Tracing the Digital Footprints - File Download

Understanding how files arrive and are handled on a Windows system is a cornerstone of digital forensics. From everyday documents to potentially malicious software, every downloaded file leaves a trail. This blog post delves into key Windows artifacts that provide invaluable insights into file download activities.
Open/Save MRU
The "Open/Save MRU" (Most Recently Used) key is a fundamental artifact for tracking user interaction with files.
Description: This key tracks files that have been opened or saved within a Windows shell dialog box. It represents a significant data set, encompassing not only web browsers like Internet Explorer and Firefox, but also a majority of commonly used applications.
Location:
Windows XP:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Windows 7/8/10:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Interpretation:
The "*" key within this artifact tracks the most recent files of any extension that were input in an Open/Save dialog.
Subkeys named after three-letter extensions (.???) store file information from the Open/Save dialog specifically for that extension.
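To turn the raw values of a "*" or extension subkey into the newest-first order the interpretation above relies on, the MRUListEx value has to be decoded. The following is an added example, not code from the original post; the sample subkey is constructed, with placeholder bytes standing in for the real PIDL blobs, and live registry access is only attempted on Windows.

```python
import struct
import sys
from typing import Dict, List, Tuple

MRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU"

def parse_mrulistex(data: bytes) -> List[int]:
    """MRUListEx is a run of 32-bit little-endian slot numbers, most recently
    used first, terminated by 0xFFFFFFFF. A trailing partial word is ignored."""
    order = []
    usable = data[: len(data) - len(data) % 4]
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order

def order_entries(values: Dict[str, bytes]) -> List[Tuple[int, bytes]]:
    """Return (slot, raw PIDL bytes) for one subkey ('*' or an extension key),
    newest first. Slots named in MRUListEx but absent from the key are skipped."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    return [(slot, values[str(slot)]) for slot in order if str(slot) in values]

def read_subkey_values(extension: str = "*") -> Dict[str, bytes]:
    """Read every value of one OpenSavePidlMRU subkey from the live user hive.
    Windows only; an exported NTUSER.DAT needs an offline hive parser instead."""
    if sys.platform != "win32":
        raise OSError("live registry access requires Windows")
    import winreg
    values: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MRU_KEY + "\\" + extension) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            values[name] = data
            index += 1
    return values

# Constructed sample of a '*' subkey: slot 2 was used most recently, then 0, then 1.
# The slot values are placeholder bytes, not real ItemIDList (PIDL) structures.
SAMPLE_STAR_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": b"PIDL-placeholder-report.docx",
    "1": b"PIDL-placeholder-budget.xlsx",
    "2": b"PIDL-placeholder-setup.exe",
}

if __name__ == "__main__":
    for slot, pidl in order_entries(SAMPLE_STAR_KEY):
        print(slot, pidl)
```

The PIDL bytes themselves still need a shell item parser to recover the file name and path; the ordering is what this block contributes.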
Email Attachments
Email attachments are a primary method for file transfer, leaving distinct forensic traces on a system.
Description: The email industry estimates that 80% of email data is stored via attachments. Since email standards fundamentally allow only text, attachments must be encoded using MIME/base64 format for transfer.
Location:
Windows XP:
%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook
Windows 7/8/10:
%USERPROFILE%\AppData\Local\Microsoft\Outlook
Interpretation: Microsoft Outlook data files, such as OST and PST files, can be found in these locations. Additionally, forensic investigators should examine the OLK and Content.Outlook folders, as their roaming behavior can depend on the specific Outlook version used.
Skype History
Communication platforms like Skype often log file transfers, which can be critical for investigations.
Description: Skype history maintains a log of chat sessions and files transferred from one machine to another. This logging functionality is enabled by default in Skype installations.
Location:
Windows XP:
C:\Documents and Settings\<username>\Application Data\Skype\<skype-name>
Windows 7/8/10:
C:\%USERPROFILE%\AppData\Roaming\Skype\<skype-name>
Interpretation: Each entry within the Skype history will include a date/time value and a Skype username associated with the recorded action.
Browser Artifacts (History)
While not directly focused on file downloads, browser history can provide crucial context and indirect evidence of such activities.
Description: Browser history records websites visited by date and time. It stores details for each local user account, including the frequency (number of times visited). Importantly, it also tracks access to local system files. A "little-known fact" is that Internet Explorer history, in particular, records local, removable, and remote (via network shares) file access, providing an excellent means to determine which files and applications were accessed on the system daily. Search terms used in search engines may also be included.
Location: The specific location varies by browser and Windows version:
Internet Explorer:
IE6-7:
%USERPROFILE%\Local Settings\History\History.IE5
IE8-9:
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
IE10-11 & Edge:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox:
XP (v3-25):
%userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite
Win7/8/10 (v26+):
%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite
Chrome:
XP:
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\History
Win7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Interpretation: Browser history can reveal the sites that listed files which were opened from remote locations and subsequently downloaded to the local system. It records access to files on websites that were reached via a link. For Internet Explorer, entries stored in index.dat in the form file:///C:/directory/filename.ext indicate local or remote file access, but this does not necessarily mean the file was opened within the browser itself.
Downloads (Browser Download Manager History)
Beyond general history, browsers often keep a dedicated log of downloaded files, offering direct evidence of download activity.
Description: Firefox and Internet Explorer incorporate built-in download manager applications that meticulously record a history of every file downloaded by the user. This specific browser artifact is an "excellent" source of information regarding the websites a user has visited and the types of files they have been downloading from those sites.
Location:
Firefox:
XP:
%userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
Win7/8/10:
%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
Internet Explorer:
IE8-9:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\
IE10-11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation: These download history artifacts offer a wealth of information, including:
The filename, size, and type of the downloaded file.
The originating URL (Download from) and the Referring Page.
The File Save Location on the local system.
The Application Used to Open File.
The Download Start and End Times.
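The fields listed above map directly onto columns of the Firefox downloads.sqlite database, which also stores its timestamps as microseconds since 1970 (PRTime) and its save location as a file:// URL. The following is an added example, not code from the original post: it builds a constructed in-memory stand-in for the moz_downloads table (only the columns used here; the rows are invented) and extracts the fields the way an examiner would from a copy of the real file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# nsIDownloadManager state codes an examiner usually meets.
STATES = {0: "downloading", 1: "finished", 2: "failed", 3: "canceled", 4: "paused"}

def prtime_to_datetime(value: Optional[int]) -> Optional[datetime]:
    """startTime/endTime are PRTime: microseconds since 1970-01-01 UTC.
    A NULL or zero endTime means the transfer never completed."""
    return UNIX_EPOCH + timedelta(microseconds=value) if value else None

def file_url_to_path(url: str) -> str:
    """target is a file:// URL; file:///C:/Users/a/x.pdf becomes C:\\Users\\a\\x.pdf."""
    return unquote(urlparse(url).path).lstrip("/").replace("/", "\\")

def list_downloads(conn: sqlite3.Connection) -> List[Dict]:
    """Map each moz_downloads row onto the fields discussed above."""
    sql = """SELECT name, source, referrer, target, maxBytes, mimeType,
                    preferredApplication, startTime, endTime, state
             FROM moz_downloads ORDER BY startTime"""
    rows = []
    for name, source, referrer, target, size, mime, app, start, end, state in conn.execute(sql):
        rows.append({"filename": name, "size": size, "type": mime,
                     "download_from": source, "referring_page": referrer,
                     "save_location": file_url_to_path(target), "application": app,
                     "state": STATES.get(state, f"unknown({state})"),
                     "start": prtime_to_datetime(start), "end": prtime_to_datetime(end)})
    return rows

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for downloads.sqlite (subset of columns, invented rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT,
        source TEXT, target TEXT, startTime INTEGER, endTime INTEGER, state INTEGER,
        referrer TEXT, maxBytes INTEGER, mimeType TEXT, preferredApplication TEXT)""")
    start = 1710504000 * 1_000_000  # 2024-03-15 12:00:00 UTC as PRTime
    conn.executemany("INSERT INTO moz_downloads VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        (1, "invoice.pdf", "https://cdn.example.com/files/invoice.pdf",
         "file:///C:/Users/alice/Downloads/invoice.pdf", start, start + 3_000_000, 1,
         "https://example.com/portal", 48213, "application/pdf", None),
        (2, "tool.exe", "https://dl.example.net/tool.exe",
         "file:///C:/Users/alice/Downloads/tool.exe", start + 60_000_000, None, 3,
         "https://forum.example.net/thread/42", 1048576, "application/octet-stream", None),
    ])
    return conn
```

Against evidence, open a forensic copy read-only, e.g. sqlite3.connect("file:downloads.sqlite?mode=ro", uri=True), and pass that connection to list_downloads.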
ADS Zone.Identifier
A subtle but powerful artifact, the "Zone.Identifier" is an Alternate Data Stream (ADS) that tags the origin of downloaded files.
Description: Beginning with Windows XP SP2, whenever files are downloaded from the "Internet Zone" via a browser to an NTFS volume, an alternate data stream (ADS) named "Zone.Identifier" is automatically appended to that file. This stream serves as a digital marker, indicating the file's source.
Location: This artifact is not a standalone file or registry entry; instead, it is an alternate data stream embedded directly within the downloaded file itself on an NTFS volume.
Interpretation: The presence of the "Zone.Identifier" explicitly indicates that a file was downloaded from the "Internet Zone". This provides a potent piece of evidence for understanding the initial entry point of a specific file onto the system.
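The stream is a small INI-style text body; reading and parsing it is how the "Internet Zone" determination above is actually made. The following is an added example, not code from the original post: the sample stream is constructed to match what a Windows 10 browser writes (newer versions add ReferrerUrl and HostUrl; XP-era streams carry only ZoneId), and the directory scan assumes it runs on an NTFS volume under Windows.

```python
import configparser
import os
from typing import Dict, List, Optional, Tuple

# URLZONE values written to ZoneId; 3 (Internet) is the one that marks a download.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text: str) -> Dict:
    """Parse the INI-style body of a Zone.Identifier stream. Older Windows
    versions write only ZoneId; Windows 10 browsers also add ReferrerUrl
    (the referring page) and HostUrl (the URL the file was fetched from)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "-1"))
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"),
            "referrer": sec.get("ReferrerUrl"), "host": sec.get("HostUrl")}

def read_zone_identifier(path: str) -> Optional[Dict]:
    """Open the stream through the NTFS 'file:stream' syntax. None means the
    file carries no mark, e.g. it was created locally or passed through a
    FAT/exFAT volume, which cannot hold alternate data streams."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8-sig") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None

def find_internet_files(directory: str) -> List[Tuple[str, Dict]]:
    """List files under a directory whose stream says they came from the Internet zone."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            info = read_zone_identifier(full)
            if info and info["zone_id"] == 3:
                hits.append((full, info))
    return hits

# Constructed sample matching what a Windows 10 browser writes (CRLF line ends).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.com/downloads\r\n"
                 "HostUrl=https://cdn.example.com/files/tool.exe\r\n")
```

Absence of the stream is not proof that a file never came from the Internet: a copy through a non-NTFS volume or a tool that does not preserve streams removes it.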
These artifacts, when analyzed individually and correlated, provide a robust framework for reconstructing file download events and understanding user behavior on a Windows system. They are indispensable tools in any digital forensic investigation.