows Logon Banner

Magnet IEF can now pull any custom messages in the Windows logon banner that might have been set on the user’s system or pushed through a group policy. These messages are commonly placed on users’ computers in an enterprise setting to notify them that their actions or activity may be monitored while using the corporate network.

IEF will recover the banner message and title for any local or domain users on the system.

Google Chrome SyncData

Artifacts recovered from Google Chrome will now include information from the SyncData SQLite database. This database contains information that is synced across a user’s devices and can include bookmarks, preferences, typed URLs and other information that the user links to his/her Google account. Adding support for this database means that investigators have access to even more data on the user. It’s important to note, however, that data found in this database could correspond to actions taken on another device (such as a typed URL), and not necessarily the device you’re investigating.

Magnet IEF will parse the name, the created and last modified timestamps from both the local device and the server, the type of data stored, and additional content specific to that data type.

Virtual Machine Detection

Magnet IEF will now detect whether virtual machines are present on the system, which could be additional sources of evidence for an investigator. IEF will search for files associated with common virtual machine applications such as VMware, VirtualBox, Microsoft, Xen, Parallels, and QEMU. It will report the file name, VM type, and MAC timestamps for the files.

IEF will also automatically search for data within any virtual machine and provide those results to the examiner within the IEF Report Viewer. Examiners can analyze individual virtual machines by loading in the .vmdk, .vdi, or other virtual machine images found on a system.

Android Potentially Unwanted Apps

Potentially Unwanted Apps is a new refined result in Magnet IEF which identifies installed applications on Android devices and notifies the examiner if any of them are blacklisted files that could pose a security problem. This search will help examiners identify apps that may be recognized as spyware or that perform other potentially malicious actions.

IEF uses a pre-defined list of potentially malicious apps and also allows examiners to add their own apps to the list.

Additional Artifact Improvements

Based on customer feedback, we have also made some improvements to our existing Windows OS artifacts including Event Logs, shellbags, USB Devices, documents, and LNK files. We hope that these new artifacts and improvements will assist you in your investigations.

For additional artifact information, see our associated Artifact Profiles below:

Jamie McQuaid
Forensics Consultant, Magnet Forensics
