Hello, and welcome back to course three of Windows Registry Forensics. In this course we're going to cover the NTUSER.DAT file. Remember, this file contains the settings and preferences for a user on the system, and it also tracks quite a bit of user activity, as we're going to see throughout the course. Each user on the system has their own NTUSER.DAT, specific to that user. Throughout this course we are going to locate the mounted volumes specific to a user, which will include some removable devices; learn how to interpret the most recently used (MRU) lists; examine the UserAssist key; locate user search terms; and find and interpret some important user settings. In our first section, section one, we are going to cover the RecentDocs sub key. RecentDocs shows us whether a user accessed, used or created a document. The entries are broken out by file type, as we'll see when we look at the sub keys, and they are specific to the user, so they show user interaction with a file, which can be very important to a forensic investigation.

What have we covered so far? In section one we took a look at the live registry. In section two we prepared our environment by downloading the specialized tools we're going to use shortly. In section three we located and exported the registry files. In section four we located and interpreted the system time from the SYSTEM hive, and we located and interpreted the current control set using the Select key, which also lives in the SYSTEM hive. Then, moving to the SOFTWARE hive, we located and interpreted the OS version and install date. The tools we are going to use today are Registry Browser and Registry Explorer. So go ahead and bring up Registry Browser; again, that's the gold cube icon.
Once you've done that, load the files we exported: go to File, Open Registry, and navigate to where you saved them. If you saved them to your desktop, that's fine; we named the folder so we would know it was associated with Registry Browser, so if we have the RB exported registry folder, select the Windows folder inside it and click OK. Once it's loaded, expand HKEY_USERS. We're going to navigate to the RecentDocs sub key in the NTUSER hive. Pick 1001 here, that is the user we're going to look at, Ivan, and expand it. Then expand Software, Microsoft, Windows, CurrentVersion, Explorer, and highlight RecentDocs. When we do that, the pane in the upper right will populate; those are our RecentDocs values. Go ahead and expand the key so we can see its sub keys, but for a moment we're just going to look at the main key. We can see the value data, and it is shown in hex. One thing to be aware of here: these values are not obfuscated, they are binary. Each numbered value holds the document name as null-terminated UTF-16LE text, followed by a shell item that carries the name of the .lnk (shortcut) file, which is why the hex pane is hard to read. (ROT13, where each letter is rotated 13 places, is the light obfuscation used by the UserAssist key, which we'll cover later in this course; it is not used in RecentDocs.) The first thing we're going to look at is the MRUListEx value. Looking at the hex pane, we can see it holds a series of four-byte values, and each of them refers to one of the numbered values in this key, most recently used first, with FF FF FF FF marking the end of the list. The first entry is the four-byte value at the start. These are read little-endian, so you read the bytes from right to left: this value is 00 00 00 3C. You don't have to follow me through this if you don't want to.
Bring up the Windows calculator and change the view to Programmer if you're not already there. Select HEX, type 3C, switch to DEC, and we get 60. So the first document is value 60. Scroll down in the value list; they are usually read from the bottom up, and there it is, 60. This shows us it was Local Disk F, and it was a link file. The next document accessed is an untitled PDF. Keep going up: another link file, an Outlook link file, ophcrack, Downloads. As you can see, this isn't so easy to read, and shortly we'll look at another tool that makes it easier. First, though, I want to explain the sub keys. They are broken out by file type (I said folder type; I mean file type), plus a Folder sub key that tracks the directories the documents are located in. Each sub key has its own MRUListEx, and you interpret it the same way. Take the Folder sub key: go to MRUListEx and look at the first value. Read little-endian it is 0F, and 0F hex is 15, so value 15 is the folder or directory most recently accessed, and it is the F volume we were just looking at. The entries in the main RecentDocs key and the entries divided out by file extension and directory duplicate each other, but they tell you different things: the main key gives the overall order in which documents were accessed, and the sub keys give the order for one specific file type. The next sub key is .zip, with a short MRUListEx of 2, 1, 0. So value 2 is the most recent document; it's ophcrack, a link file that probably points to a zip.
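Here is the interpretation we just walked through by hand, as an added example. It is not part of the course material and not code from Registry Browser or Registry Explorer; it is Python rather than the GUI tools, and the key contents are constructed to mirror the layout described in the lesson (the value numbers and document names are assumed, not Ivan's real data). It reads MRUListEx, converts each four-byte little-endian index the way we did on the calculator, pulls the target name and the .lnk name out of each numbered value, and does the same for the .zip and Folder sub keys:

```python
"""Interpret a RecentDocs key the way the lesson does by hand.

Added example, not part of the course material or of either tool. The key
contents below are CONSTRUCTED to mirror the layout described in the lesson
(they are not exported from Ivan's NTUSER.DAT), so the names are assumed.
"""
from __future__ import annotations
import struct

TERMINATOR = 0xFFFFFFFF          # ends every MRUListEx


def build_mrulistex(*order: int) -> bytes:
    """Constructed MRUListEx: 4-byte little-endian indexes, most recent first."""
    return b"".join(struct.pack("<I", i) for i in order) + struct.pack("<I", TERMINATOR)


def build_recent_value(target: str, lnk: str) -> bytes:
    """Constructed RecentDocs value: null-terminated UTF-16LE target name, then a
    simplified file shell item (type 0x32) carrying the ASCII .lnk name. Real
    items carry more fields; only the ones this parser relies on are set."""
    name = target.encode("utf-16-le") + b"\x00\x00"
    body = struct.pack("<BBIIH", 0x32, 0, 0, 0, 0) + lnk.encode("ascii") + b"\x00"
    item = struct.pack("<H", len(body) + 2) + body
    return name + item + b"\x00\x00"          # terminal empty item


def parse_mrulistex(data: bytes) -> list[int]:
    """The calculator step, automated: read each 4-byte group little-endian
    (3C 00 00 00 -> 0x3C -> 60) until the FF FF FF FF terminator."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def parse_recent_value(data: bytes) -> tuple[str, str | None]:
    """Split one numbered value into (target name, .lnk name)."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2                                  # UTF-16LE: 2-byte code units
    target = data[:end].decode("utf-16-le", errors="replace")
    marker = data.find(b".lnk\x00", end)          # ASCII name in the shell item
    if marker == -1:
        return target, None
    start = marker
    while start > end and 0x20 <= data[start - 1] < 0x7F:
        start -= 1                                # walk back over printable ASCII
    return target, data[start:marker + 4].decode("ascii")


def mru_order(key: dict[str, bytes]) -> list[tuple[int, int, str, str | None]]:
    """Rows of (MRU position, value index, target, lnk), most recent first,
    which is the order Registry Explorer's RecentDocs view shows."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(key["MRUListEx"])):
        raw = key.get(str(idx))
        if raw is None:                           # index with no matching value
            rows.append((pos, idx, "<missing value>", None))
            continue
        target, lnk = parse_recent_value(raw)
        rows.append((pos, idx, target, lnk))
    return rows


def report(recent_docs: dict[str, dict[str, bytes]]) -> dict[str, list]:
    """Main key plus every extension/Folder sub key, each in its own MRU order."""
    return {name: mru_order(key) for name, key in recent_docs.items()}


# CONSTRUCTED key. Value numbers are deliberately non-contiguous so the
# MRUListEx has to be read rather than assumed; 60 (0x3C) is the most recent,
# the same case worked through on the calculator.
RECENT_DOCS = {
    "RecentDocs": {                               # overall list, all file types
        "MRUListEx": build_mrulistex(60, 7, 3),
        "60": build_recent_value("Local Disk (F:)", "Local Disk (F).lnk"),
        "7": build_recent_value("Untitled.pdf", "Untitled.lnk"),
        "3": build_recent_value("ophcrack.zip", "ophcrack.lnk"),
    },
    ".zip": {                                     # one extension sub key
        "MRUListEx": build_mrulistex(2, 1, 0),
        "2": build_recent_value("ophcrack.zip", "ophcrack.lnk"),
        "1": build_recent_value("tools.zip", "tools.lnk"),
        "0": build_recent_value("evidence.zip", "evidence.lnk"),
    },
    "Folder": {                                   # directories, not documents
        "MRUListEx": build_mrulistex(15, 4),      # 0F 00 00 00 -> 15
        "15": build_recent_value("Local Disk (F:)", "Local Disk (F).lnk"),
        "4": build_recent_value("Downloads", "Downloads.lnk"),
    },
}

if __name__ == "__main__":
    for subkey, rows in report(RECENT_DOCS).items():
        print(subkey)
        for pos, idx, target, lnk in rows:
            print(f"  MRU {pos}: value {idx:>3} -> {target} ({lnk})")
```

Two things to notice when you run this against real data rather than the constructed key: the loop stops at the FF FF FF FF terminator instead of trusting the value's length, and an index in MRUListEx with no matching numbered value is reported rather than skipped, since that mismatch is itself worth noting in a report. The .lnk name is pulled out by locating the ASCII ".lnk" inside the shell item rather than by parsing every shell item field, which is enough for RecentDocs but is not a general shell item parser.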
You can see the file names themselves down in the hex pane. If we look at .png, which is going to be pictures, again we have three entries in the MRUListEx, with 2 being the first one: an untitled PNG, a gun PNG, and another link. Same thing with .pdf: we interpret the MRUListEx, which will usually start at the bottom of the value list, and you can look through and see the different PDFs that were accessed. The same is true for .jpg, where the first entry is 05, working our way up, and for .gz it's the same thing, 2, 1, 0. Now let's look at this in a different tool that may give us a little more information and be easier to interpret. Minimize Registry Browser, or close it for now, and open Registry Explorer, the green cube icon. I already have it open; let me close what's loaded really quick. Go to Bookmarks at the top, then Common. Registry Explorer has built-in bookmarks for commonly used artifacts, and there is one for RecentDocs, so click it and it will take you straight to the RecentDocs sub key. When we expand it, we see the same sub keys we saw in Registry Browser. One thing to be aware of: in Registry Browser, decimal 60, the value we found with the calculator, was our first entry, a link to Local Disk F, and we read from the bottom up. Registry Explorer lists them top down and interprets them for you, which makes them easier to read. It also breaks out the target name and the link name, and gives you some dates and times: Opened On and Extension Last Opened On. Extension Last Opened On comes from the extension sub key.
When we looked at it by extension in Registry Browser, that is the sub key whose value is being pulled in and shown to you here. Those times come from the last-write timestamps of the RecentDocs key and of the extension sub key, so they tell you when the most recent entry in each list was written, not when every entry in the list was opened. All the other values are interpreted for you as well. So we can see F, the untitled document, the internet, Outlook, and if you go through here you can see what the user was doing and find documents that may be relevant to your case. As I said, this is the overall list, so it has different file extensions mixed together. If you're interested in one extension, say you only care about PDFs, you can find the most recently accessed PDF file; again, that's the untitled PDF link, with several other files under it, and Registry Explorer gives us the MRU position, which is the actual order. The same goes for PNGs, zip files, and then Folder. For Folder it gives you the time from the Folder sub key, and it would also give you an extension if there was one, but these are all link files, so there isn't. This is a lot easier to read, a lot easier to see your dates and times, and we have both the target name and the link name. They can differ, though I don't see much difference in the ones we have here. Another nice thing about this tool: under Tools we can search if we're looking for a specific entry, there is a data interpreter if we want to interpret hex data, and besides this pretty view we can go back to the not-so-pretty view under Values, which shows the binary data we saw in Registry Browser. If you click MRUListEx there, you'll again see 3C, which we interpreted as 60, and you can see that the plugin has reordered the entries for us: 60 was the first one, and 60 is at the top over here.
So in that view you would have to look at the list and interpret each four-byte value yourself. What makes this tool nice is that it puts it all in order for us in a human-readable tab, which is extremely helpful. That concludes our look at the RecentDocs sub key. In the next section we will take a look at the TypedURLs sub key.