Archive for Registry Forensics

ShellBags & Windows 10 Feature Updates

Windows 10 feature updates have far reaching impacts on a digital forensic investigation. Released twice a year in Windows 10, these updates essentially install a new version of the Windows operating system when they’re applied. From clearing event logs to removing common USB storage registry subkeys and more, feature updates touch many artifacts often relied upon in digital investigations.

ShellBags are a popular artifact in Windows forensics often used to identify the existence of directories on local, network, and removable storage devices. ShellBags are stored as a highly nested and hierarchal set of subkeys in the UsrClass.dat registry hive of Windows 10 systems (although they’ve been around since much earlier versions of Windows). The structure and layout of shellbags has been covered in numerous locations (such as here and here), so I won’t be detailing that.  Instead, the focus of this post is to highlight the impact of Windows 10 feature updates as it relates to the interpretation of shellbags in a forensic investigation.

One of the data points that can be leveraged during shellbag analysis is the LastWrite time of various subkeys within the BagMRU hierarchy in an attempt to identify the first and last interacted times of a directory referenced by shellbags. The methodology used to identify these times, which leverages the MRUListEx values in conjunction with subkey LastWrite times, was detailed by Dan Pullega back in 2013 and later described in an episode of David Cowen’s forensic lunch. It was also incorporated into some shellbag forensic tools. While the interaction times of a directory referenced in shellbags can be extremely valuable, they come with some caveats for later versions of Windows 10.

During the process of installing a Windows 10 feature update, testing has shown that the LastWrite time of all subkeys in the BagMRU hierarchy are updated.  This looks to be the case with versions dating back to at least 1709 and up through the latest feature update (1903 at the time of this writing).  Since the LastWrite time of these subkeys is used to illustrate an interaction time with a directory, this eliminates the examiner’s ability to use the active UsrClass.dat hive to reliably determine interaction times that occurred prior to the most recent feature update.  As an example, the below screenshot illustrates the view of a couple of shellbag entries just prior to the 1803 feature update being applied to a system.

View of ShellBags Prior to Feature Update

The next screenshot below is from the same shellbag entries on the system after the 1803 feature update was applied on May 9, 2018.  As you can see, the first and last interacted timestamps have been updated to May 9, 2018.  The interaction times here are simply pulled from the LastWrite time registry subkeys.  The LastWrite time of the subkeys was changed during the feature update.

View of ShellBags After a Feature Update

This change wouldn’t necessarily stand out if you were focusing on a single location within the system shellbags. However, when the first/last interacted times (or the LastWrite times of UsrClass.dat subkeys) are viewed in aggregate, it becomes clear that they have been updated en masse.

Interaction Times After a Feature Update

One thing to note in this example is that the directory file system timestamps (such as the Created On timestamp included in the screenshots above) that are included in the shellbag extension blocks remain unchanged across feature updates.  However, the first and last interaction methodology that relies upon the LastWrite time of registry subkeys is limited by Windows 10 feature updates.  If a directory referenced in the shellbags is interacted with after a feature update, the associated LastWrite time should be as reliable as it has been for identifying an interaction time.  Directories that have not been interacted with since the most recent feature update will not have a reliable interaction time available in the active UsrClass.dat since any interaction time previously available for the directory was updated during the feature update.

This issue is reminiscent of the problems caused when various USB-related subkey LastWrite times were updated en masse.  As with the USB-related subkeys though, understanding the limitations of the data points that are being relied upon – registry subkey LastWrite times in this example – will allow an examiner to more effectively and accurately leverage the artifact.

Amcache and USB Device Tracking

Eric Zimmerman recently posted about updates to the amcache in Windows 10.  There are numerous additions to the new amcache format, including information about application shortcuts, device containers, and more.  This post is focused on the new information concerning storage devices tracked in the amcache, specifically in the Root\InventoryDevicePnp key.

Some of the useful bits of data that can be found through analysis of the amcache include device serial numbers, descriptions (e.g. FriendlyName-like values), volume names, VID/PID data, and more.  When a USB storage device is connected to a system, multiple subkeys in the amcache are created under Root\InventoryDevicePnp.  The following four keys have been observed to be associated with a device connection:

  1. swd/wpdbusenum/_??_usbstor#disk&ven_{manufacturer}&prod_{model}&rev_{rev}#{S/N or UID}#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} (WPD class subkey)
  2. usbstor/disk&ven_{manufacturer}&prod_{model}&rev_{rev}/{S/N or UID} (diskdrive class subkey)
  3. storage/volume/_??_usbstor#disk&ven_{manufacturer}&prod_{model}&rev_{rev}#{S/N or UID}#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} (volume class subkey)
  4.  usb/vid_{VID}&pid_{PID}/{S/N or UID} (USB class subkey)

Each of these four subkeys is created under Root\InventoryDevicePnp and will hold information about a connected device, with some information duplicated across two or more of the subkeys.  The Container ID of the device is present in each of the subkeys and can be used to easily link the information from each subkey.  The Container ID is helpful in tracking a device across other artifacts on a system as well since it is present in the USBSTOR subkey, the DeviceContainers subkey, and more.  Of the four subkeys listed above, the WPD class and diskdrive class subkey appear to contain the most useful information for identifying and profiling a USB device.

