Electronic Evidence where to find in files
Windows Searches — For years, one challenge in digital investigative analysis has been proving a
user not only had something significant to an investigation on their computer, but that he knew it was on
there. Two of the easiest ways help prove knowledge of a file is to prove the user was searching for it or
accessed it. In order for Microsoft to enhance the user experience, Windows tracks the names of files you
access and search for in multiple locations. As previously discussed, the Windows registry is essentially
several databases called registry hives. Each user has his own primary registry hive called the
NTUSER.DAT. This registry hive tracks information specific to each user’s activity and preferences.
Starting in Windows 7, when a user conducts a search on his computer using the Windows search
function or the “Charm Bar” in Windows 8-10 (the magnifying glass that appears when you move your
mouse to the right edge of the screen), Windows records each search in temporal order in the “NTUSER.DAT\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\WordWheelQuery” registry
key. Because the searches are recorded in temporal order, an analyst can frequently see indications of the
user’s thought process as he searched for particular files.
File Access —– Windows also records in numerous artifacts when a user opens or attempts to
open non-executable files. Four of the most useful digital artifacts to identify files opened or attempted to
be opened are “LNK” files (pronounced as “link” files), Jump Lists, and several “most recently used”
registry keys.
LNK files — A LNK File is an artifact that has existed since Windows XP. LNK files are also
known as a “Windows Shortcut” files and are created anytime a user opens or attempts to open a nonexecutable
file. A LNK file is created even if the file opened is on a network or external drive. When an
opened file is later deleted, its LNK file does not get deleted with it. Windows creates and stores
approximately 149 LNK files in the user’s home directory under the “AppData\Roaming\Microsoft\
Windows\Recent” directory. LNK files contain a wealth of information including the modified, accessed,
and created dates and times of the file opened; the full directory path, volume name, and volume serial
number from which the file was last opened; and the file size.
Starting in Windows 10, Microsoft added rules to when LNK files would be created in addition to
when files are opened. On earlier versions of Windows 10, a LNK file was created for the directory to
which any file was copied. The creation of a LNK file for the directory a file was copied to was stopped
on later versions of Windows 10. However, on versions as early as version 1607, Microsoft created a
LNK file for the directory a file is opened from. Additionally, when a directory is created, Windows
creates a LNK file for the directory created and for the created directories “parent” and “grandparent”
directory. In addition to all the information LNK files record, LNK files also record the last time a file
was opened.
Jump Lists — One of the newest artifacts to identify files opened by a user are “Jump Lists.”
Starting in Windows 7, Microsoft introduced two types of jump lists: “AutomaticDestinations” and
“CustomDestinations.” Automatic and Custom jump lists are created and stored in their respective
directory in each user’s home directory under the “AppData\ Roaming\ Microsoft\ Windows\Recent”
directory. Each application can incorporate its own jump lists as a “mini-start” menu.
Automatic Destinations allow a user to quickly “jump” to or access files they recently or frequently used,
usually by right-clicking the application in the Windows taskbar. CustomDestinations allow a user to pin
recent tasks, such as opening a new browser window or create a new spreadsheet to the jump list.
Jump lists are essentially mega LNK files. Each jump list can record upwards of the last 1,000
files opened by each application. As jump lists are essentially compound LNK files, they contain all the
same information as LNK files, such as when each file was opened, modified, accessed, and created;
dates and times that the file was opened; the full directory path, volume name, and volume serial number
from where the file was last opened; and the file size.
Most Recently Used (MRU) Registry Keys – As previously mentioned, the Windows Registry is a
series of massive databases that track system configuration and user activity. There are several registry
keys that track most recently used items. An analysis of these registry keys can help an analyst quickly
identify files accessed. Every application developer has the option of creating registry keys specific to his application configuration and user activity. Three of the most useful registry keys that track files accessed
are “RecentDocs,” “Microsoft Office FileMRU,” and “OpenSavePIDMRU.”
RecentDocs — The “RecentDocs” registry key tracks the name and order of the last 10 files
opened for every file extension (e.g. .doc, .docx, .jpg, etc.). The registry organizes each of the last 10 files
opened in sub keys named by the file extension. A sub key named “folder” is also created when the first
folder is opened using the Windows Explorer. This sub key tracks the name of the last 30 folders opened.
Each user has his own RecentDocs registry key located in his NTUSER.DAT registry hive under the
“\Software\ Microsoft\ Windows\ Currentversion\ Explorer” registry key. The master RecentDocs key
maintains a master list, organized in temporal order of the last 150 files or folders opened. By analyzing
the order that particular files were opened, analysts have often been able to refute claims that a single type
of file was opened by mistake. In one trade secret case, it was helpful for the analyst to show the pattern
of files opened that all related to the same subject matter.
Applications Specific Most Recently Used (MRU) — With every Windows application,
developers have the ability to create their own set of registry keys to track specific configuration and user
activity for their application. If a specific application is used to commit or facilitate a crime or is
otherwise significant to an investigation, it is often advantageous for the analyst to determine both if the
application has its own set of registry keys and what actions those keys record. Two excellent examples
are “Winzip,” which records the name of the last several zip files created using the Microsoft Office suite
of applications. Each application in the Office suite has its own set of “FileMRU” (most recently used
files) that tracks most recent files used and when they were opened. Additionally, starting with Office
version 365 and 2016, Microsoft Office tracks the “reading location” for each Word, PowerPoint, and
Excel document opened and when each file was closed. Using this information, an analyst can determine
not only what document was last opened and when it was closed, but also that the user had scrolled to and
was on page 32 of the document when it was closed.
OpenSavePIDMRU — Windows has some basic dialog boxes that all programs can use when a
user opens or saves a file. Some may have noticed that when saving files, a dropdown arrow in the file
name dialog entry location appears. By clicking on the arrow, you will see several of the most recent file
names you have saved for that application. These file names are saved as a part of the
“OpenSavePIDMRU” registry key which is located under the “NTUSER.DAT \ Software\ Microsoft\
Windows\ CurrentVersion\ Explorer\ ComDlg32\ OpenSaveMRU” registry key. A record of the last 10 to
25 names of the last files opened or saved using the Windows Common Dialog Box are stored under sub
keys based on file extension.
