Windows 8: Tracking Opened Photos

One of the many new features of Windows 8 is a new stock photo viewing application called Photos.  With the inclusion of a new photo viewer comes the creation of new artifacts resulting from its use. Specifically, I've found that the Windows 8 Photos app stores usage history information within a user's UsrClass.dat registry hive.  Buried within this hive is a wealth of information about files that have been viewed using Photos (specifically by double-clicking an image).  By "wealth of information", I mean information about each file viewed using the Photos app.  This includes the file name, path to the image file, timestamps associated with the image file, the last time the file was viewed using Photos, the type of device from which the file was opened, and more.

Based on my research, if an image file has been opened using the Photos app via double-clicking the file in Explorer, a subkey named using a {GUID} value will be added to the "Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windowsphotos_8wekby3d8bbwe\PersistedStorageItemTable\ManagedByApp" subkey located in the user's UsrClass.dat hive. The screenshot below is a depiction of the values and value data from a ManagedByApp\{GUID} subkey as viewed with regedit.

Based on my research, each {GUID} subkey beneath the ManagedByApp subkey corresponds to an image that has been opened using the Photos app and includes six values.  The table below includes information about each value located within one of these {GUID} subkeys.

Value Name	Value Type	Value Data
FilePath	REG_SZ	Full path to the file
Flags	REG_DWORD	Appears to relate to the media type from which the image was opened
LastUpdatedTime	REG_BINARY	64-bit FILETIME value; appears to reference last time the file was opened
Link	REG_BINARY	Variation of Windows LNK file [MS-SHLLINK]
Metadata	REG_SZ	Holds the name of the file
PackageFamilyName	REG_SZ	microsoft.windowsphotos_8wekyb3d8bbwe

File Path Value

If you guessed that the FilePath value data includes the path to the image file, you'd be correct.  Based on my testing, the full path (including drive letter) is included in this data if the image file was opened from the C:\ drive, external hard drive, or network share.  If the image file was opened from a flash drive, the volume GUID is listed instead of the drive letter (e.g. \\?\Volume{D729662E-868D-11E2-BE69-000C29930361}\file1.jpg).  The inclusion of the volume GUID here will allow an examiner to corroborate this data with information from the MountPoints2 subkey of the user's NTUSER.DAT hive as well as the MountedDevices subkey from the SYSTEM hive.  The drive letter assigned to the media where the file was stored can also be found in the Link value data within the same {GUID} subkey.

Flags Value

The Flags value data appears to relate to the type of media from which the image file was opened.  Based on my testing, a flag value of 13 (0x0000000D) indicates that the image file was located on the internal C:\ drive at the time it was opened.  A flag value of 9 (0x00000009) is assigned when the image file is opened from some type of external media (such as a flash drive or external hard drive), including network shares. This should be easy to verify by checking the FilePath value data (or the Link value data) stored in the subkey.

LastUpdatedTime Value

The LastUpdatedTime value data is a 64-bit FILETIME value and appears to be updated each time the image file referenced by the {GUID} subkey is opened using the Photos app.  Since this value is updated each time the image file is opened, the LastWrite time of the {GUID} subkey to which this value belongs is also updated.  In my [fairly limited] testing, I have yet to come across a case where the LastUpdatedTime value data is different than the LastWrite time of the {GUID} subkey to which the value belongs.  

Link Value

With the exception of the first 16 bytes, the Link value data appears to follow the MS-SHLLINK file format (see this document provided by Joachim Metz for more info on this format).  The first 16 bytes of the Link value data appear to hold the LNK class identifier and are the same as bytes 20-35 of the value data (where one would expect to find the LNK class identifier based on the MS-SHLLINK file format).  After the first 16 bytes, we can find much of the same useful information here as would expect to find in Windows shortcut files (target file timestamps, full path to target file, etc.).  The value data alone provides a great deal of insight into the opened file.  

Forensic Implications 

Using the values from these {GUID} subkeys related to the Windows 8 Photos app, an examiner can determine not only what files were viewed using the app, but also the last time each file was viewed, the type of device from which each image was viewed, the path to each file, timestamps associated with each image, and much more.  This information can be used to track user activity surrounding image files, corroborate USB device activity found in other locations, as well as provide useful timestamps for inclusion within a timeline.  A RegRipper plugin or otherwise some other means of quickly harvesting this information will need to be written (it's on my TODO list unless someone beats me to it), but knowledge of these artifacts will be important when examining a Windows 8 machine (particularly when image files are of interest).    

