Digital Forensics Stream
Findings, tips, and tools developed while trekking through the world of digital forensics

Archive for TypedURLsTime

Posted by Jason Hale 
· June 12, 2012 
· 6 Comments

TypedURLsTime RegRipper Plugin

I mentioned in a previous post that a RegRipper plugin (or something similar) would need to be written in order to easily correlate the contents of the TypedURLs subkey with the TypedURLsTime subkey that is present in Windows 8.  Being that I haven’t had the opportunity to do a whole lot with Perl or write a RegRipper plugin, I figured this would be a good learning experience for me and another way to contribute a bit to the community.  Harlan’s Windows Registry Analysis book does a nice job explaining the process of creating a RegRipper plugin, so I decided to start there.

The book mentions the fact that you can create plugins while writing very little code by copying the functionality from other existing plugins. After all, why spend time rewriting something that’s already been put out there (although an argument could be made for the sake of learning)? With that in mind, I thought about the different plugins that I’d executed in the past and what they did.  The typedurls plugin would obviously take care of parsing the TypedURLs subkey for me; I only needed to find code that would parse the TypedURLsTime value data containing the FILETIME structures.  The first plugin that came to mind is also one of my favorites: the userassist2 plugin.

So to create the TypedURLsTime plugin, I started simply by copying the code that parses the contents of the UserAssist key and adding that to the parsing code for the TypedURLs key.  I then went in and removed some unnecessary portions, such as the part decoding the ROT-13 values existing in the UserAssist key.  I was left with code that would parse both of the subkeys I’m interested in; I just needed to correlate the results to make the output easier to read.  There is an abundance of material out there to help you get started with Perl.  Learn.perl.org is a nice way to learn the basics; you can also go out and buy one of the many books that exist on the subject (Learning Perl on Win32 Systems was recommended to me).  After reading though a bit of the basics (comparing values, looping, hashes, etc.), I put together the rest of the plugin to correlate the results and display them appropriately.  I added a couple of variables, but the vast majority of the code and the actual work was completed using functionality from two previously written plugins.  That’s it.  In very little time and roughly 10 lines of code, I’d put something together that can be used to extract and make use of the information from the TypedURLsTime subkey or simply add in as part of a plugin file for future use.

This obviously required very little coding, but that’s part of the point.  I was surprised at how easy it was and the limited amount of Perl knowledge that’s required to create a working RegRipper plugin.  That’s not to say that other plugins wouldn’t require much more coding and a deeper knowledge of Perl, but this is an example of how easy it can be. So the next time you think about writing a RegRipper plugin or realize that one would be helpful, think about what you’re trying to pull from the registry. What is the format of the data you’re trying to parse?  Are there existing plugins that perform some or all of the required functionality, except applied to a different key?  You might find that nearly everything you need is already out there and available, you just need to piece it together.

If you’re interested in viewing or testing the typedurlstime plugin, it’s included as part of the updated RegRipper plugins archive available from the RegRipper wordpress site (or more precisely, the RR supplemental plugins google code page).  I also went ahead and modified the reporting format to allow for outputting in TLN format, which is available with the typedurlstime_tln plugin (included in the download).  The output of the typedurlstime plugin could easily be modified to report in csv format as well.

6 Comments
Categories : Registry Forensics, Tool Release/Update
Tags : , ,
Posted by Jason Hale 
· May 8, 2012 
· 4 Comments

Windows 8 TypedURLsTime

Amanda Thomson posted a Windows 8 Forensic Guide last month that covers a variety of topics examiners can expect to encounter with this new operating system on the horizon.  One of the new items in Windows 8 – existing at least in the Consumer Preview version – is the TypedURLsTime subkey that is located in the respective user’s NTUSER.DAT hive.  Amanda touched on this in her guide, but also mentioned that additional research should be conducted on this subkey. I was interested in when this key was updated, how it might be affected by a user performing specific actions (such as clearing the browsing history), and the added benefits to forensic analysis that an examiner may see with the existence of this subkey.  In an attempt to answer these questions, I ran a few tests on a clean install of Windows 8 Consumer Preview using Internet Explorer 10.

Note that this post doesn’t go into a great deal of detail regarding the TypedURLs subkey because it’s been covered in other locations such as the Crucial Security Forensics Blog and ForensicArtifacts.com.  I would recommend checking out one of those or the many other sources out there that discuss the TypedURLs subkey if you’re interested in more information.

Upon review of the NTUSER.DAT hive immediately after the first login (before Internet Explorer was ever opened), I observed a single value named “url1” in the TypedURLs subkey with the data being “http://go.microsoft.com/fwlink/?LinkId=69157”.  This existence of this value appears to be consistent with the behavior in older versions of Windows.  The TypedURLsTime subkey had not been created at this point.

