Thursday, July 16, 2015

Adobe Reader's Not-So-cRecentFiles

Version 11.0.07 of Adobe Reader, released in May 2014, introduced some interesting changes that can impact forensic examination.  With previous versions of Reader for Windows, the cRecentFiles subkey found in the Acrobat Reader subkeys of an NTUSER.DAT hive provided an examiner with the five most recent files accessed by Adobe Reader.  Information about these files was divided into five subkeys named “c1”, “c2”, “c3”, etc., with each subkey containing a bit of information about the accessed file.  Version 11.0.07 of Adobe Reader expanded this capability, tracking much more than just the five most recently accessed files.  Additional information is also recorded about each accessed file, as well as a list of the five most recently accessed folders.

The screenshot below shows the new look of the “c#” subkeys that store information about recent files accessed in Adobe Reader version 11.0.07 and above.  Note that the full path to these subkeys is found in a user's NTUSER.DAT hive under "\Software\Adobe\Acrobat Reader\<version>\AVGeneral\cRecentFiles\c#".
Values in a cRecentFiles\c# subkey
The new values added to the "cRecentFiles\c#"subkeys are “sDate”, “uFileSize”, and 
sDate value data
“uPageCount”.  The “uFileSize” and “uPageCount” are pretty self-explanatory, storing the size of the file in bytes and the number of pages in the accessed file, respectively.  The “sDate” value stores the last time that the file was accessed in Adobe Reader.  The “sDate” value type is REG_BINARY, but the value data holds a simple ASCII string of the timestamp.  Interestingly, the time zone offset of the system at the time the file is opened is included in the “sDate” value data.  If the time zone of the system is changed, the offset included in the “sDate” value is reflected accordingly for files that are later opened in Adobe Reader.  This provides examiners with a more more granular view of when files were accessed in Adobe Reader, as previous versions only allowed us to determine the last time the most recent PDF was accessed.

The five most recently accessed folders are also tracked by Adobe Reader version 11.0.07 and later in a "cRecentFolders" subkey under "HKCU\Software\Adobe\Acrobat Reader\<version>\AVGeneral".  Recently accessed folders are maintained in a
Values in a cRecentFolders\c# subkey
similar fashion as the recently accessed files, but the level of detail associated with each accessed folder is pretty minimal.  Each "c#" subkey provides us with the name and path of the accessed folder via the tDIText (or sDI) value, and we can correlate the Last Write time of the cRecentFolders subkey with time that the most recent folder was accessed.  

Perhaps the most significant change from a forensic perspective in Adobe Reader version 11.0.7 and later is the alteration to the number of files tracked in the cRecentFiles subkey.  Instead of the most five most recent files that are tracked in previous versions, Adobe Reader 11.0.7 appears to track the 50 most recently accessed files.  In version 11.0.9, the maximum number of recently accessed files jumps to 100.  After testing the current version of Adobe Reader DC, 100 still appears to be the maximum.  This means that you could have up to 100 “c#” subkeys under the cRecentFiles key!  After 100 documents have been accessed, the subkeys will be reused in a FIFO fashion as seen in previous versions of Adobe Reader (e.g. the contents of subkey c100 will be removed and replaced with the contents of c99).

cRecentFiles with 100 subkeys
Examiners should be aware of this additional functionality in Adobe Reader in order to take advantage of the historical information it provides.  The cRecentFiles subkey from a user's active NTUSER.DAT hive can provide a nice list of files accessed by Adobe Reader.  With later versions storing up to 100 "recently" accessed files, the cRecentFiles subkeys could end up storing files that were not-so-recently accessed as well.  Further, when combined with previous versions of the user's NTUSER.DAT hive from volume shadow copies, an examiner may be provided with quite a detailed history of files accessed using Adobe Reader. 

Wednesday, February 4, 2015

Leveraging the DeviceContainers Key

If you've ever examined registry artifacts related to a particular USB device, you've probably come across a value called "ContainerID".  For example, a flash drive's instance ID subkey of the USBSTOR key includes a ContainerID value.  Prior to Windows 8, a device's Container ID was probably of little interest to an examiner. However, beginning with Windows 8, a device's Container ID can be used to help profile a specific device and corroborate findings from other locations.  The CurrentControlSet\Control\DeviceContainers key of the SYSTEM hive on a Windows 8 machine holds a wealth of information, broken down by Container ID, about devices connected to the system.