WPD Class Subkey

The WPD class subkey contains information such as the manufacturer, model/description, and the volume name/label of the device. Interestingly, I’ve seen instances in my testing where the volume name of a device is populated in the WPD class subkey when it is not available in other locations that it often exists (e.g. Windows Portable Devices key in the SOFTWARE hive).  This alone makes the WPD class subkey worth checking in order to help build a more complete profile of a USB device.

WPD Class Subkey

Diskdrive Class Subkey

The diskdrive class subkey contains information such as a description of the device (e.g. TOSHIBA External 3.0 USB Device) and the device serial number. The device serial number, along with VID/PID data, can be obtained from the ParentId value as well as the name of the subkey itself.  An example of a diskdrive class subkey name is: “usbstor/disk&ven_kingston&prod_dt_101_g2&rev_1.00/001372995dddcb6185180cdb&0”.

diskdrive Class Subkey

In my testing, the LastWrite time of all four class subkeys in the InventoryDevicePnp key is the same and is updated when a device is first connected, but it also appears to be updated through events outside of device connection/disconnection.  As such, the LastWrite time of these subkeys does not appear to be a reliable indicator of a connection or disconnection event.  I’ve also found that the subkeys related to some USB devices are quickly rolled out of the InventoryDevicePnp key.  In some instances, the most recently connected USB device was deleted after a system restart.  In other cases, the subkeys remained in the InventoryDevicePnp for some time.

The amcache doesn’t store the depth of USB device information found in the SYSTEM hive or other well-known locations, but it provides an additional data point that helps to corroborate and/or supplement data harvested from other areas.  For example, the Description value of the WPD class subkey can be used to gather the volume name/label of a device that was discovered through analysis of the SYSTEM hive by using the device serial or Container ID to correlate the two data points.  This method of analysis – using multiple data points across a system – will help to build a more complete profile of connected devices as well as increase your overall confidence in your findings.

RecentApps Registry Key

While digging into a Windows 10 NTUSER.DAT hive recently, I came across a registry key/subkey hierarchy that was really intriguing.  The top level key, called RecentApps, contained references to several applications and files that had been accessed on the system.  In addition to the application and file name, I found that the path to the application, a launch count, the full path to the file, and the last time the file was accessed was available from the RecentApps key hierarchy.

The RecentApps key is located in the user’s NTUSER.DAT hive at Software\Microsoft\Windows\Current Version\Search\RecentApps. Its general hierarchy looks something like the image below.  Beneath the RecentApps key is a series of subkeys named by GUIDs.  Each GUID subkey directly under RecentApps corresponds to an application.  Some of the GUID subkeys have additional subkeys as well, which correspond to particular files accessed by the application.

RecentApps key hierarchy

Application GUID Subkeys

As mentioned, the subkeys directly under RecentApps are associated with applications.  Each of these GUID subkeys contain values that may be of useful during an examination, such as the full path to the application, a last accessed time, and a launch count.  The LastAccessedTime value is in the ever-popular 64-bit FILETIME format.  In my experience, both the LastAccessedTime and LaunchCount values have been consistent with the last execution and run count data available in the UserAssist key.

RecentApps File Subkey

File GUID Subkeys

Each subkey under an application GUID’s “RecentItems” subkey is associated with a file accessed by the application and is also named by a GUID.  The information included in each file GUID subkey includes the file name, a last accessed time (in some cases), the full path of the file, and more.

The last accessed time, when present, is a FILETIME value and appears to be consistent with the last accessed time available from jump lists in the file system.  Unfortunately, this value does not appear to be populated in many cases.  Windows 10 Professional version 1703 build 15063.483 has been observed with the LastAccessedTime value populated, but in all other tested versions of Windows 10 – both before and after the release of 15063.483 – this value appears to be set to zero.  Fortunately, an access time for the file referenced by the file GUID subkey can be determined using the LastWrite time of the file GUID subkey itself.  Importantly, the LastWrite time does not appear to be updated on subsequent access to the file, so the LastWrite time should not be concluded as the last time the file was accessed without further corroborating evidence from other artifacts.

