
Evidence of File and Folder Interaction

Techniques that can be used to discover evidence of an attacker's post-breach interaction with files and folders, such as searching for, deleting and opening them.

Windows

XP Search (ACMRU)

A wide variety of information can be searched for through the search assistant on a Windows XP Machine. The search assistant will remember a user’s search terms for filenames, computers, or words that are inside a file. This is an example of where you can find the “Search History” on the Windows system.

WIN: XP
SRV: NULL

Location

NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\####

Interpretation and Investigative Notes

  • Search the Internet
    • ####-5001
  • All or part of a document name
    • ####-5603
  • A word or phrase within a document
    • ####-5604
  • Printers, computers, or people
    • ####-5647

Tools

Sources

ThumbCache.db

Thumbnails of pictures, office documents, and folders exist in a database called the thumbcache. Each user will have their own set of databases, one per thumbnail size viewed by the user (small, medium, large, and extra large).

WIN: XP+
SRV: 2003+

Location

%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer

Interpretation and Investigative Notes

  • Created when a user switches a folder to thumbnail mode or views pictures via a slide show. The thumbnails are now stored in these separate database files.
  • Each database file stores the thumbnail copy of the picture at the size it was viewed, in the corresponding database file (Small, Medium, Large, and Extra Large).

Tools

Sources

Thumbs.db

A hidden file in any directory that contains images, storing smaller thumbnail versions of them. Thumbs.db catalogs the pictures in a folder and retains a copy of each thumbnail even after the pictures themselves have been deleted.

WIN: XP+
SRV: 2003+

Location

# WINDOWS XP-8
Automatically created anywhere with home group enabled
# WINDOWS 7+
Automatically created anywhere and accessed via a UNC Path (local or remote)

Interpretation and Investigative Notes

  • The database includes information such as:
    • Thumbnail Picture of Origin Picture
    • Document Thumbnail - Even if Deleted
    • Last Modification Time (XP Only)
    • Original Filename (XP Only)

Tools

Sources

Internet Explorer (IE) and Edge File History

A little-known fact about the IE and Edge History is that the information stored is not just related to Internet browsing. The history also contains records of local and remote network share file access, giving us an excellent means for determining which files and applications were accessed on the system, day by day.

WIN: XP+
SRV: 2003+

Location

# INTERNET EXPLORER
# Version 6/7
%USERPROFILE%\Local Settings\History\History.IE5

# Version 8/9
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5

# Version 10/11
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

# EDGE
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5

Interpretation and Investigative Notes

  • Stored in index.dat as:
    • file:///C:/directory/filename.ext
  • Does not prove that the file was opened by the browser

Tools

Sources

Search WordWheelQuery

Keywords searched for from the Start menu search bar.

WIN: 7+
SRV: 2003+

Location

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Interpretation and Investigative Notes

  • Keywords are added in Unicode and listed in temporal order in an MRUlist.

Tools

Sources

Recycle Bin

The Recycle Bin is a very important location on a Windows file system to understand. It can help during a forensic investigation, because every file deleted by a Recycle Bin-aware program is generally first placed in the Recycle Bin.

WIN: XP+
SRV: 2003+

Location

# WINDOWS XP
C:\Recycler   (2000/NT/XP/2003)

# WINDOWS 7+
C:\$Recycle.Bin

# Deleted time and original filename are contained in separate files for each deleted file

Interpretation and Investigative Notes

  • WINDOWS XP
    • Subfolder is created with user’s SID and can be mapped to user
    • Maps file name to the actual name and path it was deleted from
    • Hidden file in directory called INFO2 contains Deleted Time and Original Filename
    • Filename in both ASCII and UNICODE
  • WINDOWS 7+
    • Subfolder is created with user’s SID and can be mapped to user
    • Deleted Time and Original Filename contained in separate files for each deleted recovery file
    • Files whose names are prefixed with $I###### contain:
      • Original PATH and name
      • Deletion Date/Time
    • Files whose names are prefixed with $R###### contain:
      • Recovery Data (the content of the deleted file)
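The $I######/$R###### pairing described above can be checked directly from the bytes of a $I file. The parser below is an added example written for this page, not Darkcybe's own code; it assumes the documented $I layout (8-byte version, 8-byte original size, 8-byte deletion FILETIME, then the original path as UTF-16LE, stored as a fixed 520-byte field in version 1 for Vista/7/8 and as a 4-byte character count plus string in version 2 for Windows 10 and later). The sample $I blobs, the path C:\Users\alice\Documents\notes.docx and the file name $IABC123.docx are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I metadata file (layout assumed from the documented format):
    0x00 version (1 = Vista/7/8, 2 = Windows 10+), 0x08 original size,
    0x10 deletion FILETIME, then the original path as UTF-16LE. Version 1
    stores a fixed 520-byte NUL-padded field; version 2 stores a 4-byte
    character count (including the NUL terminator) followed by the string."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def recovery_file_for(i_name: str) -> str:
    """$I<id> pairs with $R<id>, which holds the deleted file's content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# --- constructed sample data (not taken from any real system) -----------------
_SAMPLE_DELETED_FT = 132223104000000000  # 2020-01-01 00:00:00 UTC as FILETIME


def build_v1(path: str, size: int, deleted_ft: int) -> bytes:
    """Build a version-1 $I blob (fixed 520-byte path field)."""
    return struct.pack("<QQQ", 1, size, deleted_ft) + path.encode("utf-16-le").ljust(520, b"\x00")


def build_v2(path: str, size: int, deleted_ft: int) -> bytes:
    """Build a version-2 $I blob (length-prefixed path)."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQ", 2, size, deleted_ft) + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_V1 = build_v1(r"C:\Users\alice\Documents\notes.docx", 12345, _SAMPLE_DELETED_FT)
SAMPLE_V2 = build_v2(r"C:\Users\alice\Documents\notes.docx", 12345, _SAMPLE_DELETED_FT)

if __name__ == "__main__":
    for name, blob in (("$IABC123.docx", SAMPLE_V1), ("$IABC123.docx", SAMPLE_V2)):
        record = parse_dollar_i(blob)
        print(name, record, "-> content in", recovery_file_for(name))
```

The deletion timestamp lives only in the $I file, so a $R file found without its $I sibling gives you the content but not when or from where it was deleted; conversely a $I file whose $R has been overwritten still proves that the path existed and when it was deleted.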

Tools

Sources

LastVisitedMRU

Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location of the last file that was accessed by that application.

Darkcybe - Evidence of Execution

OpenSaveMRU

Tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and Firefox, but also a majority of commonly used applications.

Darkcybe - Evidence of Download

Recent Files

Registry key that tracks the last files and folders opened and is used to populate the “recent” menus of the Start Menu.

WIN: XP+
SRV: Not Tested

Location

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Interpretation and Investigative Notes

  • RecentDocs
    • Overall key will track the overall order of the last 150 files or folders opened. MRU list will keep track of the temporal order in which each file/folder was opened.
    • Includes last entry time which mirrors the last opening time.
  • The .%%% key (Three Letter Extension)
    • Stores file opening operations for a specific extension in temporal order.
  • Folder
    • Stores folder access based on opening in temporal order.
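Both WordWheelQuery (above) and RecentDocs, including its per-extension and Folder subkeys, keep their temporal order in a value named MRUListEx: an array of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF, where each index names a numbered value holding a UTF-16LE string. The decoder below is an added example written for this page, not Darkcybe's own code. It works on a plain dict of value name to raw bytes, so it runs offline against exported data; the registry values and the search terms and file names in them are constructed, and the RecentDocs trailing bytes only stand in for the shell item that follows the file name.

```python
import struct

# Constructed sample registry values (not real data from any system).
SAMPLE_WORDWHEELQUERY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),  # value 2 is the most recent search
    "0": "invoice".encode("utf-16-le") + b"\x00\x00",
    "1": "budget.xlsx".encode("utf-16-le") + b"\x00\x00",
    "2": "vpn config".encode("utf-16-le") + b"\x00\x00",
}

# RecentDocs values carry the file name followed by a shell item; the
# constructed trailing bytes here merely stand in for that shell item.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00",
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00" + b"\x12\x00\x32\x00",
}


def parse_mrulistex(blob: bytes) -> list:
    """Return the value indexes in most-recent-first order (stop at 0xFFFFFFFF)."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]  # iter_unpack needs a whole number of DWORDs
    for (index,) in struct.iter_unpack("<I", usable):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def first_utf16_string(blob: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE string, scanning on 2-byte boundaries
    so that a single 0x00 byte inside a code unit is not mistaken for the terminator."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")


def ordered_entries(values: dict) -> list:
    """Resolve MRUListEx against the numbered values; indexes without a value are skipped."""
    entries = []
    for index in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(index))
        if raw is not None:
            entries.append(first_utf16_string(raw))
    return entries


if __name__ == "__main__":
    print("WordWheelQuery, most recent first:", ordered_entries(SAMPLE_WORDWHEELQUERY))
    print("RecentDocs, most recent first:", ordered_entries(SAMPLE_RECENTDOCS))
```

The order in MRUListEx, not the numeric value name, is what carries the timeline: value "0" is simply the first entry ever written, and only the head of the list can be tied to the key's last-write time.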

Tools

Sources

Jump Lists

The Windows task bar (Jump List) is engineered to allow users to “jump” to, or access, items they have frequently or recently used, quickly and easily. This functionality includes not only recent media files but also recent tasks.

On Windows 7 through 10, each file in the AutomaticDestinations folder is named with the AppID of the associated application. Windows 11 contains shortcut (.LNK) files that point to the application, file, or directory.

Darkcybe - Evidence of Execution

Shell Bags

Shell Bags record which folders were accessed on the local machine, on the network and/or on removable devices. They provide evidence of folders that previously existed, even after deletion or overwrite, and of when certain folders were created.

WIN: XP+
SRV: Not Tested

Location

# Access via Explorer
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

# Access via Desktop
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

Interpretation and Investigative Notes

Tools

Sources

Shortcut Files (.LNK)

Shortcut files are automatically created by Windows when a user accesses recent items and opens local and remote data files and documents. On Windows 11, shortcut (.LNK) files point to the application, file, or directory.

WIN: XP+
SRV: Not Tested

Location

# WINDOWS XP
%USERPROFILE%\Recent

# WINDOWS 7+
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\

%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\

Interpretation and Investigative Notes

  • Although the locations listed are the default, they can be created anywhere.
  • Date/Time file of that name was first opened
    • Creation Date of .LNK file
  • Date/Time file of that name was last opened
    • Last Modification Date of .LNK file
  • LNK target file details (internal to the LNK file):
    • Modified, accessed and creation times of the target file
    • Volume information
    • Network Share information
    • Original location
    • Name of system
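The target details listed above sit in the fixed 76-byte ShellLinkHeader and the optional LinkInfo structure of the .LNK file. The parser below is an added example written for this page, not Darkcybe's own code; it assumes the MS-SHLLINK layout (header: size 0x4C, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize; LinkInfo: VolumeID with drive type, serial and label, a local base path, and optionally a network share name). It handles the ANSI string forms only, skips the target ID list rather than parsing it, and the sample shortcut, the path C:\Users\alice\Documents\report.docx, the label OSDISK and the serial 1234ABCD are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader, 76 bytes
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def _cstring(data: bytes, offset: int) -> str:
    """Read a NUL-terminated single-byte string."""
    return data[offset:data.index(b"\x00", offset)].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Extract target timestamps, size, attributes, volume and path from a .LNK blob."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != 0x4C or fields[1] != SHELL_LINK_CLSID:
        raise ValueError("not a Windows shell link")
    flags, attrs = fields[2], fields[3]
    info = {
        "target_created": filetime_to_datetime(fields[4]),
        "target_accessed": filetime_to_datetime(fields[5]),
        "target_modified": filetime_to_datetime(fields[6]),
        "target_size": fields[7],
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
    }
    offset = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize (2 bytes) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if flags & 0x02:  # HasLinkInfo
        (_size, _hdr_size, li_flags, vol_off, base_off,
         cnrl_off, suffix_off) = struct.unpack_from("<7I", data, offset)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath (ANSI label offset assumed)
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, offset + vol_off)
            info["drive_type"] = drive_type  # 2 = DRIVE_REMOVABLE, 3 = DRIVE_FIXED, 4 = DRIVE_REMOTE
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstring(data, offset + vol_off + label_off)
            info["original_path"] = _cstring(data, offset + base_off) + _cstring(data, offset + suffix_off)
        if li_flags & 0x02:  # CommonNetworkRelativeLinkAndPathSuffix: UNC share name
            _cnrl_size, _cnrl_flags, netname_off = struct.unpack_from("<3I", data, offset + cnrl_off)
            info["network_share"] = _cstring(data, offset + cnrl_off + netname_off)
    return info


# --- constructed sample shortcut (not from any real system) -------------------
_T0 = 132223104000000000  # 2020-01-01 00:00:00 UTC as FILETIME
_DAY = 864_000_000_000    # one day in 100 ns ticks


def build_sample_lnk() -> bytes:
    """Shortcut to C:\\Users\\alice\\Documents\\report.docx on fixed drive OSDISK."""
    local_base = b"C:\\Users\\alice\\Documents\\report.docx\x00"
    label = b"OSDISK\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1234ABCD, 16) + label
    vol_off = 28  # LinkInfoHeaderSize without the optional Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    suffix = b"\x00"
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, 0x01, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + local_base + suffix
    header = struct.pack(HEADER_FMT, 0x4C, SHELL_LINK_CLSID, 0x02, 0x20,  # HasLinkInfo, ARCHIVE
                         _T0, _T0 + 2 * _DAY, _T0 + _DAY, 4096, 0, 1, 0, 0, 0, 0)
    return header + link_info


SAMPLE_LNK = build_sample_lnk()

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:20} {value}")
```

The three timestamps returned here describe the target at the moment the shortcut was last written, which is why they can disagree with the target file on disk; the first-opened and last-opened times in the notes above come from the .LNK file's own file-system creation and modification times, which are not inside the blob at all.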

Tools

Sources

Prefetch

Increases the performance of a system by pre-loading code pages of commonly used applications. The Cache Manager monitors all files and directories referenced by each application or process and records them in a .pf file. Used to establish that an application was executed on a system.

  • Limited to 128 files on XP and Windows 7
  • Limited to 1024 files on Windows 8
  • <EXE_NAME>-<HASH>.pf

Darkcybe - Evidence of Execution

Microsoft Office Recent Files

Microsoft Office programs will track their own recent files list to make it easier for users to remember the last file they were editing.

WIN: XP+
SRV: Not Tested

Location

# MICROSOFT OFFICE
# Versions 10-14 (XP - 2010)
NTUSER.DAT\Software\Microsoft\Office\VERSION

# Version 15 (Office365)
NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

Interpretation and Investigative Notes

Similar to recent files, this will track the last files that were opened by each Microsoft Office application. The last entry added, per the MRU, will be the time the last file was opened by a specific application.

Tools

Sources

Windows Timeline (ActivitiesCache.db)

Windows 10 introduced a background feature that records recently used applications and accessed files over a 30-day period in a “timeline” accessible via the WIN+TAB shortcut. The data is recorded in a SQLite database. Windows 11 removed the WIN+TAB timeline view, but the ActivitiesCache.db database remains.

Research identified that Windows Server 2016 also maintains an ActivitiesCache.db file; however, no ActivityOperation, Activity_PackageId, or Activity entries were recorded in it.

Darkcybe - Evidence of Execution

This post is licensed under CC BY 4.0 by the author.