User Behavior
Shellbags
Description:
Shellbags are Registry artifacts in which Windows Explorer stores the view settings (window size and position, sort order, view mode) of every folder a user has browsed. Because an entry is written when a folder is opened, they let an examiner reconstruct which directories a user visited, including directories that have since been deleted.
Important Information:
- Entries persist after the folder itself has been deleted, so they reveal directories that no longer exist on disk.
- They record folder names, paths and view metadata, not the files inside the folder and not file contents.
Registry Paths:
- HKCU\Software\Microsoft\Windows\Shell\BagMRU (NTUSER.DAT)
- HKCU\Software\Microsoft\Windows\Shell\Bags (NTUSER.DAT)
- HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (USRCLASS.DAT)
- HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (USRCLASS.DAT)
- On Windows 7 and later most Explorer shellbags are written to USRCLASS.DAT, so always parse both hives.
Analysis:
- MRUListEx value: each BagMRU key holds numbered subkeys (0, 1, 2, ...), one per subfolder, each containing a shell item that carries the folder's name. The parent key's MRUListEx value is a list of 4-byte little-endian indices into those subkeys, most recently used first, terminated by 0xFFFFFFFF. Example: subkeys 0, 1, 2 hold Folder0, Folder1, Folder2; a MRUListEx of 2, 0, 1 means Folder2 was opened last. When a subfolder is opened, MRUListEx is rewritten to move its index to the front, and the last-write time of the parent BagMRU key is updated. That timestamp therefore dates the most recent visit to any subfolder of that key, not the visit to one specific folder.
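The MRUListEx decoding described above, as an added Python example (not code from the original page or from any of the tools it lists). It assumes the subfolder names have already been extracted from the numbered subkeys' shell items, which is what a tool like ShellBags Explorer does; the sample value and subkey names are constructed, not taken from a real hive. The same value format is used by RecentDocs, so the parser applies there as well.

```python
from __future__ import annotations

import struct


def parse_mrulistex(data: bytes) -> list[int]:
    """Decode a MRUListEx value.

    The value is a sequence of little-endian DWORD indices into the numbered
    subkeys of the same key, most recently used first, terminated by
    0xFFFFFFFF. A truncated value (missing terminator or a trailing partial
    DWORD) is tolerated: decoding stops at the last complete DWORD.
    """
    order = []
    for off in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def mru_order(mrulistex: bytes, subfolders: dict[int, str]) -> list[tuple[int, str]]:
    """Map the decoded index order back to subfolder names.

    `subfolders` maps each numbered subkey (0, 1, 2, ...) to the folder name
    carried by its shell item. An index with no matching subkey is reported
    rather than dropped, because a dangling index is itself worth noting.
    """
    names = subfolders
    return [(i, names.get(i, "<no such subkey>")) for i in parse_mrulistex(mrulistex)]


# Constructed sample (not from a real hive): three subkeys, Folder2 opened last.
SAMPLE_SUBFOLDERS = {0: "Folder0", 1: "Folder1", 2: "Folder2"}
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)

if __name__ == "__main__":
    for rank, (idx, name) in enumerate(mru_order(SAMPLE_MRULISTEX, SAMPLE_SUBFOLDERS)):
        print(f"{rank}: subkey {idx} -> {name}")
```

The parent key's last-write time tells you when this order was last rewritten; to date a visit to one particular folder you still need the shell item's own embedded timestamps, which this snippet does not decode.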
Software:
- ShellBagsExplorer (EZ)
Jumplists
Description:
Jumplists in Windows provide quick access to recently or frequently used files and tasks associated with applications, accessible from the taskbar or Start menu. They are useful in digital forensics for tracking user activity and identifying recently accessed documents and programs.
Important Information:
- A jump list is a container of LNK (shortcut) structures, one per destination. AutomaticDestinations files are OLE compound files with one LNK stream per entry plus a DestList stream holding entry order and last-used times; CustomDestinations files are LNK structures written back to back. Each embedded LNK carries the target's path, size and timestamps.
Paths:
- C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms (created by Windows for recently used items)
- C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms (written by applications, e.g. pinned items and tasks)
- The file name is the AppID, a 16-hex-digit hash of the application; a list of known AppIDs is needed to map it back to a program.
Analysis:
- Timestamps (UTC): the target's created, modified and last-accessed FILETIMEs stored in the embedded LNK, plus, for AutomaticDestinations, the DestList entry's last-used time.
- Full path: the full path of the accessed file or folder as recorded in the LNK.
- File size: the target's size at the time the entry was written.
Software:
- JLECmd.exe (EZ)
- JumpListExplorer (EZ)
UserAssist
Description:
UserAssist is a Windows Registry artifact in which Explorer records the programs and shortcuts a user has launched through the GUI (Start menu, desktop, Explorer). The value names are ROT13-encoded and the value data holds run count, focus count, focus time and the last execution time, which makes the key a standard source for reconstructing what a user ran and when.
Important Information:
- An entry can carry a last execution time while its run counter is 0. The launch was then not counted as an interactive run, for example because it went through a service or another mechanism rather than the user's shell. Treat such a timestamp as a lead and corroborate it with other artifacts (Prefetch, Amcache, event logs).
Registry Path:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count (NTUSER.DAT)
- {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} = executables launched by the user (value names ROT13-encoded)
- {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} = shortcut (.lnk) files launched by the user (value names ROT13-encoded)
- Value names are prefixed with a known-folder GUID (e.g. {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} for System32), which is ROT13-encoded together with the path; on Windows 7 and later the value data is a 72-byte binary record.
Analysis:
- Last Execution Time: FILETIME at offset 60 of the value data (UTC).
- Focus Time: cumulative time the application's window had focus, in milliseconds (offset 12).
- Run Counter: number of interactive launches (DWORD at offset 4).
- Focus Count: number of times the window received focus (DWORD at offset 8).
- Program Name: the ROT13-decoded value name (known-folder GUID prefix plus relative path).
Software:
- CyberChef (ROT13 decoder)
- RegistryExplorer
Thumbnail Cache
Description:
The Thumbnail Cache in Windows stores thumbnail images of files and folders to speed up their display in Windows Explorer. This cache is useful in digital forensics for revealing previously viewed images and documents, even if the original files have been deleted.
Important Information:
- If a thumbcache taken from Windows 11 will not open in your viewer, copy the files to a Windows 10 system and open them there.
Path:
- C:\Users\<user>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
Analysis:
- Browse the extracted thumbnails for pictures of interest. Entries are keyed by a cache hash, not by file name, so the original path has to be recovered from other artifacts (for instance the Windows Search index, Windows.edb).
- The number in the file name (thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db, ...) is the thumbnail size in pixels; thumbcache_idx.db is the index over the other files.
Software:
- thumbcache_viewer.exe
MRUs (Most Recent Used)
Description:
Most Recently Used (MRU) lists are records maintained by an operating system or application to track the most recently accessed files, folders, or commands. These lists help users quickly reopen recently used items and are valuable in digital forensics for understanding recent user activity.
Important Information:
- Different MRU lists exist for different actions: opened files and folders, commands typed into the Run dialog, search terms, mapped network drives. Decide which action you need to prove and look in the matching key. Note that RunMRU keeps its order in a text MRUList value (letters), while RecentDocs and the shellbag keys use a binary MRUListEx value.
MRUs:
- RecentDocs/Files
  - List of recently opened documents and files, with one subkey per file extension and a Folder subkey.
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  - RegRipper (Plugin: recentdocs)
- RecentRun
  - Commands or programs run by the user through the Windows Run dialog (Win+R).
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  - RegRipper (Plugin: runmru)
- RecentSearch
  - Recent search terms typed into Windows search. ACMru is the Windows XP key; on Windows 7 and later the terms are in WordWheelQuery.
  - HKCU\Software\Microsoft\Search Assistant\ACMru (Windows XP)
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery (Windows 7 and later)
  - RegRipper (Plugins: acmru, wordwheelquery)
- NetworkMRU
  - Recently mapped network shares (UNC paths entered in the Map Network Drive dialog).
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  - RegRipper (Plugin: mndmru)
- MicrosoftPaint
  - Images recently opened in Microsoft Paint.
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
  - RegRipper (Plugin: mpmru)
- Print MRU
  - Printers set up for the user (value name is the printer, data is driver and port). This shows which printers were available, not which documents were printed.
  - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices
  - RegRipper (Plugin: printermru)
Event Log
Description:
The following events help establish whether a user was actively working at the machine and whether it was locked for a given period. Note that 4800 to 4803 are only written when the "Other Logon/Logoff Events" audit subcategory is enabled, which it is not by default; check the audit policy before drawing conclusions from their absence.
Action | Event log | Event ID | RegRipper plugin | Description |
---|---|---|---|---|
Event Log service started | System | 6005 | | Written at every boot. |
Event Log service stopped | System | 6006 | | Written at a clean shutdown. |
System start | System | 12 | logon | Kernel-General: the operating system started. |
System shutdown | System | 1074 | shutdown (reads the last shutdown time from \Windows\System32\config\SYSTEM) | A user or process initiated a shutdown or restart. |
System standby | System | 42 | | Kernel-Power: the system is entering sleep. |
Computer locked | Security | 4800 | | The workstation was locked. |
Computer unlocked | Security | 4801 | | The workstation was unlocked. |
User logon | Security | 4624 | | Successful logon; the logon type (table below) says how. |
User logoff | Security | 4634 | | Logon session ended (4647 is the user-initiated logoff). |
Special logon | Security | 4672 | | Special privileges assigned to the new logon (administrative logon). |
Logon failure | Security | 4625 | | Failed logon attempt. |
Screen saver invoked | Security | 4802 | | Screen saver started (typically indicates inactivity). |
Screen saver dismissed | Security | 4803 | | User returned to the system. |
Logon Type | Description |
---|---|
2 | Interactive (console; keyboard and screen) |
3 | Network (e.g. SMB share access, SCCM, RDP NLA pre-authentication) |
4 | Batch (scheduled tasks) |
5 | Service (Windows services started with an account) |
7 | Unlock (workstation unlocked) |
8 | NetworkCleartext (network logon with the password sent in clear, e.g. IIS basic authentication) |
9 | NewCredentials (runas /netonly; plain runas produces type 2) |
10 | RemoteInteractive (RDP, Remote Assistance) |
11 | CachedInteractive (console logon with cached domain credentials, e.g. domain controller offline) |
12 | CachedRemoteInteractive (RDP with cached credentials, like type 10) |
13 | CachedUnlock (unlock with cached credentials, like type 7) |