Hello and welcome back to Windows Registry Forensics, Course 3, the NTUSER.DAT hive, section 10: user searches, WordWheelQuery. Before we get started, let's just take a quick look at what we've talked about so far, because there's a point I'm trying to get across here: there are numerous MRU lists throughout the registry, and these MRU (most recently used) lists contain entries made due to specific actions performed by the user. For instance, RecentDocs tracks recently accessed documents back to a specific user profile, and it also includes recent documents by file extension. So each file extension has its own MRU (most recently used) list, and we can get an idea of which files or which programs the user is opening, whether it's PDFs, Excel spreadsheets or Word documents. We looked at TypedURLs; what that is tracking is a URL, a web address, that the user actually typed into the Internet Explorer address bar. Whether they did it by the autocomplete function or by copy and paste, it's still something that they specifically searched for. UserAssist maintains a list of items such as programs, shortcuts and things in the Control Panel (Control Panel applets) that a user has accessed, and it makes these programs accessible to the user from their Start menu. So this is something they use often and it becomes accessible from the Start menu, so that may be very important. Recent applications: these are applications that are used by a user, and it shows some of the files that were accessed with the specific application. So that can be very important if you're looking for a specific application. Maybe it's CCleaner, maybe it's a nefarious application, maybe it's an application the user wasn't supposed to be using on their work computer. It can become very important. The Run and RunOnce subkeys can be used for malware; these are user-specific programs that are set to run at startup with no interaction from the user other than logging into Windows.
So this is what this specific user has set up to run at startup. ComDlg32 tracks application usage relating to the Open/Save dialog box in Windows Explorer. This is something they opened or saved through Windows Explorer, and most of us open or save a file through that box quite often. It also has an MRU list there. RunMRU is programs or applications that are launched through the Windows Run box, so the user actually brought up the Run box, where they ran cmd to get a command window or ran any other program from that Run box; you're going to be able to see that. We looked at TypedPaths; that's where the user actually types the path to a file, directory or application into Windows Explorer. So they obviously interacted with that program and knew that that program or file was on their computer. This can become very important, because a lot of times we don't have to just prove that something was there; we have to prove the user knew it existed, and all of these things that I talked about would help you do that. We talked about the Microsoft Office applications' recently used MRUs, and this tracks the Microsoft Office applications like Word, Excel and PowerPoint. It will give you an MRU list for each of those specific applications, which again can become very important to your case. And it's not enough to know where this information is located within the file system. It's great that you know that, and you're a step ahead of some examiners if you do know that, but it's even more important to understand how it got there. How did this information get on the computer? You need to be able to explain that. You need to know how these keys are populated, and you definitely do need to know where this information is located within the file system. We don't just want to do push-button forensics. You know, it's not enough to say Axiom showed me that this was here. Well, where did it come from?
You need to know where it came from and you need to know how it got there. So this is what I'm trying to show you by going through all these artifacts in the NTUSER.DAT: I've been explaining what they are, how they get populated and where they are in the file system. WordWheelQuery. Windows search has changed a little bit, so we're going to have to go through a little bit of history. In Windows 7 we had WordWheelQuery, and these were searches, keyword searches, conducted by the user from the Start menu. You type a search term into the Start box if you're looking for a specific file or a specific program; again, that's something that would show knowledge that the user knew it was there, which is important. This key did contain an MRU list order, it had a key last access date, and it showed us the search terms that the user typed in there. Well, that could be very important to your case if you're doing a certain type of case where the search terms may be specific: if you're doing a drug case and you're looking for certain search terms, a gang-related case, a child exploitation case. These all have certain keywords that are used, and it would be very important for you to be able to see those keywords. Now, Windows changed things up a little bit in Windows 8, where WordWheelQuery went away and they had something called the Windows File Search App, and this was the path to it: Software\Microsoft\Windows\CurrentVersion\Explorer, which was the same beginning as WordWheelQuery, but instead it went to SearchHistory\Microsoft.Windows.FileSearchApp. This key had the same information. It had an MRU order, the order that the search terms were typed in, it had a key last access date, and we could see the search terms that were typed by the user. It stored the files differently: it stored them as link files, so we had some file access dates and times, and we had the search terms. Now, Windows 8.1.
These searches were conducted from what they call the charms bar instead of the Start menu, and they were stored as individual link files. They had file times and dates, and they were search terms typed by the user, but they were not located within the registry. They were located out on the file system, and that is the file path: Users\<username>\AppData\Local\Microsoft\Windows\ConnectedSearch\History. So in Windows 8.1 they moved outside the registry. In 7 they were in the registry under WordWheelQuery, in 8 they were still in the registry, and in 8.1 they left the registry. Windows 10: we go back to WordWheelQuery, and these again are searches conducted by the user. But it's not tracking the searches typed into the search box at the bottom by the Start menu; it is tracking the searches that you conduct from within Windows Explorer, and we'll take a look at that in a second. It does contain an MRU order, it does contain a key last access date, and it will show you the search term that was typed in by the user, and the path is the same as it was in Windows 7: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. You're going to see a lot of stuff out there online that says that in Windows 10 it will track from the search box. I did a lot of testing; I tested on three different Windows 10 computers, three different versions of Windows 10, and I did not get those results. In Windows 10 the search terms are tracked by Cortana outside of the registry, in a database. The items we're going to be using in this section: we're going to use Registry Explorer, we're going to use Ivan's NTUSER.DAT file, and we're going to use RegRipper and Registry Browser. Before we get started, I just want to show you really quickly what I'm talking about: searches conducted from this search box right here within Windows Explorer.
You can see it has tracked some of my searches that I've already done, but if you type a search term in here, say we typed in dog, that would show up in my WordWheelQuery. Let's go ahead and bring up Registry Explorer, and, like we've done several times, we're going to load Ivan's NTUSER.DAT hive. Navigate out to wherever on your computer you have it, go ahead and load that hive in, click Open, and the hive will load. Once the hive is loaded, we're going to go ahead and expand ROOT, Software, Microsoft, Windows, CurrentVersion, Explorer, scroll all the way down until you get to WordWheelQuery and go ahead and click on it. Now, we can see that Registry Explorer goes ahead and displays the search terms for us. It doesn't give them to us in Unicode, which is how they are stored; we'll take a look at that in another tool. And it's showing us right at the top the first one, the last search that was done. And again, I did this search myself, and I did it this way so we could say this is the most recent search done. This key right now has 20 entries in it, and you can see as we go down all the search terms that were used. We can also see down here in the hex that there is what looks to us like an MRU list; it ends with the four Fs (FF FF FF FF), and it is indeed an MRU list, and it's stored as DWORD values. It's binary data, displayed to us as hexadecimal double-word (DWORD) values. We see 00, 01, 02, 03, 04, all the way up to hexadecimal 14, which translates to decimal 20. We do have a key last write date and time, so you can tell when the last search was conducted by the key last write date and time; we're pretty close to when it was conducted, depending on how it writes, but we cannot tell when the other searches were done. But this can be very valuable data.
And in fact, I did use this in a case where somebody had child exploitation material on their computer and I found child exploitation terms in their WordWheelQuery, so they couldn't say they didn't know the material was there and they weren't looking for it. Now let's go ahead and take a look at Registry Browser. It displays it a little differently. If you haven't done so, what you would do is File, Open Registry; again, in this tool we need to select the Windows folder. You'd select it, hit OK, and it'll load. It will give you that error message, but just hit OK. Now we navigate down to WordWheelQuery, which again is the path we would open up: Users, expand the user (the one ending in 1001), Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. We can see our MRU list here just like we saw it in Registry Explorer, but this is showing us the hexadecimal, or actually the Unicode, values for the search terms. If you click on them you can see the ASCII or Unicode displayed down here in the bottom pane. But what I want you to notice is the first search: you get zero. Registry Explorer just showed it to us in a nice, neat descending order, but this is actually the way it is stored, in this particular order, so 20 would be the most recent. So we also need to be aware of our tools and what they're telling us, how they display the data and how they interpret the data, so we don't get it wrong, because if you said that zero was the last search done in this case, it would not be correct. And we still have a key last write time, as we can see at the top; it's giving it to us in local time and in GMT time. Let's take a look at our RegRipper report. We've done Ivan's NTUSER hive; let's see what it says for WordWheelQuery. It's a big report, so just use Ctrl+F and type in "wordwheel" and it will take you here, and you can see it's giving us the file path where it got the information from.
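The ordering point made above (the most recent search is whichever entry MRUListEx lists first, not value "0", and the list is DWORDs terminated by FF FF FF FF with each numbered value holding a UTF-16LE term) can be checked by hand rather than trusting a tool's display. The following is an added example, not code from this course or from Registry Explorer, Registry Browser or RegRipper; the value bytes are constructed to mimic the key's layout, and the function names are mine.

```python
import struct

# Constructed sample, not taken from a real hive: the raw values an examiner would
# read from ...\Explorer\WordWheelQuery. Numbered values hold the search terms as
# null-terminated UTF-16LE strings; MRUListEx is an array of little-endian DWORDs,
# most recent first, terminated by 0xFFFFFFFF (the "four Fs" at the end of the hex).
SAMPLE_VALUES = {
    "0": "nt".encode("utf-16-le") + b"\x00\x00",
    "1": "report.docx".encode("utf-16-le") + b"\x00\x00",
    "2": "dog".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data):
    """Return the entry numbers in MRU order (most recent first).

    Stops at the 0xFFFFFFFF terminator. A value whose length is not a multiple
    of 4 is malformed and is rejected rather than silently truncated.
    """
    if len(data) % 4 != 0:
        raise ValueError("MRUListEx length %d is not a multiple of 4" % len(data))
    order = []
    for (entry,) in struct.iter_unpack("<I", data):
        if entry == MRU_TERMINATOR:
            break
        order.append(entry)
    return order


def decode_term(data):
    """Decode a numbered value's bytes as a null-terminated UTF-16LE string."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def wordwheel_search_terms(values):
    """Map a WordWheelQuery key's raw values to (entry number, term) in MRU order.

    The order comes from MRUListEx, not from the value names: value "0" is just
    the first term ever stored, and the most recent search is whichever entry
    number MRUListEx lists first. An entry referenced by MRUListEx but missing
    from the key is reported with a None term instead of being dropped.
    """
    order = parse_mrulistex(values["MRUListEx"])
    return [(n, decode_term(values[str(n)]) if str(n) in values else None) for n in order]


if __name__ == "__main__":
    # Position 1 is the most recent search; only the key's last write time is known.
    for position, (n, term) in enumerate(wordwheel_search_terms(SAMPLE_VALUES), start=1):
        print("%2d  entry %-3d %s" % (position, n, term if term is not None else "<missing value>"))
```

Running it prints "dog" first, even though it sits in value "2", which is the same reordering Registry Explorer performs for you and Registry Browser does not. Note that the parser gives you order only; as the lecture says, the key's last write time dates the most recent search and nothing dates the older ones.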
It's giving us our last write time in UTC. But what's weird here, and we noticed this before in RegRipper, is that it was giving us this January 1 time, which we know is not the case. So you'd want to use other tools to get the correct time. And again we see the most recent is number 20. So you want to be careful with Registry Explorer and make sure we know what we're talking about if we need to testify in court. You can see the same search terms all the way down to that "nt" at the very first one. And we can see the last write time in Registry Browser, and if we were to bring up Registry Explorer, we can see the same last write time, January 16, 2020, and it's giving us the time here in UTC. We need to remember that too: we're getting our time in UTC, and when you look at the GMT time, which would be the same as the UTC time, we can see that they match, 22:01:29 and 22:01:29, and our dates are the same. This is local time, so it would be my local time on my computer or the local time on your computer.