Tracing the Digital Footprints - File/Folder Opening

In the intricate landscape of digital forensics, understanding how users interact with files and folders on a Windows system is paramount. Every open, save, move, or even a simple glance at a folder leaves behind a digital fingerprint, providing critical clues for investigators. This blog post explores key Windows artifacts under the "File/Folder Opening" category, revealing how they document user activity and can help reconstruct crucial timelines.
Open/Save MRU
The Open/Save Most Recently Used (MRU) key is a treasure trove for understanding file interactions.
Description: This key tracks files that have been opened or saved within a Windows shell dialog box. That covers a very wide range of software: not only web browsers such as Internet Explorer and Firefox, but the majority of commonly used applications.
Location:
XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Interpretation:
The * subkey within this structure tracks the most recent files of any extension that were entered in an Open/Save dialog.
Subkeys named after three-letter extensions (e.g., .doc, .pdf) store file information from the Open/Save dialog specific to that extension.
Recent Files
Windows keeps a dynamic list of recently accessed files and folders, directly influencing the "Recent" menus available to users.
Description: This Registry key tracks the last files and folders opened and is used to populate the "Recent" menus of the Start menu.
Location:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Interpretation:
The RecentDocs key itself tracks the overall order of the last 150 files or folders opened. Its MRU (Most Recently Used) list maintains the temporal order in which each file/folder was opened. The last entry and the modification time of this key reveal the time and location at which the last file of a specific extension was opened.
Subkeys named after specific extensions (e.g., .???) store information about the last files with that extension that were opened. Their MRU lists also track temporal order.
The Folder subkey tracks the last folders that were opened, with its MRU list maintaining their temporal order. The last entry and the modification time of this key identify the time and location of the last folder opened.
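The MRU ordering that RecentDocs, its extension subkeys and the Open/Save MRU above all rely on lives in an MRUListEx value: an array of little-endian uint32 value indexes, most recent first, terminated by 0xFFFFFFFF. The following parser is an added example (not code from the original post or any tool); the RecentDocs values it reads are constructed, and the name decoder applies only to RecentDocs-style values (OpenSavePidlMRU values are raw PIDL data, so only the ordering function carries over).

```python
import struct
from typing import Dict, List

# Constructed sample of a RecentDocs key as read from NTUSER.DAT (not real hive
# data): each numbered value holds a null-terminated UTF-16LE file name followed
# by a shell item blob; MRUListEx is an array of little-endian uint32 value
# indexes, most recent first, terminated by 0xFFFFFFFF.
def _entry(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 16

SAMPLE_RECENTDOCS: Dict[str, bytes] = {
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.txt"),
    "2": _entry("report.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

def parse_mrulistex(data: bytes) -> List[int]:
    """Return the value indexes in MRU order (most recently used first)."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:          # list terminator
            break
        order.append(idx)
    return order

def entry_name(data: bytes) -> str:
    """Decode the null-terminated UTF-16LE name that opens a RecentDocs value."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le")

def recent_docs_order(values: Dict[str, bytes]) -> List[str]:
    """Most recently opened names first, following the MRUListEx ordering.
    The index list is authoritative for order; the numbered value names are not."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        # A stale index can point at a value that no longer exists; keep the gap visible.
        names.append(entry_name(raw) if raw is not None else f"<missing value {idx}>")
    return names
```

The first name returned is the entry whose write coincides with the key's LastWrite time, which is the timestamp the interpretation above refers to.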
Jump Lists
Introduced with Windows 7, Jump Lists provide a quick way for users to access frequently or recently used items, but also serve as a forensic goldmine.
Description: The Windows 7 taskbar (Jump List) is designed to allow users to "jump" or access items they have frequently or recently used quickly and easily. This functionality includes not only recent media files but also recent tasks. The data is stored in the AutomaticDestinations folder, where each unique file is prepended with the AppID of its associated application and contains embedded LNK files within its streams.
Location:
Win7/8/10: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Interpretation:
The Creation Time of an item indicates the first time the application was executed, or when the item was first added to the AppID file.
The Modification Time indicates the last time the application was executed with a file open, or when the item was last added to the AppID file.
Forensic investigators can open these AutomaticDestinations Jump List files with a Structured Storage Viewer. Each embedded stream is a separate LNK file, numbered in order from the earliest (usually 1) to the most recent (largest integer value). A list of Jump List AppIDs is available online for further reference.
Shell Bags
Shell Bags offer valuable insights into a user's browsing of folders, even those that no longer exist.
Description: Shell Bags track which folders were accessed on the local machine, the network, and/or removable devices. They can provide evidence of previously existing folders after deletion/overwrite and when certain folders were accessed.
Location:
Explorer Access:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Desktop Access:
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Interpretation: Shell Bags store information about which folders were most recently browsed by the user.
Shortcut (LNK) Files
Windows automatically creates shortcut files, which are a rich source of information about accessed files and their locations.
Description: Shortcut files (.lnk) are automatically created by Windows for "Recent Items" and whenever local or remote data files and documents are opened.
Location:
XP: C:\%USERPROFILE%\Recent
Win7/8/10: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
Win7/8/10: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
It's important to note that while these are primary locations, LNK files can also be found elsewhere on the system.
Interpretation:
The Creation Date of the Shortcut (LNK) File indicates the date/time the file of that name was first opened.
The Last Modification Date of the Shortcut (LNK) File indicates the date/time the file of that name was last opened.
LNK Target File Data (Internal LNK File Information) provides critical details about the target file, including:
Modified, Access, and Creation times of the target file itself.
Volume Information (Name, Type, Serial Number) where the target file resided.
Network Share information if it was accessed remotely.
The Original Location of the file.
The Name of the System where the file was located.
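The target timestamps listed above sit in the fixed 76-byte ShellLinkHeader that opens every .lnk file, while the shortcut's own creation and modification dates (first/last opened) come from the file system. The parser below is an added example, not code from the original post; it follows the public MS-SHLLINK header layout, and the shortcut it parses is constructed. Volume and network-share details live in the optional LinkInfo block that follows the header, which this example only flags as present.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HAS_LINK_INFO = 0x02   # LinkFlags bit: a LinkInfo block (volume serial / UNC share) follows
IS_UNICODE = 0x80      # LinkFlags bit: string data is UTF-16LE

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_lnk_header(blob: bytes) -> dict:
    """Parse the fixed 76-byte ShellLinkHeader (MS-SHLLINK) at the start of a .lnk file.
    The three timestamps describe the TARGET file, not the shortcut itself."""
    if len(blob) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", blob, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "target_attributes": attrs,
        "has_link_info": bool(flags & HAS_LINK_INFO),
        "is_unicode": bool(flags & IS_UNICODE),
    }

def build_sample_header(created: datetime, accessed: datetime, modified: datetime, size: int) -> bytes:
    """Constructed header (not a real shortcut) so the parser can be exercised offline."""
    return struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO | IS_UNICODE, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)

# Constructed sample values for the demo (dates are made up).
SAMPLE_CREATED = datetime(2023, 5, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2023, 6, 2, 14, 0, 5, tzinfo=timezone.utc)
SAMPLE_HEADER = build_sample_header(SAMPLE_CREATED, SAMPLE_CREATED, SAMPLE_MODIFIED, 1234)
```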
Prefetch
Prefetch files are primarily for system performance optimization, but they inadvertently record valuable execution history for forensic analysis.
Description: Prefetch increases system performance by pre-loading code pages of commonly used applications. The Cache Manager monitors all files and directories referenced by each application or process and maps them into a .pf file. This artifact is used to establish whether an application was executed on a system.
Limitations: Limited to 128 files on XP and Win7, and 1024 files on Win8-10.
Files are named in the format (exename)-(hash).pf.
Location:
WinXP/7/8/10: C:\Windows\Prefetch
Interpretation:
Each .pf file includes the last time of execution, the number of times the program was run, and the device and file handles used by the program.
The Creation Date of the .pf file (minus 10 seconds) indicates the date/time the file by that name and path was first executed.
The embedded last execution time within the .pf file, or the Last Modification Date of the .pf file (minus 10 seconds), indicates the date/time the file by that name and path was last executed.
Win8-10 systems will contain the last 8 times of execution. Additionally, these files can be examined for recently used file handles and device handles.
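The embedded execution times and run counter referred to above sit in the SCCA header of the .pf file, at offsets that depend on the header version. The parser below is an added example (not code from the original post or any forensic tool); it handles the version 23 (Win7) layout with one last-run time and the version 26/30 (Win8.1/Win10) layout with eight, and it checks the on-disk (exename)-(hash).pf name against the header. The files it parses are constructed, hash values included. Win10 stores prefetch files MAM-compressed, which this example detects but does not decompress.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per-version layout (offsets from file start): number of last-run FILETIMEs at 0x80
# and the offset of the run counter. 23 = Win7, 26 = Win8.1, 30 = Win10 (common
# variant; some Win10 builds place the counter at 0xC8 instead).
LAYOUT = {23: (1, 0x98), 26: (8, 0xD0), 30: (8, 0xD0)}

def filetime(v: int):
    return None if v == 0 else _EPOCH + timedelta(microseconds=v // 10)

def parse_prefetch(blob: bytes) -> dict:
    """Parse the SCCA header of an uncompressed .pf file (Win7 / Win8.1 / Win10 layouts).
    Win10 writes them MAM-compressed; decompress before calling this."""
    if blob[:3] == b"MAM":
        raise ValueError("compressed Win10 prefetch: decompress before parsing")
    if len(blob) < 0x84:
        raise ValueError("too short for a prefetch header")
    version, sig = struct.unpack_from("<I4s", blob, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"not a supported prefetch file (version {version})")
    exe = struct.unpack_from("60s", blob, 16)[0].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", blob, 76)[0]
    n_runs, count_off = LAYOUT[version]
    runs = struct.unpack_from(f"<{n_runs}Q", blob, 0x80)      # unused slots are zero
    run_count = struct.unpack_from("<I", blob, count_off)[0]
    return {"version": version, "exe": exe, "hash": f"{pf_hash:08X}",
            "run_count": run_count, "last_runs": [filetime(t) for t in runs if t]}

def name_matches(filename: str, info: dict) -> bool:
    """Check an on-disk (exename)-(hash).pf name against the header's name and hash."""
    return filename.upper() == f"{info['exe']}-{info['hash']}.PF".upper()

def build_sample(version: int, exe: str, pf_hash: int, run_times, run_count: int) -> bytes:
    """Constructed header-only sample (not a real prefetch file) for offline testing."""
    n_runs, count_off = LAYOUT[version]
    buf = bytearray(count_off + 4)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("60s", buf, 16, exe.encode("utf-16-le"))
    struct.pack_into("<I", buf, 76, pf_hash)
    fts = [((t - _EPOCH) // timedelta(microseconds=1)) * 10 for t in run_times]
    struct.pack_into(f"<{n_runs}Q", buf, 0x80, *(fts + [0] * (n_runs - len(fts))))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

# Constructed samples: the hash values and times are made up for the demo.
SAMPLE_RUNS = [datetime(2024, 3, 6, 17, 45, 10, tzinfo=timezone.utc),
               datetime(2024, 3, 4, 8, 0, 10, tzinfo=timezone.utc)]
SAMPLE_WIN8 = build_sample(26, "NOTEPAD.EXE", 0xD8414F97, SAMPLE_RUNS, 5)
SAMPLE_WIN7 = build_sample(23, "CMD.EXE", 0x4A81B364, SAMPLE_RUNS[:1], 12)
```

A name that fails name_matches() is worth a second look, since the header name and hash are written by the system while the file name can be renamed.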
Last-Visited MRU
Complementing the Open/Save MRU, this artifact narrows down the specific executable and path for the last accessed file.
Description: This artifact tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. Furthermore, each value tracks the directory location of the last file that was accessed by that application. For example: "Notepad.exe was last run using the C:\Users\Rob\Desktop folder".
Location:
XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Interpretation: This artifact directly tracks the application executables used to open files in OpenSaveMRU and the last file path used.
IE | Edge file://
Often overlooked, browser history can record much more than just internet browsing.
Description: A little-known fact about the Internet Explorer (IE) History is that the information stored within its history files is not solely related to Internet browsing. The history also records local, removable, and remote (via network shares) file access, providing an excellent means for determining which files and applications were accessed on the system, day by day.
Location:
Internet Explorer:
IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation:
This information is stored in the index.dat files (WebCacheV*.dat on IE10-11), with entries typically formatted as file:///C:/directory/filename.ext.
It is crucial to understand that the presence of such an entry does not mean the file was opened within the browser itself, but simply that the file was accessed.
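Turning those file:// entries back into Windows paths and a day-by-day view of local versus network-share access is a small amount of work once the URL form is understood. The code below is an added example, not from the original post; the history records it processes are constructed (visit time plus URL), and it makes no attempt to tell removable from fixed drives, which needs the host's volume mapping rather than the URL.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Constructed history entries (not real index.dat records): (visit time, URL).
SAMPLE_HISTORY: List[Tuple[datetime, str]] = [
    (datetime(2024, 3, 4, 9, 12), "file:///C:/Users/Rob/Documents/budget%202024.xlsx"),
    (datetime(2024, 3, 4, 9, 40), "http://www.example.com/"),
    (datetime(2024, 3, 4, 16, 5), "file://fileserver/finance/Q1/forecast.docx"),
    (datetime(2024, 3, 5, 8, 3), "file:///E:/DCIM/IMG_0001.jpg"),
]

def file_url_to_path(url: str) -> Optional[str]:
    """Turn a file:// history URL back into a Windows path; None for non-file URLs."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return None
    path = unquote(parts.path).replace("/", "\\")
    if parts.netloc and parts.netloc.lower() != "localhost":
        return "\\\\" + parts.netloc + path          # UNC path: access via a network share
    return path.lstrip("\\")                            # "/C:/dir/f.ext" -> "C:\dir\f.ext"

def classify_path(path: str) -> str:
    """'remote' for UNC paths, otherwise 'local' (a drive letter). Removable media cannot
    be distinguished from fixed disks here; compare the letter with the host's volumes."""
    return "remote" if path.startswith("\\\\") else "local"

def daily_file_access(history) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group file accesses per day as (HH:MM, kind, path); web URLs are dropped.
    Presence of an entry means the file was accessed, not that the browser opened it."""
    days = defaultdict(list)
    for when, url in history:
        path = file_url_to_path(url)
        if path is None:
            continue
        days[when.strftime("%Y-%m-%d")].append((when.strftime("%H:%M"), classify_path(path), path))
    for rows in days.values():
        rows.sort()
    return dict(days)
```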
Office Recent Files
Microsoft Office applications maintain their own internal logs of recently opened documents, offering specific insights into productivity and file interaction.
Description: Microsoft Office programs track their own "Recent Files" list to make it easier for users to remember the last file they were editing.
Location:
NTUSER.DAT\Software\Microsoft\Office\VERSION, where VERSION corresponds to: 10.0 = Office XP, 11.0 = Office 2003, 12.0 = Office 2007, 14.0 = Office 2010.
NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU, specifically for 15.0 = Office 365.
Interpretation: Similar to the general "Recent Files" artifact, this tracks the last files that were opened by each specific MS Office application. The last entry added, according to the MRU, signifies the time the last file was opened by that particular MS Office application.
By meticulously examining these "File/Folder Opening" artifacts, digital forensic investigators can reconstruct detailed timelines of user activity, identify accessed documents, and uncover crucial evidence related to data manipulation, exfiltration, or general system usage.