Tracing the Digital Footprints - Deleted File or File Knowledge

In digital forensics, recovering and understanding information about deleted files, or even just knowledge of files that existed on a system, is paramount. Whether it's to reconstruct events, identify malicious activity, or recover lost data, Windows leaves behind a surprising amount of data about what once was. Let's delve into some key artifacts that shed light on "Deleted File or File Knowledge" on a Windows system.
XP Search – ACMRU
The XP Search – ACMRU artifact provides insight into a user's search history on Windows XP systems.
Description: The search assistant on a Windows XP machine allows users to search for a wide range of information. This assistant will remember a user’s search terms for filenames, computers, or words that are inside a file, serving as a form of "Search History".
Location: This artifact is found within the NTUSER.DAT hive, specifically at NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\####.
Interpretation: The #### in the location denotes different categories of searches:
5001 indicates a search for "Search the Internet".
5603 indicates a search for "All or part of a document name".
5604 indicates a search for "A word or phrase in a file".
5647 indicates a search for "Printers, Computers and People".
This artifact can reveal what a user was looking for, even if the files or information themselves are no longer present.
Thumbcache
Thumbcache databases store visual representations of files, providing a glimpse into previously viewed content.
Description: The thumbcache is a database that contains thumbnails of pictures, office documents, and folders. Each user has their own database, which is based on the thumbnail sizes the user has viewed (small, medium, large, and extra-large).
Location: The thumbcache files are located at C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer.
Interpretation: These thumbnail caches are created when a user switches a folder to thumbnail mode or views pictures via a slideshow. On Windows 7 and later, four distinct thumbnail sizes are stored in separate database files, reflecting sizes 32 (small), 96 (medium), 256 (large), and 1024 (extra large). The thumbcache stores a copy of the picture's thumbnail, at the corresponding size, in the equivalent database file. This means that even if the original image or document file has been deleted, its thumbnail might still exist in the thumbcache, offering evidence that the file was once present and viewed.
Thumbs.db
Similar to Thumbcache, Thumbs.db files offer another avenue for uncovering previously viewed images.
Description: Thumbs.db is a hidden file found in directories where images exist. It stores smaller thumbnail graphics and catalogs the pictures in a folder; importantly, it retains a copy of the thumbnail even if the pictures were deleted.
Location:
On Windows XP and Windows 8/8.1, Thumbs.db is automatically created anywhere with homegroup enabled.
On Windows 7, 8, and 10, it is automatically created anywhere and can be accessed via a UNC path (local or remote).
Interpretation: The contents of Thumbs.db include:
The thumbnail picture of the original picture.
Document thumbnails, even if the original document was deleted.
Last modification time (XP only).
Original filename (XP only).
This artifact is crucial for identifying images that were once present in a specific folder, even after their deletion.
IE | Edge file://
This artifact provides a less obvious but powerful way to track local file access.
Description: A "little-known fact" is that Internet Explorer History is not solely related to Internet browsing. It also records local, removable, and remote (via network shares) file access. This makes it an "excellent means for determining which files and applications were accessed on the system, day by day".
Location: The location varies by Internet Explorer version:
IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
IE10-11 & Edge: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation: Entries for local or remote file access are stored in index.dat and appear as file:///C:/directory/filename.ext. It's important to note that this does not mean the file was opened within the browser itself. Instead, it simply indicates that the file was accessed via a path that IE's history tracks.
Search – WordWheelQuery
This artifact provides a direct record of user search queries made through the Start menu.
Description: This artifact tracks keywords searched for from the START menu bar on a Windows 7 machine (and subsequently Windows 8/10).
Location: This information is stored in the NTUSER.DAT hive at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
Interpretation: The keywords searched are added in Unicode format and are listed in temporal order within an MRU (Most Recently Used) list. This can be valuable for understanding what a user was looking for on their system, providing clues about file names or content, even if the files themselves were later deleted or moved.
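The "temporal order within an MRU list" above comes from the key's MRUListEx value: a run of 4-byte little-endian value indices, most recent first, ending in 0xFFFFFFFF, while each numbered value holds one UTF-16LE, NUL-terminated search term. The following is an added example, not code from the original page or from any forensic tool it mentions; the key contents are constructed in the script (as a plain dict standing in for values read from an exported hive), and the search terms are invented.

```python
import struct

# Constructed sample of a WordWheelQuery key, modelled on its on-disk layout:
# each numbered value is a UTF-16LE, NUL-terminated search term (REG_BINARY),
# and MRUListEx is a sequence of 4-byte little-endian value indices, most
# recent first, terminated by 0xFFFFFFFF. The terms themselves are invented.
SAMPLE_WORDWHEELQUERY = {
    "0": "quarterly report".encode("utf-16-le") + b"\x00\x00",
    "1": "tax return 2023".encode("utf-16-le") + b"\x00\x00",
    "2": "vacation photos".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}


def parse_mrulistex(blob: bytes) -> list:
    """Return value indices in MRU order (most recent first).

    Stops at the 0xFFFFFFFF terminator; a trailing partial DWORD is ignored.
    """
    order = []
    usable = len(blob) - len(blob) % 4
    for (idx,) in struct.iter_unpack("<I", blob[:usable]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_search_term(blob: bytes) -> str:
    """Decode a UTF-16LE value and cut it at the first NUL terminator."""
    usable = len(blob) - len(blob) % 2
    text = blob[:usable].decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def wordwheel_history(values: dict) -> list:
    """Return (index, term) pairs ordered most recent first.

    Indices named in MRUListEx but missing from the key are skipped; numbered
    values that MRUListEx does not reference (seen when the list is truncated
    or damaged) are appended after the ordered entries so that no search term
    is silently lost.
    """
    ordered = []
    seen = set()
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        name = str(idx)
        if name in values:
            ordered.append((idx, decode_search_term(values[name])))
            seen.add(name)
    for name, blob in values.items():
        if name.isdigit() and name not in seen:
            ordered.append((int(name), decode_search_term(blob)))
    return ordered


if __name__ == "__main__":
    for position, (idx, term) in enumerate(wordwheel_history(SAMPLE_WORDWHEELQUERY)):
        print(f"{position}: value {idx} -> {term!r}")
```

With real data, the dict would be filled from the exported WordWheelQuery key (for instance via a registry-hive library); the value named "0" is not necessarily the oldest search, only the first slot that was filled, which is why the ordering must come from MRUListEx rather than from the value names.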
Win7/8/10 Recycle Bin
The Recycle Bin is often the first place to look for deleted files, offering direct evidence of their removal.
Description: The Recycle Bin is a "very important location on a Windows file system to understand" for forensic investigations. Generally, every file deleted from a Recycle Bin-aware program is first placed in the Recycle Bin.
Location: This is a hidden system folder located at C:\$Recycle.bin. Within this location, the deleted time and original filename of each deleted item are kept in a separate file from the recovered content.
Interpretation:
The Security Identifier (SID) associated with Recycle Bin contents can be mapped to a specific user via Registry Analysis.
For Windows 7, 8, and 10:
Files preceded by $I###### contain the original path and name of the deleted file, along with its deletion date/time.
Files preceded by $R###### contain the recovery data (the actual content of the deleted file).
The Recycle Bin provides critical information about what was deleted, when, by whom, and from where, potentially allowing for recovery of the original data.
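The $I###### record is small and fixed in layout, so it is worth being able to read one by hand when a tool is unavailable or its output needs checking. Below is an added example, not code from the original page: a parser for the two $I layouts (version 1 on Windows Vista through 8.1, version 2 on Windows 10, which replaces the fixed 520-byte path field with a character count followed by the path), plus the FILETIME conversion needed for the deletion timestamp. The records it parses are constructed in the script rather than captured from a system, and the paths and sizes in them are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build the sample records."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(blob: bytes) -> dict:
    """Parse one $I###### record into its fields.

    Layout (all little-endian): 8-byte version (1 on Windows Vista/7/8,
    2 on Windows 10), 8-byte original file size, 8-byte FILETIME deletion
    time, then the original path as UTF-16LE: a fixed 520-byte NUL-padded
    field in version 1, or a 4-byte character count followed by that many
    UTF-16LE code units (including the NUL terminator) in version 2.
    """
    if len(blob) < 24:
        raise ValueError("$I record shorter than its 24-byte fixed header")
    version, size, ft = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:
        raw = blob[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw = blob[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def companion_r_name(i_name: str) -> str:
    """$I<id>.<ext> and $R<id>.<ext> share the same id; derive the $R name."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample_dollar_i(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Construct a $I record for testing (not captured from a real system)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples: the user name, paths, sizes and timestamp are invented.
SAMPLE_DELETED = datetime(2021, 3, 4, 10, 15, 30, tzinfo=timezone.utc)
SAMPLE_I_V1 = build_sample_dollar_i(1, r"C:\Users\alice\Documents\plan.docx", 40960, SAMPLE_DELETED)
SAMPLE_I_V2 = build_sample_dollar_i(2, r"C:\Users\alice\Desktop\notes.txt", 512, SAMPLE_DELETED)

if __name__ == "__main__":
    for name, blob in (("$IABC123.docx", SAMPLE_I_V1), ("$IDEF456.txt", SAMPLE_I_V2)):
        rec = parse_dollar_i(blob)
        print(f"{name} (v{rec['version']}): {rec['path']} deleted {rec['deleted'].isoformat()}, "
              f"{rec['size']} bytes, content in {companion_r_name(name)}")
```

On a live image the blobs would be read from C:\$Recycle.bin\<SID>\$I* files; the SID folder name is what links each record to a user. The deletion time in the record is UTC, so no time-zone adjustment is needed before correlating it with other UTC artifacts.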
Last-Visited MRU
This artifact links file access to the applications used and the last directories accessed.
Description: The Last-Visited MRU tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. Additionally, each value in this artifact tracks the directory location of the last file that was accessed by that application. An example given is Notepad.exe last run using the C:\%USERPROFILE%\Desktop folder.
Location:
Windows XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows 7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Interpretation: This key specifically tracks the application executables used to open files in OpenSaveMRU and, critically, the last file path used by each such application. This can provide context on which files were being worked on with which applications, even if the files themselves are no longer directly accessible.
XP Recycle Bin
Similar to its modern counterpart, the XP Recycle Bin provides crucial information about deleted files on older Windows systems.
Description: The Recycle Bin is a "very important location on a Windows file system to understand" for forensic investigations. As on later Windows versions, every file deleted from a Recycle Bin-aware program on XP is generally first placed in the Recycle Bin.
Location: This is a hidden system folder located at C:\RECYCLER on Windows 2000, NT, XP, and 2003. Within this directory, a subfolder is created with the user's SID. A hidden file named INFO2 within this subfolder contains the deleted time and original filename. The filename is stored in both ASCII and Unicode formats.
Interpretation:
The SID can be mapped to the specific user via Registry Analysis.
This artifact maps the recycled file name to the actual name and path it was deleted from. By examining the XP Recycle Bin, investigators can determine what files were deleted, when, and from where, allowing for a reconstruction of events surrounding file removal on Windows XP systems.
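To make the INFO2 description concrete, here is an added example parser, not code from the original page or from a published tool, that reads the fixed-size records (260-byte ASCII path, record index, drive number, FILETIME deletion time, size on disk, 520-byte Unicode path) and rebuilds the D<drive letter><index>.<ext> name under which the recycled file sits in the SID folder. Two things in it are assumptions rather than facts taken from the page: the 20-byte header with the record size at offset 12, and the convention of treating a record whose ASCII path starts with a NUL byte as a slot whose item was already restored or purged. The INFO2 blob is constructed in the script, and its paths, sizes and timestamps are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER_LEN = 20    # assumed: Windows 2000/XP INFO2 header size
INFO2_RECORD_LEN = 800   # per-record size on Windows 2000/XP (also stored in header)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build the sample file."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_info2(blob: bytes) -> list:
    """Parse an XP-era INFO2 file into a list of record dicts.

    Header (assumed 20 bytes): uint32 version (5 on Windows 2000/XP), two
    uint32 fields of unclear meaning, uint32 record size, one more uint32.
    Each record: 260-byte ANSI original path, uint32 record index, uint32
    drive number (0 = A:, 2 = C:), 8-byte FILETIME deletion time, uint32
    size on disk, 520-byte UTF-16LE original path.
    """
    if len(blob) < INFO2_HEADER_LEN:
        raise ValueError("INFO2 shorter than its header")
    version, _unk1, _unk2, record_len, _unk3 = struct.unpack_from("<5I", blob, 0)
    if record_len == 0:
        record_len = INFO2_RECORD_LEN
    records = []
    offset = INFO2_HEADER_LEN
    while offset + record_len <= len(blob):
        rec = blob[offset:offset + record_len]
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", errors="replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni = rec[280:280 + 520].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        letter = chr(ord("A") + drive) if drive < 26 else "?"
        name = uni.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        records.append({
            "version": version,
            "index": index,
            "drive": letter + ":",
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "path_ansi": ansi,
            "path_unicode": uni,
            # Name of the renamed file inside C:\RECYCLER\<SID>\ (e.g. Dc3.txt).
            "recycled_name": f"D{letter.lower()}{index}{ext}",
            # Assumed convention: a leading NUL in the ANSI path marks a slot
            # whose item was restored or purged. The Unicode copy may still
            # carry the name, so the record is flagged rather than dropped.
            "purged_slot": rec[0] == 0,
        })
        offset += record_len
    return records


def build_sample_info2(entries) -> bytes:
    """Construct an INFO2 blob for testing from
    (index, drive_number, path, size, deleted_datetime) tuples."""
    out = [struct.pack("<5I", 5, 0, 0, INFO2_RECORD_LEN, 0)]
    for index, drive, path, size, deleted in entries:
        ansi = path.encode("cp1252").ljust(260, b"\x00")
        mid = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
        uni = (path.encode("utf-16-le") + b"\x00\x00").ljust(520, b"\x00")
        out.append(ansi + mid + uni)
    return b"".join(out)


# Constructed sample: user name, paths, sizes and timestamps are invented.
SAMPLE_INFO2 = build_sample_info2([
    (1, 2, r"C:\Documents and Settings\bob\My Documents\memo.doc", 24576,
     datetime(2009, 6, 1, 8, 30, 0, tzinfo=timezone.utc)),
    (2, 4, r"E:\photos\img_001.jpg", 1048576,
     datetime(2009, 6, 1, 9, 5, 15, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print(f"{rec['recycled_name']}: {rec['path_unicode']} deleted "
              f"{rec['deleted'].isoformat()} ({rec['size']} bytes)")
```

The recycled name is what you would look for in the SID folder to recover the content, while the Unicode path field is the one to trust for non-ASCII file names; the ANSI copy is best used as a cross-check and as the indicator for purged slots.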
By understanding and meticulously analyzing these artifacts, digital forensic investigators can piece together a compelling narrative about file activity, even when explicit files have been removed from the system. These digital breadcrumbs are invaluable for revealing the truth about what happened on a Windows machine.