Hello and welcome back to Windows Registry Forensics, course seven: the UsrClass.dat hive, section two. In this section, we're going to be looking at the MuiCache and ManagedByApp subkeys. And again, just to reiterate, every user on the system will have their own UsrClass.dat file, and the file path to UsrClass.dat within the file system will be C:\Users\(User Name)\AppData\Local\Microsoft\Windows. Look to the right and you'll find your UsrClass.dat hive. In this section we're going to be looking at installed and executed applications for a particular user, and that's going to be in MuiCache. And for the Microsoft Photos app recent files, we're going to look at the ManagedByApp subkey. Section two, UsrClass.dat hive: ManagedByApp and MuiCache. Okay. ManagedByApp: this subkey tracks images opened with a Microsoft application. What we're going to be able to see in here is a volume GUID, and we saw volume GUIDs in other sections of this course, and we're going to take a look at the volume GUIDs and how they track back to other things we've looked at throughout this path. It also will give us a full file path to where the file is located within the file system, and we're going to get a date and time, which is very helpful. The subkey name is ManagedByApp and the location, it's kind of buried in there, is a little long: Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\PersistedStorageItemTable\ManagedByApp. We are going to use our bookmarks to navigate to that, but you do need to know where it is located. MuiCache is going to be located in Local Settings\Software\Microsoft\Windows\Shell\MuiCache, and this is going to show us user-specific program execution. Unfortunately, we're not going to have a date and time in MuiCache. We will have a key last write date and time, but not a specific date and time for each individual application. For our walkthrough, we're going to cover ManagedByApp and MuiCache.
What we're going to need for this walkthrough is Registry Explorer, DCode, and Ivan's UsrClass.dat hive file. Optional things: we can have Ivan's NTUser.dat and SYSTEM file and ShellBags Explorer. I'm going to show you how things start to connect together and how we can put several artifacts together to determine conclusively that a user did or did not take a specific action, which is kind of the whole point of computer forensics. We're going to start with Registry Explorer, and you can go ahead and load your hives in. At the very least you're going to need the UsrClass.dat for Ivan, and optionally the NTUser.dat and the SYSTEM file. Again, we would go to File, Load hive, navigate out to where that hive is on our system, click Open, and the hive will open. So the first key we're going to cover is going to be ManagedByApp. We're going to use our bookmarks, because that was the one with the very long key path, and we're going to go ahead and click on ManagedByApp. Now underneath here, you can see a lot of GUIDs. We also see that we do have a last write timestamp. We're going to take a look at the first GUID. When we look at what's labeled here as the value named FilePath, we see a volume GUID, and this volume GUID should probably look familiar to us, and we can see next to that a folder called Camino del Rey, and then we have the name of an image. Also, down in the metadata, we have the complete file path, which is showing us an E drive, the folder Camino del Rey, and the name of the image. We also have a last update time, and this again we're going to be able to decode using our DCode app. So go ahead and bring up DCode. Once we've brought up DCode, we're going to put in the value that we see here in the update time, and we're going to hit Decode, and we get a date and time. Now let's compare this date and time to our key last write date and time.
And we can see that they are indeed the same: February 15th at 18:27:23 UTC. And we have the same time for our key last write time too. So we know that our key last write timestamp is accurate. Go ahead and close DCode. Now, you may remember we did see this when we looked at our ShellBags. So we're going to go ahead and bring up ShellBags Explorer. Once we've brought up ShellBags Explorer, if you don't have it loaded, go ahead and load the UsrClass.dat hive for Ivan. Now we're going to take a look here again at our E drive. So we would expand My Computer, highlight our E drive, and we can see the folder Camino del Rey, and we can see the last write date and time, the last interacted with date and time. And we can see that that date and time is very similar, less than a minute difference between this date and time for last interacted and the last write date and time we had on our key in Registry Explorer. So we see a reference to that here in Ivan's ShellBags in his UsrClass.dat hive. If we go ahead and expand the drive and highlight the Camino del Rey folder, you can see the file path, and we can see our last interacted with date and time again. We do see what type of file system it is and we do see an MFT entry number, but we don't see any identifiers for the particular volume that we're looking at besides the drive letter. So we need to look a little further here. So we're going to go ahead and go back to Registry Explorer. We're going to close up ManagedByApp for a second. We're going to close up our UsrClass.dat hive, and we're going to go ahead and open our NTUser.dat hive. We're going to use our bookmarks and we're going to navigate to MountPoints2. We're going to expand MountPoints2, and we can see we have our volume GUIDs. We saw a reference to this GUID when we looked at the ManagedByApp subkey in the UsrClass.dat hive, and we see the same GUID in MountPoints2. I'm going to go ahead and now look at the SYSTEM file. So I'm going to expand the SYSTEM file.
We'll go ahead and use our bookmarks. We're going to navigate to USBSTOR in our SYSTEM file. We're going to expand USBSTOR, we're going to highlight the C eight entry, we're going to expand the serial number, expand Device Parameters, and we're going to look at our PartitionTableCache, because that's where we found our GUID. And if you remember, we had to navigate down past the FFs and the 00s for the second entry, and we wanted the second 16 bytes of data. The first 16 bytes, we said, would be our partition type identifier, the type of partition, and in this case it is a basic data partition; the next 16 bytes of data is going to give us our partition GUID, which is unique to that partition. We bring up the data interpreter, and when we interpret that as a GUID, we get the same GUID, the same volume GUID that we are looking at in the UsrClass.dat file under the ManagedByApp key. So now we can definitively say that that picture, that JPEG, was on this thumb drive. This thumb drive is connected to the Ivan user account by both the UsrClass.dat file and his NTUser.dat hive. We also know, when we look at USBSTOR, the serial number. If we highlight the serial number and expand Properties, we're going to get a whole lot more information too. We have the container ID, we have a class and a driver GUID in here, we have a friendly name, and we have a hardware ID. If we expand Properties and go down to that key that starts with 83DA and expand that, we now have all of its connection times: we have the first installed time, we have the last installed time (if the drivers were updated or it was reinstalled), we have our last connected time and our last disconnected time, the last time the thumb drive or hard drive was attached to the system and the last time it was disconnected from the system.
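Here is an added example, not part of the course material or any of the tools mentioned, that does by hand the two interpretations described above: reading a PartitionTableCache entry as a partition type GUID followed by a partition GUID, matching that partition GUID against the volume GUID in a ManagedByApp FilePath value, and decoding a last update time. The sample bytes and path are constructed; the FilePath string layout and the update time being a little-endian FILETIME are assumptions, since the lecture only shows them in the GUI tools.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# Well-known GPT partition type GUID for a Microsoft basic data partition.
BASIC_DATA_PARTITION = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def guid_from_registry_bytes(raw16: bytes) -> uuid.UUID:
    """GUIDs in registry binary data are stored mixed-endian, which bytes_le expects."""
    return uuid.UUID(bytes_le=raw16)

def parse_partition_entry(entry: bytes) -> dict:
    """Split one PartitionTableCache entry the way the lecture reads it:
    first 16 bytes = partition type GUID, next 16 bytes = partition GUID."""
    ptype = guid_from_registry_bytes(entry[:16])
    return {
        "type_guid": ptype,
        "is_basic_data": ptype == BASIC_DATA_PARTITION,
        "partition_guid": guid_from_registry_bytes(entry[16:32]),
    }

def volume_guid_from_path(file_path: str) -> Optional[uuid.UUID]:
    """Pull the {GUID} that prefixes a ManagedByApp FilePath value (assumed layout)."""
    m = re.search(r"\{([0-9a-fA-F-]{36})\}", file_path)
    return uuid.UUID(m.group(1)) if m else None

def photo_on_device(file_path: str, partition_entry: bytes) -> bool:
    """True when the photo's volume GUID equals the USBSTOR partition GUID."""
    return volume_guid_from_path(file_path) == parse_partition_entry(partition_entry)["partition_guid"]

# Constructed sample data (not taken from the Ivan image).
SAMPLE_PARTITION_GUID = uuid.UUID("a1b2c3d4-e5f6-4789-8abc-0123456789ab")
SAMPLE_ENTRY = BASIC_DATA_PARTITION.bytes_le + SAMPLE_PARTITION_GUID.bytes_le
SAMPLE_FILEPATH = r"\\?\Volume{a1b2c3d4-e5f6-4789-8abc-0123456789ab}\Camino del Rey\IMG_0001.jpg"
SAMPLE_UPDATE_TIME = (116444736000000000).to_bytes(8, "little")  # FILETIME of 1970-01-01 00:00:00 UTC

if __name__ == "__main__":
    print(parse_partition_entry(SAMPLE_ENTRY))
    print(photo_on_device(SAMPLE_FILEPATH, SAMPLE_ENTRY))
    print(filetime_to_datetime(SAMPLE_UPDATE_TIME).isoformat())
```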
So if you were doing an illicit image case or a child exploitation case, this would be a goldmine for you, to be able to say definitively that those pictures, those images, were on this device. In this case it's removable media, but it would still be recorded in the UsrClass.dat hive under ManagedByApp even if the photo resided on the local machine. So let's go ahead and go back to our UsrClass.dat hive, go back to our bookmarks and go back to ManagedByApp for a second, expand it, and we can see the volume GUID, the folder and the file name. We can see the drive letter that it was mounted to. We can see the last update time, which we verified corresponds with the key last write date and time. So we have shown for a fact that this particular photo resides on this drive connected to the Ivan user account. We also know all the times related to that drive: the first install, the last install, the last connect and the last disconnect time. We have the volume serial number, which we got from the SOFTWARE file. We have the volume name, which again we got from the SOFTWARE file, and EMDMgmt is where we got the volume serial number. We have the device serial number, which we got from USBSTOR. We have the container ID, which we got from USBSTOR. We have the drive letter, which we got from MountedDevices, and we had that GUID, the volume GUID, which we got from PartitionTableCache. So we know for a fact that this drive contains this file, it's connected to the Ivan user, and we have a lot of information concerning the drive itself. So if that drive was not recovered as part of your initial seizure, you could go back and get it or ask that it be turned over, and if it was collected as evidence, you would examine that device. Now, all these GUIDs do relate to the same folder, and they all contain different files, different JPEG image files. There were quite a few of them.
If there were other photos opened on the Ivan computer using a Microsoft application, you would see those photos here too. They are not always going to resolve back to the same folder or even back to the same place in the file system; that just happens to be the case with our Ivan image. So this is a goldmine of information. And I want you to see how you can start connecting an artifact found in UsrClass to an artifact found in SYSTEM or SOFTWARE or NTUser, and using all this evidence, we can put it together and definitively say a user did or did not take a specific action. Let's go ahead and now look at MuiCache, and the key path for MuiCache is going to be under Local Settings\Software\Microsoft\Windows\Shell\MuiCache. We can see that we do have a last write date and time stamp, but this is for the key, not the individual applications. We do not have a date and time stamp for the individual applications themselves. We do have some description, some additional description, as well as a file path here. We can see the full file path to the application. We know this application is connected to this user account: some type of interaction with the shell occurred by this user account, so these applications were executed by this user account. And we also have a Data column which gives us a description of what each of these applications is. We can see LibreOffice in here, we can see Internet Explorer, and some of these are DLLs, dynamic link libraries. But you can scroll through here and see the applications that were launched by the user. And even if these applications are removed, if the user deletes them, uninstalls them, gets rid of them, they are still going to be able to be found here.
Well, for instance, if someone was using some type of anti-forensic application, say CCleaner, or if they were doing some type of steganography and using a steganography application, and then they deleted it from their computer because they didn't want anybody to find out they were using it, you would still be able to see it here if it was executed under that user account. So this can be a very important piece of information when you're doing your investigation, because you may not be able to find any other indication that that application was ever even on the system if the user did a really good job cleaning it up. But it would still be able to be found here. So this is a place you always want to take a look when you're doing your investigation to see what applications the user has run. Unfortunately, we don't have an individual date and time stamp of when this application was run, but we know the application was run in connection with this particular user account, depending on which UsrClass.dat hive file you're looking at. In our next course, we're going to cover the Amcache hive. And there's a lot of information in the Amcache hive.