After visiting a few websites by typing the URL into the address bar and hitting Enter, I observed that the URLs I typed had been added to the TypedURLs subkey with the most recently visited site being associated with the value “url1”.  This is consistent with the behavior an examiner would expect to see in older versions of Windows.  However, I also observed that the TypedURLsTime subkey had been created after values were added to the TypedURLs subkey.  The TypedURLsTime subkey is located at HKCUSoftwareMicrosoftInternet ExplorerTypedURLsTime. The values within this key are similar to those in the TypedURLs subkey (“url1”, “url2”, etc.), but the data for each of the values consists of a 64-bit FILETIME structure, as noted in Amanda’s guide.  This date/time combination appears to be the most recent date/time the corresponding URL was added to the TypedURLs subkey.  The connection is trivial to make between the TypedURLs subkey and the TypedURLsTime subkey. The URL listed as the data of value “url1” in the Typed URLs subkey was last added to that subkey at the date and time (UTC) contained within the data of value “url1” in the TypedURLsTime subkey.  This appears to be consistent and accurate with each “url##” value within each subkey.

An important point to note is that the date/time listed in the TypedURLsTime subkey corresponds to the most recent date/time the corresponding value was added to TypedURLs.  That is, if an entry for “www.google.com” already exists as the data of “url5” in TypedURLs and is added to the key again, the entry for “www.google.com” will become “url1” in the TypedURLs subkey and the data for “url1” in the TypedURLsTime subkey will correspond to the most recent visit to “www.google.com”.  The original data that once existed as “url5” will be replaced by the data from “url4” as each of the values are shifted down in order to add the most recent URL as “url1”.  Values existing in either subkey after “url5” (“url6”, “url7”, etc.) will remain the same.

One difference I noted with Windows 8 is that it appears the maximum number of values within the Typed URLs subkey – and thus the TypedURLsTime subkey – has been increased to 50, as opposed to the limit of 25 that exists in previous versions of Windows.  This may not be a huge difference, but more information – especially when it comes to user activity – is always nice.

When a user clears the browsing history via Internet Options –> Delete (under the Browsing History category), both the TypedURLs and TypedURLsTime subkeys are deleted.  I observed this when monitoring the deletion operating using procmon (snipped screenshot below).

The deletion of these subkeys, specifically the TypedURLs subkey, is of note to an examiner.  As Harlan mentioned in his corollary to the first law of computer forensics, “Once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact”.  Since we know that the TypedURLs subkey should exist in a default installation of Windows 8, the absence of this subkey would be an indication that the browsing history may have been deleted (or the user may have taken other means to remove this subkey).

Further, the TypedURLs subkey does not appear to be immediately recreated after it is deleted using the method described above.  I have noted that opening Internet Explorer and navigating to websites using links within web pages will not prompt Windows to recreate this key.  I also noted that launching regedt32 directly from the System32 folder will not recreate the key, nor will restarting the machine.  However, oddly enough, opening the Run window appears to cause the shell to recreate the TypedURLs subkey (I would imagine there are other means of accomplishing this too, aside from visiting websites to populate the subkey).  When TypedURLs is created in this manner, the “url1” value with “http://go.microsoft.com/fwlink/?LinkId=69157” as its data does not exist as we observed before.  Instead, there are no values contained within the subkey.  This is yet another interesting note for an examiner. Observing the existence of an empty TypedURLs subkey may be an indication that the browsing history was deleted at some point, but the subkey was later recreated by the shell.  Note that when the TypedURLs and TypedURLsTime subkeys are deleted, their contents may still be recoverable as with any other deleted registry keys.  I successfully recovered portions of these subkeys after the browsing history was deleted by using regslack as well as X-Ways Forensics, although any registry-carving utility should work.

So what exactly are we gaining as forensic examiners with the introduction of the TypedURLsTime subkey? Once obvious benefit is that we’re provided with more information regarding the URLs listed in the TypedURLs subkey.  We can now correlate those URLs with a date and time that they were last added to the subkey.  And you can’t say date/time in the DFIR world today without thinking timeline.  A tool/script/RegRipper plugin or log2timeline module will need to be written, but correlating the contents of TypedURLs with TypedURLsTime may contribute valuable information to a timeline.  When you add in the additional entries that may exist in NTUSER.DAT hives from volume shadow copies, these subkeys become even more interesting.

Overall, it appears that the TypedURLsTime subkey is closely tied to the TypedURLs subkey, which doesn’t come as a surprise.  However, the knowledge that this key exists and how we might be able to use it will be important when we begin encountering it during examinations.  This is just a single aspect of Windows that will be a bit different with the introduction of Windows 8 (assuming this key is still around when its officially released).  There is certainly a lot of work and research that will need to be conducted so that we as forensic examiners can be ready for what’s to come with Windows 8.

4 Comments
Categories : Registry Forensics
Tags : , ,

Twitter

Subscribe via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Archives

DISCLAIMER

The contents of this blog reflect my opinion and may not represent the views of my employer or anyone else.  Any material on this blog, especially related to technology and/or forensic methodology should not be assumed to be true in all possible scenarios.  As always, test any theories, ideas, or tools from this blog in your own environment before stating them or the results therefrom as factual.