Section 4.2: Timeline Analysis Overview

Question 1

What is the forensic trinity inside a system?

Answer 1

Filesystem metadata, registry keys, and Windows artifacts.

Question 2

For locations in timeline analysis to search for file downloads.

Answer 2

Open/Save MRU, emails, skype history, index.dat, & download sqlite.

Question 3

Locations in timeline analysis to search program execution.

Answer 3

UserAssist, LastedVisited MRU, Run MRU, MUI Cache, Jumplists, prefetch, & shimcache.

Question 4

What is Open/Save MRU and where can it be found?

Answer 4

This key tracks files that have been opened or saved within Windows shell dialog box. Location: NTUSER.DAT\Software\Microsofot\Current Version\ Explorer\ComDlg32\OpenSavePID1MRU

Question 5

What is the path for email attachments?

Answer 5

USER\AppData\Local\Microsoft\Outlook

Question 6

To gather downloads.sqlite information for downloaded files for each browser, what similar paths do different browsers have?

Answer 6

Search in “AppData\Roaming” for any browser and dig till you find history sections.

Question 7

What are jump lists?

Answer 7

Jump lists is a task bar engineered to allow users to “jump” or access items they frequently or recently used quickly and easily. They are labeled by AppID.

Question 8

What is the jump list path?

Answer 8

C:\Users\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Question 9

What is RunMRU Start-> Run? What is the path?

Answer 9

Whenever a user runs the Run command, it is recorded along with the user who did it. Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Question 10

What is the UserAssist? What is the path?

Answer 10

GUI-based programs launched from the desktop are tracked by the launcher. Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Question 11

What are shellbags?

Answer 11

They track user window preferences to Explorer. It also tracks activity in a folder and files.

Question 12

Path to find shellbags

Answer 12

NTUSER.DAT (USRCLASS.DAT)(Local Settings)\Software\Microsoft\Windows\Shell\Bags(BagsMRU)

Question 13

Where is the NTUSER.DAT information when looking inside registry editor?

Answer 13

You gotta click the HKEY_USERS tab. Thats NTUSER.DAT.

Question 14

What are Office Recent Files? What is the path?

Answer 14

MS Office programs will track and built a recent files list to see the last file edited. Location: NTUSER.DAT\Software\Microsoft\Office\VERSION

Question 15

What are LNK files? Where are they located?

Answer 15

They are shortcut files created by opening recent local or remote data files and documents. Location: \AppData\Roaming\Microsoft\Office\Recent

Question 16

What is the WordWheelQuery and where is it located?

Answer 16

It logs keywords searched for from the Start menu bar. Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Question 17

To search for Browser Search Terms and cookies, what is the common path to find them?

Answer 17

\AppData(Local)\Roaming\Microsoft\Windows\History(Cookies)

Question 18

Why is tracking USB usage important? What is the path?

Answer 18

I can find the time it was plugged in as well as the brand. The path: SYSTEM\CurrentControlSet\Enum\USB

Question 19

What does log ID 20001 identify inside the System log?

Answer 19

That a plug & play driver was installed. That can be a USB, Firewire, or any PCMCIA devices

Question 20

How do I do begin to look inside a timeline?

Answer 20

Use your scope and case knowledge to help form the answer (pivot point).

Question 21

What is Temporal Proximity? Why is it important to use this method?

Answer 21

Its searching for occurrences that happened before and after pivot points. Single artifacts MUST connect to other artifacts.

Question 22

What is the Pivot Point pyramid from highest to lowest.

Answer 22

Time of Incident, Network Activity, Process Activity, Name of File, User Account, & Activity.

Question 23

What is the timeline analysis process list?

Answer 23

Determine the timeline scope, narrow pivot points, determine timeline type, filter timeline, analyze timeline.