Artifacts

Archive for the ‘Office’ Category


Windows Essentials 2012


Author Name
Matt Nelson – @mattnels
Submission Title
Windows Essentials 2012
Artifact or Program Version
16.4.3508.0205
Artifact Description
“Windows Essentials” – from Wikipedia:
“Windows Essentials (formerly Windows Live Essentials and Windows Live Installer) is a suite of freeware applications by Microsoft that aims to offer integrated and bundled e-mail, instant messaging, photo-sharing, blog publishing, and security services. Essentials programs are designed to integrate well with each other, with Microsoft Windows, and with other Microsoft web-based services such as SkyDrive and Outlook.com, so that they operate as a “seamless whole”.”
Windows Essentials 2012 includes the following applications:
Windows Live Messenger
Windows Photo Gallery
Windows Movie Maker
Windows Live Mail
Windows Live Writer
SkyDrive for Windows
Outlook Connector Pack
Windows Live Family Safety (Windows 7 only)
Registry Keys
Registry Entries of interest:
Messenger user account picture from Outlook.com:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertileurl: “http://byfiles.storage.msn.com/y1m4gfKDG3PgZg3XzURbeMEzcTjvII7nIA-llg-rJf2qOEhi8TUOBAUYYFMvIBxPlBhcQEvMWuQX4ley0hvAZ2kCg”

Messenger user account picture:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertilepath: “C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2”
This corresponds to the file in C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Communications Clients\Shared\Mail Primary Account: “user@outlook.com” <—main user account under profile

Safe Senders List:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\
HKEY_USERS\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000000
“Flags”=dword:00000001
“Exception”=”somename@someaddress.com”

HKEY_USERS\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000001
“Flags”=dword:00000001
“Exception”=”somename2@someaddress2.com”

HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@outlook.com

SkyDrive Share:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\cid: “6512e79cec0ce###”

To view the share above, open the URL https://skydrive.live.com/?cid= with the CID value from this key appended. This displays the user's SkyDrive share.

Messenger Credentials:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\OfflineCreds\user@outlook.com: E1 9E D3 29 60 73 A8 19 93 CD 9A E2 3B 45 38 66 6F 06 F2 F2 2F C8 ED 04 27 CA 67 48 CF E1 B2 FD BF 7A D6 80 CE 88 D8 CA 1E 89 D6 84 F0 E3 A0 72 C8 ED AC 70 2B 0D 19 08 F9 0B A4 4B FD B7 3B 7B E5 83 01 06 F3 35 AF 71 AC 61 2F 98 DD 7B EC 81 E0 D0 63 A9 5C 72 58 D7 20 C7 41 AD 16 67 EB 6D 26 D9 B2 DA A7 17 45 62 04 31 B4 29 61 4A 93 00 C8 60 74 94 D8 CF 1A 89 4D DE 5A 32 D3 9E 93 70

LiveWriter entries of interest:

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27 <—this value is unique to the blog on the system; another blog would have a different “id”

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\Categories\xxxxxxxx <—here there will be entries for labels/keywords (a Blogger account was used for testing)

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\BlogName: “SOMEBLOG TITLE” <—blog title
HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\HomepageUrl: “http://someblog.blogspot.com” <—blog URL

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Username: “someusername” <—blog username

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Password: 00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 0F 01 00 00 00 06 01 00 00 02 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 81 EE 36 19 D3 B8 54 4C 81 ED C0 2B 40 CC 55 39 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 55 2D AA 69 75 48 29 3F 74 76 93 F6 B8 0C FE 49 C7 17 1C 8A 54 2D EC 06 77 E5 1B 1A 89 D9 01 2E 00 00 00 00 0E 80 00 00 00 02 00 00 20 01 00 00 A0 C2 93 F3 FB DF 5B FB E1 65 09 A9 B1 48 15 1E 49 58 F2 39 35 38 3E EE 56 E2 FD 9C A1 A7 39 18 30 00 00 00 B5 F1 1F D0 8A 6D 68 EC 20 70 AA BD 8F D7 DD 5E 9F AD 78 70 DC E0 D0 F2 55 17 1B A1 C5 C9 CE 05 9A 5B DC 81 60 A2 61 77 E7 16 FC 55 92 A9 A6 17 40 00 00 00 2A A4 E8 00 57 26 CE C8 49 EE 04 88 6F 57 D1 37 48 19 62 A3 11 A2 C7 E8 A5 1C B3 E9 C9 81 00 C1 A8 C9 DB 46 8E 1D B1 AC B7 93 76 36 D6 6C 39 25 65 C3 C1 D 5 A7 D1 16 0A FF 60 49 06 9E 4A 56 25 0B <—if password is saved, this is where it is stored
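The Password value above is not the password itself: its first 27 bytes are a .NET BinaryFormatter header wrapping a 0x106-byte byte[], and that array opens with the DPAPI provider GUID (D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB), so what Writer stores is a CryptProtectData blob bound to the user's DPAPI master key. The following Python is an added example, not code from the original post; it walks the blob's header fields so an examiner can record which master key GUID and algorithms protect the value, reading metadata only.

```python
import io, struct, uuid

# Credentials\Password value as quoted above (the byte the page's dump shows split as "D 5" is rejoined); whitespace is ignored.
PASSWORD_VALUE_HEX = """
00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 0F 01 00 00 00 06 01 00 00 02
01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 81 EE 36 19 D3 B8 54 4C 81 ED C0 2B 40 CC 55 39 00 00 00 00
02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00
55 2D AA 69 75 48 29 3F 74 76 93 F6 B8 0C FE 49 C7 17 1C 8A 54 2D EC 06 77 E5 1B 1A 89 D9 01 2E
00 00 00 00 0E 80 00 00 00 02 00 00 20 00 00 00
A0 C2 93 F3 FB DF 5B FB E1 65 09 A9 B1 48 15 1E 49 58 F2 39 35 38 3E EE 56 E2 FD 9C A1 A7 39 18
30 00 00 00 B5 F1 1F D0 8A 6D 68 EC 20 70 AA BD 8F D7 DD 5E 9F AD 78 70 DC E0 D0 F2 55 17 1B A1 C5 C9 CE 05 9A 5B DC 81 60 A2 61 77 E7 16 FC 55 92 A9 A6 17
40 00 00 00 2A A4 E8 00 57 26 CE C8 49 EE 04 88 6F 57 D1 37 48 19 62 A3 11 A2 C7 E8 A5 1C B3 E9 C9 81 00 C1
A8 C9 DB 46 8E 1D B1 AC B7 93 76 36 D6 6C 39 25 65 C3 C1 D5 A7 D1 16 0A FF 60 49 06 9E 4A 56 25 0B
"""

DPAPI_PROVIDER = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"   # GUID every CryptProtectData blob starts with
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}


def unwrap_dotnet_byte_array(raw: bytes) -> bytes:
    """Strip the .NET BinaryFormatter framing Writer stores the secret in: 17-byte stream header,
    ArraySinglePrimitive record (0x0F, object id, length, element type 2 = Byte), then MessageEnd (0x0B)."""
    length = struct.unpack_from("<I", raw, 22)[0]
    if raw[0] != 0x00 or raw[17] != 0x0F or raw[26] != 0x02 or raw[27 + length] != 0x0B:
        raise ValueError("not a BinaryFormatter byte[] payload")
    return raw[27:27 + length]


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the CryptProtectData blob fields in order; metadata only, nothing is decrypted."""
    r = io.BytesIO(blob)
    u32 = lambda: struct.unpack("<I", r.read(4))[0]
    counted = lambda: r.read(u32())                       # DWORD length, then that many bytes
    guid = lambda: str(uuid.UUID(bytes_le=r.read(16)))
    info = {"version": u32(), "provider": guid()}
    if info["provider"] != DPAPI_PROVIDER:
        raise ValueError("provider GUID is not DPAPI's")
    info["masterkey_version"], info["masterkey_guid"], info["flags"] = u32(), guid(), u32()
    info["description"] = counted().decode("utf-16-le").rstrip("\x00")
    alg = u32(); info["alg_crypt"], info["crypt_bits"] = ALG_NAMES.get(alg, hex(alg)), u32()
    info["salt"], info["hmac_key"] = counted(), counted()
    alg = u32(); info["alg_hash"], info["hash_bits"] = ALG_NAMES.get(alg, hex(alg)), u32()
    info["hmac2_key"], info["ciphertext"], info["signature"] = counted(), counted(), counted()
    if r.read():
        raise ValueError("unexpected trailing bytes")
    return info


def parse_writer_password_value(hex_dump: str) -> dict:
    return parse_dpapi_blob(unwrap_dotnet_byte_array(bytes.fromhex("".join(hex_dump.split()))))
```

The masterkey_guid it returns is the file name of the master key under %APPDATA%\Microsoft\Protect\<SID>\ that this blob depends on, which is the detail worth noting alongside the registry key.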
File Locations
Main Program(s) location:
C:\Program Files (x86)\Windows Live
C:\Program Files (x86)\Windows Live\Contacts
C:\Program Files (x86)\Windows Live\Family Safety
C:\Program Files (x86)\Windows Live\Installer
C:\Program Files (x86)\Windows Live\Mail
C:\Program Files (x86)\Windows Live\Messenger
C:\Program Files (x86)\Windows Live\Photo Gallery
C:\Program Files (x86)\Windows Live\Shared
C:\Program Files (x86)\Windows Live\SOXE
C:\Program Files (x86)\Windows Live\Writer

Main user profile locations:
C:\Users\Chuck\AppData\Local\Windows Live Writer
C:\Users\Chuck\AppData\Local\Microsoft\Feeds
C:\Users\Chuck\AppData\Local\Microsoft\Messenger
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live Mail
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\contacts.edb <—Contacts file
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\dbstore.ini <—LastStartupTime= & LastShutdownTime=
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\LogFiles

Messenger Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\contactslog.txt

SkyDrive Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive\setup\logs\yyyy-mm-dd_timecreated_xxx-xxx.log <—contains the user SID tied to SkyDrive and other info.

Messenger user account (corresponds with Outlook.com picture):
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
Research Links
http://en.wikipedia.org/wiki/Windows_Essentials
http://media.blackhat.com/bh-us-11/Bursztein/BH_US_11_Bursztein_Owade_WP.pdf
http://windows.microsoft.com/en-us/windows-live/essentials
Forensic Programs of Use
Sysinternals Process Monitor
Regshot

Outlook Email Saving Options


John Lukach

Outlook 2010 & Aid4Mail 2.4

By default, Microsoft Outlook 2010 lets users save email messages externally in MSG, OFT, HTML, MHT, or TXT format. Microsoft Office programs can also have add-ins installed that extend the functionality of the software. Whether any add-ins exist in Outlook can be verified by checking the SOFTWARE and NTUSER.DAT registry hives for the following key path: Microsoft\Office\Outlook\Addins.

Other applications can access email using a Messaging Application Programming Interface (MAPI) connection. One example is Aid4Mail, an email conversion program from Fookes Software that adds further export formats such as PDF, ZIP, XML, and others. The file formats and export paths used by the application are recorded in the C:\Users\\AppData\Roaming\Aid4Mail\Aid4Mail.ini file.

Not every application using a MAPI connection leaves as obvious an artifact; which email formats are available is left to the individual developer. One option is to determine which DLLs an executable uses, for example C:\Windows\SysWow64\mapi32.dll or C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll. Another is a timeline approach: look for the creation and deletion of C:\Users\\Documents\Outlook Files\~Outlook.pst.tmp without the other normal Outlook behavior that would accompany it, which indicates that a MAPI configuration was accessed abnormally.
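One way to operationalize the timeline check above, as an added example that is not part of the original post: it parses a constructed pipe-delimited timeline (timestamp|event|path; the format and every entry, including the tool path, are made up here) and flags each ~Outlook.pst.tmp creation or deletion that has no OUTLOOK.EXE process start within a configurable window. Using the process start as the marker of "normal Outlook behavior" is this example's own simplification.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not from the post): "ISO-8601 UTC|event|path".
# A real run would feed it an export from a USN/MFT/Prefetch timeline instead.
TIMELINE = r"""
2013-02-04T08:55:12Z|PROCESS_START|C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
2013-02-04T08:55:40Z|FILE_CREATE|C:\Users\chuck\Documents\Outlook Files\~Outlook.pst.tmp
2013-02-04T08:55:41Z|FILE_DELETE|C:\Users\chuck\Documents\Outlook Files\~Outlook.pst.tmp
2013-02-04T13:20:02Z|PROCESS_START|C:\Tools\mail-export.exe
2013-02-04T13:20:09Z|FILE_CREATE|C:\Users\chuck\Documents\Outlook Files\~Outlook.pst.tmp
2013-02-04T13:20:10Z|FILE_DELETE|C:\Users\chuck\Documents\Outlook Files\~Outlook.pst.tmp
"""

PST_TMP = "\\~outlook.pst.tmp"   # temp store Outlook (and MAPI clients) create next to the PST
OUTLOOK = "\\outlook.exe"


def parse_timeline(text: str) -> list:
    """Parse lines into (datetime, event, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, path = line.split("|", 2)
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, path))
    return sorted(events)


def orphan_pst_tmp_events(text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return ~Outlook.pst.tmp create/delete events with no OUTLOOK.EXE start within +/- window.
    Each finding carries the gap to the nearest Outlook start (None if Outlook never ran)."""
    events = parse_timeline(text)
    outlook_starts = [t for t, event, path in events
                      if event == "PROCESS_START" and path.lower().endswith(OUTLOOK)]
    findings = []
    for t, event, path in events:
        if event in ("FILE_CREATE", "FILE_DELETE") and path.lower().endswith(PST_TMP):
            gap = min((abs(t - s) for s in outlook_starts), default=None)
            if gap is None or gap > window:
                findings.append({"time": t.isoformat(), "event": event,
                                 "nearest_outlook_start": gap})
    return findings
```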

First Post


This is a temporary placeholder.