Artifacts

Archive for August, 2010


Registry: MUICache

Author Name
Matt

Artifact Name
MUICache

Artifact/Program Version
Windows

Description
According to Nirsoft.net, “each time that you start using a new application, the Windows operating system automatically extracts the application name from the version resource of the exe file and stores it for later use in a Registry key known as the ‘MuiCache’.”

This key is similar to the UserAssist key in that it records programs that have been run on the system. It is useful when looking for evidence that malware, virtualization software, or “evidence cleaning” programs have been run.

Please see the additional description from “Windows Forensic Analysis” in the first Research Link.

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Research Links
Google Book Preview – Windows Forensic Analysis
http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html

Forensic Programs of Use
http://www.nirsoft.net/utils/muicache_view.html
http://regripper.net

Skype

Author Name
Matt

Artifact Name
Skype

Description
Skype is a desktop application that enables voice and video calls, instant messaging, file transfers, and screen sharing between users.

Registry Keys
HKEY_CURRENT_USER\Software\Skype

File Locations
C:\Documents and Settings\[Profile Name]\Application Data\Skype\[Skype User]

C:\Documents and Settings\[Profile Name]\AppData\Roaming\Skype\[Skype User]

Research Links
https://docs.google.com/viewer?url=http://www.lpcforensic.it/public_html/yabbfiles/Attachments/SkypeLogFileAnalysis.pdf

http://nickfurneaux.blogspot.com/2010/03/skype-chat-carver-from-ram-skypeex.html

Subpoena Contact – http://search.org/programs/hightech/isp/default.asp#207

Forensic Programs of Use
Skype Log View – http://www.nirsoft.net/utils/skype_log_view.html

Skype Parser – http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55

Skype Analyzer – http://belkasoft.com/bsa/en/Skype_Analyzer.asp

SkypeAlyzer – http://www.sandersonforensics.com/content.asp?page=440

Registry: App Paths

Author Name
Matt

Artifact Name
App Paths

Artifact/Program Version
Windows Specific

Description
An application that is installed for all users of the computer can be registered under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths registry key. In Windows 7 and later, an application that is installed for only one user can be registered under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths registry key.

The entries found under App Paths are used primarily for the following purposes:

  • To map an application’s executable file name to that file’s fully qualified path.
  • To append information to the PATH environment variable on a per-application, per-process basis.

If the name of a subkey of App Paths matches the file name, the Shell performs two actions:

  • The (Default) entry is used as the file’s fully-qualified path.
  • The Path entry for that subkey is appended to the PATH environment variable of that process. If this is not required, the Path value can be omitted.

Registry Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths

Research Links
http://msdn.microsoft.com/en-us/library/ee872121(VS.85).aspx

Forensic Programs of Use
RegRipper

MiTeC’s Windows Registry Analyzer and Windows Vista 64bit Edition

Ken Pryor gave us the heads up that MiTeC’s Windows Registry Analyzer 1.5.2 only works in Vista 64bit edition when using it in XP Compatibility Mode.

Thanks Ken!!!

Joe

Computer Name

Author Name
Joe Garcia

Artifact Name
Computer Name

Artifact/Program Version
Windows

Description
Knowing the name of a computer that you are examining can be important for many reasons. If you need to examine a computer that was removed from a network, the name helps you verify that it is indeed the computer in question. The Computer Name is also used to correlate information found in Event Logs.

Also, for Law Enforcement you may have a situation where there is a high rate of laptop thefts in a particular area.  Let us say a suspect is apprehended for a crime while in possession of a laptop in that area.  He/she may claim that the laptop is theirs.  Well, if they offer consent or you are granted a search warrant to examine the laptop, this could help build your case against the suspect.  Is this the be all, end all to determine guilt?  No, but you can use this information to possibly help challenge their alibi and poke holes in their story if the Computer Name is completely off.

First things first, though. Using your favorite Registry viewer, determine the CurrentControlSet for the Windows machine you are examining (the CurrentControlSet (Windows) post on this site explains how). Once you have done that, proceed to SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName. You will see the following:

AccessData’s Registry Viewer: [screenshot]

MiTeC Registry Analyzer: [screenshot]

RegRipper: [screenshot]
To find this information in a non-forensic fashion on a live system, go to Control Panel > System > Computer Name tab.

**AUTHOR’S ADDENDUM**
Thanks to some help from Harlan Carvey (see Comments below), I have added the other Registry Keys of note to obtain a Computer Name from a Windows system.

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (look for the value of Hostname): [screenshot]

SOFTWARE\Microsoft\SchedulingAgent (look at the value of OldName): [screenshot]
Registry Keys
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (value: Hostname)
SOFTWARE\Microsoft\SchedulingAgent (value: OldName)

Forensic Programs of Use
AccessData Registry Viewer- http://www.accessdata.com/downloads.html

RegRipper- http://regripper.net/

MiTeC Windows Registry Analyzer- http://www.mitec.cz/Data/XML/data_downloads.xml

Research Links

http://support.microsoft.com/kb/308427

http://support.microsoft.com/kb/295017

Registry: ACMru – Search Assistant

Author Name
Matt

Artifact Name
ACMru – Search Assistant

Description
This registry key stores search terms that have been typed into the Windows Search dialog box (Windows Start Button –> Search). There may be up to four subkeys:

– 5001: Contains the list of terms used for the Internet Search Assistant

– 5603: Contains the list of terms used for the Windows XP files and folders search

– 5604: Contains the list of terms used in the “word or phrase in a file” search

– 5647: Contains the list of terms used in the “for computers or people” search

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru

Research Links
http://books.google.com/books?id=5hvSrBGVfIgC&pg=PA235&lpg=PA235&dq=acmru+search+assistant&source=bl&ots=HqAt5n3Tue&sig=Bj7WMCRVmVOyndo9UVyXTs7tmVE&hl=en&ei=Y1ltTMWdOozSngeGtfHsBw&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDcQ6AEwBw#v=onepage&q=acmru%20search%20assistant&f=false

http://www.windowsitpro.com/article/configuration/how-can-i-clear-windows-xp-s-search-companion-cache-of-previous-searches-.aspx

Forensic Programs of Use
RegRipper

Other Info
A good explanation can be read in Windows Forensic Analysis 2e by Harlan Carvey. I highly recommend this book.

Registry: Common MRUs

Author Name
ForensicsWiki

Artifact Name
Common Windows Most Recently Used Locations

Artifact/Program Version

Windows (various versions)

Categories

Registry

Description

Registry Keys

EDITOR’S NOTE (Joe)

The author sent in a submission which included numerous Registry Keys for examiners to look for regarding Windows MRU Locations.  It was essentially a copy & paste from the ForensicsWiki page.  I have left the link to that page below so that if you would like to check out that list you can for further educational purposes.  I felt that it did not fit the format that we are going for here on this site.  Thank you to the author for their submission!

Research Links
http://www.forensicswiki.org/wiki/List_of_Windows_MRU_Locations#Common

Forensic Programs of Use
RegRipper

CurrentControlSet (Windows)

Author Name
Joe Garcia

Artifact Name
CurrentControlSet (Windows Registry)

Description
A Control Set contains system configuration information for a Windows Operating System. Windows maintains two Control Sets, and knowing which one to focus on during your examination is critical. Knowing the CurrentControlSet is important for gathering information of evidentiary value such as the Computer Name, Time Zone information, Shutdown Times, and even which USB devices were connected to the system.

Once you have exported the Registry hives of the computer that you are examining, you can use MiTeC’s Windows Registry Analyzer or AccessData’s Registry Viewer to determine what the CurrentControlSet is. Use either of those programs to open the SYSTEM hive. You will see the following once it is open:

[screenshot]
Now navigate to the SYSTEM\Select key. Here you will see four values: Current, Default, Failed and LastKnownGood. Current identifies the control set that was used the last time the system booted (the CurrentControlSet). Default usually matches Current. Failed identifies a control set that was unable to boot the system successfully, and LastKnownGood is the control set that last booted the system successfully.

Going back to your registry viewer of choice, find the Select key and highlight it:

[screenshot]
In the example above, Current has a value of 0x1 (1). This means that the CurrentControlSet is ControlSet001, so you must focus on ControlSet001 to gather the information you are looking for during your examination. As you can see in the above screenshots, the Default value matches the Current value. The Failed entry shows a value of 0x0, which means that there were no failed boot-ups. Finally, the LastKnownGood value shows 0x2 (2), meaning that ControlSet002 previously booted the system successfully.
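The Select key logic from the paragraph above, as an added example that is not code from the post or from the tools it names: it resolves CurrentControlSet from a `reg export` style (.reg) text dump of SYSTEM\Select and builds the ComputerName key path used in the Computer Name post. The .reg sample is constructed, and reading Select from a .reg file rather than from a registry viewer is an assumption.

```python
import re

# A DWORD line as "reg export" writes it into a .reg file, e.g.  "Current"=dword:00000001
_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')

def parse_select_key(reg_text):
    """Return {value name: int} for the DWORD values in the [...\\SYSTEM\\Select] block of a .reg export."""
    values, in_select = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                       # a new key header; note whether it is Select
            in_select = line.upper().endswith("\\SYSTEM\\SELECT]")
            continue
        match = _DWORD_LINE.match(line) if in_select else None
        if match:
            values[match.group("name")] = int(match.group("hex"), 16)
    return values

def control_set_name(number):
    """Map a Select value to the hive subkey it names (1 -> ControlSet001); 0 means none."""
    return None if number == 0 else f"ControlSet{number:03d}"

def resolve_control_sets(reg_text):
    """Read Select the way the post does: which set is Current, Default, Failed and LastKnownGood."""
    values = parse_select_key(reg_text)
    return {name: control_set_name(values.get(name, 0))
            for name in ("Current", "Default", "Failed", "LastKnownGood")}

def computer_name_path(reg_text):
    """Path of the ComputerName key inside the control set that CurrentControlSet points to."""
    current = resolve_control_sets(reg_text)["Current"]
    if current is None:
        raise ValueError("Select\\Current is 0: no current control set recorded")
    return f"SYSTEM\\{current}\\Control\\ComputerName\\ComputerName"

# Constructed sample in .reg format with the same values the post's screenshots show.
# (A real file from "reg export" is UTF-16; open it with encoding="utf-16" before parsing.)
SAMPLE_SELECT_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002
"""

if __name__ == "__main__":
    print(resolve_control_sets(SAMPLE_SELECT_REG))  # Failed is None: no failed boot recorded
    print(computer_name_path(SAMPLE_SELECT_REG))
```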

Registry Keys
SYSTEM\ControlSet001
SYSTEM\ControlSet002
SYSTEM\Select\Current
SYSTEM\Select\Default
SYSTEM\Select\Failed
SYSTEM\Select\LastKnownGood

Research Links
http://support.microsoft.com/kb/100010
http://technet.microsoft.com/en-us/library/cc783264%28WS.10%29.aspx

Forensic Programs of Use
MiTeC Windows Registry Analyzer (by Michal Mutl)- http://www.mitec.cz/Data/XML/data_downloads.xml (found under Registry/INI Tools)

AccessData Registry Viewer- www.accessdata.com/support/downloads

Registry: Show Hidden Folders

Author Name
Matt

Artifact Name
Show Hidden Folders

Artifact/Program Version
Windows XP

Description
This registry value controls whether Windows Explorer shows hidden files and folders.

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value Name: Hidden
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = show hidden, 2 = do not show)

Research Links
http://www.pctools.com/guides/registry/detail/1007


Safari Browsing History (Mac)

Author Name

Joe Garcia

Artifact Name

Safari Browsing History (Mac)

Description

Safari is the default browser on the Mac OS X Operating System.  As with most browsers, there is a plethora of information to be found and Browsing History is one of them.  If you are looking into the Safari Browsing History on an Apple computer, you will have to find the History.plist to get that information.  For those that don’t know, a plist is a Preference file for an application on an Apple computer.  They usually contain user settings for that particular application.  They also hold information regarding that application.  The default setting for Browsing History in Safari 4 and 5 is one month.

Now, locate the Safari History plist by navigating to /username/Library/Safari/History.plist on the suspect machine, then export it from your case. If you are working in a Windows-based forensics lab, you can download a copy of WOWSoft’s free plist Editor and install it. Once installed, find the exported copy of the History.plist file and open it. You will see the following screen:

[screenshot]
If you are using a Mac as your forensics platform, I would suggest heading over to the Apple Developer site and registering there to get a free copy of XCode 3. XCode comes with a plist Editor included, and once installed it becomes your default viewer for plists. Locate the History.plist file that you wish to view and double-click on it. It will open in the plist Editor and here is what you will see:

[screenshot]
Now let’s say I want to find out the Last Visit Date & Time to a particular site.  I would locate the site in the History and look for the lastVisitedDate row and look across to the right to the third column:

In the XCode plist Editor: [screenshot]

In the WOWSoft plist Editor: [screenshot]
Now, the value recorded there is in Mac Absolute Time, and you will want to decode it into a readable format. In Windows, you can download a copy of R. Craig Wilson’s DCode to do that. Take the number shown in the lastVisitedDate row, enter all of the digits before the period into DCode, choose Mac Absolute Time, make sure to adjust for the suspect machine’s Time Zone settings, and click Decode. I used the lastVisitedDate string from the example screenshots above and received the following results:

[screenshot]
AUTHOR NOTE— As of this post, I am unfamiliar with a tool/utility that works in Mac OS X that has the same functionality. If someone can point me in the right direction, I will be more than happy to edit this post and give full credit.
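The Mac Absolute Time conversion described above, as an added example that is not part of the original post or of any tool it names: Mac Absolute Time counts seconds from 1 January 2001 00:00:00 UTC, so the lastVisitedDate string can be decoded with nothing more than Python’s standard plistlib and datetime modules, on a Mac or anywhere else. The History.plist layout (a WebHistoryDates array whose entries keep the URL under an empty key), the sample entry and the suspect time zone are assumptions.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac Absolute Time (CFAbsoluteTime) counts seconds from this epoch, not from 1970.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumed suspect-machine zone for the report: US Eastern Daylight Time (UTC-4).
SUSPECT_TZ = timezone(timedelta(hours=-4))

def mac_absolute_to_datetime(value, tz=timezone.utc):
    """Decode a Mac Absolute Time value (a float, or the string Safari stores) to an aware datetime."""
    # float() keeps the fractional seconds that the manual DCode procedure drops.
    return (MAC_EPOCH + timedelta(seconds=float(value))).astimezone(tz)

def parse_safari_history(plist_bytes, tz=timezone.utc):
    """Return (url, title, visit_count, last_visited) tuples from a Safari 4/5 History.plist."""
    root = plistlib.loads(plist_bytes)  # handles XML and binary plists alike
    rows = []
    for entry in root.get("WebHistoryDates", []):
        # Assumed layout: the URL is stored under the empty-string key, lastVisitedDate as a string.
        rows.append((
            entry.get("", ""),
            entry.get("title", ""),
            int(entry.get("visitCount", 0)),
            mac_absolute_to_datetime(entry["lastVisitedDate"], tz),
        ))
    return rows

# Constructed sample (not a real capture): one entry in the Safari History.plist layout.
SAMPLE_HISTORY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://www.example.com/</string>
      <key>lastVisitedDate</key><string>302625015.4</string>
      <key>title</key><string>Example Domain</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
  </array>
  <key>WebHistoryFileVersion</key><integer>1</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for url, title, count, visited in parse_safari_history(SAMPLE_HISTORY, SUSPECT_TZ):
        print(f"{visited.isoformat(timespec='seconds')}  visits={count}  {url}  ({title})")
```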

File Location

/username/Library/Safari/History.plist

Forensic Tools of Use

Apple Developer Tools (XCode): http://developer.apple.com/programs/mac/

WOWSoft’s free plist editor for Windows: http://www.icopybot.com/blog/free-plist-editor-for-windows-10-released.htm

DCode by R. Craig Wilson (Digital Detective UK): http://www.digital-detective.co.uk/freetools/decode.asp