As an aside, I have yet to determine if there is a maximum to the number of {GUID} subkeys created before they begin to be cycled out, but I have populated more than 200 subkeys without the oldest entry being removed.  This indicates that an examiner may encounter a large number of these subkeys during an investigation, depending on how often the user views images using the Photos app.  Additionally, this information does not appear to be removed when the user clears their app usage history (using any of the stock options that I've tried to date).  

Automating USB Device Identification on Mac OS X

One of the common methods examiners may use during USB analysis on Mac OS X machines (running Snow Leopard or above) is to search the kernel log for "USBMSC" entries to identify USB devices that have been connected to the machine.  BlackBag Technologies has a couple of excellent blog posts here and here describing the logging of USB device information in the kernel log.  The "USBMSC" entries appear to have been moved to the system log in Mac OS X 10.8 (as discussed in this blog post), but the information contained within each entry looks to be unchanged.  An example of the approach an examiner may take in attempting to identify USB devices that have been connected to a Macintosh computer is:

1. Extract the kernel logs from the file system.
2. Search the kernel logs for "USBMSC Identifier".
3. Extract all entries containing "USBMSC Identifier".
4. Format the entries to make them easier to read/sort (e.g. Excel format).
5. Search the USB ID public repository for the vendor and product ID associated with each device.
6. Update each extracted log entry for which the associated vendor and product ID was found within the USB ID public repository. 

Correlating the vendor and product IDs with the USB ID public repository can help to associate a name with the type of device that was connected (e.g. Amazon Kindle, PNY flash drive, etc.).  This process can quickly become tiresome though, especially if there are many log entries for which you must search the USB ID repository.  An examiner performing the same small task over and over again is a good argument for automating that task.  With that in mind, I decided to write a script that would do as much of this for me as possible.  Perl seemed to be a good option to use since it's cross-platform and great with parsing.  And after a bit of coding, testing, and tweaking, I now have a script that takes care of steps 2-6 listed above in a matter of seconds.

The script is capable of parsing either a single kernel log or a directory full of kernel logs, outputting the "USBMSC" log entries in csv format. After using a regular expression to locate the "USBMSC" log entries, the script queries the USB ID public repository and attempts to correlate the vendor and product ID of each entry parsed from the kernel log(s) with a particular device listed in the repository.  The script defaults to checking the online version of the repository, but if you don't have a network connection or want to be able to run the script without querying the online database, you can optionally pass in the path to a local copy of the online database using the "-u" parameter (the text of the file must be in the same format as the online repository).

When you're importing the script's csv file into Excel (or your choice of spreadsheet application), you'll want to be sure and set the formatting of the USBMSC ID, Vendor ID, Product ID, and Device Release columns to text values in order to avoid the application interpreting the values as numbers and removing leading zeroes, etc..

I've only been able to test this script on kernel logs, but it should also work on the system logs from Mountain Lion as the relevant entries appear to be in the same format.  As always, feedback, suggestions, and bug reports are welcome and appreciated.

The script is available for download here.

Console view of usbmsc.pl

Snippet of usbmsc.pl output file after correlation

Resources

BlackBag Technologies Blog

VSC Toolset Update: File Recovery

I've recently added an important functionality that has been missing from VSC Toolset: the ability to systematically extract files from shadow copies.  You can now do this with VSC Toolset either by utilizing the "Copy" command from the main window or via browsing the directory structure of a shadow copy and utilizing the context menu option.

When browsing an individual shadow copy, you can easily verify the location of the files or folders you wish to copy and extract them accordingly.  To extract files in this manner, simply navigate to the folder of interest, highlight the files or folders you wish to extract, and select "Copy" from the right-click context menu.  You will be prompted to select a location to save the data, then a small status window will appear while the data is being extracted (see screenshot below).  The downside to this approach is that you must copy the files of interest from each shadow copy individually.  To alleviate this problem, the option to copy a selected file or folder from multiple shadow copies in a single operation is available from the main window of VSC Toolset.