RecentApps\RecentItems Subkeys

The number of file GUID subkeys under each application GUID key appears to be limited to 10.  Interestingly, the cycling of these subkeys does not appear to be on a first-in-first-out basis (as with many other artifacts in Windows).  Instead, it appears that when an eleventh subkey is added to an application GUID key, the file GUID subkeys are arranged alphabetically by name.  After being arranged alphabetically, the last one in the list is removed.  Since the alphabetization is by GUID, it is inherently random which 10 files that were accessed by an application will be included in the list of file GUID subkeys .  The method of cycling utilized by the file GUID subkeys means that an examiner cannot conclude that the files referenced by these subkeys are the 10 files most recently accessed by a particular application.

Data points such as the RecentApps key hierarchy in Windows 10 help to provide corroborating information to increase an examiner’s overall confidence in his or her findings.  If any type of anti-forensic measures were taken (system or user initiated), locations such as the RecentApps key may also provide information that was deleted from other and more well known areas of the system.

Adobe Reader’s Not-So-cRecentFiles

Version 11.0.07 of Adobe Reader, released in May 2014, introduced some interesting changes that can impact forensic examination.  With previous versions of Reader for Windows, the cRecentFiles subkey found in the Acrobat Reader subkeys of an NTUSER.DAT hive provided an examiner with the five most recent files accessed by Adobe Reader.  Information about these files was divided into five subkeys named “c1”, “c2”, “c3”, etc., with each subkey containing a bit of information about the accessed file.  Version 11.0.07 of Adobe Reader expanded this capability, tracking much more than just the five most recently accessed files.  Additional information is also recorded about each accessed file, as well as a list of the
five most recently accessed folders.

The screenshot below shows the new look of the “c#” subkeys that store information about recent files accessed in Adobe Reader version 11.0.07 and above.  Note that the full path to these subkeys is found in a user’s NTUSER.DAT hive under “SoftwareAdobeAcrobat Reader<version>AVGeneralcRecentFilesc#”.

Values in a cRecentFilesc# subkey

The new values added to the “cRecentFilesc#”subkeys are
“sDate”, “uFileSize”, and“uPageCount”.  The “uFileSize” and “uPageCount” are pretty self-explanatory, storing the size of the file in bytes and the number of pages in the accessed file, respectively.

sDate value data

The “sDate” value stores the last time that the file was accessed in Adobe Reader.  The “sDate” value type is REG_BINARY, but the value data holds a simple ASCII string of the timestamp.  Interestingly, the time zone offset of the system at the time the file is opened is included in the “sDate” value data.  If the time zone of the system is changed, the offset included in the “sDate” value is reflected accordingly for files that are later opened in Adobe Reader.  This provides examiners with a more more granular view of when files were accessed in Adobe Reader, as previous versions only allowed us to determine the last time the most recent PDF was accessed.

The five most recently accessed folders are also tracked by
Adobe Reader version 11.0.07 and later in a “cRecentFolders” subkey under “HKCUSoftwareAdobeAcrobat Reader<version>AVGeneral”.  Recently accessed folders are maintained in a similar fashion as the recently accessed files, but the level of detail associated with each accessed folder is pretty minimal.  Each “c#” subkey provides us with the name and path of the accessed folder via the tDIText (or sDI) value, and we can correlate the Last Write time of the cRecentFolders subkey with time that the most recent folder was accessed.

Values in a cRecentFoldersc# subkey

Perhaps the most significant change from a forensic perspective in Adobe Reader version 11.0.7 and later is the alteration to the number of files tracked in the cRecentFiles subkey.  Instead of the most five most recent files that are tracked in previous versions, Adobe Reader 11.0.7 appears to track the 50 most recently accessed files.  In version 11.0.9, the maximum number of recently accessed files jumps to 100.  After testing the current version of Adobe Reader DC, 100 still appears to be the maximum.  This means that you could have up to 100 “c#” subkeys under the cRecentFiles key!  After 100 documents have been accessed, the subkeys will be reused in a FIFO fashion as seen in previous versions of Adobe Reader (e.g. the contents of subkey c100 will be removed and replaced with the contents of c99).

cRecentFiles with 100 subkeys

Examiners should be aware of this additional functionality in Adobe Reader in order to take advantage of the historical information it provides.  The cRecentFiles subkey from a user’s active NTUSER.DAT hive can provide a nice list of files accessed by Adobe Reader.  With later versions storing up to 100 “recently” accessed files, the cRecentFiles subkeys could end up storing files that were not-so-recently accessed as well.  Further, when combined with previous versions of the user’s NTUSER.DAT hive from volume shadow copies, an examiner may be provided with quite a detailed history of files accessed using Adobe Reader.

