Evidence of Execution
I have covered this topic in my previous articles, but I would like to show you some more advanced techniques.
Windows Prefetch Files
When a program is run in Windows, the operating system stores information about it for future use. This stored information is used to load the program more quickly if it is run frequently. It is kept in prefetch files located in the C:\Windows\Prefetch directory.
Prefetch files have a .pf extension. A prefetch file records the last time(s) the application was run, the number of times it was run, and all files and device handles the program used. This makes prefetch an excellent source of information about recently executed programs and the files they touched.
To parse prefetch files and extract data, we can use Prefetch Parser (PECmd.exe), a tool by Eric Zimmerman.
You can then use the EZViewer tool to view this output.
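The following is an added example, not part of the original article and not code from PECmd or any other Eric Zimmerman tool. It parses the fixed header of an uncompressed prefetch file to recover the executable name, the prefetch hash, the run count and the last-run timestamps, and shows how those fields are laid out for the Windows 7 (version 23) and Windows 8/10 (versions 26/30) formats. Two points a practitioner should know: Windows 10 compresses .pf files (they start with "MAM\x04" and must be LZXPRESS-Huffman decompressed before the SCCA header is visible), and the run-count offset for the 216-byte Windows 10 variant is an assumption taken from the libscca format notes. The sample image is constructed in the script itself; the hash in it is a made-up value, not one computed from a path.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601          # integer arithmetic: floats lose precision at this magnitude
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def is_compressed(data):
    """Windows 10+ writes .pf files with an LZXPRESS Huffman 'MAM' wrapper."""
    return data[:3] == b"MAM"


def parse_prefetch(data):
    """Return name, hash, run count and last-run times from an uncompressed .pf image."""
    if is_compressed(data):
        raise ValueError("compressed prefetch file: decompress (LZXPRESS Huffman) before parsing")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    # Executable name: 60 bytes of NUL-padded UTF-16LE at offset 16.
    name = data[16:76].decode("utf-16le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    metrics_offset = struct.unpack_from("<I", data, 84)[0]   # first field of the file-information block

    if version == 23:                      # Windows 7: one last-run time at 0x80, count at 0x98
        raw_runs = [struct.unpack_from("<Q", data, 0x80)[0]]
        run_count = struct.unpack_from("<I", data, 0x98)[0]
    elif version in (26, 30):              # Windows 8.x / 10: up to eight last-run times at 0x80
        raw_runs = list(struct.unpack_from("<8Q", data, 0x80))
        # Run count is at 0xD0 when the file-information block is 224 bytes (metrics
        # array then starts at 84 + 224 = 308). Assumption from the libscca format notes:
        # the 216-byte Windows 10 variant moves it to 0xC8.
        run_count_offset = 0xC8 if metrics_offset == 84 + 216 else 0xD0
        run_count = struct.unpack_from("<I", data, run_count_offset)[0]
    else:
        raise ValueError(f"unsupported prefetch version {version}")

    # Unused slots in the last-run array are zero; keep only populated ones (newest first).
    last_runs = [filetime_to_datetime(ft) for ft in raw_runs if ft]
    return {"version": version, "name": name, "hash": f"{prefetch_hash:08X}",
            "run_count": run_count, "last_runs": last_runs, "file_size": file_size}


def build_sample_prefetch(name, run_times, run_count, version=30):
    """Construct a minimal uncompressed .pf image (test data, not a real prefetch file)."""
    if version == 23:
        info_size, count_off, max_runs = 156, 68, 1
    else:
        info_size, count_off, max_runs = 224, 124, 8
    header = struct.pack("<I4sII", version, b"SCCA", 0x11, 84 + info_size)
    header += name.encode("utf-16le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x1234ABCD, 0)   # constructed hash value, not derived from a path
    info = bytearray(info_size)
    struct.pack_into("<I", info, 0, 84 + info_size)   # metrics array would follow the block
    for i, dt in enumerate(run_times[:max_runs]):
        struct.pack_into("<Q", info, 44 + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", info, count_off, run_count)
    return header + bytes(info)


# Constructed sample: CMD.EXE run 7 times, two populated last-run slots.
SAMPLE_RUNS = [datetime(2023, 5, 1, 10, 0, tzinfo=timezone.utc),
               datetime(2023, 4, 30, 9, 30, tzinfo=timezone.utc)]


def demo_parse(version=30):
    return parse_prefetch(build_sample_prefetch("CMD.EXE", SAMPLE_RUNS, 7, version))


if __name__ == "__main__":
    for key, value in demo_parse().items():
        print(f"{key}: {value}")
```

To run this on real evidence, work from a copy of the C:\Windows\Prefetch directory and feed each decompressed file's bytes to parse_prefetch; the eight last-run slots on Windows 8/10 are what let you reconstruct a short execution history per binary rather than only the most recent run.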
Windows 10 Timeline
Windows 10 stores recently used applications and files in a SQLite database called the Windows 10 Timeline. This data can be a source of information about recently run programs. It includes the application that was executed and the focus time of the application. The Windows 10 timeline can be found in the following location: C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
We can use Eric Zimmerman’s WxTCmd.exe to parse the Windows 10 Timeline.
You can then use the EZViewer tool to view this output.
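As an added example (not from the original article and not WxTCmd's code), the script below builds an in-memory SQLite table with a subset of the real Activity table's columns, fills it with constructed rows, and summarises per application how many launches and how many seconds of focus the Timeline records. The ActivityType meanings (5 = application opened, 6 = application in focus, with EndTime minus StartTime as the focus duration) are taken from public write-ups of WxTCmd output and should be treated as an assumption to verify against your own tooling; the AppId values and timestamps are constructed.

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values as reported in public WxTCmd write-ups (assumption: verify
# against your tooling). Times in ActivitiesCache.db are Unix epoch seconds.
ACTIVITY_OPEN = 5
ACTIVITY_FOCUS = 6

# Subset of the real Activity table columns, enough to build an execution timeline.
SCHEMA = """
CREATE TABLE Activity (
    Id BLOB, AppId TEXT, ActivityType INTEGER, LastModifiedTime INTEGER,
    ExpirationTime INTEGER, StartTime INTEGER, EndTime INTEGER, Payload BLOB
)
"""

NOTEPAD = r"C:\Windows\System32\notepad.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _appid(*entries):
    """Real AppId values are JSON arrays of {"application", "platform"} objects."""
    return json.dumps([{"application": app, "platform": plat} for app, plat in entries])


# Constructed rows (Id, AppId, ActivityType, LastModifiedTime, ExpirationTime, StartTime, EndTime, Payload).
SAMPLE_ROWS = [
    (b"\x01", _appid((NOTEPAD, "x_exe_path")), ACTIVITY_OPEN, 1700000000, 1702592000, 1700000000, 0, None),
    (b"\x02", _appid((NOTEPAD, "x_exe_path")), ACTIVITY_FOCUS, 1700000120, 1702592120, 1700000000, 1700000120, None),
    (b"\x03", _appid(("PowerShell_constructed_package", "packageId"), (POWERSHELL, "x_exe_path")),
     ACTIVITY_OPEN, 1700001000, 1702593000, 1700001000, 0, None),
    (b"\x04", _appid(("PowerShell_constructed_package", "packageId"), (POWERSHELL, "x_exe_path")),
     ACTIVITY_FOCUS, 1700001300, 1702593300, 1700001000, 1700001300, None),
    (b"\x05", _appid((NOTEPAD, "x_exe_path")), ACTIVITY_FOCUS, 1700003660, 1702595660, 1700003600, 1700003660, None),
]


def open_timeline(path):
    """Open a copied ActivitiesCache.db read-only so the evidence file is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def load_constructed_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def app_from_appid(appid_json):
    """Prefer the on-disk executable path over package identifiers when both are present."""
    entries = json.loads(appid_json)
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry["application"]
    return entries[0]["application"] if entries else "<unknown>"


def _iso(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def summarize_timeline(conn):
    """Per application: launch count, total focus seconds, first and last StartTime seen."""
    summary = {}
    rows = conn.execute("SELECT AppId, ActivityType, StartTime, EndTime FROM Activity ORDER BY StartTime")
    for appid, atype, start, end in rows:
        app = app_from_appid(appid)
        entry = summary.setdefault(app, {"launches": 0, "focus_seconds": 0, "first_seen": None, "last_seen": None})
        if atype == ACTIVITY_OPEN:
            entry["launches"] += 1
        elif atype == ACTIVITY_FOCUS and end and end >= start:
            entry["focus_seconds"] += end - start
        entry["first_seen"] = min(entry["first_seen"] or _iso(start), _iso(start))
        entry["last_seen"] = max(entry["last_seen"] or _iso(start), _iso(start))
    return summary


if __name__ == "__main__":
    for app, stats in summarize_timeline(load_constructed_db()).items():
        print(app, stats)
```

The min/max on ISO-8601 strings works because every value is rendered in UTC with the same format; if you add local-time conversion for reporting, do it after the comparison.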
Windows Jump Lists
Windows introduced Jump Lists to help users navigate directly from the taskbar to their recently used files. We can display Jump Lists by right-clicking on an application’s icon in the taskbar and it will show us the most recently opened files in that application. This data is stored in the following directory: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
For each application, identified by an AppID, Jump Lists record the files opened with it along with the application's first run time and last run time.
You can explore them using the JumpList Explorer tool.
File/Folder Information
Shortcut Files
Windows creates a shortcut (.lnk) file for each file opened locally or remotely. Shortcut files contain, among other data, the first and last times the file was opened and the path to the opened file. Shortcut files can be found in the following locations:
- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
- C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
To parse shortcut files we can use Eric Zimmerman’s LECmd.exe (Lnk Explorer) program.
The creation date of the shortcut file indicates the date/time when the file was first opened. The modification date/time of the shortcut file indicates the date/time when the file was last accessed.
You can then use the EZViewer tool to view this output.
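The following added example is not from the original article or from LECmd. It parses the 76-byte ShellLinkHeader of a shortcut file as laid out in the public MS-SHLLINK specification, skips the optional LinkTargetIDList and LinkInfo structures, and reads the Unicode string data (relative path, working directory) that points at the opened file. The caveat worth keeping in mind: the three FILETIME values inside the header are the target file's creation/access/write times as they were when the shortcut was last written, which is different from the shortcut file's own filesystem timestamps that the article uses for first and last opened. The sample .lnk bytes are constructed in the script; the paths and times in it are made up.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # {00021401-...-46}
HEADER_FMT = "<I16sIIQQQIIIHHII"   # MS-SHLLINK ShellLinkHeader, 76 (0x4C) bytes

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData structures appear in this fixed order when their flag is set.
STRING_DATA_ORDER = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")]


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_lnk(data):
    """Header timestamps/size of the target plus the string data naming it."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, attrs, ctime, atime, wtime, size = fields[:8]
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (uint16) + items, skipped here
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (uint32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    result = {"target_created": filetime_to_datetime(ctime),
              "target_accessed": filetime_to_datetime(atime),
              "target_written": filetime_to_datetime(wtime),
              "target_size": size, "attributes": attrs}
    for bit, key in STRING_DATA_ORDER:            # each: CountCharacters (uint16) + chars, no NUL
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        result[key] = raw.decode("utf-16le" if width == 2 else "cp1252")
        off += count * width
    return result


def lnk_own_times(path):
    """Filesystem timestamps of the .lnk itself: on Windows st_ctime is creation
    (first opened) and st_mtime is last modification (last opened)."""
    st = os.stat(path)
    return (datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
            datetime.fromtimestamp(st.st_mtime, tz=timezone.utc))


def build_sample_lnk(created, accessed, written, size, relative_path, working_dir):
    """Construct a minimal Unicode .lnk image (test data, not a real shortcut)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,   # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"                        # IDList holding only the TerminalID

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16le")

    return header + id_list + string_data(relative_path) + string_data(working_dir) + struct.pack("<I", 0)


# Constructed sample shortcut for a document opened from the user's Documents folder.
SAMPLE_LNK = build_sample_lnk(datetime(2023, 3, 2, 8, 15, tzinfo=timezone.utc),
                              datetime(2023, 3, 9, 17, 45, 30, tzinfo=timezone.utc),
                              datetime(2023, 3, 9, 17, 45, 30, tzinfo=timezone.utc),
                              48213, r".\report.docx", r"C:\Users\alice\Documents")


def demo_parse():
    return parse_lnk(SAMPLE_LNK)


if __name__ == "__main__":
    for key, value in demo_parse().items():
        print(f"{key}: {value}")
```

When you run this over a copied Recent folder, pair parse_lnk (what the target looked like) with lnk_own_times (when the user first and last opened it) to get both halves of the story the article describes.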
IE/Edge History
An interesting thing about the IE/Edge browsing history is that it also contains files opened on the system, whether or not these files were opened using the browser. Therefore, a valuable source of information about files opened on a system is the IE/Edge history. We can access the history from the following location: C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Accessed files/folders appear in the IE/Edge history with the file:/// prefix. Although various tools can be used to analyze web cache data, you can use Autopsy to do this in the attached VM. To do this, select Logical Files as the data source.
When we select the Recent Activity module and the relevant analysis is completed, we get an output as in the screenshot.
Jump Lists
As we learned in the previous section, Jump Lists maintain a list of recently opened files per application. This information can be used to identify both recently run programs and recently opened files on a system.
Stay safe…