Copying Files via VSC Browser Context Menu

By utilizing the Copy command from the main VSC Toolset window, you can extract a file or folder from multiple shadow copies in a batch processing manner.  It's as simple as selecting the shadow copies from which to extract the file or folder, inputting the path (or browsing to it using the Browse button), and clicking the Run Command button.  It's important that the path to the file or folder of interest be the full path on the drive containing the VSCs.  For example, if the image containing the shadow copies is mounted as the H:\ drive, the path to the file/folder to copy should be something like H:\folder\subfolder\file.txt.  VSC Toolset will then use the batch files associated with the copy operation to copy the specified file or folder from all selected shadow copies.  The extracted files will be stored in the "VSCToolset_Output\ExtractedFiles" folder (the location of which may be changed under Tools --> Options).

Copying Files from VSC Toolset Main Window

All copy operations issued with VSC Toolset are simply passing parameters to a robocopy batch file that resides in the VSC Toolset "batch" folder.  Robocopy is a powerful copying utility and is a standard feature of Windows Vista and above.  For information on Robocopy options, check out this Microsoft article.  With VSC Toolset copy operations, the /COPYALL flag is passed for file and folder copies to copy all file information (including time stamps).  Additionally, the /E flag is passed during folder copy operations to include empty subdirectories. These options can of course be modified by changing the respective batch files within the "batch" folder used by VSC Toolset.  CopyFile.cmd and CopyFolder.cmd are the batch scripts used to issue the robocopy commands for file and folder copying, respectively. The robocopy log, which can also be customized by modifying the batch files, is saved in the "VSCToolset_Output\RobocopyLogs" directory that is created by VSC Toolset upon issuing a copy operation.

A couple of other improvements have been made as well, including adding multiple threads for processing.  By making VSC Toolset a multi-threaded application, the user interface remains responsive even when running time-consuming operations such as Diff or a large copy operation.  This allows you to immediately start a process such as running Diff against a couple of shadow copies and then running a RegRipper plugin or profile against one or more shadow copies while Diff is still executing in the background.

You can download the latest version of VSC Toolset here.

For tips on setting up and using VSC Toolset, check out this blog post. To get the most out of the program, you'll need the accompanying tools below. Also, keep in mind that with the exception of RegRipper, all accompanying executable files and scripts should be stored in the same directory as the VSC Toolset executable in order for the program to see them.

• RegRipper
• ActiveState Perl 
• jl.pl script (available in the wfa3e files) 
• lslnk-directory-parse2.pl script (download from the Win4n6 group under Files\Tools)
• diff.exe (included with the UnxUtils package)
• Microsoft Log Parser

Feedback, suggestions, and bug reports are always welcome and appreciated.

FoxTab: Firefox's Hidden Camera

The FoxTab add-on to Mozilla Firefox presents some interesting artifacts in respect to forensic analysis.  According to FoxTab's webpage, the add-on "brings innovative 3D functionality to your Firefox."  Among the features offered by FoxTab are the "Tab Flipper" and "Recently Closed Tabs", which allow a user to view their currently opened tabs and recently closed tabs in an animated fashion.  While these features may be appealing to some users, they are interesting from a digital forensic standpoint in that the artifacts they leave behind provide a unique insight into a user's browsing history.  Each screenshot taken by FoxTab is either a JPG or PNG file (depending on the version of FoxTab) that is stored on the disk and in many cases readily available to a forensic examiner.  And unlike the page thumbnails stored by newer versions of Firefox, Foxtab's thumbnails are undisturbed after clearing the browsing history.

Screenshot stored by FoxTab

Foxtab\thumbs Directory

The images displayed using the Tab Flipper feature (depicting the currently opened tabs) are stored in a folder titled "thumbs" within a user's AppData\Local\Temp\foxtab directory (or Local Settings\Temp\foxtab on XP).  For each tab that is opened in Firefox, a screenshot of the webpage depicted in the tab is stored for use in navigating between currently opened tabs using the Foxtab interface. While newer versions of FoxTab appear to delete the screenshots in the foxtab\thumbs folder when Firefox is closed, older versions (1.4.2 and earlier) of FoxTab aren't quite as efficient in cleaning up their mess. When testing this feature, I observed on several occasions files remaining in the foxtab\thumbs directory after closing Firefox.  The remaining files could simply be given a .jpg or .png extension (they are stored without an extension) and viewed using the native Windows photo viewer. 

