Welcome back to Windows Forensic Registry course three, section two. In this course we are covering the artifacts contained in the NTUSER.DAT hive file. And in this section we will be covering the TypedURLs subkey located in the NTUSER.DAT hive.
Before we get started, let's just do a quick review of what we've covered so far. In course two, we looked at the live registry, and we prepared our environment by downloading specialized tools so we can examine the registry. We located and exported registry files within our image file. We located and interpreted the system time located in the SYSTEM hive file. We also located and interpreted the current control set using the Select key in the software hive, and staying in the software hive, we located and interpreted the OS file type.
Here is what we've covered in course three so far: in our first section in course three we were still covering the NTUSER.DAT hive. And we looked at the RecentDocs subkey; we also looked at MRU lists and how we interpret them.
In this section, section two of course three, we're going to talk about typed URLs. The TypedURLs subkey located within the NTUSER.DAT hive becomes populated when a user types a URL into the Internet Explorer address bar. It can also be populated using the AutoComplete function, or through choosing a selection in the drop-down menu. Here is a quick demo of this, so you can see what it looks like when you type in the address bar. You would get selections in your drop-down menu, and if I clicked on trump or today that would populate. Also in the AutoComplete. So however it is selected, through the AutoComplete, the drop-down menu, or you completely type the URL out itself, you will get an entry in the TypedURLs key.
In older versions of Internet Explorer, IE 6 and below, the key will be written if the browser is closed normally. If the process is killed through Task Manager or command line, the entries will not be written.
In newer versions of IE, Internet Explorer, these values are written in real time. Websites that are accessed through the IE, Internet Explorer, favorites are not recorded in the TypedURLs subkey. And if somebody clears history via the IE options menu, Internet Explorer options menu, the key itself will be completely removed.
You also want to keep in mind that another way this key could be populated is if an intruder breaches and accesses Terminal Services and uses a web shell. These entries will be recorded in the TypedURLs subkey, and this may give you some insight into the intruder's activity on the system.
As we're going to take a look at here right now, the key is also populated by default when a user logs into Windows and launches IE for the first time; there is a single entry that will be populated in that key. So let's go ahead and launch Registry Explorer, if you haven't already done so. And go ahead and load your Ivan.NTUSER hive, wherever you saved that out to on your system; just go to it, select it and load it. Once you've done that, let's go ahead and expand that one.
So we're going to find the path now to where the subkey is within the NTUSER.DAT file; we're going to find the TypedURLs subkey. We're going to expand NTUSER, going to expand the root, we're going to expand Software. Once you've expanded Software, we're going to expand Microsoft. We're then going to scroll down and expand Internet Explorer. And now we're going to search for our TypedURLs, and we can see it is located down here.
We will take a look at the data that is populated on the right-hand side of the page; you see only one entry. And another thing that's really interesting is you don't see any times associated with this entry. This is that default entry that is just there; when you launch IE for the first time, this is going to be the homepage you go to.
So if you were writing your report and you said that the user had typed this or somehow the user had caused this to happen, either through AutoComplete or the drop-down menu, or that it was some type of intruder that did it, you would be incorrect. This is one of those things that is just there, and we want to make sure we're aware of that.
Now you don't have this image, but I'm going to just show you. I'm going to go ahead and use the bookmarks and go to the TypedURLs subkey in this image. And we're going to see it populate on the right-hand side, and we're going to see timestamps here. Where this tool is pulling these timestamps from is this key directly under it called TypedURLsTime. And it's interpreting these times and putting them into our typed URL times. So we do have a timestamp for each of these URLs. Now the most recent one is going to be right up here at the top, and we can see that was on June 2, 2018 at this particular time.
If you were to add a new timestamp, if you were to go and type a new address into this IE Explorer, what would happen is that new entry would come to the top and all these entries would be pushed downward. So your newest entry is always going to be on top, and you can see very clearly all the websites that were accessed. And this will give you some type of idea of what the user was doing on the system. You can see delta.com. And then you can see some restaurants googled, you can see some stores. So this will give you a good idea of what the user was doing or may have been doing on the system.
This key will hold up to 25 entries, and once it reaches 25 entries it's going to start to overwrite. And you might have noticed we have a slack, file slack tab over here, which is showing us entries that were overwritten, but you may still find some data here in the file slack that could be useful. You take a look through and see what we have here.
We do have some that are somewhat recognizable; I have one that's wings.com. So you will be able to see some partial entries in the file slack, and some of that may be of interest to you. This will only hold 25, so if your user has done more than 25 entries, they are going to start to overwrite.
Now remember this applies only to Internet Explorer; we would have to look elsewhere for other browser artifacts. And that is generally outside of the registry in the OS area and also in the UsrClass.dat subfolder, which we will look at shortly. And in the UsrClass.dat subfolder, there will be some more information regarding other websites. But to get your complete histories, you're going to have to look outside the registry in the operating system.
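
Added example, not part of the course material: a sketch of the pairing the lecture describes, joining each TypedURLs value to the same-named value under TypedURLsTime and decoding its timestamp. It assumes the two keys have already been exported from the hive as name-to-data dictionaries and that each time value is an 8-byte FILETIME; the function names and sample values are constructed for illustration.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
URL_NAME = re.compile(r"^url(\d+)$", re.IGNORECASE)


def filetime_to_utc(raw):
    """Decode 8-byte little-endian FILETIME (100 ns ticks since 1601) to UTC."""
    if raw is None or len(raw) != 8:
        return None  # missing or malformed value
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return None  # all-zero FILETIME carries no timestamp
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def pair_typed_urls(urls, times):
    """Join TypedURLs values to TypedURLsTime values; url1 (newest) first."""
    rows = []
    for name, url in urls.items():
        m = URL_NAME.match(name)
        if m:  # ignore values that are not named url<N>
            rows.append((int(m.group(1)), name, url, filetime_to_utc(times.get(name))))
    rows.sort()
    return [(name, url, when) for _, name, url, when in rows]


def _filetime(dt):  # helper used only to build the constructed sample data
    return struct.pack("<Q", int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000)


# Constructed sample values (not taken from the course image).
SAMPLE_URLS = {
    "url2": "http://homepage.example/",  # stands in for the default entry
    "url1": "http://delta.com/",
}
SAMPLE_TIMES = {
    "url1": _filetime(datetime(2018, 6, 2, 14, 30, tzinfo=timezone.utc)),
    "url2": bytes(8),  # all zero: no usable timestamp
}

if __name__ == "__main__":
    for name, url, when in pair_typed_urls(SAMPLE_URLS, SAMPLE_TIMES):
        print(name, url, when.isoformat() if when else "(no timestamp)")
```

An entry that comes back with no timestamp, like the default one discussed above, should not be reported as something the user typed at a known time.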