Uncovering Digital Footprints: A Beginner’s Guide to Registry Analysis for Evidence of Execution

Welcome to the third part of our registry forensics series, where we delve into the fascinating world of digital footprints. In this article, we will explore the traces left behind when programs are opened, files are viewed, and actions are taken on a computer. This is a crucial part of Windows Registry analysis, as it connects computer activity with real behavior, providing valuable insights for digital investigators.

Introduction to Evidence of Execution

Evidence of execution is a vital aspect of digital forensics, as it helps investigators understand what happened on a system. Every opened document, launched application, and user interaction becomes a clue, allowing analysts to reconstruct the events surrounding a digital incident. The Windows Registry, in particular, is a treasure trove of information, containing user-specific settings, preferences, and activity logs. By learning where to look and how to interpret these artifacts, investigators can gain a deeper understanding of the system’s past activity.

Recent Activity: Uncovering User Interactions

Several locations within the Windows Registry can reveal files that a user interacted with and places they visited. These areas are essential for forensic analysts, as they provide context about what the user knew and what they accessed. In this section, we will explore three key areas: Known Files, Office Recent Files, and ShellBags.

Known Files: Tracking User Activity

Windows keeps track of recently opened files for every user, storing this information inside the NTUSER.DAT hive. The path to this location is: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. In Registry Explorer, this area is neatly organized, with the most recently opened files appearing at the top. These lists can contain documents, images, executables, and more, providing valuable insights into user behavior.

For example, if you see that a user opened a Word document named “2020-03-15-12-30-00.docx”, you can infer that the user was working with a document dated March 15th, 2020 at 12:30 PM. Keep in mind that this date comes from the file name, not from the registry itself; the last-write timestamp on the RecentDocs key records when the entry was last updated. This information can be used to reconstruct the user’s activities, helping investigators understand the context surrounding a digital incident.
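The RecentDocs key stores one binary value per slot ("0", "1", "2", ...) plus an MRUListEx value that gives the most-recent-first order. The following parser is an added example and is not code from the original article; the value data is constructed inline (the file names are made up, and the trailer that normally describes the matching .lnk shortcut is simplified), and reading the real values out of an NTUSER.DAT hive with a hive parser is assumed to happen elsewhere.

```python
import struct
from typing import Dict, List


def _constructed_entry(name: str) -> bytes:
    """Build a RecentDocs-style value: the file name as UTF-16LE ending in a
    two-byte null, followed by shortcut data (simplified here; constructed)."""
    return name.encode("utf-16-le") + b"\x00\x00" + (name + ".lnk").encode("ascii") + b"\x00"


# Constructed stand-in for the values of
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
SAMPLE_RECENTDOCS: Dict[str, bytes] = {
    "0": _constructed_entry("report.docx"),
    "1": _constructed_entry("photo.jpg"),
    "2": _constructed_entry("2020-03-15-12-30-00.docx"),
    # MRUListEx: slot 2 was opened most recently, then slot 0, then slot 1
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def parse_mrulistex(data: bytes) -> List[int]:
    """MRUListEx is a run of little-endian uint32 slot numbers, most recently
    used first, terminated by 0xFFFFFFFF. A trailing partial DWORD is ignored."""
    order: List[int] = []
    usable = len(data) - len(data) % 4
    for off in range(0, usable, 4):
        slot = struct.unpack_from("<I", data, off)[0]
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def parse_recentdocs_name(data: bytes) -> str:
    """Recover the file name by scanning UTF-16 code units (even offsets) for
    the first null; everything after it belongs to the shortcut block."""
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le", errors="replace")
    # No terminator at all: decode what is there rather than fail outright.
    return data[: len(data) - len(data) % 2].decode("utf-16-le", errors="replace")


def recent_docs_in_order(values: Dict[str, bytes]) -> List[str]:
    """Return file names in most-recent-first order. Slots referenced by
    MRUListEx but absent from the key are skipped instead of raising."""
    names: List[str] = []
    for slot in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(slot))
        if blob is not None:
            names.append(parse_recentdocs_name(blob))
    return names


if __name__ == "__main__":
    for rank, name in enumerate(recent_docs_in_order(SAMPLE_RECENTDOCS), 1):
        print(f"{rank}. {name}")
```

The same two functions work on the per-extension subkeys under RecentDocs (for example a `.docx` subkey), since each of those uses the same value layout and its own MRUListEx.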

Office Recent Files: Microsoft Office Activity

Microsoft Office also keeps its own list of recently opened documents, which can be found in the NTUSER hive. The exact location depends on the version of Office installed, but the general path is: NTUSER.DAT\Software\Microsoft\Office\VERSION. For example, Office 2013 uses the path: NTUSER.DAT\Software\Microsoft\Office\15.0\Word. Newer Office versions tied to a user’s Microsoft account save this information under: NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU.

This area not only lists recently accessed files but often includes their full paths, which can help investigators reconstruct user behavior in great detail. By analyzing these logs, investigators can gain a deeper understanding of the user’s activities, including the documents they accessed and the applications they used.
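In Office 2010 and later, each entry under File MRU is a string value named "Item N" of the form `[F00000000][T<16 hex digits>][O00000000]*<full path>`, where the T field is a Windows FILETIME recording when the document was last opened. The parser below is an added example, not code from the original article; the sample values are constructed (the user name, paths and timestamps are made up), and the optional `[O...]` block is treated as absent in older Office versions, which is an assumption on my part.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

# Layout of a File MRU item value (the [O...] block is optional here; it is
# assumed to be missing in older Office versions).
ITEM_RE = re.compile(
    r"^\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\](?:\[O([0-9A-Fa-f]{8})\])?\*(.+)$"
)
# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for the values of a File MRU key
SAMPLE_FILE_MRU: Dict[str, str] = {
    "Item 1": r"[F00000000][T01D5FAC571AD9400][O00000000]*C:\Users\alice\Documents\2020-03-15-12-30-00.docx",
    "Item 2": r"[F00000000][T01D5F9C2AB3C0000][O00000000]*C:\Users\alice\Downloads\invoice.docx",
    "Item 3": "not an mru entry",  # malformed value: must be skipped, not crash the parse
    "Max Display": "25",           # unrelated value living in the same key
}


class MruEntry(NamedTuple):
    item: str
    path: str
    last_opened: datetime


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_file_mru_item(name: str, data: str) -> Optional[MruEntry]:
    """Parse one 'Item N' value; return None if it does not match the layout."""
    match = ITEM_RE.match(data)
    if match is None:
        return None
    filetime = int(match.group(2), 16)
    return MruEntry(item=name, path=match.group(4), last_opened=filetime_to_datetime(filetime))


def parse_file_mru(values: Dict[str, str]) -> List[MruEntry]:
    """Parse every 'Item N' value and order the results newest first."""
    entries: List[MruEntry] = []
    for name, data in values.items():
        if not name.startswith("Item "):
            continue
        entry = parse_file_mru_item(name, data)
        if entry is not None:
            entries.append(entry)
    entries.sort(key=lambda e: e.last_opened, reverse=True)
    return entries


if __name__ == "__main__":
    for entry in parse_file_mru(SAMPLE_FILE_MRU):
        print(f"{entry.last_opened.isoformat()}  {entry.item}: {entry.path}")
```

Because the timestamp is embedded in the value data rather than taken from the key's last-write time, each document carries its own last-opened time, which is what makes the File MRU useful for building a per-document timeline.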

ShellBags: Windows Explorer Activity

Whenever a user opens a folder, Windows stores information about icons, list mode, window size, and more. These details help Windows remember the user’s preferred view settings, but they also provide valuable insights for investigators. ShellBags can be found in the NTUSER.DAT hive, under the path: NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags. On Windows 7 and later, a large share of the Explorer ShellBag data lives in the user’s USRCLASS.DAT hive under Local Settings\Software\Microsoft\Windows\Shell, so both hives should be examined.

By analyzing ShellBags, investigators can reconstruct the user’s interactions with Windows Explorer, including the folders they accessed and the files they viewed. This information can be used to identify potential evidence, such as documents or images, and to understand the user’s behavior in the context of a digital incident.

Putting it all Together: Analyzing Evidence of Execution

When analyzing evidence of execution, investigators must consider the various locations within the Windows Registry that contain user activity logs. By combining the information from Known Files, Office Recent Files, and ShellBags, investigators can gain a comprehensive understanding of the user’s behavior and reconstruct the events surrounding a digital incident.

The following list highlights the key locations to consider when analyzing evidence of execution:

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (Known Files)
  • NTUSER.DAT\Software\Microsoft\Office\VERSION (Office Recent Files)
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags (ShellBags)

By analyzing these locations and combining the information, investigators can create a detailed timeline of the user’s activities, including the documents they accessed, the applications they used, and the folders they viewed. This information can be used to identify potential evidence, reconstruct the events surrounding a digital incident, and ultimately, bring perpetrators to justice.

Conclusion

In