Based on my testing thus far, the $STANDARD_INFORMATION creation date of the files within the foxtab\thumbs folder correspond with the time in which the webpage depicted in the screenshot was first visited. The $STANDARD_INFORMATION last modified time appears to be a close approximation of the time the webpage was first visited, although it's a few seconds after the creation date.  I haven't pinned down exactly what the variance can be attributed to, but in all tests, the last modified time of each file was within 40 seconds of the creation time (although some were as close as four seconds apart). 

Foxtab\thumbsRCT Directory 

The images displayed using the Recently Closed Tabs feature are stored in a folder titled "thumbsRCT" within a user's AppData\Local\Temp\foxtab folder (or Local Settings\Temp\foxtab on XP).  Similar to the foxtab\thumbs folder, this directory stores images of tabs that were opened in Firefox at some point.  Within the FoxTab interface, a user may view a graphical depiction of the recently closed tabs.  My testing has indicated that only those tabs that were closed since Firefox was last opened are available, despite the fact that screenshots from previous browsing sessions may very well still be stored in the foxtab\thumbsRCT folder.

Recently Closed Tab Feature of FoxTab

As with the foxtab\thumbs folder, newer versions of FoxTab appear to remove screenshots from previous browsing sessions stored in the foxtab\thumbsRCT directory more frequently.  When FoxTab is installed and a tab is closed within Firefox, the image file depicting the screenshot appears to be copied from the foxtab\thumbs directory to the foxtab\thumbsRCT folder and renamed using the computed MD5 hash of the URL of the webpage from which the screenshot was taken.  I've been unable to find a location in which the URL is stored for the purposes of FoxTab, so an examiner may only have the screenshot of the webpage and the MD5 of the URL at their disposal.  

Based on my testing thus far, it appears that the $STANDARD_INFORMATION last modified date of each file in the foxtab\thumbsRCT folder corresponds to the approximate time in which the webpage depicted in the screenshot was opened (this is the same last modified time of the file when stored in the foxtab\thumbs directory).  The $STANDARD_INFORMATION creation date of each file appears to correspond with the time in which the Firefox tab containing the depicted webpage was closed (and hence the screenshot was added to the "thumbsRCT" folder).  If the $STANDARD_INFORMATION timestamps can be trusted in a particular case, the creation and last modified time of files in the foxtab\thumbsRCT folder may provide a time frame in which the webpage depicted in the screenshot was open in the user's browser.

Forensic Implications of FoxTab

Although the artifacts left behind by FoxTab do not seem to store the URL of the webpage depicted in each screenshot, an examiner is provided with a visual depiction of the webpage as the user would have viewed it.  This can be very telling in cases involving access to illicit websites where the relevant browsing history of the computer is no longer available.

It seems that clearing the Firefox browsing history does not have an effect on the files saved by FoxTab, as they are stored independently of the browsing history and cache files.  Additionally, uninstalling the FoxTab add-on does not seem to remove either the foxtab\thumbs or foxtab\thumbsRCT directory.  Further, utilizing Firefox's InPrivate browsing mode does not seem to have an effect on the functionality of FoxTab.  It appears that unless the foxtab directories themselves are deleted, many screenshots from previous browsing sessions, both standard and InPrivate, may remain on disk.

Overall, if FoxTab is functioning correctly, it will save screenshots of currently opened tabs and tabs that were closed since Firefox was last opened.  Older versions of FoxTab (1.4.2 and earlier) remove screenshots less frequently (if at all) than newer versions, however, even the most current version (1.4.5) does not seem to remove all screenshots.  This means that a visual depiction of many webpages visited by the user may potentially be available in the foxtab directories previously described, regardless of whether a user deleted their browsing history or utilized the InPrivate browsing mode of Firefox.  While the absence of the page URL is certainly a drawback, the artifacts left behind by FoxTab may provide insight into a user's browsing history where it would otherwise be unavailable.         

