File and Folder Interaction
Techniques that can be used to discover evidence of an attacker's post-breach interaction with files and folders, such as searching, deleting and opening them.
Windows
XP Search (ACMRU)
A wide variety of information can be searched for through the search assistant on a Windows XP Machine. The search assistant will remember a user's search terms for filenames, computers, or words that are inside a file. This is an example of where you can find the "Search History" on the Windows system.
WIN: XP SRV: NULL
Location
Interpretation and Investigative Notes
ACMRU subkey   Search type
####-5001      Search the Internet
####-5603      All or part of a document name
####-5604      A word or phrase within a document
####-5647      Printers, computers, or people
ThumbCache.db
Thumbnails of pictures, office documents, and folders exist in a database called the thumbcache. Each user has their own set of databases, one per thumbnail size viewed by the user (small, medium, large, and extra large).
WIN: XP+ SRV: 2003+
Location
Interpretation and Investigative Notes
Created when a user switches a folder to thumbnail mode or views pictures via a slide show. Thumbnails are now stored in separate database files rather than per-folder.
Each database file stores the thumbnail copy of the picture at the corresponding thumbnail size (Small, Medium, Large, and Extra Large).
Thumbs.db
A hidden file in each directory containing images, storing a smaller thumbnail graphic of each picture. Thumbs.db catalogs the pictures in a folder and retains a copy of the thumbnail even if the pictures were deleted.
WIN: XP+ SRV: 2003+
Location
Interpretation and Investigative Notes
The database includes information such as:
Thumbnail of the original picture
Document Thumbnail - Even if Deleted
Last Modification Time (XP Only)
Original Filename (XP Only)
Internet Explorer (IE) and Edge File History
A little-known fact about the IE and Edge History is that the information stored is not just related to Internet browsing. The history also contains records of local and remote network share file access, giving us an excellent means for determining which files and applications were accessed on the system, day by day.
WIN: XP+ SRV: 2003+
Location
Interpretation and Investigative Notes
Stored in index.dat as: file:///C:/directory/filename.ext
Does not prove that the file was opened by the browser
Search WordWheelQuery
Keywords searched for from the START menu search bar.
WIN: 7+ SRV: 2003+
Location
Interpretation and Investigative Notes
Keywords are added in Unicode and listed in temporal order in an MRUlist.
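As an added illustration of how that MRUListEx ordering works (example code written for this page, not the site's own tooling), the following parses a constructed set of WordWheelQuery values and returns the search terms most recent first. The value names "0", "1", "2" and "MRUListEx" follow the key's real layout; the keyword strings are constructed sample data.

```python
import struct

def parse_mrulistex(data: bytes) -> list:
    """Decode an MRUListEx value: little-endian DWORD value indices,
    most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for offset in range(0, len(data) - len(data) % 4, 4):
        (idx,) = struct.unpack_from("<I", data, offset)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def decode_keyword(raw: bytes) -> str:
    """Keyword values are UTF-16LE strings, NUL terminated."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def wordwheel_history(values: dict) -> list:
    """Return the search keywords in temporal order, most recent first,
    given the key's values as {value name: raw bytes}."""
    order = parse_mrulistex(values["MRUListEx"])
    return [decode_keyword(values[str(i)]) for i in order]

# Constructed sample of a WordWheelQuery key's values (not from a real system).
# On a live system these are read from NTUSER.DAT under
# Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
SAMPLE_WORDWHEELQUERY = {
    "0": "budget report".encode("utf-16-le") + b"\x00\x00",
    "1": "resume".encode("utf-16-le") + b"\x00\x00",
    "2": "vpn config".encode("utf-16-le") + b"\x00\x00",
    # Index 2 was searched most recently, then 0, then 1.
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for rank, term in enumerate(wordwheel_history(SAMPLE_WORDWHEELQUERY), 1):
        print(f"{rank}. {term}")
```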
Recycle Bin
The Recycle Bin is a very important location on a Windows file system to understand. It can help during a forensic investigation, as every file deleted from a Recycle Bin-aware program is generally first placed in the Recycle Bin.
WIN: XP+ SRV: 2003+
Location
Interpretation and Investigative Notes
WINDOWS XP
Subfolder is created with the user's SID and can be mapped to the user
Maps the file name to the actual name and path it was deleted from
A hidden file in the directory called INFO2 contains the Deleted Time and Original Filename in both ASCII and UNICODE
WINDOWS 7+
Subfolder is created with the user's SID and can be mapped to the user
Deleted Time and Original Filename are contained in separate files for each deleted recovery file
Filenames prefixed with $I###### contain: Original PATH and name; Deletion Date/Time
Filenames prefixed with $R###### contain: Recovery Data
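To show what the $I###### metadata file actually holds, here is an added parser (written for this page, not the site's own tool) that reads the version, original size, deletion FILETIME and original path from a $I file. It handles both the Vista/7/8 layout (version 1, fixed 520-byte path) and the Windows 10+ layout (version 2, length-prefixed path); the sample file is constructed in the code, not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when: datetime) -> int:
    d = when - WIN_EPOCH  # integer arithmetic keeps the full tick precision
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I###### file. Version 1 (Vista/7/8) carries a fixed 520-byte
    UTF-16LE path; version 2 (Windows 10+) a 4-byte char count then the path."""
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ticks), "path": path}

def build_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Build a $I file for the constructed sample below (not real evidence)."""
    ticks = datetime_to_filetime(deleted)
    name = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ticks) + name.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ticks, len(path) + 1) + name

# Constructed sample: a spreadsheet deleted by a user on a Windows 10 host.
SAMPLE_DELETED = datetime(2023, 5, 4, 13, 22, 5, tzinfo=timezone.utc)
SAMPLE_DOLLAR_I = build_dollar_i(r"C:\Users\alice\Documents\q3-report.xlsx", 48213, SAMPLE_DELETED)

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_DOLLAR_I)
    print(f"{rec['deleted']:%Y-%m-%d %H:%M:%S} UTC  {rec['size']:>8} bytes  {rec['path']}")
```

The matching $R###### file with the same six-character suffix holds the recovered content itself; pairing the two gives the original path, deletion time and data for each deleted item.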
LastVisitedMRU
Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location of the last file that was accessed by that application.
Darkcybe - Evidence of Execution
OpenSaveMRU
Tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and Firefox, but also a majority of commonly used applications.
Darkcybe - Evidence of Download
Recent Files
Registry key that tracks the last files and folders opened and is used to populate the "recent" menus of the Start Menu.
WIN: XP+ SRV: Not Tested
Location
Interpretation and Investigative Notes
RecentDocs
The overall key tracks the order of the last 150 files or folders opened. The MRU list keeps the temporal order in which each file/folder was opened.
Includes a last entry time which mirrors the last opening time.
The .%%% key (three-letter extension) stores file-opening operations for that specific extension in temporal order.
The Folder key stores folder access, based on opening, in temporal order.
Jump Lists
The Windows task bar (Jump List) is engineered to allow users to "jump" to or access items they have frequently or recently used, quickly and easily. This functionality includes not only recent media files but also recent tasks.
The data stored in the AutomaticDestinations folder will each be a unique file prepended with the AppID of the associated application on Windows 7 through 10 machines. On Windows 11 these are shortcut (.LNK) files that point to the application, file, or directory.
Darkcybe - Evidence of Execution
Shell Bags
Records which folders were accessed on the local machine, the network and/or removable devices; provides evidence of previously existing folders after deletion/overwrite; and shows when certain folders were created.
WIN: XP+ SRV: Not Tested
Location
Interpretation and Investigative Notes
Shortcut Files (.LNK)
Shortcut files are automatically created by Windows when accessing recent items and opening local and remote data files and documents. On Windows 11 these are shortcut (.LNK) files that point to the application, file, or directory.
WIN: XP+ SRV: Not Tested
Location
Interpretation and Investigative Notes
Although the locations listed are the default, they can be created anywhere.
Creation Date of .LNK file = Date/Time a file of that name was first opened
Last Modification Date of .LNK file = Date/Time a file of that name was last opened
LNK Target File details (internal LNK file details):
Modified, Accessed and Creation times of target file
Volume information
Network Share information
Original location
Name of system
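The target file's own timestamps live inside the shortcut, separate from the .LNK file's filesystem dates described above. As an added example (written for this page, not the site's tooling), the following reads the target's creation, access and modification FILETIMEs, size and attributes out of the 0x4C-byte ShellLinkHeader that starts every .LNK file; the sample header is constructed in the code, so no real shortcut is needed.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int):
    """FILETIME ticks (100 ns since 1601-01-01 UTC); zero means 'not set'."""
    return None if ticks == 0 else WIN_EPOCH + timedelta(microseconds=ticks // 10)

def parse_lnk_header(data: bytes) -> dict:
    """Read the target's MAC times, size and attributes from the ShellLinkHeader
    (the first 0x4C bytes of a .LNK file)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad header size or CLSID)")
    # LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 0x14)
    return {
        "link_flags": flags,
        "target_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
    }

def build_lnk_header(ctime: int, atime: int, wtime: int, fsize: int) -> bytes:
    """Assemble a bare ShellLinkHeader for the constructed sample below
    (LinkFlags 0, FILE_ATTRIBUTE_ARCHIVE, IconIndex 0, SW_SHOWNORMAL, no hotkey)."""
    return struct.pack("<I16sIIQQQIIIH", LNK_HEADER_SIZE, LNK_CLSID, 0x0, 0x20,
                       ctime, atime, wtime, fsize, 0, 1, 0) + b"\x00" * 10

def ticks(dt: datetime) -> int:
    """Whole-second datetime to FILETIME ticks, using integer arithmetic."""
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000

# Constructed sample: target created 2022-11-01, last written and read 2023-02-10 (UTC).
SAMPLE_CREATED = datetime(2022, 11, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2023, 2, 10, 16, 30, 0, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk_header(ticks(SAMPLE_CREATED), ticks(SAMPLE_MODIFIED),
                              ticks(SAMPLE_MODIFIED), 1_048_576)
```

A real shortcut continues past the header with the LinkTargetIDList, LinkInfo (volume and network share data) and string data, which carry the original location and system name listed above.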
Prefetch
Increases the performance of a system by pre-loading code pages of commonly used applications. The Cache Manager monitors all files and directories referenced by each application or process and maps them into a .pf file. Used to determine that an application was executed on a system.
Limited to 128 files on XP and Windows 7
Limited to 1024 files on Windows 8
<EXE_NAME>-<HASH>.pf
Darkcybe - Evidence of Execution
Microsoft Office Recent Files
Microsoft Office programs will track their own recent files list to make it easier for users to remember the last file they were editing.
WIN: XP+ SRV: Not Tested
Location
Interpretation and Investigative Notes
Similar to recent files, this will track the last files that were opened by each Microsoft Office application. The last entry added, per the MRU, will be the time the last file was opened by a specific application.
Windows Timeline (ActivitiesCache.db)
Windows 10 introduced a background feature that records recently used applications and accessed files over a 30-day period in a "timeline" accessible via the "WIN+TAB" key. The data is recorded in a SQLite database. Windows 11 removed the "WIN+TAB" functionality; however, the ActivitiesCache.db still remains.
Research identified that Windows Server 2016 also maintains an ActivitiesCache.db file; however, ActivityOperation, Activity_PackageId, and Activity entries were not recorded.