As many of you who would be interested in this post may know, many important things involving a forensic investigation can be found within the registry. One location that holds a ton of good information that would relate to how a user is utilizing their PC can be found within the NTUSER.DAT file. To gain access to the information found on the NTUSER.DAT file, we first need to acquire the file at either C:\Document and Settings\<USER NAME> (for Windows XP) or C:\Users\<USER NAME> (for Vista/Win7). Natively you will not see this file, so you’ll want a forensic program such as FTK Imager to acquire the file (using FTK Imager: right-click file and export the file to your desired location). Once the file has been acquired, you can run it through a program called RegRipper by simply adding the path to the NTUSER.DAT file you acquired, selecting an output, and selecting the proper NTUSER.DAT plugin. This will output a great text file with a wealth of knowledge an examiner can use in an investigation.
One great piece of information one can access with this analysis is the recent documents a logged in user can access. Using RegRipper on my Windows 7 machine I was able to come up with this information on files I’ve last accessed:
This is a great piece of information to have because it can implement a user to accessing a specific file.
Windows 7 adds some great new features; this post is going to focus on Jump Lists. What are jump lists? In Windows 7 you may have noticed those neat additions to your right-click menu, like recent history and in few instances application options. These are jump lists, application specific tasks that are added to a programs right click menu. I provide a few examples of these jump lists below:
Now you’ll notice that the Google Chrome jump list offers more options than that for Explorer. It is important to note, that only some applications will take use of this feature. Jump lists are great for accessing your recent/frequently used objects for several applications quickly. It’s possible that one would assume that this information is pulled from the NTUSER.DAT file which contains recent document information. This is not the case, examination of the PC will reveal that the jump list information at C:\Users\<USER NAME>\AppData\Roaming\Microsoft\Windows\Recent Items :
This redundancy provides examiners with something quite vital. For instance, if a system has CCleaner installed on it, CCleaner is set to delete Recent Document upon default. So, a quick run of CCleaner and all of this information is wiped (including the secondary location at C:\Users\<USER NAME>\AppData\Roaming\Microsoft\Windows\Recent Items); something quite possible in a case where malicious content is being stored on PC.. However, with the secondary location on the PC can provide an examiner with something recoverable, a link (LNK) file. Upon examination of the path some LNK files are going to be recoverable within the Recent Items folder. This may be able to cause an association to a User to a particular file.
Recent Document information can also be found at: C:\Users<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Examining this location with FTK Imager we can see something like this:
As seen above, examining these files at the hex level we will see the location of a file I recently opened. In my case we see I recently opened an NTUSER registry rip from RegRipper.
This is great bit of information to retain. Again, this can help show a user was accessing certain files.
For more information on Windows 7 Forensics take a look at this paper on the topic by Piotrek Smulikowski. You'll find more info on Jump Lists at page 23.