Quickly Find the Date Range of EVTX Event Logs

It's helpful to know the date range that an event log spans, as that information lets you know whether or not you should expect the events from a particular time to be included in the event log, assuming the events you're interested in are being audited.  I've often used Harlan's evtrpt.pl script (available on the WFA 2e DVD) to find, among other things, the date range that is covered by an EVT file.  This has proven to be very helpful in identifying whether a particular event log covers the time frame of interest in an examination.  However, to my knowledge, no such script exists for EVTX files.
          

I originally wrote a batch script for pulling the date range from EVTX files as an add-on to VSC Toolset, but I figured it would be helpful to have the ability to run it against the most current version of event logs (i.e. those not in volume shadow copies) as well.  A couple of modifications to the VSC Toolset batch script made it ready for use on its own.       

In writing the batch script, I decided to harness the power of Log Parser to get the job done.  If you're unfamiliar with Log Parser, it's a great tool from Microsoft that allows you to interpret data files (event logs, for example) as SQL records and execute SQL queries against them to quickly pull out specific information.  The command that I used to find the oldest event record (by TimeGenerated) in an event log is "logparser -i: EVT "SELECT TOP 1 TimeGenerated FROM %1 ORDER BY TimeGenerated ASC".  Walking through the command, I simply notify Log Parser that the input file is an event log and then specify the query that I want to execute against the file.  The "%1" indicates the value passed into the batch file (G:\files\Security.evtx, for example). The query instructs Log Parser to return the top value existing in the TimeGenerated field when that field is listed in ascending order.  You should actually get the same results without "ORDER BY TimeGenerated ASC" since we're only interested in the first entry of the event log.

To find the newest event record by TimeGenerated, I simply had to sort the event log in reverse order by TimeGenerated.  This can be done by changing the "ASC" in the previous command to "DESC".  I also gathered the oldest and newest records by TimeWritten to report in addition to the TimeGenerated values.  The bulk of the code and work on my part in writing the batch file came from formatting the output for a very easy-to-read display.  I won't break down the code I used for that here, but it turned out to be a nice exercise in batch programming for me.

To use the script, download it here and copy the Log Parser executable and DLL into the same folder as the script (or vice versa).  Note that you'll have to install Log Parser from the MSI before the executable and DLL are available in the Program Files directory.  Then execute the evtxdaterange.bat script from the command line, passing in the path to the extracted event log.  For example, issuing "evtxdaterange k:\files\Security.evtx" should give you output similar to that in the screenshot below.

If you're interested in learning more about Log Parser, I would recommend taking a look at the Log Parser Toolkit book (however there are also many resources available online, such as this article by Chad Tilbury).  If you're interested in batch scripting, there are countless online references, including this one by Corey Harrell that goes over getting started with batch scripting.

VSC Toolset Update

I thought it would be helpful to quickly be able to determine the date range covered by an event log within a shadow copy, particularly if the most current version doesn't go back far enough.  So if you're interested in finding which shadow copy contains the event log covering the date range of interest, you can simply run the EventLogDateRange command against all shadow copies to pinpoint which event logs you'll want to parse.  Event log parsing has also been incorporated in the latest update, via Log Parser.  You can read about the other updates and download the latest version of VSC Toolset here. 

TypedURLsTime RegRipper Plugin

I mentioned in a previous post that a RegRipper plugin (or something similar) would need to be written in order to easily correlate the contents of the TypedURLs subkey with the TypedURLsTime subkey that is present in Windows 8.  Being that I haven't had the opportunity to do a whole lot with Perl or write a RegRipper plugin, I figured this would be a good learning experience for me and another way to contribute a bit to the community.  Harlan's Windows Registry Analysis book does a nice job explaining the process of creating a RegRipper plugin, so I decided to start there.

The book mentions the fact that you can create plugins while writing very little code by copying the functionality from other existing plugins. After all, why spend time rewriting something that's already been put out there (although an argument could be made for the sake of learning)? With that in mind, I thought about the different plugins that I'd executed in the past and what they did.  The typedurls plugin would obviously take care of parsing the TypedURLs subkey for me; I only needed to find code that would parse the TypedURLsTime value data containing the FILETIME structures.  The first plugin that came to mind is also one of my favorites: the userassist2 plugin.

