Search Results
- Investigating Google Drive for Desktop: A Forensic Guide
Google Drive is one of the most widely used cloud storage services, integrated seamlessly with Gmail, Google Workspace (G Suite), and Android devices. With over one billion users, it presents unique forensic challenges due to its virtual filesystem, cloud-only storage model, and metadata structures.

-------------------------------------------------------------------------------------------------------------

1️⃣ Understanding Google Drive for Desktop

The Google Drive for Desktop application (previously called Google File Stream) operates as a virtual FAT32 filesystem, appearing as a separate drive letter (e.g., G:\ or H:\).

🔹 Key Forensic Challenges
✅ Cloud-Only Files: Many files exist only in the cloud and never touch local storage.
✅ Virtual Drive: The mounted Google Drive folder disappears after logout, making live acquisition critical.
✅ Unique Metadata: File information is stored in SQLite databases and protocol buffer (protobuf) formats.

-------------------------------------------------------------------------------------------------------------

2️⃣ Identifying Google Drive Activity on a System

📌 Key File Locations for Google Drive Artifacts
Google Drive Local Storage: %UserProfile%\Google Drive\ (if offline sync is enabled)
Metadata Database: %UserProfile%\AppData\Local\Google\DriveFS\\metadata_sqlite_db
File Cache (Locally Stored Files): %UserProfile%\AppData\Local\Google\DriveFS\\content_cache\ (this folder can be used to recover original files stored in the cloud)
Registry Keys (tracking the mounted drive letter): NTUSER\Software\Google\DriveFS\Share
Google Workspace Cloud Logs: Google Workspace Admin Reports (for business users)

📌 Note: The folder is unique for each Google Drive account and corresponds to Google Chrome profile IDs.

-------------------------------------------------------------------------------------------------------------

3️⃣ Investigating Google Drive Registry Keys

Registry keys help confirm if Google Drive was installed, used, and what drive letter was assigned.

📍 Registry Key for Google Drive for Desktop: NTUSER\Software\Google\DriveFS\Share
SyncTargets: Tracks the assigned drive letter and Google account ID (hex format)
MountPoint (older versions): Path where Google Drive was mounted on older File Stream versions

💡 Forensic Use:
Identify if Google Drive was installed and used.
Determine the drive letter Google Drive was mapped to.
Cross-reference with Windows shell items, RecentDocs, and prefetch files to track activity.

-------------------------------------------------------------------------------------------------------------

4️⃣ Metadata & File Forensics in Google Drive for Desktop

The primary forensic database for Google Drive is stored in SQLite format and contains file details, ownership metadata, timestamps, and deletion status.

📍 Metadata Database Location: %UserProfile%\AppData\Local\Google\DriveFS\\metadata_sqlite_db

📌 Database Tables of Interest

🔹 Table: items (Tracks Google Drive Files & Folders)
stable_id: Unique file identifier
id: Cloud file identifier (can be cross-referenced with Google Drive URLs & audit logs)
trashed: Indicates if the file is in Google Drive Trash (1 = Yes)
is_owner: Shows if the user owns the file (1 = Yes)
is_folder: Differentiates between files (0) and folders (1)
local_title: Actual file name
file_size: Size of the file in bytes
modified_date: Last modified time (Unix Epoch format)
viewed_by_me_date: Last time the user interacted with the file
shared_with_me_date: Indicates if the file was shared (1 = Yes)
proto: Binary data containing the MD5 file hash (stored in protocol buffer format)

📌 Forensic Use:
✅ Identify files that were deleted (trashed = 1).
✅ Correlate viewed_by_me_date with user activity to determine last access.
✅ Recover shared files & owners from shared_with_me_date.
✅ Extract MD5 hashes from the proto column to match files with known malware databases.

-------------------------------------------------------------------------------------------------------------

5️⃣ Investigating Cached Files & Deleted Data

Google Drive maintains locally cached files in the following location:
📍 Cache Folder: %UserProfile%\AppData\Local\Google\DriveFS\\content_cache\

These temporary files may persist even after deletion from the cloud. If a file was opened but not saved, it might still exist in the cache. Cached files lack original filenames but can be matched via metadata.

🔹 Table: item_properties (Tracks Cached & Deleted Files)
The entries below are the property keys you can search for in this table's key field.
pinned: Indicates if the file was stored offline (1 = Yes)
trashed_locally
trashed_locally_name: Original name of a locally deleted file (found in $Recycle.Bin)
content-entry: Confirms if the file is locally cached
drivefs.Zone.Identifier: Provides file origin details (useful for identifying downloads)
version-counter: Tracks file modifications & revisions
Modified-date: Modification time of the file reported from the local filesystem
Local-title: Name of the file or folder

📌 Forensic Use:
✅ Recover files that were deleted but are still present in the cache.
✅ Identify files that were deleted locally but still exist in Google Drive Trash.
✅ Determine if files were downloaded from external sources (drivefs.Zone.Identifier).
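The triage queries that sections 4 and 5 describe, as an added example that is not part of the original article: it builds an in-memory SQLite database whose items and item_properties tables carry only the columns listed above, fills them with constructed rows, and runs the trashed / shared / cached / Zone.Identifier checks an examiner would run against a real metadata_sqlite_db. Two assumptions are made and marked in the code: epoch values are seconds (the article says "Unix Epoch format" without a unit), and item_properties references its item through a column named item_stable_id. Verify both against the schema of the database you actually have before reusing the queries.

```python
"""Triage queries against a Google Drive for Desktop metadata database (added example)."""
import sqlite3
from datetime import datetime, timezone

# Schema limited to the columns the article lists. ASSUMPTION: item_properties
# links to items through item_stable_id; check this against a real database.
SCHEMA = """
CREATE TABLE items (
    stable_id INTEGER PRIMARY KEY, id TEXT, trashed INTEGER, is_owner INTEGER,
    is_folder INTEGER, local_title TEXT, file_size INTEGER, modified_date INTEGER,
    viewed_by_me_date INTEGER, shared_with_me_date INTEGER, proto BLOB);
CREATE TABLE item_properties (item_stable_id INTEGER, key TEXT, value TEXT);
"""

# CONSTRUCTED sample rows: a trashed spreadsheet owned by the user, a file shared
# with the user that is pinned and cached locally, and a cloud-only folder.
ITEMS = [
    (101, "1AbC-doc", 1, 1, 0, "payroll_q3.xlsx", 48213, 1700000000, 1700003600, 0, b""),
    (102, "2DeF-sheet", 0, 0, 0, "vendor_list.csv", 9120, 1699990000, 1700001000, 1699950000, b""),
    (103, "3GhI-folder", 0, 1, 1, "Projects", 0, 1699900000, 0, 0, b""),
]
PROPERTIES = [
    (101, "trashed_locally", "1"),
    (101, "trashed_locally_name", "payroll_q3.xlsx"),
    (102, "pinned", "1"),
    (102, "content-entry", "1"),
    (102, "drivefs.Zone.Identifier", "[ZoneTransfer]\nZoneId=3"),
]


def load_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO items VALUES (?,?,?,?,?,?,?,?,?,?,?)", ITEMS)
    con.executemany("INSERT INTO item_properties VALUES (?,?,?)", PROPERTIES)
    return con


def epoch_to_iso(value):
    """Render an epoch value as UTC ISO-8601. ASSUMPTION: the unit is seconds."""
    if not value:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def trashed_files(con):
    """Files in Google Drive Trash (trashed = 1): name, cloud id, last modified."""
    rows = con.execute(
        "SELECT local_title, id, modified_date FROM items "
        "WHERE trashed = 1 AND is_folder = 0").fetchall()
    return [(title, cloud_id, epoch_to_iso(mod)) for title, cloud_id, mod in rows]


def shared_with_me(con):
    """Files another account shared with this user (shared_with_me_date set)."""
    return [r[0] for r in con.execute(
        "SELECT local_title FROM items WHERE shared_with_me_date > 0")]


def cached_files(con):
    """Items with a content-entry property: expect a copy under content_cache."""
    return [r[0] for r in con.execute(
        "SELECT i.local_title FROM items i JOIN item_properties p "
        "ON p.item_stable_id = i.stable_id WHERE p.key = 'content-entry'")]


def zone_identifier_sources(con):
    """Items carrying drivefs.Zone.Identifier; ZoneId=3 marks an Internet origin."""
    return {title: value for title, value in con.execute(
        "SELECT i.local_title, p.value FROM items i JOIN item_properties p "
        "ON p.item_stable_id = i.stable_id WHERE p.key = 'drivefs.Zone.Identifier'")}


if __name__ == "__main__":
    db = load_db()
    print("trashed:", trashed_files(db))
    print("shared with me:", shared_with_me(db))
    print("cached locally:", cached_files(db))
    print("zone identifiers:", zone_identifier_sources(db))
```

To run the same queries against an acquired database, replace load_db() with sqlite3.connect() on a copy of metadata_sqlite_db; work on a copy, never the original, because opening the file can create journal files beside it.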
🔍 Tools for Parsing Google Drive Databases:
DB Browser for SQLite
protobuf-decoder
Google Drive API

-------------------------------------------------------------------------------------------------------------

6️⃣ Investigating Google Drive Cloud Logs (Google Workspace Only)

For Google Workspace (G Suite) users, cloud logs provide detailed file access records, including:
✅ Uploads, downloads, file deletions, and sharing events
✅ User email, IP address, timestamps, and file actions
✅ Cross-referencing file IDs with forensic artifacts

📍 Google Workspace Audit Log Location: Google Workspace Admin Console → Reports → Audit → Drive Audit Log

📌 Key Audit Events:
File Edited: Logs file modifications
File Deleted: Tracks deleted files (even if removed from Trash)
File Downloaded: Identifies files copied to another device
File Uploaded: Captures new files added to Google Drive
File Shared: Tracks when files are shared externally
File Unshared: Logs when shared access is removed

💡 Forensic Use:
Identify stolen data by tracking downloads and external shares.
Recover deleted file information using file IDs from forensic artifacts.
Monitor insider threats by analyzing suspicious access patterns.

-------------------------------------------------------------------------------------------------------------

7️⃣ Forensic Workflow: Investigating Google Drive for Desktop

🔹 Step 1: Identify Google Drive Usage on the System
Check registry keys (NTUSER\Software\Google\DriveFS\Share).
Identify the Google Drive mount point & assigned drive letter.

🔹 Step 2: Extract Metadata & File Listings
Parse metadata_sqlite_db to list all Google Drive files, including cloud-only files.
Check item_properties for cached & deleted files.

🔹 Step 3: Recover Locally Stored or Deleted Files
Extract locally cached files from content_cache.
Look for deleted files in $Recycle.Bin and Google Drive Trash.

🔹 Step 4: Investigate External Sharing & Data Exfiltration
Cross-reference file IDs with Google Workspace Admin logs.
Track file downloads & sharing events to detect data leaks.

🔹 Step 5: Correlate with Other Forensic Artifacts
Compare Google Drive activity with browser history, Windows Event Logs, and Prefetch data.
Look for unauthorized access from unusual IP addresses.

-------------------------------------------------------------------------------------------------------------

We will explore more about Google Drive in the next article (Decoding Google Drive's Protocol Buffers and Investigating Cached Files), so stay tuned! See you in the next one.

----------------------------------------------Dean------------------------------------------
- Investigating OneDrive for Business: Advanced Forensics & Audit Logs
Microsoft OneDrive for Business is a powerful enterprise cloud storage solution, distinct from the personal OneDrive available by default on Windows. With Microsoft 365 integration, extensive logging, and advanced security controls, it provides rich forensic opportunities for investigators.

🔹 Why Investigate OneDrive for Business?
✅ Tracks file uploads, downloads, deletions, and modifications
✅ Stores detailed metadata for all synchronized files
✅ Keeps 90 days of Unified Audit Logs (UAL) with granular user activity
✅ Logs file sharing events, including external access

🚀 Let's dive into forensic artifacts, registry keys, logs, and the powerful Microsoft 365 Unified Audit Log (UAL).

-----------------------------------------------------------------------------------------------------

1️⃣ Identifying OneDrive for Business on a System

Unlike personal OneDrive, OneDrive for Business requires authentication with a Microsoft 365 account. A single system can sync:
✅ One personal OneDrive account
✅ Up to nine OneDrive for Business accounts

📌 Key File Locations for OneDrive for Business
Synchronized Files: %UserProfile%\OneDrive - \
Sync Metadata: %UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Business1\SyncEngineDatabase.db
Sync Logs: %UserProfile%\AppData\Local\Microsoft\OneDrive\logs\Business1\
Audit Logs (Cloud-based): Microsoft 365 Unified Audit Log

📌 Note: If multiple OneDrive for Business accounts exist, folders and settings will be named Business2, Business3, etc.

----------------------------------------------------------------------------------------------------------

2️⃣ Investigating OneDrive for Business Registry Keys

Forensic investigators must audit registry keys to determine:
✅ The existence of OneDrive for Business accounts
✅ User authentication details (email, last sign-in time, account names)
✅ The actual sync folder location (which may differ from the default)

📍 Registry Keys for OneDrive for Business: NTUSER\Software\Microsoft\OneDrive\Accounts\Business1
UserFolder: Path to OneDrive for Business local storage
UserEmail: Microsoft 365 account email
UserName: Name of the user tied to the account
LastSignInTime: Last authentication timestamp (Unix Epoch)
ClientFirstSignInTimestamp: Timestamp of first authentication
SPOResourceID: SharePoint URL linked to OneDrive for Business

📌 Key Insight: SPOResourceID confirms SharePoint integration, as OneDrive for Business leverages SharePoint for storage and sharing.

🔍 Tracking Shared Folders & External Sources: NTUSER\Software\Microsoft\OneDrive\Accounts\Business1\Tenants

----------------------------------------------------------------------------------------------------------

3️⃣ OneDrive for Business Sync Logs & Metadata Analysis

Investigating OneDrive for Business sync logs and metadata is done the same way as for a personal OneDrive account. See Part 3 ("3️⃣ Investigating Cloud-Only Files Using OneDrive Sync Database") of the article Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization: https://www.cyberengage.org/post/advanced-onedrive-forensics-investigating-cloud-only-files-synchronization

----------------------------------------------------------------------------------------------------------

4️⃣ Microsoft 365 Unified Audit Logs (UAL) for OneDrive for Business

OneDrive for Business integrates with Microsoft 365 Unified Audit Logs (UAL), providing detailed forensic tracking of user activity for 90 days.

📍 Accessing UAL Logs:
Microsoft 365 Security & Compliance Center
PowerShell (Search-UnifiedAuditLog)
Microsoft Graph API

📌 Key UAL Events for OneDrive Investigations:
FileAccessed: Tracks file views (noisy; consider FileAccessedExtended)
FileModified: Tracks file edits (use FileModifiedExtended for fewer entries)
FileDeleted: Tracks file deletions
FileDeletedFirstStageRecycleBin: Identifies files moved to the OneDrive Recycle Bin
FileDeletedSecondStageRecycleBin: Identifies permanently deleted files
FileDownloaded: Tracks files downloaded from OneDrive/SharePoint
AnonymousLinkCreated: Tracks externally shared files (links sent outside the organization)
FileSyncUploadedFull: Logs full file uploads
FileSyncDownloadedFull: Logs full file downloads

💡 Forensic Use:
Identify suspicious file downloads and deletions.
Track data exfiltration via external sharing (AnonymousLinkCreated).
Correlate file access patterns with suspicious login activity.

Reference: https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal

----------------------------------------------------------------------------------------------------------

5️⃣ Investigating External File Sharing & Data Exfiltration

Investigating OneDrive for Business file sharing and data exfiltration is done the same way as for a personal OneDrive account. See Part 5 ("5️⃣ Tracking Shared Files & External Data Sources") of the article Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization: https://www.cyberengage.org/post/advanced-onedrive-forensics-investigating-cloud-only-files-synchronization

----------------------------------------------------------------------------------------------------------

Final Thoughts: OneDrive for Business Forensics is a Goldmine for Investigators

🚀 Next Up: Google Drive for Desktop: Investigating Enterprise Cloud Storage Activity 🔍

-------------------------------------------Dean-------------------------------------------------------
- Understanding USB Artifacts: HID, MTP, PTP, and MSC Devices
USB devices play an essential role in digital forensics. While some devices, like Human Interface Devices (HIDs), may not seem particularly data-rich, they can still hold critical clues. Knowing how to analyze USB artifacts is crucial, especially when investigating potential malicious activity or suspicious system behavior.

------------------------------------------------------------------------------------------------------------

Human Interface Devices (HIDs)

HIDs, such as keyboards, mice, and game controllers, might not be the flashiest USB devices, but they can reveal important information. For instance, you might discover a new HID device installed during a time of suspicious activity. This is significant because malicious devices often disguise themselves as HIDs to bypass detection. One common attack involves using a HID keyboard to send pre-programmed keystrokes that execute scripts, such as PowerShell commands. Devices like the Hak5 Rubber Ducky are built specifically for this purpose. Other tools, like hardware keyloggers (e.g., AirDrive) and the USB Ninja, can mimic HID input to compromise systems stealthily.

Fortunately, HIDs must associate with a USB device class, and this process leaves traces in the system registry. HID associations are stored under the registry key SYSTEM\\Enum\HID. Here, you'll typically find the Vendor ID (VID), Product ID (PID), and timestamps. These timestamps, located in sub-keys like 0064, 0066, and 0067, record:
First connected time
Last connected time
Last removal time

------------------------------------------------------------------------------------------------------------

Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP)

Devices like smartphones, cameras, and music players often use MTP or PTP. These protocols differ from traditional mass storage devices and leave fewer forensic traces, but they are still worth investigating when analyzing data exfiltration or suspicious activity.

Picture Transfer Protocol (PTP)
PTP is an older protocol designed for transferring images, videos, and related metadata. It only allows files to be copied from the device to a computer and does not support other file types.

Media Transfer Protocol (MTP)
MTP is an upgraded protocol introduced by Microsoft to support a wider variety of file types. Unlike PTP, MTP allows two-way file transfers and enables simultaneous access to storage by both the device and the computer.

In forensic investigations, MTP devices can be tricky. They don't receive drive letters and are instead displayed under "Devices and Drives" in Windows 10+ or "Portable Devices" on older systems. Additionally, accessing files on MTP devices may not create typical artifacts like .LNK files.

To identify MTP or PTP devices, examine the following registry keys:
SYSTEM\\Enum\USB
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Artifacts like ShellBags and limited .LNK file records may also reference MTP.

What Happens? When you open files from an MSC device (like a flash drive), you get these little LNK files. These files point back to what you opened and where it came from.

------------------------------------------------------------------------------------------------------------

Mass Storage Class (MSC) Devices

Mass storage devices, such as external hard drives and flash drives, are among the most common USB devices. They leave behind a wealth of artifacts and are essential to examine in forensic investigations.

Protocols for MSC Devices
USB Storage Port (USBSTOR): This protocol supports the traditional Bulk-Only Transport (BOT) method, which allows straightforward data transfer.
USB Attached SCSI Protocol (UASP): Introduced with USB 3.0, UASP enables faster, multi-threaded transfers and is commonly used with solid-state drives. UASP devices are recorded in the SCSI registry key rather than USBSTOR.

MSC devices typically appear with a drive letter and are fully accessible for file transfers. They are recorded in the registry under USBSTOR or SCSI, depending on the protocol.

------------------------------------------------------------------------------------------------------------

Key Forensic Takeaways

HID Devices: Look for suspicious timestamps and unexpected devices in the HID registry key. Even if attackers spoof VID/PID, the timing can provide valuable clues.
MTP/PTP Devices: These devices leave fewer traces but can serve as potential data exfiltration points. Investigate their registry entries and any associated ShellBag or .LNK file artifacts.
MSC Devices: These devices leave behind the most artifacts, making them easier to analyze. Pay attention to whether they use USBSTOR or SCSI protocols, as modern devices increasingly rely on UASP.

By understanding these USB device types and the artifacts they leave behind, forensic investigators can better uncover and analyze suspicious activity on a system.

-----------------------------------------Dean------------------------------------
- The Role of USB Devices in Enterprise Threats and Digital Forensics
Since their inception, removable devices have posed a significant threat to enterprise security. From insider threats and confidential data theft to data leakage and the propagation of malicious code, the challenges surrounding removable devices remain prevalent. With an estimated six billion USB devices in use worldwide, their ubiquity underscores the critical need for organizations to understand and manage their risks effectively.

----------------------------------------------------------------------------------------------------------

USB: The Dominant External Media Interface

Among removable devices, USB (Universal Serial Bus) has long been the most widely adopted external media interface. While competitors such as FireWire (IEEE 1394) and eSATA once presented healthy alternatives, the industry has largely consolidated around USB.

Fortunately, USB device usage leaves behind a wealth of digital artifacts. These artifacts enable investigators to piece together comprehensive stories of USB activity, including identifying connected devices, determining when they were introduced, and pinpointing the responsible users.

----------------------------------------------------------------------------------------------------------

Understanding USB Device Classes

Not all USB devices are created equal. The USB Implementers Forum maintains over twenty distinct device classes, each with unique purposes and forensic footprints. While the Mass Storage Class (which includes external hard drives and flash drives) is often of primary interest, some other notable USB device classes include:

Human Interface Devices (HID): This category includes keyboards, mice, microphones, and malicious devices like keyloggers. Identifying these peripherals can offer insights into unusual or suspicious activity.
Media Transfer Protocol (MTP): MTP devices, such as mobile phones, represent specialized USB-connected systems often relevant in investigations.
Other Device Classes: Beyond storage and HIDs, devices such as webcams, printers, and gaming controllers may also leave behind valuable artifacts.

----------------------------------------------------------------------------------------------------------

Investigative Techniques in USB Forensics

Effective USB forensic investigations involve connecting disparate data points to form a cohesive narrative. By analyzing system logs, registry entries, and shell item data, investigators can determine:
The types of devices connected to a system.
The time and date of device introduction.
The files and folders accessed via the device.
The users responsible for the device's connection and usage.

Combining this information enables investigators to draw valuable conclusions about device activity and its potential implications for the enterprise.

----------------------------------------------------------------------------------------------------------

Challenges and Opportunities in USB Forensics

USB forensics is not without its challenges. Device artifacts are often scattered across a system, requiring significant time and expertise to locate and interpret. Moreover, the diversity of device classes and the variety of data formats involved mean that investigators must remain adaptable, armed with the right tools and methodologies.

USB device forensics is a powerful tool in combating insider threats, preventing data leaks, and uncovering malicious activity. By leveraging the insights provided by USB artifacts, organizations can enhance their security posture and respond more effectively to potential incidents.

----------------------------------------------------------------------------------------------------------

Conclusion

By understanding the nuances of USB device classes and their associated artifacts, investigators can extract critical insights to address enterprise security risks. Although the process may require effort, the rich data obtained through USB forensics makes it an indispensable asset in the modern investigative toolkit.

---------------------------------------------Dean----------------------------------------------------
- Linking USB Devices to User Accounts and using Microsoft-Windows-Partition/Diagnostic.evtx for Device Profiling
Linking USB Devices to User Accounts

If the device you're profiling is a mass storage class USBSTOR device, you can go a step further and try to tie the device to a specific user account. This is where the NTUSER.DAT registry hive comes into play.

-------------------------------------------------------------------------------------------------------

Why NTUSER.DAT Matters

Each user on a system has an NTUSER.DAT hive, which keeps track of their personal settings and activity. When a user logs in, their NTUSER.DAT hive is loaded into memory. Inside this hive, there's a key called:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

This key logs details about:
Mounted volumes (like USB devices)
Network shares accessed by the user

If the Volume GUID you identified earlier from the SYSTEM\MountedDevices key appears in this MountPoints2 key, it means:
The user was logged in when the device was connected.
Or, it was the last account logged in before the device was introduced.

-------------------------------------------------------------------------------------------------------

How to Check for User Activity

Load NTUSER.DAT hives: Load all NTUSER.DAT hives for suspected users into Registry Explorer.
Search for the Volume GUID: Use the Find tool in Registry Explorer and search for the GUID (e.g., 7560496c-3102-11e8-9eb7-9eb6d0dc1465).
Verify matches: If you find a sub-key matching the GUID, that user's account interacted with the device or was active while it was connected. The last write timestamp of the sub-key can give you an idea of the last time the device was connected.

-------------------------------------------------------------------------------------------------------

Important Notes

Be cautious! If a user logs out or reboots the system while the device is still connected, Windows may incorrectly attribute the device to the last logged-in account. This issue is common in older versions of Windows. To confirm user activity, cross-reference with:
Logon/logoff events from Windows Event Logs.
Other artifacts like browser history or shell items.

Multiple accounts: Don't forget to check all NTUSER.DAT hives for matches if there are multiple users on the system.

Non-USBSTOR devices: If you're profiling a device that isn't a USB storage device, this method won't work. Instead, use connection timestamps and Event Logs to link device usage to user activity.

-------------------------------------------------------------------------------------------------------

Beyond USB Devices: Network Shares

The MountPoints2 key doesn't just track USB devices; it also logs network shares accessed by the user. This can be helpful for:
Tracking lateral movement in an investigation.
Identifying systems accessed by an attacker or malicious insider.

Example: A share named Ubuntu-24.04 was accessed by the user on the system #wsl.localhost#

-------------------------------------------------------------------------------------------------------

Microsoft-Windows-Partition/Diagnostic.evtx for Device Profiling (Win10+)

Windows 10 introduced a valuable custom log, Microsoft-Windows-Partition/Diagnostic.evtx, which records detailed information about connected and disconnected devices. This log, particularly Event ID 1006, is a game-changer for investigating mass storage class (MSC) devices.

What Event ID 1006 Captures

Each Event ID 1006 entry logs detailed data when an MSC device is connected or disconnected, including:
Device Details: Manufacturer, Model, Vendor ID (VID), and Product ID (PID). Disk capacity. SCSI Serial Number (labeled as "SerialNumber"). iSerialNumber (found in the "ParentId" field).
Partition Data: Contents of the Master Boot Record (MBR). Volume Boot Records (VBRs) for up to three partitions.

These logs provide historical records of device usage, including internal devices like SSD drives.

Connection vs. Disconnection Events

Capacity Field: Populated for connection events (records the device's capacity). Displays "0" for disconnection events.

Pro Tip: Be mindful of events triggered by sleep/hibernation or shutdown. For instance, if a device remains connected during sleep mode, a new connection event will be logged upon resumption, creating back-to-back connect events without a corresponding disconnect event in between.

Strengths and Limitations

Advantages:
Tracks every device connection and disconnection with comprehensive data.
Provides timestamps for all events, helping to establish device activity timelines.
Far surpasses earlier removable device logging capabilities.

Limitations:
The log may be cleared during major Windows updates, retaining only post-update data.
Initially displays the message "For internal use only" in the Event Viewer, but the XML Details view reveals all the detailed information.

Pro Tip: Start with This Log

If you're profiling devices on Windows 10 or later, begin your investigation with Microsoft-Windows-Partition/Diagnostic.evtx. It provides a wealth of data upfront, saving time and effort in the profiling process. While additional details like user accounts and drive letters may require further investigation, this log is an exceptional resource for building a foundational understanding of device activity.

-------------------------------------------------------Dean------------------------------------
- Auditing Files and Folders on External Media || Tools for USB Device Analysis
When investigating external media connected to a system, determining what files and folders were accessed on the media is critical. This can be achieved by linking LNK files and Jump List shell items to device details using the Volume Serial Number (VSN).

------------------------------------------------------------------------------------------------------------

What Is a Volume Serial Number (VSN)?

Found in the Volume Boot Record (VBR) of FAT, exFAT, and NTFS file systems.
Captured in LNK files and Jump List entries for every file or folder accessed on the device.
Matching the VSN between a removable device and a shell item confirms the source of the accessed files or folders.

How to Retrieve a Device's VSN

The VSN can be retrieved through Windows artifacts, such as:

1. Microsoft-Windows-Partition/Diagnostic.evtx
What it records: The Master Boot Record (MBR) and Volume Boot Records (VBR) for up to three partitions. Detailed data like disk signature, partition structure, and Volume Serial Numbers.
How to extract the VSN from raw data (hex offsets):
FAT: Offset 0x43
exFAT: Offset 0x64
NTFS: Offset 0x48
Important: Convert the Little Endian byte order to the correct format.
Tools to simplify this process:
Partition-4DiagnosticParser: Maps raw hex data to human-readable output.
USB Detective: Extracts the VSN and other device details automatically.

------------------------------------------------------------------------------------------------------------

2. EMDMgmt Registry Key
Location: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Details captured: Manufacturer, iSerialNumber, Volume Name, and Volume Serial Number (in decimal form).
Note: Convert the decimal VSN to hex to match shell item records. This key may not be available on systems with SSDs, as it was originally tied to the now-defunct ReadyBoost feature.

-----------------------------------------------------------------------------------------------------------------------------

Key Insights About VSNs

VSN Changes: A device's VSN changes every time the partition is reformatted. If the same iSerialNumber appears with different VSNs, it indicates the device was reformatted. Use timestamps from the Partition/Diagnostic log or EMDMgmt key to estimate when formatting occurred.
Non-Windows File Systems: VSN data is not recorded for Mac, Linux, or GPT partitions.

-----------------------------------------------------------------------------------------------------------------------------

Tools for USB Device Analysis

1. USB Detective
What it offers: Automates the USB forensics process, pulling data from various sources:
Registry keys (e.g., DeviceMigration, EMDMgmt).
Event Logs (e.g., Microsoft-Windows-Partition/Diagnostic.evtx).
Shell items (e.g., LNK files, Jump Lists, ShellBags).
Volume Shadow Copies for historical analysis.
Strengths: Provides an intuitive interface and links data to original sources for easy validation. Consolidates and simplifies device activity audits.
(Screenshots in the original: the USB Detective interface and its output after processing.)

2. parseUSBs.py (https://github.com/khyrenz/parseusbs)
An open-source Python script by Kathryn Hedley. Parses registry hives and outputs findings in CSV format.
Strengths: Simple and efficient for written reports. Useful for quick analyses.
Limitations: Less comprehensive than USB Detective.

Thank you for taking the time to dive into this deep exploration of USB device forensics and the critical tools and techniques that can simplify the process. By mastering these methods, you'll be equipped to uncover valuable insights during investigations efficiently. See you in the next article, where we'll explore more cutting-edge forensic strategies and tools. Until then, happy investigating! 🚀

--------------------------------------------Dean--------------------------------------------
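The Event ID 1006 handling described in the previous article and the VSN extraction described in this one, carried through in code. This is an added example, not the article's own material and not Partition-4DiagnosticParser or USB Detective. It reads the XML Details view of a constructed Event ID 1006 record (the field names Capacity, SerialNumber, ParentId and Vbr0 follow the article; the exact XML layout is an assumption, so adjust the element names to match your export), classifies the record as a connection (Capacity > 0) or disconnection (Capacity = 0), reads the VSN out of the embedded Volume Boot Record at the offsets given above (FAT32 0x43, exFAT 0x64, NTFS 0x48) in little-endian order, and converts an EMDMgmt decimal VSN to the same XXXX-XXXX form so all three sources can be compared with LNK and Jump List records. The device values, VBR contents and VSNs are constructed.

```python
"""VSN recovery from Partition/Diagnostic Event ID 1006 and EMDMgmt (added example)."""
import xml.etree.ElementTree as ET

# Offsets of the 32-bit volume serial inside the VBR, as given in the article.
VSN_OFFSETS = {"NTFS": 0x48, "exFAT": 0x64, "FAT32": 0x43}


def detect_filesystem(vbr: bytes) -> str:
    """Identify the file system from the VBR's OEM / type strings."""
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[3:11] == b"EXFAT   ":
        return "exFAT"
    if vbr[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    raise ValueError("unrecognised or non-Windows VBR: no VSN recorded")


def vsn_from_vbr(vbr: bytes) -> str:
    """Read the VSN little-endian and format it the way shell items show it."""
    off = VSN_OFFSETS[detect_filesystem(vbr)]
    value = int.from_bytes(vbr[off:off + 4], "little")
    return f"{value >> 16:04X}-{value & 0xFFFF:04X}"


def vsn_from_emdmgmt_decimal(decimal_vsn: int) -> str:
    """EMDMgmt stores the VSN in decimal; render it in hex for comparison."""
    return f"{decimal_vsn >> 16:04X}-{decimal_vsn & 0xFFFF:04X}"


def parse_event_1006(xml_text: str) -> dict:
    """Pull device fields out of one Event ID 1006 record and classify it."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    capacity = int(data.get("Capacity", "0"))
    record = {
        "serial": data.get("SerialNumber"),   # SCSI serial number
        "iserial": data.get("ParentId"),      # USB iSerialNumber lives in ParentId
        "capacity": capacity,
        "event": "connect" if capacity > 0 else "disconnect",  # Capacity 0 = disconnect
        "vsn": None,
    }
    vbr_hex = data.get("Vbr0", "")
    if record["event"] == "connect" and vbr_hex:
        record["vsn"] = vsn_from_vbr(bytes.fromhex(vbr_hex))
    return record


def build_vbr(fs: str, vsn: int) -> bytes:
    """CONSTRUCTED boot sector carrying only the fields the parser reads."""
    vbr = bytearray(512)
    if fs == "NTFS":
        vbr[3:11] = b"NTFS    "
    elif fs == "exFAT":
        vbr[3:11] = b"EXFAT   "
    elif fs == "FAT32":
        vbr[0x52:0x5A] = b"FAT32   "
    else:
        raise ValueError(fs)
    off = VSN_OFFSETS[fs]
    vbr[off:off + 4] = vsn.to_bytes(4, "little")
    return bytes(vbr)


def sample_event(capacity: int) -> str:
    """CONSTRUCTED Event ID 1006 XML mimicking the Event Viewer Details view.
    ASSUMPTION: the element layout; VID/PID and serial values are placeholders."""
    return f"""<Event><EventData>
  <Data Name="Manufacturer">ExampleVendor</Data>
  <Data Name="Model">Example Flash</Data>
  <Data Name="SerialNumber">4C530001230419</Data>
  <Data Name="ParentId">USB\\VID_0000&amp;PID_0000\\4C530001230419</Data>
  <Data Name="Capacity">{capacity}</Data>
  <Data Name="Vbr0">{build_vbr("NTFS", 0x12345678).hex()}</Data>
</EventData></Event>"""


if __name__ == "__main__":
    for cap in (32010000000, 0):          # one connect record, one disconnect record
        print(parse_event_1006(sample_event(cap)))
    print(vsn_from_emdmgmt_decimal(305419896))  # same device seen via EMDMgmt
```

A connect record and its disconnect record share the same SerialNumber and ParentId; the VSN only comes from the connect record because the disconnect record carries no usable capacity and should not be trusted for partition data. Two consecutive connect records for one serial without a disconnect in between is the sleep/resume pattern the previous article warns about, not evidence of two separate insertions.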
- Tracking Drive Letters and Volume GUIDs : A Forensic Guide
When investigating devices connected to a computer, every small detail can help.
Identifying the drive letter: For instance, the volume name used by a device can link it to files like LNK files, which store the volume name. The drive letter assigned to the device can lead us to other artifacts like Prefetch files, RecentDocs, Jump Lists, ShellBags, and more.
But there's a catch: drive letter info isn't always available. Windows only keeps records of the last device assigned to a specific drive letter. Also, the same drive letter can be reused for multiple devices (this can be problematic because only the most recent device and its associated information will be recorded). Still, certain artifacts, especially in newer Windows versions (10 and 11), tend to stick around longer, even after system updates.
------------------------------------------------------------------------------------------------------------
Let's look at two key places where you can dig for drive letter and volume name info: VolumeInfoCache and MountedDevices.
1. VolumeInfoCache: A Quick and Easy Check
If you're using Windows 7 or later, this is your starting point. The VolumeInfoCache is located at:
SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
This key contains sub-keys for each drive letter (like C:, D:, E:, etc.). Each sub-key has a VolumeLabel value, which tells you the volume name of the last device connected to that drive letter.
Why use it?
- Quick and simple: It's easier to read compared to other registry keys.
- Good for SCSI drives and VHDs: Especially useful for modern devices like virtual hard drives or USB drives using UASP mode.
Limitations:
- Only records the last device assigned to each drive letter.
- Timestamps here (the "last write time" of sub-keys) aren't always reliable for figuring out exactly when the device was connected.
2. MountedDevices: A More Detailed Look
If VolumeInfoCache doesn't give you what you need, try checking SYSTEM\MountedDevices. This key tracks drive letters and the devices mounted to them. It's especially useful for USB thumb drives (USBSTOR devices).
How it works:
- Look for values like \DosDevices\E: (where "E:" is the drive letter).
- Inside the value data, search for the device's iSerialNumber. This links the drive letter to the specific device.
Things to keep in mind:
- Devices can be mounted with different drive letters over time, so check all drive letter values.
- You might not find a match if another device was mounted at the same drive letter later.
-------------------------------------------------------------------------------------------------------------
Special Cases: Hard Drives and Partition Types
Hard drives and SSDs (especially those with multiple partitions) are trickier to profile. Here's how they work based on the partition scheme:
GPT Partitions:
- Values start with DMIO:ID.
- The last 16 bytes in the value are the Unique Partition GUID.
- Search for this GUID in the registry to find keys tied to the original device.
MBR Partitions:
- If you do not see DMIO:ID at the start of a drive letter value, and do not see a USBSTOR Device ID and iSerialNumber, you are likely looking at partition data from a device using the older Master Boot Record (MBR) partition scheme.
- The first 4 bytes represent the Disk Signature.
- Search for this Disk Signature in the registry to uncover related keys that identify the device.
-------------------------------------------------------------------------------------------------------------
Why This Matters
Understanding where and how to find drive letter and volume name info can make all the difference in your investigation. While VolumeInfoCache is a fast and easy starting point, SYSTEM\MountedDevices gives you a deeper dive, especially for older or more complex devices.
With these tools, you'll be able to connect devices to their artifacts and uncover the story behind what was plugged in and when.
-------------------------------------------------------------------------------------------------------------
What's a Volume GUID?
A Volume GUID (Globally Unique Identifier) is Windows' way of identifying a specific volume or partition on a device. It's a unique name enclosed in curly braces:
\??\Volume{???????-????-????-????-??????}
For devices like USB flash drives (MSC USBSTOR), this Volume GUID can help us track down user activity tied to the device in later steps.
How to Find Volume GUIDs for USB Devices
- If you're profiling a USB flash drive, check the value data of the Volume GUID entries within the MountedDevices key.
- Look for the device's iSerialNumber (the unique serial number). If it matches, you've found the Volume GUID for that device.
Why Is This Step Important?
This step lets you:
- Tie the device to a GUID: This helps you match the device with its associated user account in later steps.
- Track user activity: You'll need this Volume GUID to dive deeper into the behavior of the device and its user.
Special Note: This method only works for MSC USBSTOR devices, like USB flash drives. For other device types, you'll need to rely on Windows Event Logs to identify which user account was active at the time the device was connected or used.
------------------------------------------------------------------------------------------------------
I know this is a lot of information and I want to make things easy for you. So, are you ready? Let's start.
Let's say you've identified a unique identifier for your device, such as the iSerialNumber. Registry Explorer lets you search across all loaded registry hives at once, saving you a lot of time.
How to Search for Device Information
1. Load the right hives: Make sure you've loaded the SYSTEM, SOFTWARE, and user NTUSER.DAT hives in Registry Explorer. These hives contain most of the data related to devices.
2. Use the Find option: Go to Tools > Find and search for the device's iSerialNumber (or another unique identifier such as the DiskId).
3. Review the results: If the device information is still present in the registry, you'll likely see many search hits. Not all of them will be relevant, so focus on the keys needed for device profiling.
What to Look For
Search results will typically include keys that provide:
- Device ID
- Last Mountpoint
- Drive Letter
- Volume GUID
You may also find hits in less common locations, like Windows Portable Devices, which could provide additional details. Double-click any result of interest to jump directly to that registry key within Registry Explorer.
Work Smarter, Not Harder
While it's possible to manually comb through the registry to profile a device, this process can be incredibly time-consuming, especially if you're dealing with multiple devices. By using unique identifiers and leveraging tools like Registry Explorer's search function, you can dramatically speed up the process.
-----------------------------------------------Dean-------------------------------------------------
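An added example, not code from the article: a Python classifier for MountedDevices value data that follows the rules from the MountedDevices, partition-type, and Volume GUID sections above (USBSTOR device strings, DMIO:ID GPT values, 12-byte MBR values), then finds every drive letter and the Volume GUID tied to an iSerialNumber. The key contents are a constructed sample; the serial number and GUIDs in it are made up.

```python
import struct
import uuid
from typing import Dict, List, Optional

GPT_PREFIX = b"DMIO:ID:"          # GPT volume values start with this marker
DOSDEVICES = "\\DosDevices\\"
VOLUME_PREFIX = "\\??\\Volume{"


def classify_mounted_device(data: bytes) -> dict:
    """Classify one MountedDevices value's data the way the article describes."""
    if data.startswith(GPT_PREFIX):
        # GPT: the last 16 bytes are the Unique Partition GUID (Windows byte order).
        return {"scheme": "GPT", "partition_guid": str(uuid.UUID(bytes_le=data[-16:]))}
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        text = ""
    if text.startswith("\\??\\USBSTOR#"):
        # Layout: \??\USBSTOR#<Device ID>#<iSerialNumber>&<instance>#{interface GUID}
        parts = text.split("#")
        return {"scheme": "USBSTOR", "device_id": parts[1],
                "iserialnumber": parts[2].split("&")[0]}
    if len(data) == 12:
        # MBR: 4-byte little-endian disk signature, then an 8-byte partition offset.
        signature, offset = struct.unpack("<IQ", data)
        return {"scheme": "MBR", "disk_signature": f"{signature:08X}",
                "partition_offset": offset}
    return {"scheme": "unknown"}


def drive_letters_for_serial(mounted: Dict[str, bytes], serial: str) -> List[str]:
    """Every DosDevices letter whose data carries this iSerialNumber; a device
    may have been mounted under several letters over time."""
    return sorted(name[len(DOSDEVICES):] for name, data in mounted.items()
                  if name.startswith(DOSDEVICES)
                  and classify_mounted_device(data).get("iserialnumber") == serial)


def volume_guid_for_serial(mounted: Dict[str, bytes], serial: str) -> Optional[str]:
    """The Volume GUID value whose data carries this iSerialNumber (MSC USBSTOR only)."""
    for name, data in mounted.items():
        if name.startswith(VOLUME_PREFIX) and \
                classify_mounted_device(data).get("iserialnumber") == serial:
            return name
    return None


# Constructed sample of a MountedDevices key (value name -> raw data); not from a real system.
USB_DATA = ("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_GUID = uuid.UUID("9f3a1c2e-7b4d-4e8a-9c5f-0123456789ab")
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": b"\x12\x34\x56\x78" + struct.pack("<Q", 0x100000),  # MBR
    "\\DosDevices\\D:": GPT_PREFIX + SAMPLE_GUID.bytes_le,                    # GPT
    "\\DosDevices\\E:": USB_DATA,                                             # USB stick
    "\\DosDevices\\F:": USB_DATA,                                             # same stick, later letter
    "\\??\\Volume{a1b2c3d4-0000-4000-8000-000000000001}": USB_DATA,
}

if __name__ == "__main__":
    for name, data in SAMPLE_MOUNTED.items():
        print(name, classify_mounted_device(data))
    print(drive_letters_for_serial(SAMPLE_MOUNTED, "4C530001234567"))
    print(volume_guid_for_serial(SAMPLE_MOUNTED, "4C530001234567"))
```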
- Profiling Device Volume Names in the Windows Registry
Volume Name
When performing a forensic examination of connected devices, one of the key pieces of information we aim to gather is the volume name associated with the device. However, it's important to note that not all device types maintain volume names, and these names are not always mandatory. In some cases, if a device does not have a volume name, Windows will record the last mounted drive letter instead.
Windows Portable Devices registry key
This key stores valuable information about each device connected to the system, including the Device ID and iSerialNumber for each device. If a device has a volume name, it will be recorded here under the FriendlyName value.
SOFTWARE\Microsoft\Windows Portable Devices\Devices
You can also grab the Volume Name and GUID, which can be handy for future reference. As I was doing the analysis, I recommend noting down the iSerialNumber as well as the DiskId to match information in Windows Portable Devices. My personal recommendation: use Registry Explorer; this tool does all the work for you.
---------------------------------------------------------------------------------------------------------
Different Device Classes
Different device classes (e.g., USBSTOR, MSC, MTP) store varying amounts of data in the registry. USBSTOR devices are typically the most complete, providing Device ID, iSerialNumber, and FriendlyName. For other devices like smartphones using MTP, or UASP drives, less information might be available. If you encounter a device that's missing critical information, dig into the raw sub-keys where you might find additional identifiers like VID (Vendor ID), PID (Product ID), or even DiskId for certain devices.
---------------------------------------------------------------------------------------------------------
Handling SD Cards
Interestingly, SD cards can also be tracked in this registry key, even though they are not USB devices. If an SD card is connected through an SD card reader, you might find its associated volume name under the Windows Portable Devices key as well. For instance, you could see a volume name like "SD_FILES" for the attached SD card, which could be valuable for profiling purposes.
---------------------------------------------------------------------------------------------------------
LNK Files to the Rescue
Even if the drive letter isn't directly mapped, don't lose hope! Many LNK files include the Volume Name, sometimes alongside the drive letter. With timestamp analysis and LNK file correlation, you can often deduce the potential drive letter.
---------------------------------------------------------------------------------------------------------
Conclusion
When profiling devices through the Windows registry, the volume name can be a critical piece of evidence, especially when tracking devices that are used for malicious purposes or when identifying artifacts left behind by terminated employees. By focusing on the FriendlyName value under the Windows Portable Devices key, you can gather valuable information about the device, including its volume name, which can later be used to cross-reference other data and build a complete profile of the device's activity on the system.
-------------------------------------------Dean-------------------------------------------
- Audit USB Devices on Windows : USBSTOR and USB
Updated on Jan 24, 2025
USB devices play a crucial role in digital forensics and IT security. Whether you're investigating a security incident, checking for unauthorized device usage, or simply maintaining logs, auditing USB device history is essential. One of the best places to start is the Windows Registry, specifically the SYSTEM\CurrentControlSet\Enum\USB key. Let's break it down in an easy-to-follow manner.
-----------------------------------------------------------------------------------------------------------
USB Registry Key
Understanding the USB Registry Key
The SYSTEM\CurrentControlSet\Enum\USB key tracks all USB devices that have been connected to the system:
- USBSTOR (Mass storage devices like flash drives and external hard drives)
- UASP (Advanced storage devices)
- MTP/PTP (Smartphones, digital cameras)
- HID (Keyboards, mice, game controllers)
- USB Hubs (External USB hubs for multiple connections)
This registry key gives investigators a broad overview of USB activity on a machine, helping to track down unauthorized or suspicious devices.
-----------------------------------------------------------------------------------------------------------
What Information Can You Extract?
When auditing USB devices, the following information is critical:
- Device Type: Identifies whether it's a storage device, keyboard, webcam, etc.
- Vendor ID (VID): Represents the manufacturer of the device.
- Product ID (PID): Identifies the specific product.
- Device iSerialNumber: A unique identifier for tracking devices across different registry keys and logs.
- ParentIdPrefix (for UASP devices): Helps associate devices with their storage controllers.
Under each iSerialNumber sub-key, you'll find key attributes like:
- DeviceDesc: Provides a user-friendly description of the device.
- Service: Indicates the type of service associated with the device.
These values can be cross-referenced with databases like the USB IDs Repository or DeviceHunt to determine the manufacturer and device type.
As you can see in this screenshot, the Service is USBSTOR (there are multiple services available, which help you determine what type of device was connected).
Understanding Service Types
Common Service types are (important for understanding the type of device):
- USBSTOR (MSC USBSTOR)
- UASPSTOR (MSC UASP SCSI)
- HidUSB (HID input device)
- WUDFWpdMtp (MTP device like a smartphone)
- usbvideo (Video device like a webcam)
- usbaudio (Microphone)
- USBHUB3 (USB hub)
- BTHUSB (Bluetooth)
- vmusb (VMware USB device pass-through)
- usbccgp (Composite USB device: a peripheral that has combined functionality from one or more device classes. A keyboard with combined mouse input is one example)
-----------------------------------------------------------------------------------------------------------
With the arrival of USB 3.0, a new and improved transfer protocol called USB Attached SCSI Protocol (UASP) was introduced. UASP allows for much faster and multi-threaded data transfers. It was primarily designed to handle high-speed solid-state drives (SSDs) and to maximize the faster data rates of USB 3.0. UASP works with USB 3.x SuperSpeed, Thunderbolt, and even USB4.
Kindly note: Modern systems using UASP don't store their information under USBSTOR! Instead, UASP devices are logged under a different registry key called SCSI. This means that if you only look at USBSTOR, you could be missing some crucial evidence.
-----------------------------------------------------------------------------------------------------------
Real-World Example
Let's say you find a device with:
- VID: 1058
- PID: 25A2
- Service: USBSTOR (indicating it's a mass storage device)
Looking up these values online (https://devicehunt.com/, http://www.linux-usb.org/usb.ids), you can even find images of the exact device model. This level of detail can be invaluable in investigations.
Yeah, it's true: my hard drive belongs to this vendor name.
-----------------------------------------------------------------------------------------------------------
Making this easy for you!
Manually going through each registry key can be time-consuming, especially on systems with numerous USB connections. Tools like Registry Explorer come with plugins that can extract and present USB audit data in a structured format.
Best Practices:
- Sort by Device Name to quickly find the devices of interest.
- Sort by Timestamp (last write time of the VID/PID key) to track activity within a specific investigation window.
- Be cautious: Registry timestamps may not always reflect the last usage time accurately. Cross-check with Event Logs for more precise data.
-----------------------------------------------------------------------------------------------------------
USBSTOR Registry Key
For mass storage devices (MSC USBSTOR), additional details are available under SYSTEM\CurrentControlSet\Enum\USBSTOR. This key contains subkeys named after the Device ID, with one or more subkeys representing iSerialNumbers. By matching an iSerialNumber from USB to USBSTOR, we can extract further details such as:
- Device ID (stored in the USBSTOR sub-key name)
- FriendlyName (human-readable name of the device)
- First Time Device Connected
- Last Time Device Connected
- Last Removal Time
Additionally, each USBSTOR entry contains a DiskId value, located at:
The DiskId correlates with Microsoft-Windows-Partition/Diagnostic.evtx, which provides further metadata and timestamps.
Conclusion
Whether investigating unauthorized access, tracking lost data, or analyzing security threats, this method provides a solid foundation for USB audits. Stay tuned for the next article, where we will analyze USB time tracking in greater detail!
----------------------------------------------Dean--------------------------------------------------
- Unlocking ShellBags Analysis with ShellBags Explorer (SBE) / SBECmd.exe
ShellBags can provide invaluable insights into a user's activity, helping forensic analysts reconstruct deleted folders, track accessed directories, and correlate timestamps with other evidence. While parsing ShellBags manually is complex and tedious, ShellBags Explorer (SBE) by Eric Zimmerman simplifies this process, offering a comprehensive, automated, and user-friendly way to extract and analyze these artifacts.
-----------------------------------------------------------------------------------------------------------
What is ShellBags Explorer (SBE)?
ShellBags Explorer is a free, all-in-one forensic tool designed to parse ShellBags artifacts effortlessly. It eliminates the need for laborious manual steps, automates the decoding of registry data, and helps investigators visually reconstruct a user's directory structure. Whether dealing with deleted folders or hidden user activity, SBE makes ShellBags analysis more efficient and insightful.
SBE is available in both GUI and command-line versions, making it adaptable for different forensic workflows. The command-line version is particularly useful when scripting or integrating analysis into a broader forensic pipeline.
-----------------------------------------------------------------------------------------------------------
Understanding the SBE Interface
SBE is designed to be intuitive, especially for those familiar with forensic GUI tools. The interface consists of three main sections:
🔹 Tree View (Left Panel): Displays a hierarchical representation of identified folders, directly sourced from the BagMRU registry key.
🔹 Table View (Right Panel): Shows metadata for child folders, including timestamps (First Interacted, Last Interacted) and additional Shell Item details. Sorting and filtering make it easier to pinpoint critical evidence.
🔹 Details & Summary View (Bottom Panel): Provides in-depth insights into selected folders, including the full file path, registry key locations, NodeSlot references, and timestamps.
-----------------------------------------------------------------------------------------------------------
How ShellBags Store Information
The BagMRU key is responsible for maintaining a list of child folders and an MRU (Most Recently Used) list, which records the order in which folders were interacted with.
One crucial aspect of ShellBags analysis is that the timestamp of the most recently accessed folder (MRU Position #0), often referred to as the "Last Interacted" time, tells us the last time the user interacted with that folder. However, this creates a significant limitation: if a parent folder contains multiple child folders, only the most recently accessed one can be assigned a timestamp. The other child folders remain without a definitive timestamp, making it impossible to determine when they were last interacted with.
Example Breakdown
Let's take a practical example to better understand how this works. Suppose we have three folders under a parent folder, as seen in forensic tools like ShellBags Explorer. Only one folder (e.g., "Windows") has a "Last Interacted" timestamp. That folder is also positioned as MRU Position #0 in the MRU list. We can see the following MRU sequence:
- Position 0 (most recently accessed) → Folder: "Windows"
- Position 1 → Folder: "Users"
- Position 2 → Folder: "Program data"
The registry key timestamp of the parent folder (e.g., 2023-03-24 18:14:00.598 UTC) is assigned only to MRU Position #0, confirming that "Windows" was the last folder interacted with.
Why This Matters in Forensics
Understanding this timestamp limitation is crucial when reconstructing user activity. Investigators must be aware that:
- Not all accessed folders will have timestamps. Only the most recently interacted folder within a parent directory will.
- Correlating with other forensic artifacts is necessary. Combining ShellBags analysis with other sources like Windows Event Logs, USN Journal, or Prefetch data can provide a more complete timeline of user activity.
-----------------------------------------------------------------------------------------------------------
First Interacted Timestamps in ShellBags
First Interacted timestamps are identified differently than Last Interacted times. Here's how it works:
- When a folder is added to BagMRU for the first time, a registry key is created.
- The last write time of that key becomes the First Interacted timestamp.
- If no subfolders under that key are later accessed, this timestamp remains unchanged.
Why This Matters in Forensics
Understanding both First and Last Interacted timestamps is crucial when reconstructing user activity. Investigators should remember:
- Only folders without subfolders have First Interacted timestamps.
- Last Interacted timestamps are reassigned when new folders are accessed within a parent directory.
- Correlating with other forensic artifacts like Windows Event Logs or USN Journal enhances timeline accuracy.
-----------------------------------------------------------------------------------------------------------
Target Timestamps in ShellBags
- Created: Records when the folder was first created.
- Modified: Reflects when a file was last added or deleted within the folder.
- Accessed: (If enabled in Windows) Indicates the last time a file was opened from the folder.
These timestamps are recorded during the first interaction with the folder and typically do not get updated later. This makes them crucial in forensic investigations, especially if the folder was deleted, located on a removable device, or stored on a remote system.
Example Use Cases:
- Detecting suspicious folder creation on a USB drive on the day an employee was terminated.
- Identifying folders modified during a known external intrusion.
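An added example (not the article's or ShellBags Explorer's code): the Last Interacted and First Interacted rules above applied in Python to a constructed BagMRU subtree that mirrors the three-folder example. It reads the MRUListEx value, which holds the MRU order as little-endian DWORD indices ending in 0xFFFFFFFF; the article names the MRU list but not that value, so treat the value name as coming from this example.

```python
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class BagMruKey:
    """One BagMRU registry key: child folders keyed by their numbered value,
    the raw MRUListEx data, and the key's last write time."""
    name: str
    last_write: datetime
    children: Dict[int, "BagMruKey"] = field(default_factory=dict)
    mrulistex: bytes = b""


def parse_mrulistex(data: bytes) -> List[int]:
    """MRUListEx: little-endian DWORD value indices, terminated by 0xFFFFFFFF.
    Position 0 is the most recently interacted child."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def interaction_timestamps(parent: BagMruKey) -> Dict[str, dict]:
    """Apply the article's rules: the parent key's last write time is the Last
    Interacted time of the child at MRU position 0 only; a child key without
    subkeys keeps its own last write time as its First Interacted time."""
    result = {}
    for pos, idx in enumerate(parse_mrulistex(parent.mrulistex)):
        child = parent.children[idx]
        result[child.name] = {
            "mru_position": pos,
            "last_interacted": parent.last_write if pos == 0 else None,
            "first_interacted": child.last_write if not child.children else None,
        }
    return result


def build_sample_parent() -> BagMruKey:
    """Constructed BagMRU subtree matching the article's example: three child
    folders, 'Windows' most recent, parent key written 2023-03-24 18:14:00.598 UTC."""
    def ts(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    users = BagMruKey("Users", ts("2023-03-20 09:12:44.100"))
    users.children[0] = BagMruKey("Public", ts("2023-03-20 09:13:01.000"))  # Users has a subkey
    program_data = BagMruKey("Program data", ts("2023-03-18 15:40:12.550"))
    windows = BagMruKey("Windows", ts("2023-03-24 18:13:58.210"))
    parent = BagMruKey("C:\\", ts("2023-03-24 18:14:00.598"))
    parent.children = {0: users, 1: program_data, 2: windows}
    parent.mrulistex = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)  # Windows, Users, Program data
    return parent


if __name__ == "__main__":
    for folder, info in interaction_timestamps(build_sample_parent()).items():
        print(folder, info)
```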
-----------------------------------------------------------------------------------------------------------
MFT Entry and File System Identification in ShellBags
ShellBags store the MFT Entry Number / File System for a folder, which can be viewed in ShellBags Explorer. This can help forensic analysts match folder metadata with specific storage devices (e.g., network shares, USB drives).
Why is this important?
- Helps distinguish between removable media and system drives (system drives are not formatted as FAT or exFAT).
- Allows precise correlation between ShellBags data and specific devices.
-----------------------------------------------------------------------------------------------------------
Indicators of User Interaction with a Folder in ShellBags
Vincent Lo's research revealed that actions such as deleting, copying, and renaming a folder can create ShellBags entries. This is why the term "interacted" is preferred over "accessed" when analyzing ShellBags data.
User Interaction
David Cowen and Eric Zimmerman found that the presence of settings values within a folder's Bags key is a strong indicator that a user has explored that folder. The ShellBags Explorer tool automatically detects this and marks such folders in the "Has Explored" column. A checkmark in this column suggests that at least two settings values exist, increasing the likelihood that the user accessed the folder.
However, modern operating systems are complex, and rare cases may exist where a folder has Bags settings data without direct user interaction. For critical forensic conclusions, it's best to corroborate ShellBags findings with other artifacts, such as LNK files showing file access from that folder.
-----------------------------------------------------------------------------------------------------------
SBECmd Command Line
This tool offers the same capabilities and data extraction functionalities but in a command-line format, making it particularly useful for automation and large-scale forensic investigations.
Running SBECmd Against Mounted Triage Images
When working with a mounted forensic image, you can run SBECmd against the entire Users folder or a specific user's folder. Since Eric Zimmerman's tools support recursive searching, SBECmd will automatically scan subdirectories to locate and parse:
- NTUSER.DAT
- UsrClass.dat
Each parsed hive will generate a separate CSV file containing the extracted ShellBags data.
Example Command Usage
The following SBECmd command extracts ShellBags data and saves the output in CSV format:
SBECmd.exe -d G:\G --csv "E:\Output for testing\Website investigation" --csvf shellbags.csv
Output:
-----------------------------------------------------------------------------------------------------------
Reference:
-----------------------------------------------------------------------------------------------------------
Conclusion:
ShellBags are a powerful forensic artifact that provides critical insights into user activity on a Windows system. Because ShellBags store historical user activity, they are incredibly useful in intrusion investigations, insider threat cases, and digital forensic analysis. However, understanding and parsing them manually can be complex. Use tools like SBECmd.exe and ShellBags Explorer.
Thanks for staying with me on this journey; see you in the next article, so stay tuned! 🚀
- Understanding ShellBags: A Forensic Goldmine in Windows Investigations
When investigating user activity on a Windows system, ShellBags are one of the most powerful yet misunderstood forensic artifacts. They provide proof that a folder or virtual object was accessed, even if it has been deleted, moved, or no longer exists. However, ShellBags can be complex to analyze, which often makes them intimidating for investigators.
------------------------------------------------------------------------------------------------------
📌 What Are ShellBags?
ShellBags are Windows registry entries that store user preferences for how folders are displayed in File Explorer. However, beyond user preferences, these keys provide valuable forensic insights. Investigators can use ShellBags to answer critical questions such as:
✔ Did a user browse a folder before deleting it?
✔ Were external USB drives or cloud storage folders accessed?
✔ Did the user open password-protected or encrypted drives?
✔ What files and folders existed before deletion?
But here's the key forensic takeaway:
📌 If a ShellBag exists for a folder, it proves a user interacted with it via the Windows GUI (File Explorer). This means even if the folder is deleted or stored on a removable drive, ShellBags may still contain evidence of its existence.
------------------------------------------------------------------------------------------------------
How Do ShellBags Work?
ShellBags track more than just regular folders. Windows also treats ZIP archives, mobile device filesystems, control panel applets, and more as folders. Notably, starting with Windows 11 22H2, support was expanded to include 7-Zip, RAR, TAR, and Gzip archives. This is particularly relevant because attackers frequently use archived files to evade detection. With these updates, forensic analysts now have a new source of evidence in investigations.
ShellBags store data in two main registry subkeys:
- BagMRU – Maintains the hierarchy and names of folders interacted with.
- Bags – Stores configuration details for each folder.
By examining timestamps stored in ShellBags, investigators can determine when a folder was first and last accessed, correlating this with other forensic artifacts.
------------------------------------------------------------------------------------------------------
🗂 Where Are ShellBags Stored?
ShellBags are registry entries found in different locations depending on the Windows version:
📌 Windows 7 and later
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
📌 Windows XP (older storage format)
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
💡 Tip: The NTUSER.DAT and USRCLASS.DAT registry hives store this information per user. So, ShellBag entries are unique for each Windows account.
------------------------------------------------------------------------------------------------------
⏳ Timestamp Analysis in ShellBags
One of the most important forensic aspects of ShellBags is their timestamps, which record:
✔ When a user first accessed a folder (First Interacted time).
✔ When the folder settings were last modified (Last Interacted time).
📌 Key Takeaway: This is especially useful for tracking user activity across removable storage devices, encrypted volumes, or cloud-based folders.
------------------------------------------------------------------------------------------------------
Making ShellBags Analysis Easier
ShellBags analysis can be complex, but tools automate the parsing process, making it easier to focus on results rather than raw registry data. In my next article, I'll walk you through using automated tools to parse ShellBags, allowing you to focus solely on analysis rather than manual extraction.
To better understand ShellBags in action, I highly recommend watching 13Cubed's YouTube episode on the topic: Watch here
------------------------------------------------------------------------------------------------------
💡 Real-World Forensic Use Cases of ShellBags
1️⃣ Case Study: Investigating a Deleted Folder
A suspect claims they never accessed a sensitive folder that has since been deleted.
📌 Solution: Investigate ShellBags!
✔ The folder still exists in the registry.
✔ The timestamps show when it was last accessed.
✔ The folder was stored on a USB drive, proving removable storage was used.
2️⃣ Case Study: Proving Data Theft
A company suspects an employee copied files to an external drive before resigning.
📌 Solution:
✔ ShellBags reveal the USB drive name & letter.
✔ The timestamps show when folders on the USB were accessed.
✔ Jump Lists confirm that files from these folders were opened.
📢 Conclusion: Even if files were deleted, ShellBags provide concrete evidence of their existence!
------------------------------------------------------------------------------------------------------
🔍 Final Thought: ShellBags might seem complex, but once you understand how they work, they become a powerful weapon in digital forensic investigations. Whether tracking deleted evidence, removable storage access, or user activity, they provide an invaluable historical record of what happened on a system.
----------------------------------------------Dean---------------------------------------------
- Windows Taskbar Jump Lists: A Forensic Goldmine
Jump Lists are one of the most overlooked yet powerful artifacts in Windows forensic investigations. Introduced in Windows 7 , they provide users with quick access to recently or frequently used files, websites, and applications directly from the taskbar or Start menu . But for forensic analysts, Jump Lists offer something even more valuable: a deep history of user activity , revealing files and folders accessed, websites visited, and applications frequently used—often persisting even after deletion or file wiping. ---------------------------------------------------------------------------------------------------------- How Jump Lists Work: Destinations vs. Tasks Jump Lists are made up of two main components: 1️⃣ Destinations – These track user interactions with files, folders, and websites . 2️⃣ Tasks – These represent application-specific actions , such as opening a private browsing session or launching a virtual machine. According to Microsoft’s Windows Software Development Kit (SDK): Destinations (t hings users interact with, such as files or folders ). Tasks act ( actions that apply to all users, such as "Open New Tab" in a browser ). Because Destinations track user behavior , they hold significant forensic value. ---------------------------------------------------------------------------------------------------------- Types of Jump Lists: Automatic vs. Custom Jump Lists are categorized into two types: 🔹 AutomaticDestinations Jump Lists (Forensically Rich) These are automatically generated by Windows for each application, storing up to 2,000 entries per application. They use a structured storage format (OLE CF) —essentially a container storing multiple data streams , including LNK files (shortcut files). Each entry in an Automatic Jump List contains: ✅ Full file path and filename ✅ Timestamps (creation, modification, last accessed) ✅ File size and attributes ✅ Storage device information (drive serial number, network path, MAC address, etc.) 
✅ MRU (Most Recently Used) order, taken from the DestList stream

📌 Forensic Insight: Even if a file is deleted or wiped from the system, its Jump List entry may still exist, providing proof of prior access.

🔹 CustomDestinations Jump Lists (Application-Specific)

These are created by application developers for custom functionality, such as:
✅ Favorite files or frequently visited websites
✅ Recently closed tabs in browsers
✅ Cloud file access history

Custom Jump Lists use a simpler format than Automatic Jump Lists: a short header followed by LNK records laid end to end, with no DestList and therefore no MRU ordering and no per-entry timestamps beyond those inside each LNK.

📌 Forensic Insight: Since Custom Jump Lists are managed by applications, they don't always follow predictable timestamp patterns. Analysts should be cautious when interpreting their data.

----------------------------------------------------------------------------------------------------------

Jump List Storage Locations

Jump Lists are stored alongside the user's LNK files, under the user's Recent Items folder:

🔹 AutomaticDestinations Jump Lists:
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Each file inside this folder corresponds to an application, using an AppID-based filename (e.g., 5f7b5f1e01b83767.automaticDestinations-ms).

🔹 CustomDestinations Jump Lists:
C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
As with Automatic Jump Lists, each file represents an application and is named after its AppID (with the extension .customDestinations-ms).

********************************************************************************************************************

Jump Lists and Recent Items Folder Visibility in Windows 10/11

If you're looking for .lnk files (shortcut files) and Jump Lists in Windows 10 or 11, you might notice a difference in how they appear in File Explorer versus other tools.

File Explorer View:
Navigate to: C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\
You will see Recent Items instead of Recent.
This folder contains shortcut files (.lnk), but the Jump List subfolders (AutomaticDestinations, CustomDestinations) may not be visible.

Why: "Recent Items" is only the display name that File Explorer applies to the Recent folder through its desktop.ini, and the two Jump List subfolders are hidden from a normal Explorer listing. Typing the full path into the address bar, or listing the folder from a command prompt with "dir /a", shows them.

PowerShell & Forensic Tools:
KAPE and other forensic tools extract these artifacts regardless, confirming that they are present.

Key Takeaway
Even if you don't see Jump Lists in File Explorer, they are still there and accessible through forensic methods; what changed in newer Windows versions is only how Explorer presents the folder.

******************************************************************************************************************

Analyzing Jump Lists for Digital Forensics

1️⃣ Extracting Data from AutomaticDestinations Jump Lists

Because Automatic Jump Lists use OLE CF structured storage, specialized tools are required to extract their contents. Each entry contains an embedded LNK file, providing valuable metadata.

🛠 Tools for Analysis:
✅ JumpList Explorer / JLECmd (by Eric Zimmerman) – Parse Automatic and Custom Jump Lists, decode the DestList, and can export the embedded LNK files.
✅ LECmd (by Eric Zimmerman) – Parses individual LNK files, including those exported from a Jump List, for timestamp and volume analysis.
✅ Forensic Suites (e.g., Autopsy, X-Ways) – Some forensic tools have built-in Jump List parsers.

📌 Key Findings:
Identify frequently accessed files (even if deleted).
Track external device use (USB, network shares).
Establish a timeline of file usage from the MRU list and DestList timestamps.

-------------------------------------------------------------------------------------------------------------

2️⃣ Analyzing CustomDestinations Jump Lists

Because CustomDestinations Jump Lists concatenate LNK files together, they are simpler to analyze but lack MRU ordering and the DestList timestamps.

📌 Key Findings:
Identify favorite or recently closed items (e.g., browser history, cloud files).
Review application-generated data (e.g., remote desktop connections).
Cross-reference with Automatic Jump Lists for verification.

🛠 Tools for Analysis:
✅ JLECmd – Parses CustomDestinations files and splits out the individual LNK records; LECmd then handles the extracted LNK files.
✅ Hex Editors – Manually inspect for unique artifacts (such as website URLs), or carve LNK records by their header signature when a file is damaged.

-------------------------------------------------------------------------------------------------------------

Decoding Jump List AppIDs

Jump Lists are an essential artifact in Windows forensic investigations, helping analysts track user activity, file access and application usage. However, one of the biggest challenges with Jump Lists is their naming convention: instead of being named after applications, they are stored under unique Application Identifiers (AppIDs), for example:

1b4dd67f29cb1962.automaticDestinations-ms

What Are Jump List AppIDs?

Every application that uses Jump Lists is assigned a unique AppID. By default Windows derives it from the full path of the application's executable (a CRC-64 hash of the upper-cased path); an application can instead declare its own explicit AppUserModelID. Because the default is path-based, different versions of the same application installed in different locations (e.g., Microsoft Word 2013 vs. Word 365) get separate Jump Lists and do not interfere with each other.

Key Characteristics of AppIDs:
✅ Consistent Across Systems – The same executable at the same path produces the same AppID on every Windows system, which is what makes published AppID lists useful.
✅ Path-Dependent – If an application is installed in a non-standard location, its AppID will differ from the published one.
✅ Persistent After Uninstallation – Jump Lists can remain on a system even after an application is removed, providing forensic evidence of prior use.

Finding and Identifying Jump List AppIDs

Since Windows does not label Jump Lists with application names, forensic analysts need other methods to determine which AppID corresponds to which application.

1️⃣ Checking Publicly Available AppID Lists
Several repositories maintain AppID lookup tables, including:
📌 https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt
These lists allow investigators to match known AppIDs with common applications.

2️⃣ Using JLECmd for Automatic Identification
JLECmd by Eric Zimmerman is a forensic tool that automatically matches Jump List AppIDs to known applications using a built-in database.
📌 If the AppID is recognized, JLECmd will display the application name.
📌 If the AppID is unknown, the analyst will need to determine its origin manually, for example by computing the AppID of candidate executable paths found on the system and comparing.

AppIDs in Automatic vs. Custom Jump Lists

Both Automatic and Custom Jump Lists use the same AppID algorithm, so an application's two files share the same 16-hex-character name and differ only in extension. There are key differences in their content:

Jump List Type | Location | Metadata Stored | Forensic Value
Automatic | AutomaticDestinations | MRU order, DestList timestamps, embedded LNK files | High (rich data, timestamps)
Custom | CustomDestinations | Concatenated LNK files, limited metadata | Moderate (useful but lacks MRU order)

📌 Since Custom Jump Lists are optional, they are often fewer in number and may not exist for all applications.
📌 Example: CCleaner has been observed to create a Custom Jump List without an Automatic Jump List, emphasizing the need to check both folders.

-------------------------------------------------------------------------------------------------------------

Forensic Case Study: Tracking User Activity with Jump Lists

🔍 Scenario: A company suspects an employee exfiltrated sensitive documents via a USB drive before resigning.

🛠 Investigation Steps:

1️⃣ Extract AutomaticDestinations Jump Lists
Locate the files in AutomaticDestinations.
Parse them with JumpList Explorer / JLECmd to identify recently accessed documents.
Export the embedded LNK files to reveal USB storage details (drive type, volume serial number, volume label).

2️⃣ Review CustomDestinations Jump Lists
Inspect CustomDestinations for browser history or cloud storage access.
Identify recently closed web pages (possible file uploads).

3️⃣ Cross-Check with Other Artifacts
Compare Jump List entries with the RecentDocs registry keys in NTUSER.DAT.
Analyze the Recycle Bin for deleted files.
Correlate the volume serial number and label from the LNK data with the device records in USBSTOR and MountedDevices.

📌 Key Findings (illustrative):
✅ The employee opened "Confidential_Plan.pdf" from the company's drive.
✅ LNK metadata shows the same file was later opened from a removable volume (serial number: ABC123 in this example), which is consistent with it having been copied there.
✅ Custom Jump Lists show Dropbox was accessed, suggesting potential cloud uploads.
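The LNK-level step of the case study above (recovering the target path, timestamps and volume serial from shortcut records), and the earlier point that CustomDestinations files are LNK records laid end to end, as an added example. This is not code from the original post, from JLECmd or from LECmd; it is a small carver written against the [MS-SHLLINK] ShellLinkHeader and LinkInfo layouts. The stream it runs on is constructed inside the file to mimic a CustomDestinations body (two records with junk bytes between them); the paths, sizes, timestamps and serial numbers in it are invented for the demonstration.

```python
"""Carve and parse ShellLink (.lnk) records from a byte stream.

Added example (not from the original post, JLECmd or LECmd). Field offsets follow the
[MS-SHLLINK] ShellLinkHeader and LinkInfo structures. The sample stream at the bottom is
constructed here; it is not a real CustomDestinations file, but it mimics one: LNK records
laid end to end, with junk bytes between them so the carver has to resynchronise.
"""
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader begins with HeaderSize 0x4C and LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_SIGNATURE = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01         # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0
DRIVE_TYPES = {2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED", 4: "DRIVE_REMOTE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_lnk(local_path, file_size, mtime, drive_type, drive_serial, label=b"OS"):
    """Build a minimal .lnk: ShellLinkHeader + LinkInfo (VolumeID, LocalBasePath) + TerminalBlock.
    Constructed test input only: real shortcuts also carry an IDList, StringData and ExtraData."""
    ft = datetime_to_filetime(mtime)
    header = LNK_SIGNATURE + struct.pack(
        "<IIQQQIIIHHII",
        HAS_LINK_INFO,    # LinkFlags
        0x20,             # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        ft, ft, ft,       # CreationTime, AccessTime, WriteTime of the target file
        file_size, 0, 1,  # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0)       # HotKey, Reserved1, Reserved2, Reserved3
    # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset (=16), then the label
    volume_id = struct.pack("<IIII", 16 + len(label) + 1, drive_type, drive_serial, 16) + label + b"\x00"
    base_path = local_path.encode("latin-1") + b"\x00"   # LocalBasePath, NUL-terminated ANSI
    li_header_size = 0x1C
    lbp_off = li_header_size + len(volume_id)
    suffix_off = lbp_off + len(base_path)                 # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", suffix_off + 1, li_header_size, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            li_header_size, lbp_off, 0, suffix_off) + volume_id + base_path + b"\x00"
    return header + link_info + b"\x00\x00\x00\x00"       # ExtraData: TerminalBlock


def parse_lnk(buf, offset=0):
    """Parse the ShellLink record at `offset` and return the fields an analyst cares about."""
    if buf[offset:offset + 20] != LNK_SIGNATURE:
        raise ValueError("no ShellLinkHeader at offset %d" % offset)
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", buf, offset + 20)
    rec = {"offset": offset, "file_attributes": attrs, "file_size": size,
           "created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
           "modified": filetime_to_datetime(wtime),
           "local_path": None, "drive_type": None, "drive_serial": None}
    pos = offset + 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", buf, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            drive_type, serial = struct.unpack_from("<II", buf, pos + vol_off + 4)
            end = buf.index(b"\x00", pos + lbp_off)
            rec["local_path"] = buf[pos + lbp_off:end].decode("latin-1")
            rec["drive_type"] = DRIVE_TYPES.get(drive_type, "type %d" % drive_type)
            rec["drive_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)  # as Windows shows it
        pos += li_size
    rec["end"] = pos
    return rec


def carve_lnk_records(stream):
    """Scan for every ShellLinkHeader signature and parse the record found there.
    Works on a CustomDestinations file, an exported OLE stream, or raw unallocated space."""
    records, start = [], 0
    while True:
        hit = stream.find(LNK_SIGNATURE, start)
        if hit < 0:
            return records
        try:
            rec = parse_lnk(stream, hit)
            records.append(rec)
            start = rec["end"]
        except (ValueError, struct.error):   # truncated or false-positive header: resync
            start = hit + 1


# Constructed sample: the same document seen first on the local disk, then on a removable volume.
SAMPLE_STREAM = (
    build_lnk(r"C:\Users\jdoe\Documents\Confidential_Plan.pdf", 248_512,
              datetime(2024, 3, 11, 14, 2, 37, tzinfo=timezone.utc), 3, 0x8A1C2F44)
    + b"\xAA" * 7   # junk between records so the carver must resynchronise
    + build_lnk(r"E:\Confidential_Plan.pdf", 248_512,
                datetime(2024, 3, 11, 14, 9, 5, tzinfo=timezone.utc), 2, 0x1234ABCD, b"KINGSTON")
)

if __name__ == "__main__":
    for r in carve_lnk_records(SAMPLE_STREAM):
        print(r["modified"].isoformat(), r["drive_type"], r["drive_serial"], r["local_path"])
```

Point carve_lnk_records at the bytes of a .customDestinations-ms file, or at a LNK stream exported from an AutomaticDestinations container, and each record yields the target path, the target's three timestamps, its size, and the volume type and serial it sat on; a DRIVE_REMOVABLE record with a serial that also appears under MountedDevices is the join you want for the USB question. The volume serial here is the 32-bit volume serial, not the USB device serial in USBSTOR, so correlate through MountedDevices rather than comparing the two directly.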
🚀 Outcome: Jump Lists helped prove that the document was accessed from a removable device, strengthening the case against the employee.

-------------------------------------------------------------------------------------------------------------

Preventing Data Loss: Disabling Jump Lists

Jump Lists store a large amount of historical user activity, which can be a privacy and security risk on shared or high-value systems. Organizations can disable Jump Lists via:

1️⃣ Settings app: Personalization -> Start -> "Show recently opened items in Jump Lists on Start or the taskbar" [Off]

2️⃣ Group Policy (for enterprises): User Configuration -> Administrative Templates -> Start Menu and Taskbar -> "Do not keep history of recently opened documents" (pair it with "Clear history of recently opened documents on exit" to purge at logoff).

📌 Note: Turning the feature off clears the existing Jump List files, but it does not prevent recovery of their contents from unallocated disk space, volume shadow copies or backups.

-------------------------------------------------------------------------------------------------------------

Final Thoughts: Why Jump Lists Matter in Forensics

Jump Lists are an invaluable resource for forensic investigators, offering a historical record of file access, browsing activity and application usage. Their persistence, even after the target file has been deleted, makes them a crucial artifact for proving user intent and reconstructing events.

✅ Key Takeaways:
Automatic Jump Lists store detailed metadata and MRU lists.
Custom Jump Lists track application-defined items such as browser and cloud activity.
Even deleted files can leave traces in Jump Lists.
Jump List analysis is essential for insider threat investigations.

-------------------------------------------------------------------------------------------------------------
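The path-to-AppID derivation from the AppID section above, as an added example for the case where JLECmd reports an AppID it does not know. This is not code from the original post, from JLECmd or from Microsoft. It assumes what community research has published about the default AppID: a CRC-64 with the ECMA-182 polynomial 0x42F0E1EBA9EA3693, MSB-first, initial value 0xFFFFFFFFFFFFFFFF and no final XOR, computed over the executable path upper-cased and encoded as UTF-16LE. Two caveats the code cannot remove: Windows may hash a known-folder form of the path (for example %SystemRoot%\system32\...), and an application can set an explicit AppUserModelID instead of the path-based default, so a computed value is a candidate to confirm, not a proof. The lookup table format and the tool paths below are constructed for the demonstration.

```python
"""Compute default Jump List AppIDs and resolve *Destinations-ms file names against a lookup table.

Added example (not from the original post, JLECmd or Microsoft). Assumed algorithm, as published
in community research rather than Microsoft documentation: CRC-64 (ECMA-182 polynomial,
MSB-first, init 0xFFFFFFFFFFFFFFFF, no final XOR) over the upper-cased path in UTF-16LE.
Windows may hash a known-folder form of the path, and applications can declare an explicit
AppUserModelID, so treat computed values as candidates to confirm against a published list.
"""
import re

CRC64_POLY = 0x42F0E1EBA9EA3693   # ECMA-182 polynomial
MASK64 = (1 << 64) - 1
APPID_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.IGNORECASE)


def _make_table():
    table = []
    for byte in range(256):
        crc = byte << 56
        for _ in range(8):
            crc = ((crc << 1) ^ CRC64_POLY) if crc & (1 << 63) else (crc << 1)
            crc &= MASK64
        table.append(crc)
    return table


_TABLE = _make_table()


def crc64(data, init=0, xorout=0):
    """Non-reflected, table-driven CRC-64 over `data` with the ECMA-182 polynomial."""
    crc = init
    for b in data:
        crc = (_TABLE[((crc >> 56) ^ b) & 0xFF] ^ (crc << 8)) & MASK64
    return crc ^ xorout


def jumplist_appid(exe_path):
    """Default (path-derived) AppID for an executable, as the 16-hex-digit file-name stem.
    Assumption: init all-ones and no final XOR, per community write-ups."""
    data = exe_path.upper().encode("utf-16-le")
    return "%016x" % crc64(data, init=MASK64)


def load_appid_table(text):
    """Parse 'appid|description' lines. Constructed format; the real AppIDs.txt layout may differ."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "|" not in line:
            continue
        appid, description = line.split("|", 1)
        table[appid.strip().lower()] = description.strip()
    return table


def resolve_jumplist_file(filename, table):
    """Map a Jump List file name to (appid, kind, description or None if unknown)."""
    m = APPID_RE.match(filename)
    if not m:
        raise ValueError("not a Jump List file name: %r" % filename)
    appid, kind = m.group(1).lower(), m.group(2).lower()
    return appid, kind, table.get(appid)


def candidate_paths_for(appid, exe_paths):
    """Test an unknown AppID against executable paths harvested from the image (Amcache, Prefetch, MFT)."""
    return [p for p in exe_paths if jumplist_appid(p) == appid.lower()]


# Constructed lookup table keyed by a hypothetical tool path; not a real published AppID.
HYPOTHETICAL_TOOL = r"C:\Tools\ExfilTool\exfiltool.exe"
SAMPLE_TABLE_TEXT = "# appid|description\n" + jumplist_appid(HYPOTHETICAL_TOOL) + "|ExfilTool (hypothetical)\n"

if __name__ == "__main__":
    table = load_appid_table(SAMPLE_TABLE_TEXT)
    name = jumplist_appid(HYPOTHETICAL_TOOL) + ".automaticDestinations-ms"
    print(name, "->", resolve_jumplist_file(name, table))
    unknown = jumplist_appid(r"D:\Portable\7z.exe")
    print(unknown, "->", candidate_paths_for(unknown, [r"C:\x.exe", r"D:\Portable\7z.exe"]))
```

Workflow: run JLECmd first and only fall back to candidate_paths_for for the AppIDs it leaves unnamed, feeding it executable paths recovered from the same image (Amcache, Prefetch, the MFT). A hit tells you which binary's Jump List you are looking at even when the program has since been uninstalled; no hit usually means the application registered its own AppUserModelID, in which case the name must come from the application itself or a published list.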




