Hello. Welcome back to Windows Registry Forensics, Course 3, the NTUSER.DAT hive, section 6, the ComDlg32 subkey. This key tracks application usage. It contains four subkeys, which we're going to look at very shortly. Before we do so, let's have a quick review of what we've covered so far. Remember our RecentDocs key from back in section 1: recently used documents tied to a specific user. The TypedURLs subkey: entries typed into the Internet Explorer URL bar. We also looked at the UserAssist key, which shows application usage by a user. RecentApps, which again is an indication of user application usage; it even shows us some of the files that were accessed with certain applications. Then the Run and RunOnce subkeys. The Run key and the RunOnce key show us programs that are set to run at startup, the Run key being persistent and the RunOnce key only running once. In this section, we're covering ComDlg32, which has four subkeys. The first subkey is CIDSizeMRU. The second subkey is FirstFolder. Under that is LastVisitedPidlMRU, and then OpenSavePidlMRU. This last subkey does have additional subkeys beneath it, as we're going to see very shortly when we take a look at it. Here's a graphical representation of the folder structure for this subkey. At the very top level we have ComDlg32. Beneath it we have CIDSizeMRU, FirstFolder, LastVisitedPidlMRU, and then OpenSavePidlMRU. Beneath OpenSavePidlMRU there are additional subkeys for individual files by extension. We also have that asterisk key, which we're going to talk about in a minute. You can see here that you do have dates and times associated with the subkeys. The first of the subkeys we'll look at, CIDSizeMRU, tracks applications globally. It contains an MRU order and a key last-write date. The MRU order starts at zero and numbers up from there.
There will be a date and timestamp for the most recent entry only. The FirstFolder subkey tracks the installation location of applications; it gives you the full path to the application. ComDlg32\LastVisitedPidlMRU tracks the applications that were used to access the files in the OpenSavePidlMRU subkey, that is, the applications used to open the files in the subkeys beneath OpenSavePidlMRU. It tracks the locations where the file existed, but it does not track the specific file: you will get a directory, a location in which that file was at one point in time, but you will not get an exact filename. This includes files that are no longer on the system, so it is a good place for historical data also. Each value also tracks the directory location for the last file that was accessed by the application. The data in this key is stored in a binary format. This corresponds to the actual Open/Save dialog box on your computer: when you open or save a file, bring up the Save As dialog, and click where you want to save it, this key tracks the last directory used by that application to open or save the file. It keeps its own MRU list, and it has a last-write timestamp. ComDlg32\OpenSavePidlMRU tracks the files that have been opened or saved within a Windows Open/Save dialog box. When the Open or Save As dialog pops up from the Windows Explorer type dialog box, this is where that information is stored. This key is also responsible for tracking the auto-complete terms. It contains a number of subkeys underneath it, like we saw a couple of slides earlier. This is an example of the Open/Save auto-complete; this would be the Open/Save dialog box.
If I were using this right here to save a PDF file, and I'm saving it to this particular folder, the next time I want to save a PDF document it's going to go to this particular folder. It does remember that, and it will go to the last folder used by the application. The auto-complete box is what you see down here at the bottom, right underneath the filename. All I typed in here was an F and it gives me an auto-complete. Now if I just go ahead and click on the auto-complete, that will also be recorded under this subkey, the OpenSavePidlMRU subkey. The one subkey with the asterisk, like we saw earlier in the slides, tracks the last 20 files of any extension, including files that don't have an extension. The rest of the subkeys are by file extension. Let's open up Registry Explorer and take a look at this key. If you haven't already done so, please load your NTUSER.DAT for Ivan, the one we exported from the Ivan image, into Registry Explorer. Click "Open," and it will load. We're going to expand ROOT, then Software, then Microsoft, then Windows, then CurrentVersion, then Explorer. We're going to scroll down and find our ComDlg32 subkey. As we can see here, we see those four subkeys that we talked about earlier: CIDSizeMRU, FirstFolder, LastVisitedPidlMRU, and OpenSavePidlMRU. If I go ahead and expand OpenSavePidlMRU, I see the subfolders, including that asterisk folder we talked about, which again stores 20 files. Numbering starts at zero and runs through 19. Let's start at the top. Let's click on CIDSizeMRU. It is showing us programs that were used by this particular user, because it's in their NTUSER.DAT hive, and it's showing us the most recently used programs. It does have a key last-write time, as we can see: 2017, June 13th, and a time of 21:55. We do have an MRU order.
There's no list here; it is just ordered 0, 1, 2, 3, 4, with 0 being the most recent, the last written, and we have the last-write time. FirstFolder is, again, showing us where the programs are installed. In this key we can see chrome.exe is in C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, and we also have a date and time for that. LastVisitedPidlMRU is showing us the applications that were used to open the files that are going to be saved in OpenSavePidlMRU. These are the applications that were used to open or save the files listed there. Now when we click on OpenSavePidlMRU, we see we have quite a few files here. When we click on the asterisk, we're going to get an MRU list. This is an MRU list like we've seen in previous MRU lists: if we were looking at the hex we would read from the bottom up, but it is ordered for us starting at zero, and we should have 19 entries in here, which we do. We are going to need to look at the hex to see what they are. Entry 0 would be gun.png. Then we can go through and look at the other entries, because some of these may be important to your case. This is tracking files of any extension, in the order that they were accessed. We do have a last-write time for the key itself, but that would only tell us the last-write time of the last accessed file. If we look at the extension-specific subkeys, we can get a little more granular. Again, we do see that they have an MRU list starting at zero, and they have a key last-write time. If we look into the pdf subkey and take a look at entry 14, we can see we have a Google Drive path with a reference to snowdensbox.pdf. We've seen this before when we were looking at other keys, specifically when we looked at RecentApps. I may not have a date and time for this particular entry. I do have a last-write time on the key, but that's only going to give me the time of the last written entry, which would be entry zero.
But I may be able to find a time for this file if I look elsewhere. Let's go to our bookmarks for a second. We're going to go to RecentApps. When we look in RecentApps, we're going to expand it, go down to that RecentItems subkey, and look for snowdensbox.pdf. We find it here, and we see we have a last access time. Now, again, we would have to translate the hex. I'm going to bring up Decode and translate that. I get a date and time of Tuesday, June 13th, 2017, at 21:15 UTC. This is one way that we can put our pieces together. You could probably go back to RecentDocs and take a look at this particular document also, because I believe it showed up under there too, or even UserAssist. But here's a way to correlate your information and confirm your findings throughout the file system, and gain a little more insight into what you're looking at. If that particular PDF was of interest to your case, you can gain a lot of information about that one document. Now I know that it was opened by one of these applications. It's showing me the last folder, the last directory that was accessed using this particular application. We want to start putting the pieces together to form a picture of user activity on the computer. Remember, the list of files recently opened directly from Windows Explorer is stored in our RecentDocs subkey, which we covered in section 1.
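To show how the MRU order and the binary timestamps handled above are decoded outside the tool, here is an added Python example (not part of the course material) that parses a constructed MRUListEx value, pulls the application name from a constructed LastVisitedPidlMRU-style value, and converts a constructed FILETIME to UTC. The sample bytes are made up for illustration, and the PIDL portion is treated as opaque rather than parsed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of an MRUListEx value: little-endian DWORD indices,
# most recent first, terminated by 0xFFFFFFFF. Here entry 2 is most recent.
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)

# Constructed LastVisitedPidlMRU-style value: a null-terminated UTF-16LE
# executable name followed by PIDL bytes (opaque filler here, not a real PIDL).
SAMPLE_LAST_VISITED = (
    "chrome.exe".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50\x00\x00"
)

# Constructed FILETIME (100 ns ticks since 1601-01-01 UTC), stored little-endian
# as a RecentItems LastAccessedTime value would be.
SAMPLE_FILETIME = struct.pack("<Q", 131418621000000000)


def parse_mrulistex(data: bytes) -> list[int]:
    """Return value indices in MRU order (first element = most recent)."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore any trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:  # list terminator
            break
        order.append(idx)
    return order


def app_name_from_last_visited(value: bytes) -> str:
    """Extract the executable name that precedes the PIDL in a LastVisitedPidlMRU value."""
    for i in range(0, len(value) - 1, 2):  # scan on UTF-16 code unit boundaries
        if value[i : i + 2] == b"\x00\x00":
            return value[:i].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator found")


def filetime_to_utc(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME to a timezone-aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)


if __name__ == "__main__":
    print("MRU order:", parse_mrulistex(SAMPLE_MRULISTEX))
    print("Application:", app_name_from_last_visited(SAMPLE_LAST_VISITED))
    print("Last accessed:", filetime_to_utc(SAMPLE_FILETIME).isoformat())
```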