So to create the TypedURLsTime plugin, I started simply by copying the code that parses the contents of the UserAssist key and adding that to the parsing code for the TypedURLs key.  I then went in and removed some unnecessary portions, such as the part decoding the ROT-13 values existing in the UserAssist key.  I was left with code that would parse both of the subkeys I'm interested in; I just needed to correlate the results to make the output easier to read.  There is an abundance of material out there to help you get started with Perl.  Learn.perl.org is a nice way to learn the basics; you can also go out and buy one of the many books that exist on the subject (Learning Perl on Win32 Systems was recommended to me).  After reading though a bit of the basics (comparing values, looping, hashes, etc.), I put together the rest of the plugin to correlate the results and display them appropriately.  I added a couple of variables, but the vast majority of the code and the actual work was completed using functionality from two previously written plugins.  That's it.  In very little time and roughly 10 lines of code, I'd put something together that can be used to extract and make use of the information from the TypedURLsTime subkey or simply add in as part of a plugin file for future use.

This obviously required very little coding, but that's part of the point.  I was surprised at how easy it was and the limited amount of Perl knowledge that's required to create a working RegRipper plugin.  That's not to say that other plugins wouldn't require much more coding and a deeper knowledge of Perl, but this is an example of how easy it can be. So the next time you think about writing a RegRipper plugin or realize that one would be helpful, think about what you're trying to pull from the registry. What is the format of the data you're trying to parse?  Are there existing plugins that perform some or all of the required functionality, except applied to a different key?  You might find that nearly everything you need is already out there and available, you just need to piece it together.

If you're interested in viewing or testing the typedurlstime plugin, it's included as part of the updated RegRipper plugins archive available from the RegRipper wordpress site (or more precisely, the RR supplemental plugins google code page).  I also went ahead and modified the reporting format to allow for outputting in TLN format, which is available with the typedurlstime_tln plugin (included in the download).  The output of the typedurlstime plugin could easily be modified to report in csv format as well.

VSC Toolset Update: Browsing Shadow Copies

I don't plan to regularly post about tool updates, but I figured there's enough in the most recent update to VSC Toolset that I might want to write a bit about it.  As indicated by the title of this post, the biggest change incorporates the ability to browse shadow copies using an Explorer-like interface.  Although you can easily write a batch file to list the directory contents of each shadow copy, it's nice to be able to see the directory structure.  The "Browse Selected VSCs" button will open all selected linked VSCs.  This allows you to open a directory view of two (or more) shadow copies and view them side by side to visually see the differences between them.  If you find it easier to view the directory contents in another view mode other than "Details", you can right-click on the list view pane and select a different view mode.

I've also tweaked how the VSCs are listed in the main interface.  For example, when you're viewing a list of the shadow copies on a drive, you will no longer see "ShadowCopy1", "ShadowCopy2", etc..  Instead, you should see something like "VSC1: 4/24/2012", "VSC2: 5/12/2012", etc.. Including the date right beside the listing makes it quicker to determine which VSC(s) you may be interested in, based on the creation date.

Other minor updates include:

• Removed the "List Shadows" button - shadow copies are now automatically listed upon selecting the drive letter
• Logging is now in local time instead of UTC
• Added an "Open Output Folder" button that...well, opens the output folder
• Added another parameter input box, allowing for up to three additional parameters that can be specified at run time to execute against one or more shadow copies using a simple batch script
• As noted in the release notes of another recent update, jump lists and custom RegRipper plugin files now have built-in functionality with VSC Toolset (see here for more details).

You can download the latest version of VSC Toolset here.

For tips on setting up and using VSC Toolset, check out this blog post. To get the most out of the program, you'll need the accompanying tools below. Also, keep in mind that with the exception of RegRipper, all accompanying executable files and scripts should be stored in the same directory as the VSC Toolset executable in order for the program to see them.

• RegRipper
• ActiveState Perl 
• jl.pl script (available in the wfa3e files) 
• lslnk-directory-parse2.pl script (download from the Win4n6 group under Files\Tools) 
• diff.exe (included with the UnxUtils package)

Feedback, suggestions, and bug reports are always welcome.