Leveraging the DeviceContainers Key

If you’ve ever examined registry artifacts related to a particular USB device, you’ve probably come across a value called “ContainerID”.  For example, a flash drive’s instance ID subkey of the USBSTOR key includes a ContainerID value.  Prior to Windows 8, a device’s Container ID was probably of little interest to an examiner. However, beginning with Windows 8, a device’s Container ID can be used to help profile a specific device and corroborate findings from other locations.  The CurrentControlSetControlDeviceContainers key of the SYSTEM hive on a Windows 8 machine holds a wealth of information, broken down by Container ID, about devices connected to the system.

Before dissecting the DeviceContainers subkey, it’s important to understand what a container ID represents in the first place.  Starting with Windows 7, container IDs were used to identify a physical device on the system.  This Windows Dev Center page describes a container ID as “a system-supplied device identification string that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.”  This “system supplied identification string” is a GUID and is referenced in various locations, including the EnumUSBSTOR and EnumUSB subkeys of the SYSTEM hive, as the “ContainerID”.  One thing to keep in mind is that all physical devices should be assigned a ContainerID – not just storage devices.  This means that when digging into the DeviceContainers key, many of the devices listed may be something other than storage devices (e.g. monitors, external speakers, keyboards, etc.).

DeviceContainersContainerID subkey structure

The screenshot on the right is an example of what you might see when browsing a device’s DeviceContainers subkey.  The top node as well as the subkey to the BaseContainers key is named by the ContainerID value (the same one found in the USBSTOR key).  The Properties subkey contains eight different sets of…. well, properties.  The idea of useful information being found in a set of “Properties” subkeys is not new; Harlan blogged about the Properties subkeys within the USBSTOR key here and Yogesh Khatri wrote about it here as well.  This is a different set of properties, however, than what is found in the USBSTOR key.

While there are numerous bits of data available in the Properties subkey, I will only highlight a few of the items that may prove useful in a typical forensic examination. The table below summarizes some of the information about a device that is available from the DeviceContainers key.  As you can see, the device instance ID, “DeviceContainer_ModelName”, and “DeviceContainer_PrimaryCategory” properties are available here in addition to two 64-bit FILETIME properties.  The “DeviceContainer_ModelName”, and “DeviceContainer_PrimaryCategory” properties are defined in the devpkey.h file of the Windows 8.1 SDK.  In addition to the property subkey listed in the table below, the device instance ID is also available in the subkey named by the device’s Container ID within the BaseContainers key.

 

 

 

The device instance ID is a valuable piece of information, as it contains the VID and PID of a device as well as the serial number or unique identifier of the device.  For example, when connecting a flash drive to a Windows 8.1 system, I found “USBVID_090C&PID_10001009070810017910” to be the device instance ID associated with the flash drive.  In this case, you can see that “1009070810017910” is the serial number of the flash drive; this information can be corroborated with the USB and USBSTOR keys as well.

The DeviceContainer_ModelName helps describe the device – similar to the FriendlyName value of the USBSTOR key.  Examples of what I have seen in this property are “My Passport 0730”, “iPhone”, and “USB DISK”.  The DeviceContainer_PrimaryCategory helps describe the purpose of the device.  Some examples of what I have noted in this property are “Storage”, “Audio”, and “Display Monitor”.

There are also two 64-bit FILETIME timestamps that appear to be consistent with the first time the device was connected to the system.  Specifically, the “3464f7a4-2444-40b1-980a-e0903cb6d912\0007” property appears to contain the time the device driver installation started, while the “3464f7a4-2444-40b1-980a-e0903cb6d912\0008” property appears to contain the time the device driver installation completed.  This theory is supported by the setupapi.dev.log file, which includes the start and end time of device driver installations.  Interestingly, these two timestamps are slightly different than the Install and First Install timestamps found in other Properties subkeys in the registry. Unfortunately I have not yet found a precise definition – such as that from a Windows SDK – for what these two timestamps officially represent.

One of the nice things about the DeviceContainers key is that it appears to group all physical devices that have been connected to a system into one place.  If an examiner is focusing solely on the USBSTOR key, he or she may miss the fact that an MTP device was connected or that a hard drive was connected using something other than USB.  While the DeviceContainers key may not necessarily provide information that cannot be found elsewhere, it serves as yet another source to help examiners corroborate findings from other locations on the system and may be critical in cases where the ordinary sources of device-related information are not available.