User History Artifact : Practical Gathering of Artifacts
Many artifacts record recent user activity: ShellBags, Amcache, Thumbcache, UserAssist, Recent Items, MRU lists and MUICache, and the $UsnJrnl change journal holds further traces. In most cases, however, the main constraint is time. Imaging the seized machine, parsing event logs and reviewing files such as pagefile.sys all take a while, and a comprehensive toolkit also costs money. The artifact described in this post saves much of that effort: it needs no additional toolkit and no full disk image. Direct access to the seized machine is enough to examine it. It does not even require opening the registry, because the operating system exposes it directly, grouped by the day and time the user was active on the machine.
Scenario: A corporate investigator is called in to examine a company laptop suspected of being used to leak confidential data. You play the role of the investigator.
Case Brief:
- Subject: Elena Carter, Senior Analyst Incident
- Date: Friday, 10:30 AM
- Allegation: Possible unauthorized access and sharing of sensitive ZIP files
- System: Windows 10 Pro, corporate-issue laptop
- Condition: Laptop powered off, no disk image available yet
Restrictions:
- No registry tools
- No commercial forensic software; you can examine only what the OS already gives you
- You have physical access to the machine
Your Investigation Begins: You power on the machine and log in to Elena's profile. The system looks clean: no obvious signs of tampering or new software. The Downloads folder shows nothing suspicious. Event logs take too long to parse manually, and you don't have admin access for registry viewing.
Hint: "What if the system itself remembers more than it lets on? Something hidden in plain sight..."
Solution: You begin exploring Elena's user profile. The standard locations offer nothing: Documents, Desktop, even Recent Items look wiped or untouched.
But while browsing C:\Users\Elena\AppData\Local\Microsoft\Windows, one folder stands out: History.
Figure: User activities by date
Figure: User activities by genre
Figure: Artifacts of execution evidence
This artifact has existed at this path since Windows Vista and is still present in modern versions of Windows, yet many forensic investigators overlook it, assuming it holds nothing important. In reality, we need to think outside the box and approach investigations like true detectives rather than just following the traditional methods. So, what is this artifact? It is the History folder under %LOCALAPPDATA%\Microsoft\Windows (the path browsed above); it can also be opened by typing shell:History in the File Explorer address bar. Windows records an entry there for local files the user opened from the shell (they appear as file:/// addresses), so by analyzing this folder we can uncover valuable information about opened and executed files, such as:
- JPEG images
- EXE files
- ZIP archives
- and other file types
Figure: Artifacts of execution evidence
Times Visited: how many times the user opened that entry (for an executable, how many times it was run).
Last Visited: the date and time the user last opened that file or folder.
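The walk through the History folder described above can be done from a normal PowerShell window on the live machine, without admin rights or any third-party tool. The script below is an added example written for this post, not code from the original author: it enumerates the History shell folder through the Shell.Application COM object the same way Explorer renders it (date buckets such as "Today" and "Last Week", then site groups such as "My Computer", then the entries) and prints the local-file entries with the "Times Visited" and "Last Visited" columns. It assumes the ssfHISTORY constant (34) resolves to the current user's History folder and that the column display names are the English ones ("Address", "Times Visited", "Last Visited"); the column indices are looked up by name rather than hard-coded. The function and variable names are this example's own.

```powershell
# Added example (not the original post's code): list local-file entries from the
# History shell folder with Explorer's "Times Visited" / "Last Visited" columns.
# Assumptions: Shell.Application is available, ssfHISTORY (34) is the current
# user's History folder, and column names are the English display names.

function Get-Detail {
    # Read one named detail column for an item; empty string if the column is absent.
    param($Folder, $Item, [hashtable]$Columns, [string]$Name)
    if ($Columns.ContainsKey($Name)) { $Folder.GetDetailsOf($Item, $Columns[$Name]) } else { '' }
}

function Get-ShellHistoryEntries {
    param(
        [object]$Folder,       # a Shell Folder object
        [string]$Bucket = ''   # date bucket label (Today, Last Week, ...), set on recursion
    )

    # Map this folder's column display names to their indices (GetDetailsOf with a
    # null item returns the column header), so nothing is hard-coded.
    $columns = @{}
    for ($i = 0; $i -lt 60; $i++) {
        $name = $Folder.GetDetailsOf($null, $i)
        if ($name) { $columns[$name] = $i }
    }

    foreach ($item in $Folder.Items()) {
        if ($item.IsFolder) {
            # Top level: date buckets. Next level: site groups such as "My Computer".
            $label = if ($Bucket) { $Bucket } else { $item.Name }
            Get-ShellHistoryEntries -Folder $item.GetFolder -Bucket $label
            continue
        }
        $address = Get-Detail $Folder $item $columns 'Address'
        if (-not $address) { $address = $item.Path }   # fall back to the item's own URL
        [pscustomobject]@{
            Bucket       = $Bucket
            Name         = $item.Name
            TimesVisited = Get-Detail $Folder $item $columns 'Times Visited'
            LastVisited  = Get-Detail $Folder $item $columns 'Last Visited'
            Address      = $address
        }
    }
}

$shell   = New-Object -ComObject Shell.Application
$history = $shell.NameSpace(34)   # ssfHISTORY: the current user's History shell folder
if (-not $history) { throw 'History shell folder is not available for this profile.' }

$entries = Get-ShellHistoryEntries -Folder $history

# Keep only local files (file:/// addresses) of the types named in the allegation.
$entries |
    Where-Object { $_.Address -like 'file:*' -and $_.Address -match '\.(zip|exe|jpe?g)$' } |
    Sort-Object Bucket, Name |
    Format-Table Bucket, Name, TimesVisited, LastVisited, Address -AutoSize
```

Two caveats a practitioner should keep in mind when relying on this view. First, it is browser history: the "Days to keep pages in history" setting in Internet Options (20 days by default) prunes old entries, and "Delete browsing history" clears them, so an empty folder means only that nothing survived, not that nothing was opened. Second, the view is rendered from a backing store (WebCacheV01.dat under %LOCALAPPDATA%\Microsoft\Windows\WebCache on Windows 8 and later, index.dat under History\History.IE5 on Vista and 7) that stays locked while the user is logged on; for a preserved copy, take it from a volume shadow copy (for example esentutl.exe /y <path> /vss /d <copy>) or from an offline image. Also note which files you open yourself while working on the live machine, because those opens add entries of their own.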
How can this artifact be useful in forensic investigations? Here are several ways it can support and speed up a digital forensic investigation:
- File Execution Tracking: the investigator can identify which files the user opened or executed.
- Execution Timestamps: it shows when specific files were executed (e.g., when a video was played).
- Last Accessed Details: investigators can determine the last time a user accessed or executed a file or folder.
- Time Efficiency: this artifact reduces investigation time. Instead of searching through the registry and trying to recall complex
- No Additional Tools Required: there is no need for commercial or freeware tools to parse data such as ShimCache, ShellBags or UserAssist; the information is readily available in the History folder.
- Multi-Extension Support: unlike RecentDocs (which primarily tracks documents), this artifact covers a wide range of file types and extensions.
- No Dependency on Event Logs: you don't need to rely on event logs to determine which files were executed and when; it is all available within this artifact.
“What other secrets are hidden inside the OS… just waiting for someone to notice?”