Section 4.2: Timeline Analysis Overview Flashcards
What is the forensic trinity inside a system?
Filesystem metadata, registry keys, and Windows artifacts.
Locations in timeline analysis to search for file downloads.
Open/Save MRU, emails, Skype history, index.dat, & downloads.sqlite.
Locations in timeline analysis to search for program execution.
UserAssist, LastVisited MRU, Run MRU, MUI Cache, Jumplists, Prefetch, & Shimcache.
What is Open/Save MRU and where can it be found?
This key tracks files that have been opened or saved within a Windows shell dialog box. Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
What is the path for email attachments?
USER\AppData\Local\Microsoft\Outlook
To gather downloads.sqlite information for downloaded files for each browser, what similar paths do different browsers have?
Search in “AppData\Roaming” for any browser and dig until you find the history sections.
What are jump lists?
Jump lists are a taskbar feature engineered to let users “jump” to, or quickly access, items they use frequently or recently. They are labeled by AppID.
What is the jump list path?
C:\Users\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
What is RunMRU (Start -> Run)? What is the path?
Whenever a user runs the Run command, it is recorded along with the user who did it. Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
What is the UserAssist? What is the path?
GUI-based programs launched from the desktop are tracked by the launcher. Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
What are shellbags?
They track user window preferences for Explorer. They also track activity in folders and files.
What is the path to find shellbags?
NTUSER.DAT (USRCLASS.DAT)(Local Settings)\Software\Microsoft\Windows\Shell\Bags(BagMRU)
Where is the NTUSER.DAT information when looking inside registry editor?
You have to open the HKEY_USERS hive; that's NTUSER.DAT.
What are Office Recent Files? What is the path?
MS Office programs track and build a recent files list, which shows the last files edited. Location: NTUSER.DAT\Software\Microsoft\Office\VERSION
What are LNK files? Where are they located?
They are shortcut files created by opening recent local or remote data files and documents. Location: \AppData\Roaming\Microsoft\Office\Recent
What is the WordWheelQuery and where is it located?
It logs keywords searched for from the Start menu bar. Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
To search for Browser Search Terms and cookies, what is the common path to find them?
\AppData(Local)\Roaming\Microsoft\Windows\History(Cookies)
Why is tracking USB usage important? What is the path?
It reveals when a device was plugged in as well as its brand. Path: SYSTEM\CurrentControlSet\Enum\USB
What does log ID 20001 identify inside the System log?
That a plug & play driver was installed. The device can be USB, FireWire, or any PCMCIA device.
How do I begin to look inside a timeline?
Use your scope and case knowledge to help form the answer (pivot point).
What is Temporal Proximity? Why is it important to use this method?
It's searching for occurrences that happened before and after pivot points. Single artifacts MUST connect to other artifacts.
What is the Pivot Point pyramid from highest to lowest?
Time of Incident, Network Activity, Process Activity, Name of File, User Account, & Activity.
What is the timeline analysis process list?
Determine the timeline scope, narrow pivot points, determine timeline type, filter timeline, analyze timeline.