Before dissecting the DeviceContainers subkey, it's important to understand what a container ID represents in the first place.  Starting with Windows 7, container IDs were used to identify a physical device on the system.  This Windows Dev Center page describes a container ID as "a system-supplied device identification string that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer."  This "system supplied identification string" is a GUID and is referenced in various locations, including the Enum\USBSTOR and Enum\USB subkeys of the SYSTEM hive, as the "ContainerID".  One thing to keep in mind is that all physical devices should be assigned a ContainerID - not just storage devices.  This means that when digging into the DeviceContainers key, many of the devices listed may be something other than storage devices (e.g. monitors, external speakers, keyboards, etc.).

DeviceContainers\ContainerID subkey structure
The screenshot on the right is an example of what you might see when browsing a device's DeviceContainers subkey.  The top node as well as the subkey to the BaseContainers key is named by the ContainerID value (the same one found in the USBSTOR key).  The Properties subkey contains eight different sets of.... well, properties.  The idea of useful information being found in a set of "Properties" subkeys is not new; Harlan blogged about the Properties subkeys within the USBSTOR key here and Yogesh Khatri wrote about it here as well.  This is a different set of properties, however, than what is found in the USBSTOR key.

While there are numerous bits of data available in the Properties subkey, I will only highlight a few of the items that may prove useful in a typical forensic examination. The table below summarizes some of the information about a device that is available from the DeviceContainers key.  As you can see, the device instance ID, "DeviceContainer_ModelName", and "DeviceContainer_PrimaryCategory" properties are available here in addition to two 64-bit FILETIME properties.  The "DeviceContainer_ModelName", and "DeviceContainer_PrimaryCategory" properties are defined in the devpkey.h file of the Windows 8.1 SDK.  In addition to the property subkey listed in the table below, the device instance ID is also available in the subkey named by the device's Container ID within the BaseContainers key.


The device instance ID is a valuable piece of information, as it contains the VID and PID of a device as well as the serial number or unique identifier of the device.  For example, when connecting a flash drive to a Windows 8.1 system, I found "USB\VID_090C&PID_1000\1009070810017910" to be the device instance ID associated with the flash drive.  In this case, you can see that "1009070810017910" is the serial number of the flash drive; this information can be corroborated with the USB and USBSTOR keys as well.

The DeviceContainer_ModelName helps describe the device - similar to the FriendlyName value of the USBSTOR key.  Examples of what I have seen in this property are "My Passport 0730", "iPhone", and "USB DISK".  The DeviceContainer_PrimaryCategory helps describe the purpose of the device.  Some examples of what I have noted in this property are "Storage", "Audio", and "Display Monitor".

There are also two 64-bit FILETIME timestamps that appear to be consistent with the first time the device was connected to the system.  Specifically, the "3464f7a4-2444-40b1-980a-e0903cb6d912\0007" property appears to contain the time the device driver installation started, while the "3464f7a4-2444-40b1-980a-e0903cb6d912\0008" property appears to contain the time the device driver installation completed.  This theory is supported by the setupapi.dev.log file, which includes the start and end time of device driver installations.  Interestingly, these two timestamps are slightly different than the Install and First Install timestamps found in other Properties subkeys in the registry. Unfortunately I have not yet found a precise definition - such as that from a Windows SDK - for what these two timestamps officially represent.

One of the nice things about the DeviceContainers key is that it appears to group all physical devices that have been connected to a system into one place.  If an examiner is focusing solely on the USBSTOR key, he or she may miss the fact that an MTP device was connected or that a hard drive was connected using something other than USB.  While the DeviceContainers key may not necessarily provide information that cannot be found elsewhere, it serves as yet another source to help examiners corroborate findings from other locations on the system and may be critical in cases where the ordinary sources of device-related information are not available.