Artifacts for Deleted File or File Knowledge Part 2: Search -WordWheelQuery || Index.dat file://

1. Search - WordWheelQuery

The "WordWheelQuery" registry key is a valuable artifact found in the Windows registry of Windows 7 to Windows 10 systems. It stores information about keywords searched for from the START menu bar, providing insights into user search behavior and interests.


Location:

  • Registry Hive: NTUSER.DAT

  • Key Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery


You can capture the entire NTUSER.DAT hive, or you can extract just this key from a live endpoint using the command line:


Command: reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery C:\Users\User\Downloads\Shell\output.hiv


After capturing this artifact, you can load it in Registry Explorer for further investigation.


Example of Registry Explorer:

Interpretation:

  • Keywords: The registry key stores keywords searched from the START menu bar. These keywords are added in Unicode format, allowing for the representation of a wide range of characters and languages.

  • Temporal Order: The keywords are listed in temporal order, indicating the sequence in which they were searched. This temporal order can provide valuable insights into the frequency and recency of user searches.

Analysis:

  • MRUlist: The keywords are typically stored in an MRUlist, which stands for Most Recently Used list. This list organizes the keywords based on their usage, with the most recently searched keywords appearing at the top.

  • Unicode Encoding: Since the keywords are stored in Unicode format, special attention should be paid to decoding and interpreting them correctly during analysis.
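As an added example (not code from the original post), the following Python snippet decodes the numbered Unicode values of a WordWheelQuery key and orders them using the key's MRU order value, which on real systems is a binary value named MRUListEx (a list of little-endian DWORD indexes, most recent first, ending in 0xFFFFFFFF). The sample values are constructed for illustration, not captured from a real system.

```python
import struct
from typing import Dict, List

MRU_TERMINATOR = 0xFFFFFFFF


def decode_keyword(raw: bytes) -> str:
    """Each numbered value holds one search term as NUL-terminated UTF-16LE."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def parse_mrulistex(raw: bytes) -> List[int]:
    """MRUListEx is a run of little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF. Trailing bytes that do not form a DWORD are ignored."""
    order = []
    for off in range(0, len(raw) - 3, 4):
        idx = struct.unpack_from("<I", raw, off)[0]
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def wordwheel_history(values: Dict[str, bytes]) -> List[str]:
    """Return the search terms most recent first. An index that points at a
    missing numbered value is skipped instead of aborting the analysis."""
    history = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is not None:
            history.append(decode_keyword(raw))
    return history


# Constructed sample (not from a real hive): three searches, where value "2"
# ("invoice") is the most recent and value "0" ("cmd") the oldest.
SAMPLE_VALUES = {
    "0": "cmd\x00".encode("utf-16-le"),
    "1": "résumé.docx\x00".encode("utf-16-le"),
    "2": "invoice\x00".encode("utf-16-le"),
    "MRUListEx": struct.pack("<4I", 2, 1, 0, MRU_TERMINATOR),
}

if __name__ == "__main__":
    for n, term in enumerate(wordwheel_history(SAMPLE_VALUES), 1):
        print(f"{n}. {term}")
```

The same value names and bytes are what Registry Explorer shows when you open the key, so the output here should line up with its MRU ordering.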

Forensic Significance:

  • User Behavior: Analysis of the WordWheelQuery registry key can reveal valuable information about user behavior, interests, and activities on the system.

  • Search History: Investigators can reconstruct the search history of users, uncovering patterns, trends, and areas of interest.

  • Evidence Correlation: Correlating keyword searches with other artifacts and evidence on the system can provide a comprehensive understanding of user activities and intentions.

-------------------------------------------------------------------------------------------------------------


2. Index.dat file://

Index.dat files are a lesser-known but crucial component of Internet Explorer history. While many users associate IE history solely with web browsing, index.dat files also record local and remote file access, providing valuable insights into the files and applications accessed on a system over time.


Description:

  • File Format: Stored in index.dat files as file:///C:/directory/filename.ext.

  • Local and Remote Access: Tracks both local file access (from the system's local drives) and remote access (via network shares).

  • Not Browser Activity: It's essential to note that entries in index.dat files do not necessarily indicate that a file was opened in a browser. Instead, they capture instances where files were accessed or interacted with, regardless of the application used.


Windows Vista and Later:

In newer versions of Windows, like Windows Vista, 7, 8, and 10, index.dat files are located in the following directory:


C:\Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5


These files are hidden system files, so you may need to configure your system to show hidden files and folders to access them. Additionally, index.dat files may be present in other locations on the system, depending on the usage and configuration of Internet Explorer.


----------------------------------------------------------------------------------------------------------

