Posts Tagged ‘windows’

Using Apple Time Capsule with Microsoft Windows


John Lukach

AirPort Utility 5.6.1 for Windows

The AirPort Utility for Windows lets Windows computers discover and access the Apple Time Capsule hard disk via Bonjour. The disk is exposed as a network share that is reached through a UNC path mapped on the PC. The binary data stored under HKEY_USERS\S-1-5-1234567890-1234567890-123456789-1000\Software\AppleInc.\Preferences\ confirms which volume is associated with the Time Capsule. The Time Capsule also has a USB port for an external disk, so two volumes may be listed.

If the end user set up Windows Backup to the Time Capsule, the backup configuration records the size of the target disk and its free space, which can help distinguish the internal disk from the external USB drive.

User-defined inclusions are listed as numbered subkeys under the Rules key, each holding the specific paths selected for backup.

PsTools Artifacts


John Lukach

PsTools Suite 2.44

PsTools are a common resource for managing remote systems. The first time PsExec, PsFile, PsGetSID, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, or PsSuspend is run, the EULA (software license agreement) must be accepted. Acceptance is recorded in the user's registry hive under Software\Sysinternals\<tool name>, with the value EulaAccepted set to 1, so you can determine which tools have been run at least once by a given user on a specific machine. The key's last-write time approximates when the EULA was first accepted, not the most recent use. I used the RegRipper framework by Harlan Carvey to create a new plugin that will be available at: to harvest these artifacts.


Join.Me Screen Sharing


Author Name
John Lukach
Submission Title
Join.Me Screen Sharing
Artifact or Program Version
Join.Me on Windows 7
Post Category
Cloud Based
Submission Tags
Join.Me, Cloud, Screen Sharing, Windows
Artifact Description
Join.Me is a cloud-based screen-sharing application for remote collaboration and presentations. Additional security information and system requirements can be found on the product website at:

Registry Keys
Join.Me stores information under the following keys in each user's NTUSER.DAT hive on the system:

NTUSER.DAT -> \Software\Join.Me\
NTUSER.DAT -> \Software\Microsoft\Windows\CurrentVersion\Uninstall\Join.Me\
File Locations
Join.Me leaves some low-hanging fruit in the form of log files in the C:\Users\Username\AppData\Local\Join.Me directory.
Forensic Programs of Use
With a full packet capture you will be able to see the network connections to during an active screen-sharing session.

RSS Gadget


John Lukach

Feed Headlines for Windows Gadget Platform on Windows 7 x64

The Windows Gadget Platform allows the Feed Headlines (RSS) mini-program to be displayed on the desktop. The RSS Gadget determines which feeds to display, and how many, from settings stored in C:\Users\Username\AppData\Local\Microsoft\Windows Sidebar\Settings.ini. The feeds themselves are managed by Internet Explorer through the FeedStore.FeedsDB-MS file under C:\Users\Username\AppData\Local\Microsoft\Feeds. Sub-folders in that directory whose names contain a tilde (~) hold individual feeds and the content downloaded by the RSS Gadget.

The NTUSER.DAT hive holds three values under Software\Microsoft\Feeds that drive the automatic feed updates. SyncStatus enables automatic updates when set to 1. DefaultInterval records whether updates occur every 15 minutes, 30 minutes, 1 hour, 4 hours, 1 day, or 1 week. SyncTask names the scheduled task that performs the update; it corresponds to a key in the SOFTWARE hive under Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{GUID}, whose Last Written time stamp indicates when the scheduled task last ran to update the feeds. Corroborate that time against the Task Scheduler log before relying on it.

Outlook Email Saving Options


John Lukach

Outlook 2010 & Aid4Mail 2.4

Microsoft Outlook 2010 by default lets users save email messages externally in the MSG, OFT, HTML, MHT, or TXT file formats. Microsoft Office programs can have add-ins installed that extend the functionality of the software. To verify whether any add-ins exist for Outlook, check both the SOFTWARE and NTUSER.DAT registry hives for the path Microsoft\Office\Outlook\Addins.

Other applications can access email through a Messaging Application Programming Interface (MAPI) connection. One example is Aid4Mail, an email conversion program from Fookes Software that adds further export formats such as PDF, ZIP, and XML. The formats and export paths used by the application are recorded in C:\Users\\AppData\Roaming\Aid4Mail\Aid4Mail.ini.

Not every application that uses MAPI leaves as obvious an artifact; which email formats are available is up to the specific developer. One option is to determine which DLLs an executable loads, for example C:\Windows\SysWow64\mapi32.dll or C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll. Another is a timeline approach: look for the creation and deletion of C:\Users\\Documents\Outlook Files\~Outlook.pst.tmp without the other activity that normally accompanies Outlook use, which suggests a MAPI session was opened by something other than Outlook itself.

iCloud Service on Windows


John Lukach

iCloud Control Panel for Windows v1.01

Apple is commonly known for the artifacts left on the iPhone, iPad, iPod, and Mac, but artifacts can also be found on Windows if the iCloud service was enabled. The goal of this post is to describe the application-level artifacts that could help determine who transferred email, contacts, calendar items, tasks, bookmarks, and photos between devices, what was transferred, and when. Operating system artifacts such as the registry and event logs will also be available to correlate and validate your findings.

iCloud maintains detailed logs in C:\Users\\AppData\Roaming\Apple Computer\Logs that establish a timeline of when the service's features were used. Log file names follow the pattern of asl.221320_23feb12.log, with a new file created at initial start-up and after each system reboot. Photo Stream log entries give more granular information on when photos were transferred, and the Bookmark log entries even disclose the primary Apple ID.
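The log naming scheme above can be turned into a start-up/reboot timeline directly from a directory listing. The Python below is an added example, not code from the original post or from Apple; it assumes that asl.221320_23feb12.log encodes HHMMSS_DDmonYY (22:13:20 on 23 Feb 2012, local time) and the file names it runs over are constructed.

```python
"""Build a start-up/reboot timeline from iCloud's asl.*.log file names.

Added example, not from the original post. Assumes the name
asl.221320_23feb12.log encodes HHMMSS_DDmonYY local time (22:13:20 on
23 Feb 2012); the directory listing below is constructed.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

_ASL_NAME = re.compile(r'^asl\.(?P<hms>\d{6})_(?P<dmy>\d{2}[A-Za-z]{3}\d{2})\.log$')


def log_start_time(filename: str) -> Optional[datetime]:
    """Decode the timestamp in an asl log file name, or None if it does not match."""
    m = _ASL_NAME.match(filename)
    if not m:
        return None
    # strptime's %b matches the month abbreviation case-insensitively
    return datetime.strptime(m['hms'] + m['dmy'], '%H%M%S%d%b%y')


def session_timeline(filenames: List[str]) -> List[Tuple[datetime, str, Optional[timedelta]]]:
    """(start time, file name, gap since previous start), oldest first.

    Each file marks a start of the iCloud service, so consecutive gaps bound
    how long the service ran before the next reboot/restart.
    """
    starts = sorted((t, f) for f in filenames
                    if (t := log_start_time(f)) is not None)
    out, prev = [], None
    for t, f in starts:
        out.append((t, f, None if prev is None else t - prev))
        prev = t
    return out


# Constructed listing of ...\Apple Computer\Logs (mixed with a non-asl file)
SAMPLE_LOGS = ['asl.221320_23feb12.log', 'asl.081502_24feb12.log',
               'asl.193045_20feb12.log', 'PhotoStream.log']

if __name__ == '__main__':
    for when, name, gap in session_timeline(SAMPLE_LOGS):
        print(when.isoformat(), name, '' if gap is None else f'+{gap}')
```

The time stamps are whatever the Windows clock said at start-up, so compare them with the machine's time zone and any clock changes recorded in the System event log before lining them up against the Photo Stream or Bookmark entries.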

The preferences of each user who used the iCloud service are in C:\Users\\AppData\Roaming\Apple Computer\Preferences. Specifically, the mobilemeaccounts.plist file contains the account information along with configuration details for each service in use. The file is also of interest because it lists which bookmarks are being transferred to Internet Explorer or Safari.

Media Stream artifacts are located in the C:\Users\\AppData\Roaming\Apple Computer\MediaStream folder. The root level contains a SQLite database called local.db that holds the Apple ID plus the locations on the system where pictures are uploaded from and downloaded to. The same path has DL and UL folders with logs recording the dates and times at which a specific number of files were downloaded or uploaded to the locations defined in the database. Each file is assigned a unique asset identifier, such as 0142e0bf66ffe3f3ed826c51e6d3cc4f0eaad7db8d, in the logs. It would be nice to determine the algorithm used by Apple, which would allow images outside the defined locations to be identified, if anyone happens to know.

At this time there do not appear to be any application-specific artifacts for Mail, Calendar, Contacts, and Tasks in the iCloud service, so use your forensic tool of choice to parse the Microsoft Outlook data on the system instead.

A final artifact of interest: when the iCloud Control Panel is opened, you are presented with an option to manage the service's storage. The Backups section may give you insight into the number of mobile devices (iPhones, iPads, and iPods) archiving to iCloud, with the date of the last successful backup for each.

SSH Server Connections


Author Name

Artifact Name
Determine SSH Servers Users Connected To

Artifact/Program Version

User Activity, Active Machines

SSH is a popular and practical management protocol for system administrators and nefarious users alike. On Windows, the multifaceted terminal client PuTTY does not log by default, but it does store the SSH host keys of servers the user has accepted in the registry. This information can help an analyst during an incident or investigation to establish historical user activity and to check server authenticity.

Within the user's NTUSER.DAT hive, the values under the key outlined below record the key type, port, and host of each server whose host key the user accepted, which indicates a successful SSH connection (the host key exchange completed) but not a successful SSH login:


The Last Write Time of NTUSER.DAT/Software/SimonTatham/SshHostKeys corresponds to the time the most recently added server was first connected to (or a changed host key was accepted), not the last time the user SSH'd to a server. If a user connects to a known server repeatedly, these values are not updated, so network logs are a more suitable quantitative source.

If a user chooses to save a PuTTY profile (connection preferences, servers, logging settings, etc.), it is stored under NTUSER.DAT/Software/SimonTatham/Sessions.

Registry Keys
To determine servers connected to via SSH:
NTUSER.DAT/Software/SimonTatham/SshHostKeys -> Values correspond to successful SSH connections (accepted host keys) but not SSH logins.

To determine PuTTY configurations based on saved profiles:
NTUSER.DAT/Software/SimonTatham/Sessions -> Subkeys correspond to the profiles the user created.
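The following Python is an added example, not code from the original posts, the PsTools post above or PuTTY itself. It parses a `reg export` (.reg) file of the user's Software key and pulls out both artifacts discussed on this page: the Sysinternals EULA flags from the PsTools post (the entry lives at Software\Sysinternals\<Tool>\EulaAccepted in the user's hive) and the PuTTY host keys and saved sessions from this post. It assumes PuTTY's value-name layout `<keytype>@<port>:<host>` under SshHostKeys and the HostName/PortNumber values under each Sessions subkey; the .reg content is constructed. A .reg export carries no last-write times, so for those you still need an offline hive parser such as RegRipper on NTUSER.DAT.

```python
"""Pull PsTools EULA flags and PuTTY artifacts out of a .reg export.

Added example; not code from the original posts. Assumed layouts:
  Software\\Sysinternals\\<Tool>            EulaAccepted = dword:1
  Software\\SimonTatham\\SshHostKeys        value names "<keytype>@<port>:<host>"
  Software\\SimonTatham\\Sessions\\<name>   HostName / PortNumber values
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample of what `reg export HKCU\Software out.reg` produces.
# Real exports are UTF-16LE with a BOM: open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001

[HKEY_CURRENT_USER\Software\Sysinternals\PsList]
"EulaAccepted"=dword:00000001

[HKEY_CURRENT_USER\Software\Sysinternals\PsInfo]
"EulaAccepted"=dword:00000000

[HKEY_CURRENT_USER\Software\SimonTatham\SshHostKeys]
"rsa2@22:10.0.0.5"="0x10001,0xc0ffee"
"ssh-ed25519@2222:bastion.example.net"="0x1,0x2"

[HKEY_CURRENT_USER\Software\SimonTatham\Sessions\prod%20web]
"HostName"="10.0.0.5"
"PortNumber"=dword:00000016
"Protocol"="ssh"
'''

_SECTION = re.compile(r'^\[(.+)\]$')
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HOSTKEY = re.compile(r'^(?P<type>[^@]+)@(?P<port>\d+):(?P<host>.+)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace('\\\\', '\\')


def _decode(data: str):
    """Decode the right-hand side of a .reg value line."""
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith('hex'):                      # hex:, hex(2):, hex(7): ...
        body = data.split(':', 1)[1]
        return bytes(int(b, 16) for b in body.split(',') if b.strip())
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: decoded data}}."""
    lines: List[str] = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith('\\'):      # hex data continued on next line
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in lines:
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys


def pstools_used(keys) -> List[str]:
    """Tools whose EULA this user accepted, i.e. ran at least once."""
    used = []
    for path, values in keys.items():
        parts = path.split('\\')
        if (len(parts) >= 2 and parts[-2].lower() == 'sysinternals'
                and values.get('EulaAccepted') == 1):
            used.append(parts[-1])
    return sorted(used)


def putty_hosts(keys) -> List[Tuple[str, int, str]]:
    """(host, port, key type) for every server whose host key was accepted."""
    hosts = []
    for path, values in keys.items():
        if path.lower().endswith('\\software\\simontatham\\sshhostkeys'):
            for name in values:
                m = _HOSTKEY.match(name)
                if m:
                    hosts.append((m['host'], int(m['port']), m['type']))
    return sorted(hosts)


def putty_sessions(keys) -> Dict[str, Tuple[str, int]]:
    """Saved profile -> (HostName, PortNumber); PuTTY percent-encodes names."""
    marker = '\\software\\simontatham\\sessions\\'
    sessions = {}
    for path, values in keys.items():
        idx = path.lower().find(marker)
        if idx != -1:
            name = unquote(path[idx + len(marker):])
            sessions[name] = (str(values.get('HostName', '')),
                              int(values.get('PortNumber', 22)))
    return sessions


if __name__ == '__main__':
    reg = parse_reg_export(SAMPLE_REG)
    print('PsTools run:', pstools_used(reg))
    print('SSH hosts:  ', putty_hosts(reg))
    print('Sessions:   ', putty_sessions(reg))
```

Note that an SshHostKeys entry proves only that the user got as far as accepting that server's key on that port; pair it with the server's own auth log or the network capture to show whether a login followed.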


Related Posts:

Dropbox Config Files (Windows)


Author Name
Frank McClain

Artifact Name
Dropbox Config Files (Windows)

Artifact/Program Version
Dropbox 1.1.35 (Windows)

Dropbox is a file-synchronization, backup, and (even) sharing service. It has applications that run on Windows, Mac, Linux, iPhone, Android and Blackberry. Once downloaded and installed, the application runs when the OS starts. It adds a systray item that gives access to the settings ('Preferences') and to your files. The application creates a 'My Dropbox' folder inside the user's 'My Documents' folder for local cached/offline copies of the files (this default location can be changed). These then sync with the web storage and across all other computers connected to the account that are online. Multiple computers can be connected to one account; if these are on the same network, a feature called 'LAN sync' allows them to communicate with one another directly when syncing files, in order to reduce bandwidth consumption (as a note, the sync only transfers the data that is changed, not the entire

Registry Keys
With a clean installation, there were 173 registry keys created and 58 values set (captured via Sysinternals ProcMon). During uninstallation, there were 153 changes to the registry (logged with Regshot), including 49 deletions. The value data logged include:
"C:\Documents and Settings\username\Application Data\Dropbox\bin"
"Dropbox, Inc."
and several further paths under "C:\Documents and Settings\username\Application Data".

File Locations
The majority of Dropbox's configuration and user info is stored in SQLite database files in %appdata% under the Dropbox directory. Two are not actually SQLite files: host.db (plain text) and unlink.db (format not determined).

config.db contains some info about the local Dropbox installation and account. It shows what it calls the "host_id", which appears to be an MD5 hash value. It also lists the email address associated with the account (useful during an investigation), and the current version/build of the local application.

filecache.db has several tables, but the one I think is of the most interest is 'file_journal;' it contains a listing of all directories and files inside 'My Dropbox.' It appears these are only the live files, not deleted ones.

sigstore.db records the SHA-256 hash and size of each file, but no names.

These can be viewed with a SQLite viewer, or parsed with other programs (see research links).
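As an added example (not code from the original post, and not Dropbox's own), the Python below triages the .db files in the Dropbox config directory. Because host.db and unlink.db are not SQLite despite the extension, it checks the 16-byte SQLite header before opening anything, opens what is SQLite read-only so the evidence is not touched, and lists every table through sqlite_master so you need no prior knowledge of Dropbox's schema. The sample directory it builds, and the file_journal columns in it, are constructed; the real table's columns differ.

```python
"""Triage the .db files in a Dropbox config directory.

Added example, not from the original post. It relies only on the SQLite 3
file signature and the sqlite_master catalog; the sample directory built by
build_sample_dir() is constructed and its file_journal columns are
illustrative, not Dropbox's real layout.
"""
import os
import pathlib
import sqlite3
import tempfile
from typing import Dict, List

SQLITE_MAGIC = b"SQLite format 3\x00"     # first 16 bytes of every SQLite 3 file


def is_sqlite(path: str) -> bool:
    """Check the header rather than trusting the .db extension (host.db is text)."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def _open_ro(path: str) -> sqlite3.Connection:
    # mode=ro keeps the evidence file unmodified (no journal/WAL writes on read)
    return sqlite3.connect(pathlib.Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def list_tables(path: str) -> Dict[str, int]:
    """{table name: row count} taken from sqlite_master."""
    con = _open_ro(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        con.close()


def dump_table(path: str, table: str, limit: int = 50) -> List[Dict[str, object]]:
    """Rows of one table as dicts, with column names taken from the cursor."""
    con = _open_ro(path)
    try:
        cur = con.execute(f'SELECT * FROM "{table}" LIMIT ?', (limit,))
        cols = [d[0] for d in cur.description]
        return [dict(zip(cols, row)) for row in cur.fetchall()]
    finally:
        con.close()


def triage_dropbox_dir(directory: str) -> Dict[str, object]:
    """For each *.db: its tables if it is SQLite, otherwise the first bytes seen."""
    report: Dict[str, object] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".db"):
            continue
        path = os.path.join(directory, name)
        if is_sqlite(path):
            report[name] = list_tables(path)
        else:
            with open(path, "rb") as fh:
                report[name] = "not SQLite, starts with %r" % fh.read(16)
    return report


def build_sample_dir() -> str:
    """Constructed stand-in for %appdata%\\Dropbox (schema is illustrative)."""
    d = tempfile.mkdtemp(prefix="dropbox-")
    con = sqlite3.connect(os.path.join(d, "filecache.db"))
    con.execute("CREATE TABLE file_journal(server_path TEXT, size INTEGER, mtime INTEGER)")
    con.executemany("INSERT INTO file_journal VALUES (?,?,?)",
                    [("/Photos/cat.jpg", 48213, 1330000000),
                     ("/Work/notes.txt", 1201, 1330001234)])
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(d, "config.db"))
    con.execute("CREATE TABLE config(key TEXT, value TEXT)")
    con.execute("INSERT INTO config VALUES ('email', 'user@example.com')")
    con.commit()
    con.close()
    with open(os.path.join(d, "host.db"), "w") as fh:   # plain text, not SQLite
        fh.write("0\nZGVhZGJlZWY=\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for fname, info in triage_dropbox_dir(sample).items():
        print(fname, "->", info)
    for row in dump_table(os.path.join(sample, "filecache.db"), "file_journal"):
        print(row)
```

Run it against a copy of the Dropbox directory from the image; the read-only URI refuses to create a journal, so if a database is reported as unreadable it is worth checking for an accompanying -journal or -wal file that a viewer would otherwise silently replay.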

Inside the user's Dropbox folder is a hidden directory, .dropbox.cache. This contains a record of files created/modified (and saved) on another linked system. There are copies of the files themselves, for each revision/save, and an entries.log file that appears to contain encoded information about each of those files.

Research Links

(some more research to be posted

Forensic Programs of Use
(not forensic, but good for viewing the SQLite db files)
(haven't tried it yet, may be able to parse deleted records from the SQLite db files)

Other Info
The Dropbox Reader python scripts are handy for parsing the SQLite db files quickly and getting output that way, rather than loading each up individually in a viewer. They're designed specifically to work with Dropbox's implementation, and present the information in a more meaningful way.

I had some issues getting them to work properly and they were very responsive and helpful. Apparently one of my files is a bit of an oddball (missing some information) so it won't parse correctly; they're working on a fix for that.

UserInfo (Windows)


Author Name
Corey Harrell

Artifact Name

Artifact/Program Version
Windows Registry

Microsoft Office documents contain metadata that show when a file was created and modified, and by which user names. The user names in Microsoft Office documents' metadata are pulled from the UserInfo registry key in the registry hive of the user account performing the actions. The values responsible in the UserInfo registry are the UserName and Company

How the UserName and Company registry values are populated varies. For the user account that installed Microsoft Office, the values are populated with the user name and company entered during installation. For user accounts that use Microsoft Office but didn't install it, the values are populated a little differently: the first time the user launches an Office application, a dialog box asks for the user name and initials, and the information entered there becomes the UserName value in that user's UserInfo registry key. The location of the UserInfo registry key varies depending on the version of Microsoft Office installed on the

Registry Keys
Microsoft Office 2007: HKCU\Software\Microsoft\Office\Common\UserInfo
Microsoft Office 2003:

Research Links

Forensic Programs of Use
Registry viewer such as the free MiTeC Windows Registry Recovery

Google Chrome Browser Profile (Windows Vista/Windows 7)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Windows Vista/Windows 7)

Artifact/Program Version
Windows Vista/Windows 7

In many digital forensics investigations, establishing the user's browsing habits is an important step. We see lots of articles on IE and Firefox, but what about Google's Chrome browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user's profile folder. Most times this will be named "Default", but be on the lookout for multiple profiles. Once you locate and extract the Chrome profile folder (listed below) from your image, tools such as ChromeAnalysis or ChromeForensics can parse the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)


Web Logins

Archived History (Web History and search terms)

Bookmarks (this is a JSON file, not SQLite)

File Locations
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default
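If you want to look at the History database without one of the tools above, the main thing to get right is the timestamp: Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch in microseconds), not a Unix time. The Python below is an added example, not code from the original post or from Chrome; it converts that value in both directions and queries the urls table, newest visit first, with an optional cutoff. The column names used exist in Chrome's History schema, but the database it builds is a constructed sample, not a real profile.

```python
"""Read a Chrome 'History' profile database and convert its timestamps.

Added example, not from the original post. Chrome stores last_visit_time
as microseconds since 1601-01-01 UTC; build_sample_history() creates a
constructed database with the subset of the urls columns used here.
"""
import pathlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> Optional[datetime]:
    """Chrome/WebKit time (microseconds since 1601) -> aware UTC datetime; 0 means never."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion, used to build time-bounded queries."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def recent_history(history_path: str, since: Optional[datetime] = None,
                   limit: int = 50) -> List[Tuple[str, str, int, Optional[datetime]]]:
    """(url, title, visit_count, last visit) newest first.

    Work on a copy of the file: a running Chrome holds a lock on History.
    """
    uri = pathlib.Path(history_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        cutoff = datetime_to_webkit(since) if since else 0
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls "
            "WHERE last_visit_time >= ? ORDER BY last_visit_time DESC LIMIT ?",
            (cutoff, limit)).fetchall()
    finally:
        con.close()
    return [(u, t, c, webkit_to_datetime(ts)) for u, t, c, ts in rows]


def build_sample_history() -> str:
    """Constructed History file with the subset of urls columns used above."""
    path = tempfile.mkdtemp(prefix="chrome-") + "/History"
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                "title LONGVARCHAR, visit_count INTEGER, typed_count INTEGER, "
                "last_visit_time INTEGER, hidden INTEGER)")
    jan1 = datetime(2012, 1, 1, tzinfo=timezone.utc)
    con.executemany("INSERT INTO urls VALUES (NULL,?,?,?,?,?,0)", [
        ("https://example.com/", "Example", 3, 1, datetime_to_webkit(jan1)),
        ("https://intranet.example.net/login", "Login", 1, 0,
         datetime_to_webkit(jan1 + timedelta(days=2, hours=9))),
        ("https://old.example.org/", "Old", 7, 0,
         datetime_to_webkit(datetime(2011, 6, 1, tzinfo=timezone.utc))),
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    hist = build_sample_history()
    for url, title, count, when in recent_history(hist):
        print(when.isoformat() if when else "never", count, url, title)
```

The urls table only keeps the most recent visit per URL; for every individual visit (and the referrer chain) query the visits table in the same file, whose visit_time uses the same epoch, so the conversion above applies unchanged.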

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from

ChromeForensics by Woanware: