Search Results

Linking USB Devices to User Accounts If the d evice you’re profiling is a mass storage class USBSTOR device , you can go a step further and try to tie the device to a specific user account. This is where the NTUSER.DAT  registry hive comes into play. ------------------------------------------------------------------------------------------------------- Why NTUSER.DAT Matters Each user on a system has an NTUSER.DAT hive , which keeps track of their personal settings and activity. When a user logs in, their NTUSER.DAT hive is loaded into memory . Inside this hive, there’s a key called: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 This key logs details about: Mounted volumes (like USB devices) Network shares accessed by the user If the Volume GUID  you identified earlier from the SYSTEM\MountedDevices  key appears in this MountPoints2 key, it means: The user was logged in when the device was connected. Or, it was the last account logged in before the device was introduced. ------------------------------------------------------------------------------------------------------- How to Check for User Activity Load NTUSER.DAT hives: Load all NTUSER.DAT hives for suspected users into Registry Explorer. Search for the Volume GUID: Use the Find  tool in Registry Explorer and search for the GUID (e.g., 7560496c-3102-11e8-9eb7-9eb6d0dc1465). Verify matches: If you find a sub-key matching the GUID, that user’s account interacted with or was active while the device was connected. The last write timestamp   of the sub-key can give you an idea of the last time the device was connected. ------------------------------------------------------------------------------------------------------- Important Notes Be cautious!   If a user logs out or reboots the system while the device is still connected, Windows may incorrectly attribute the device to the last logged-in account. This issue is common in older versions of Windows. To confirm user activity, cross-reference with: Logon/logoff events from Windows Event Logs. Other artifacts like browser history or shell items. Multiple accounts:  Don’t forget to check all NTUSER.DAT hives for matches if there are multiple users on the system. Non-USBSTOR devices:   If you’re profiling a device that isn’t a USB storage device, this method won’t work . Instead, use connection timestamps and Event Logs to link device usage to user activity. ------------------------------------------------------------------------------------------------------- Beyond USB Devices: Network Shares The MountPoints2 key doesn’t just track USB devices ; it also logs network shares accessed by the user. This can be helpful for: Tracking lateral movement in an investigation. Identifying systems accessed by an attacker or malicious insider. Example: A share named Ubuntu-24.04 was accessed by the user on the system #wsl.localhost# ------------------------------------------------------------------------------------------------------- Microsoft-Windows-Partition/Diagnostic.evtx for Device Profiling (Win10+) Windows 10 introduced a valuable custom log, Microsoft-Windows-Partition/Diagnostic.evtx , which records detailed information about connected and disconnected devices. This log, particularly Event ID 1006 , is a game-changer for investigating mass storage class (MSC) devices. What Event ID 1006 Captures Each Event ID 1006  entry logs detailed data when an MSC device is connected or disconnected , including: Device Details: Manufacturer, Model, Vendor ID (VID), and Product ID (PID). Disk capacity. SCSI Serial Number  (labeled as "SerialNumber"). iSerialNumber  (found in the "ParentId" field). Partition Data: Contents of the Master Boot Record (MBR) . Volume Boot Records (VBRs) f or up to three partitions. These logs provide historical records of device usage, including internal devices like SSD drives. Connection vs. Disconnection Events Capacity Field: Populated for connection events (records the device’s capacity). Displays " 0" for disconnection events . Pro Tip:  Be mindful of events triggered by sleep/hibernation or shutdown . For instance: If a device remains connected during sleep mode, a new connection event will be logged upon resumption , creating back-to-back connect events  without a corresponding disconnect event in between. Strengths and Limitations Advantages: Tracks every device connection and disconnectio n with comprehensive data. Provides timestamps for all events, helping to establish device activity timelines. Far surpasses earlier removable device logging capabilities. Limitations: The log may be cleared during major Windows updates , retaining only post-update data. Initially displays the message "For internal use only" in the Event Viewer, but the XML Details  view reveals all the detailed information. Pro Tip: Start with This Log If you're profiling devices on Windows 10 or later, begin your investigation with Microsoft-Windows-Partition/Diagnostic.evtx . It provides a wealth of data upfront, saving time and effort in the profiling process. While additional details like user accounts and drive letters may require further investigation, this log is an exceptional resource for building a foundational understanding of device activity . -------------------------------------------------------Dean------------------------------------

When investigating external media connected to a system, determining what files and folders were accessed on the media is critical. This can be achieved by linking LNK files  and Jump List shell items  to device details using the Volume Serial Number (VSN) . ------------------------------------------------------------------------------------------------------------ What Is a Volume Serial Number (VSN)? Found in the Volume Boot Record (VBR)  of FAT, exFAT, and NTFS file systems. Captured in LNK files  and Jump List entries  for every file or folder accessed on the device. Matching the VSN between a removable device and a shell item confirms the source of the accessed files or folders. How to Retrieve a Device’s VSN VSN can be retrieved through Windows artifacts , such as: 1. Microsoft-Windows-Partition/Diagnostic.evtx What it records: The Master Boot Record (MBR)  and Volume Boot Records (VBR)  for up to three partitions. Detailed data like disk signature, partition structure, and Volume Serial Numbers. How to extract VSN from raw data: Hex offsets: FAT: Offset 0x43 exFAT: Offset 0x64 NTFS: Offset 0x48 Important:  Convert the Little Endian  byte order to the correct format. Tools to simplify this process: Partition-4DiagnosticParser : Maps raw hex data to human-readable output. USB Detective: Extracts VSN and other device details automatically. ------------------------------------------------------------------------------------------------------------ 2. EMDMgmt Registry Key Location: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt Details captured: Manufacturer, iSerialNumber, Volume Name, and Volume Serial Number (in decimal form). Note: Convert the decimal VSN to hex to match shell item records. This key may not be available on systems with SSDs , as it was o riginally tied to the now-defunct ReadyBoost feature. ----------------------------------------------------------------------------------------------------------------------------- Key Insights About VSNs VSN Changes: A device’s VSN changes every time the partition is reformatted. If the same iSerialNumber appears with different VSNs , it indicates the device was reformatted. U se timestamps from the Partition/Diagnostic log  or EMDMgmt key  to estimate when formatting occurred. Non-Windows File Systems: VSN data is not recorded for Mac, Linux, or GPT partitions. ----------------------------------------------------------------------------------------------------------------------------- Tools for USB Device Analysis 1. USB Detective What it offers: Automates the USB forensics process, pulling data from various sources: Registry keys (e.g., DeviceMigration, EMDMgmt). Event Logs (e.g., Microsoft-Windows-Partition/Diagnostic.evtx). Shell items (e.g., LNK files, Jump Lists, ShellBags). Volume Shadow Copies for historical analysis. Strengths: Provides an intuitive interface and links data to original sources for easy validation. Consolidates and simplifies device activity audits. First screenshot: 2nd Screenshot: 3rd After Processing Output: 2. parseUSBs.py ( https://github.com/khyrenz/parseusbs ) An open-source Python script by Kathryn Hedley. Parses registry hives and outputs findings in CSV format. Strengths: Simple and efficient for written reports. Useful for quick analyses. Limitations: Less comprehensive than USB Detective. Thank you for taking the time to dive into this deep exploration of USB device forensics and the critical tools and techniques that can simplify the process. By mastering these methods, you'll be equipped to uncover valuable insights during investigations efficiently. See you in the next article, where we'll explore more cutting-edge forensic strategies and tools. Until then, happy investigating! 🚀 --------------------------------------------Dean--------------------------------------------

When investigating devices connected to a computer, every small detail can help. Identifying Drive letter: For instance, the v olume name  used by a device can link it to files like LNK files , which store volume name The drive letter  assigned to the device can lead us to other artifacts like Prefetch files, RecentDocs, Jump Lists, ShellBags, and more. But there’s a catch: drive letter info isn’t always available . Windows only keeps records of the last device  assigned to a specific drive letter. Also, the same drive letter can be reused for multiple devices(This can be problematic in because most recent device and its associated information will be recorded). Still, certain artifacts, especially in newer Windows versions (10 and 11), tend to stick around longer, even after system updates. ------------------------------------------------------------------------------------------------------------ Let’s look at two key places where you can dig for drive letter and volume name info: VolumeInfoCache  and MountedDevices . 1. VolumeInfoCache: A Quick and Easy Check If you're using Windows 7 or later, this is your starting point. The VolumeInfoCache is located at: SOFTWARE\Microsoft\Windows Search\VolumeInfoCache This key contains sub-keys for each drive letter (like C:, D:, E:, etc.). Each sub-key has a VolumeLabel  value, which tells you the volume name of the last device connected to that drive letter. Why use it? Quick and simple:  It’s easier to read compared to other registry keys. Good for SCSI drives and VHDs:  Especially useful for modern devices like virtual hard drives or USB drives using UASP mode. Limitations: Only records the last device  assigned to each drive letter. Timestamps here (the “last write time” of sub-keys) aren’t always reliable for figuring out exactly when the device was connected. 2. MountedDevices: A More Detailed Look If VolumeInfoCache doesn’t give you what you need, try checking SYSTEM\MountedDevices : This key tracks drive letters and the devices mounted to them. It’s especially useful for USB thumb drives ( USBSTOR  devices). How it works: Look for values like \DosDevices\E:  (where "E:" is the drive letter). Inside the value data, search for the device's iSerialNumber . This links the drive letter to the specific device. Things to keep in mind: Devices can be mounted with different drive letters  over time, so check all drive letter values. You might not find a match if another device was mounted at the same drive letter later. ------------------------------------------------------------------------------------------------------------- Special Cases: Hard Drives and Partition Types Hard drives and SSDs (especially those with multiple partitions) are trickier to profil e. Here’s how they work based on the partition scheme: GPT Partitions: Values start with DMIO:ID. The last 16 bytes in the value are the Unique Partition GUID . Search for this GUID in the registry to find keys tied to the original device. For MBR Partitions: If you do not see DMIO:ID at the start of a drive letter value , and do not see a USBSTOR Device ID and iSerialNumber , you are likely looking at partition data from a device using the older Master Boot Record (MBR) partition scheme The first 4 bytes represent the Disk Signature . Search for this Disk Signature in the registry to uncover related keys that identify the device ------------------------------------------------------------------------------------------------------------- Why This Matters Understanding where and how to find drive letter and volume name info can make all the difference in your investigation. While VolumeInfoCache is a fast and easy starting point, SYSTEM\MountedDevices gives you a deeper dive , especially for older or more complex devices. With these tools, y ou’ll be able to connect devices to their artifacts and uncover the story behind what was plugged in and when. ------------------------------------------------------------------------------------------------------------- What’s a Volume GUID? A Volume GUID  (Globally Unique Identifier) is Windows’ way of identifying a specific volume or partition on a device. It’s a unique name enclosed in curly braces \??\Volume{???????-????-????-????-??????} For devices like USB flash drives ( MSC USBSTOR ), this Volume GUID can help us track down user activity tied to the device in later steps. How to Find Volume GUIDs for USB Devices If you’re profiling a USB flash drive, check the value data  of Volume GUID entries within the MountedDevices  key. Look for the device’s iSerialNumber  (the unique serial number). If it matches, you’ve found the Volume GUID for that device. Why Is This Step Important? This step lets you: Tie the device to a GUID:  This helps you match the device with its associated user account in later steps. Track user activity:  You’ll need this Volume GUID to dive deeper into the behavior of the device and its user. Special Note: This method only works for MSC USBSTOR  devices, like USB flash drives. For other device types, y ou’ll need to rely on Windows Event Logs to identify which user account was active at the time the device was connected or used. ------------------------------------------------------------------------------------------------------ I know this is alot of information and I want to make thing wasy for you So you ready lets start Lets say you +you’ve identified a unique identifier for your device, such as the iSerialNumber . Registry explorer lets you search across all loaded registry hives at once, saving you a lot of time. How to Search for Device Information Load the right hives Make sure you’ve loaded the SYSTEM , SOFTWARE , and user NTUSER.DAT  hives in Registry Explorer. These hives contain most of the data related to devices. Use the Find option: Go to Tools > Find  and search for the device’s iSerialNumber  (or another unique identifier diskid ). Review the results: If the device information is still present in the registry, you’ll likely see many search hits. Not all of them will be relevant, so focus on keys needed for device profiling. What to Look For Search results will typically include keys that provide: Device ID Last Mountpoint Drive Letter Volume GUID You may also find hits in less common locations, like Windows Portable Devices , which could provide additional details. Double-click any result of interest to jump directly to that registry key within Registry Explorer. Work Smarter, Not Harder While it’s possible to manually comb through the registry to profile a device, this process can be incredibly time-consuming—especially if you’re dealing with multiple devices. By using unique identifiers and leveraging tools like Registry Explorer’s search function, you can dramatically speed up the process. -----------------------------------------------Dean-------------------------------------------------

Volume Name When performing a forensic examination of connected devices, one of the key pieces of information we aim to gather is the volume name associated with the device. However, it’s important to note that not all device types maintain volume names, and these names are not always mandatory. In some cases, if a device does not have a volume name, Windows will record the last mounted drive letter instead. Windows Portable Devices  registry key This key stores valuable information about each device connected to the system , including the Device ID  and iSerialNumber   for each device . If a device has a volume name, it will be recorded here under the FriendlyName  value. SOFTWARE\ Microsoft\Windows Portable   Devices\Devices You can also grab the Volume Name and GUID , which can be handy for future reference. As i was doing analysis I recommend noting down iserial number as well diskid to match information in windows portable device My Personal recommendation use registry explorer this tool do all work for you --------------------------------------------------------------------------------------------------------- Different Device Classes Different device classes (e.g., USBSTOR , MSC , MTP ) store varying amounts of data in the registry. USBSTOR  devices are typically the most complete, providing Device ID , iSerialNumber , and FriendlyName . For other devices like smartphones using MTP , or UASP  drives, less information might be available. If you encounter a device that’s missing critical information, dig into the raw sub-keys where you might find additional identifiers like VID  (Vendor ID), PID  (Product ID), or even DiskID  for certain devices. --------------------------------------------------------------------------------------------------------- Handling SD Cards Interestingly, SD cards  can also be tracked in this registry key, even though they are not USB devices . If an SD card is connected through an SD card reader, you might find its associated volume name under the Windows Portable Devices  key as well . For instance, you could see a volume name like "SD_FILES"  for the attached SD card, which could be valuable for profiling purposes. --------------------------------------------------------------------------------------------------------- LNK Files to the Rescue Even if the drive letter isn't directly mapped, don't lose hope! Many LNK files include the Volume Name, sometimes alongside the drive letter. With timestamp analysis and LNK file correlation, you can often deduce the potential drive letter. --------------------------------------------------------------------------------------------------------- Conclusion When profiling devices through the Windows registry, the volume name can be a critical piece of evidence, especially when tracking devices that are used for malicious purposes or when identifying artifacts left behind by terminated employees. By focusing on the FriendlyName  value under the Windows Portable Devices  key, you can gather valuable information about the device, including its volume name, which can later be used to cross-reference other data and build a complete profile of the device’s activity on the system. -------------------------------------------Dean-------------------------------------------

Updated on Jan 24, 2025 USB devices play a crucial role in digital forensics and IT security. Whether you're investigating a security incident, checking for unauthorized device usage, or simply maintaining logs, auditing USB device history is essential. One of the best places to start is the Windows Registry, specifically the SYSTEM\CurrentControlSet\Enum\USB key. Let’s break it down in an easy-to-follow manner. ----------------------------------------------------------------------------------------------------------- USB Registry Key Understanding the USB Registry Key The SYSTEM\CurrentControlSet\Enum\USB  key tracks all USB devices that have been connected to the system. USBSTOR  (Mass storage devices like flash drives and external hard drives) UASP  (Advanced storage devices) MTP/PTP  (Smartphones, digital cameras) HID  (Keyboards, mice, game controllers) USB Hubs  (External USB hubs for multiple connections) This registry key gives investigators a broad overview of USB activity on a machine, helping to track down unauthorized or suspicious devices. ----------------------------------------------------------------------------------------------------------- What Information Can You Extract? When auditing USB devices, the following information is critical: Device Type:  Identifies whether it's a storage device, keyboard, webcam, etc. Vendor ID (VID):  Represents the manufacturer of the device. Product ID (PID):  Identifies the specific product. Device iSerialNumber:  A unique identifier for tracking devices across different registry keys and logs. ParentIdPrefix (for UASP devices):  Helps associate devices with their storage controllers. Under each iSerialNumber sub-key, you’ll find key attributes like: DeviceDesc  – Provides a user-friendly description of the device. Service  – Indicates the type of service associated with the device. These values can be cross-referenced with databases like the USB IDs Repository  or DeviceHunt  to determine the manufacturer and device type. As u can see this screenshot Service is UBSTOR( There are multiple services avaible which help you determined what type of device connected) Understanding Service Types Common Service types are:******* Important to understand type of device****** USBSTOR (MSC USBSTOR) UASPSTOR (MSC UASP SCSI) HidUSB (HID input device) WUDFWpdMtp (MTP device like smartphone) usbvideo (Video device like webcam) usbaudio (Microphone) USBHUB3 (USB hub) BTHUSB (Bluetooth) vmusb (Vmware USB device pass-through) usbccgp (Composite USB device - a peripheral that has combined functionality from one or more device class. A keyboard with combined mouse input is one example) ----------------------------------------------------------------------------------------------------------- ********************************** With the arrival of USB 3.0, a new and improved transfer protocol called USB Attached SCSI Protocol (UASP) was introduced. UASP allowing for much faster and multi-threaded data transfers. It was primarily designed to handle high-speed solid-state drives (SSDs) and to maximize the faster data rates of USB 3.0. UASP works with USB 3.x SuperSpeed, Thunderbolt, and even USB4. Kindly Note: Modern systems using UASP don’t store their information there! Instead, UASP devices are logged under a different registry key called SCSI. This means that if you only look at USBSTOR, you could be missing some crucial evidence. ********************************** ----------------------------------------------------------------------------------------------------------- Real-World Example Let’s say you find a device with: VID: 1058  PID: 25A2 Service: USBSTOR  (Indicating it’s a mass storage device) Looking up these values online,( https://devicehunt.com/ ), ( http://www.linux-usb.org/usb.ids ) you can even find images of the exact device model. This level of detail can be invaluable in investigations. Yeah its true my Hardrive is belong to this vendor name ----------------------------------------------------------------------------------------------------------- Making this easy for you! Manually going through each registry key can be time-consuming, especially on systems with numerous USB connections. Tools like Registry Explorer  come with plugins that can extract and present USB audit data in a structured format. Best Practices: Sort by Device Name  to quickly find the devices of interest. Sort by Timestamp  (last write time of VID/PID key) to track activity within a specific investigation window. Be cautious: Registry timestamps may not always reflect the last usage time accurately. Cross-check with Event Logs for more precise data. ----------------------------------------------------------------------------------------------------------- USBSTOR Registry Key For mass storage devices (MSC USBSTOR) , additional details are available under SYSTEM\\Enum\USBSTOR. This key contains subkeys named after the Device ID , with one or more subkeys representing iSerialNumbers . By matching an iSerialNumber from USB to USBSTOR, we can extract further details such as: Device ID  (Stored in the USBSTOR sub-key name) FriendlyName  (Human-readable name of the device) First Time Device Connected Last Time Device Connected Last Removal Time Additionally, each USBSTOR entry contains a DiskId  value located at: The DiskId  correlates with Microsoft-Windows-Partition/Diagnostic.evtx , which provides further metadata and timestamps. Conclusion Whether investigating unauthorized access, tracking lost data, or analyzing security threats, this method provides a solid foundation for USB audits. Stay tuned for the next article, where we will analyze USB time tracking  in greater detail! ----------------------------------------------Dean--------------------------------------------------

ShellBags  can provide invaluable insights into a user’s activity— helping forensic analysts reconstruct deleted folders, track accessed directories, and correlate timestamps with other evidence. While parsing ShellBags manually is complex and tedious , ShellBags Explorer (SBE) by Eric Zimmerman  simplifies this process , offering a comprehensive, automated, and user-friendly  way to extract and analyze these artifacts. ----------------------------------------------------------------------------------------------------------- What is ShellBags Explorer (SBE)? ShellBags Explorer is a free, all-in-one forensic tool  designed to parse ShellBags artifacts effortlessly. It eliminates the need for laborious manual steps, automates the decoding of registry data, and helps investigators visually reconstruct  a user’s directory structure. Whether dealing with deleted folders or hidden user activity , SBE makes ShellBags analysis more efficient and insightful. SBE is available in both GUI and command-line versions , making it adaptable for different forensic workflows. The command-line version is particularly useful when scripting or integrating analysis into a broader forensic pipeline. ----------------------------------------------------------------------------------------------------------- Understanding the SBE Interface SBE is designed to be intuitive, especially for those familiar with forensic GUI tools . The interface consists of three main sections: 🔹 Tree View (Left Panel):  Displays a hierarchical representation of identified folders, directly sourced from the BagMRU registry key. 🔹 Table View (Right Panel):  Shows metadata for child folders, including timestamps (First Interacted, Last Interacted)  and additional Shell Item details. Sorting and filtering make it easier to pinpoint critical evidence. 🔹 Details & Summary View (Bottom Panel):  Provides in-depth insights into selected folders, including the full file path, registry key locations, NodeSlot references, and timestamps. ----------------------------------------------------------------------------------------------------------- How ShellBags Store Information The BagMRU key  is responsible for maintaining a list of child folders and an MRU (Most Recently Used) list , which records the order in which folders were interacted with. One crucial aspect of ShellBags analysis is that the most recently accessed folder (MRU Position #0)  is often referred to as the "Last Interacted" time , tells us the last time the user interacted with that folder. However, this creates a significant limitation: If a parent folder contains multiple child folders, only the most recently accessed one can be assigned a timestamp. The other child folders remain without a definitive timestamp , making it impossible to determine when they were last interacted with. Example Breakdown Let's take a practical example to better understand how this works. Suppose we have three folders under a parent folder, as seen in forensic tools like ShellBags Explorer . Only one folder  (e.g., "Windows") has a "Last Interacted" timestamp. That folder is also positioned as MRU Position #0  in the MRU list. we can see the following MRU sequence: Position 0  (most recently accessed) → Folder: "Windows" Position 1  → Folder: "Users" Position 2  → Folder: "Program data" The registry key timestamp of the parent folder (e.g., 2023-03-24 18:14:00.598 UTC ) is assigned only to MRU Position #0 , confirming that " Windows" was the last folder interacted with. Why This Matters in Forensics Understanding this timestamp limitation is crucial when reconstructing user activity. Investigators must be aware that: Not all accessed folders will have timestamps.  Only the most recently interacted folder within a parent directory will. Correlating with other forensic artifacts is necessary .  Combining ShellBags analysis with other sources like Windows Event Logs, USN Journal, or Prefetch data can provide a more complete timeline of user activity. ----------------------------------------------------------------------------------------------------------- First Interacted Timestamps in ShellBags First Interacted timestamps are identified differently than Last Interacted times. Here's how it works: When a folder is added to BagMRU for the first time , a registry key is created. The last write time of that key becomes the First Interacted timestamp . If no subfolders unde r that key are later accessed , this timestamp remains unchanged. Why This Matters in Forensics Understanding both First and Last Interacted timestamps  is crucial when reconstructing user activity. Investigators should remember: Only folders without subfolders have First Interacted timestamps. L ast Interacted timestamps are reassigned when new folders are accessed within a parent directory. Correlating with other forensic artifacts like Windows Event Logs or USN Journal enhances timeline accuracy. ----------------------------------------------------------------------------------------------------------- Target Timestamps in ShellBags Created:  Records when the folder was first created . Modified:  Reflects when a file was last added or deleted within the folder . Accessed:  (If enabled in Windows) Indicates the last time a file was opened from the folder. These timestamps are recorded during the first interaction  with the folder and typically do not  get updated later . This makes them crucial in forensic investigations, especially if the folder was deleted, located on a removable device, or stored on a remote system . Example Use Cases: Detecting suspicious folder creation on a USB drive  on the day an employee was terminated. Identifying folders modified during a known external intrusion . ----------------------------------------------------------------------------------------------------------- MFT Entry and File System Identification in ShellBags ShellBags store the MFT Entry Number  / File System for a folder, which can be viewed in ShellBags Explorer. This can help forensic analysts match folder metadata with specific storage devices   (e.g., network shares, USB drives). Why is this important? *****Helps distinguish between removable media and system drives   (system drives are not formatted as FAT or exFAT)***. Allows precise correlation between ShellBags data and specific devices. ----------------------------------------------------------------------------------------------------------- Indicators of User Interaction with folder  in ShellBags Vincent Lo's research revealed that actions such as deleting, copying, and renaming a folder  can create ShellBags entries. This is why the t erm "interacted"  is preferred over "accessed"   when analyzing ShellBags data. User Interaction David Cowen and Eric Zimmerman found that the presence of settings values within a folder’s Bags key  is a strong indicator  that a user has explored that folder . The ShellBags Explorer  tool automatically detects this and marks such folders in the "Has Explored"  column. A checkmark  in this column suggests that at least two settings values exist, i ncreasing the likelihood that the user accessed the folder. However, modern operating systems are complex , and r are cases may exist where a folder has Bags settings data without direct user interaction . For critical forensic conclusions , it’s best to corroborate ShellBags findings  with other artifacts, such as LNK files  showing file access from that folder. ----------------------------------------------------------------------------------------------------------- SBECmd Command Line This tool offers the same capabilities and data extraction functionalities but in a command-line format, making it particularly useful for automation and large-scale forensic investigations . Running SBECmd Against Mounted Triage Images When working with a mounted forensic image , you can run SBECmd  against the entire Users  folder or a specific user's folder Since Eric Zimmerman's tools  support recursive searching , SBECmd will automatically scan subdirectories to locate and parse: NTUSER.DAT UsrClass.dat Each parsed hive will generate a separate CSV file  containing the extracted ShellBags data. Example Command Usage The following SBECmd command extracts ShellBags data and saves the output in CSV format: SBECmd.exe -d G:\G --csv "E:\Output for testing\Website investigation" --csvf shellbags.csv Output: ----------------------------------------------------------------------------------------------------------- Reference: ----------------------------------------------------------------------------------------------------------- Conclusion: ShellBags are a powerful forensic artifact  that provide critical insights into user activity on a Windows system. Because ShellBags store historical user activity , they are incredibly useful in intrusion investigations, insider threat cases, and digital forensic analysis . However, understanding and parsing them manually can be complex. Use Tool like SBECmd.exe and Shellbag explorer Thanks for staying with me on this journey see u in next article—so stay tuned! 🚀

When investigating user activity on a Windows system, ShellBags   are one of the most powerful yet misunderstood  forensic artifacts. They provide proof that a folder or virtual object was accessed , even if it has been deleted, moved, or no longer exists . However, ShellBags can be complex  to analyze, which often makes them intimidating for investigators. ------------------------------------------------------------------------------------------------------ 📌 What Are ShellBags? ShellBags  are Windows registry entries  that store user preferences  for how folders are displayed in File Explorer . However, beyond user preferences, these keys provide valuable forensic insights. Investigators can use ShellBags to answer critical questions such as: ✔ Did a user browse a folder before deleting it? ✔ Were external USB drives or cloud storage folders accessed? ✔ Did the user open password-protected or encrypted drives? ✔ What files and folders existed before deletion? But here’s the key forensic takeaway: 📌 If a ShellBag exists for a folder, it proves a user interacted with it via the Windows GUI (File Explorer). This means even if the folder is deleted or stored on a removable drive ,  ShellBags may still contain evidence of its existence. ------------------------------------------------------------------------------------------------------ How Do ShellBags Work? ShellBags track more than just regular folders. Windows also treats ZIP archives, mobile device filesystems, control panel applets , and more as folders. Notably, starting with Windows 11 22H2 , support was expanded to include 7-Zip, RAR, TAR, and Gzip  archives. This is particularly relevant because attackers frequently use archived files  to evade detection. With these updates, forensic analysts now have a new source of evidence in investigations. ShellBags store data in two main registry subkeys: BagMRU  – Maintains the hierarchy and names of folders interacted with. Bags  – Stores configuration details f or each folder. By examining timestamps stored in ShellBags, investigators can determine when a folder was first and last accessed , correlating this with other forensic artifacts. ------------------------------------------------------------------------------------------------------ 🗂 Where Are ShellBags Stored? ShellBags are registry entries  found in different locations depending on the Windows version: 📌 Windows 7 and later NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags 📌 Windows XP  (Older storage format) NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU 💡 Tip:  The NTUSER.DAT  and USRCLASS.DAT  registry hives store this information per user . So, ShellBag entries are unique for each Windows account ------------------------------------------------------------------------------------------------------ ⏳ Timestamp Analysis in ShellBags One of the most important forensic aspects  of ShellBags is their timestamps . ✔When a user first accessed a folder (First Interacted time). ✔ When the folder settings were last modified (Last Interacted time). . 📌 Key Takeaway: This is especially useful for tracking user activity across removable storage devices, encrypted volumes, or cloud-based folders . ------------------------------------------------------------------------------------------------------ Making ShellBags Analysis Easier ShellBags analysis can be complex, but tools automate the parsing process, making it easier to focus on results rather than raw registry data . In my next article, I'll walk you through using automated tools to parse ShellBags , allowing you to focus solely on analysis rather than manual extraction. To better understand ShellBags in action, I highly recommend watching 13Cubed’s  YouTube episode on the topic: Watch here ------------------------------------------------------------------------------------------------------ 💡 Real-World Forensic Use Cases of ShellBags 1️⃣ Case Study: Investigating a Deleted Folder A suspect claims they never accessed  a sensitive folder that has since been deleted . 📌 Solution:  Investigate ShellBags! ✔ The folder still exists in the registry . ✔ The timestamps show  when it was last accessed. ✔ The folder was stored on a USB drive , proving removable storage was used. 2️⃣ Case Study: Proving Data Theft A company suspects an employee copied files  to an external drive before resigning. 📌 Solution: ✔ ShellBags reveal the USB drive name & letter .✔ The timestamps show  when folders on the USB were accessed. ✔ Jump Lists confirm that files from these folders were opened. 📢 Conclusion:  Even if files were deleted, ShellBags provide concrete evidence  of their existence! ------------------------------------------------------------------------------------------------------ 🔍 Final Thought: ShellBags might seem complex, but once you understand how they work, they become a powerful weapon  in digital forensic investigations. Whether tracking deleted evidence, removable storage access, or user activity , they provide an invaluable historical record  of what happened on a system. ----------------------------------------------Dean---------------------------------------------

Jump Lists are one of the most overlooked yet powerful artifacts  in Windows forensic investigations. Introduced in Windows 7 , they provide users with quick access  to recently or frequently used files, websites, and applications directly from the taskbar or Start menu . But for forensic analysts, Jump Lists offer something even more valuable: a deep history of user activity , revealing files and folders accessed, websites visited, and applications frequently used—often persisting even after deletion or file wiping. ---------------------------------------------------------------------------------------------------------- How Jump Lists Work: Destinations vs. Tasks Jump Lists are made up of two main components: 1️⃣ Destinations  – These track user interactions with files, folders, and websites . 2️⃣ Tasks  – These represent application-specific actions , such as opening a private browsing session or launching a virtual machine. According to Microsoft’s Windows Software Development Kit (SDK): Destinations   (t hings users interact with, such as files or folders ). Tasks  act ( actions that apply to all users, such as "Open New Tab" in a browser ). Because Destinations track user behavior , they hold significant forensic value. ---------------------------------------------------------------------------------------------------------- Types of Jump Lists: Automatic vs. Custom Jump Lists are categorized into two types: 🔹 AutomaticDestinations Jump Lists (Forensically Rich) These are automatically generated by Windows for each application, storing up to 2,000 entries  per application. They use a structured storage format (OLE CF) —essentially a container storing multiple data streams , including LNK files  (shortcut files). Each entry in an Automatic Jump List contains: ✅ Full file path and filename ✅ Timestamps (creation, modification, last accessed) ✅ File size and attributes ✅ Storage device information (drive serial number, network path, MAC address, etc.) ✅ MRU (Most Recently Used) order 📌 Forensic Insight: Even if a file is deleted or wiped from the system, its Jump List entry may still exist , providing proof of prior access. 🔹 CustomDestinations Jump Lists (Application-Specific) These are manually created by application developers for custom functionality , such as: ✅ Favorite files or frequently visited websites ✅ Recently closed tabs in browsers ✅ Cloud file access history Custom Jump Lists u se a simpler format  than Automatic Jump Lists, consisting of concatenated LNK files  without additional metadata. 📌 Forensic Insight: Since Custom Jump Lists are managed by applications , they don’t always follow predictable timestamp patterns. Analysts should be cautious when interpreting their data. ---------------------------------------------------------------------------------------------------------- Jump List Storage Locations Jump Lists are stored in the same location as user LNK files , under the user’s Recent Items folder : 🔹 AutomaticDestinations Jump Lists: C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations Each file inside this folder corresponds to an application , using an AppID-based filename  (e.g., 5f7b5f1e01b83767.automaticDestinations-ms). 🔹 CustomDestinations Jump Lists: C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations Similar to Automatic Jump Lists, each file represents an application using an AppID-based filename . ******************************************************************************************************************** Jump Lists and Recent Items Folder Visibility in Windows 10/11 If you're looking for .lnk files (shortcut files) and Jump Lists in Windows 10 or 11 , you might notice a d ifference in how they appear in File Explorer versus other tools . File Explorer View: Navigate to: C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\ You will see Recent Items  instead of Recent . This folder contains shortcut files (.lnk), but Jump Lists (AutomaticDestinations, CustomDestinations) may not be visible. PowerShell & Forensic Tools: KAPE and other forensic tools can still extract these artifacts, confirming that they are present. Key Takeaway Even if you don’t see Jump Lists in File Explorer , they are still there and accessible through forensic methods. This is likely due to system behavior changes in newer Windows versions. ****************************************************************************************************************** Analyzing Jump Lists for Digital Forensics 1️⃣ Extracting Data from AutomaticDestinations Jump Lists Because Automatic Jump Lists use OLE CF structured storage , specialized tools are required to extract their contents. E ach entry contains a linked LNK file , providing valuable metadata. 🛠 Tools for Analysis: ✅ JumpList Explorer  / JLECmd – Parses Automatic Jump Lists and extracts LNK data. ✅ LECmd (by Eric Zimmerman)  – Processes Jump List LNK files for timestamp analysis. ✅ Forensic Suites (e.g., Autopsy, X-Ways)  – Some forensic tools have built-in Jump List parsers. 📌 Key Findings: Identify frequently accessed files  (even if deleted). Track external device use  (USB, network shares). Establish a timeline of file usage  using MRU lists. ------------------------------------------------------------------------------------------------------------- 2️⃣ Analyzing CustomDestinations Jump Lists Because CustomDestinations Jump Lists concatenate LNK files togethe r , they are simpler to analyze but lack MRU ordering and additional timestamps . 📌 Key Findings: Identify favorite or recently closed items  (e.g., browser history, cloud files). Review application-generated data  (e.g., remote desktop connections). Cross-reference with Automatic Jump Lists for verification. 🛠 Tools for Analysis: ✅ LECmd  – Extracts individual LNK files from concatenated lists. ✅ Hex Editors  – Manually inspect for unique artifacts (such as website URLs). ------------------------------------------------------------------------------------------------------------- Jump Lists are an essential artifact in Windows forensic investigations , helping analysts track user activity, file access, and application usage. However, one of the biggest challenges with Jump Lists is their naming convention —instead of being named after applications, they are stored under unique Application Identifiers (AppIDs) . 1b4dd67f29cb1962.automaticDestinations-ms What Are Jump List AppIDs? Every application that utilizes J ump Lists is assigned a unique AppID , which is derived from the full installation path  of the application. This ensures that even different versions  of the same application (e.g., Microsoft Word 2013 vs. Word 365) have separate Jump Lists and do not interfere with each other. Key Characteristics of AppIDs: ✅ Universally Consistent  – The same AppID for an application is used across all Windows systems. ✅ Path-Dependent  – If an application is installed in a non-standard location , its AppID may differ. ✅ Persistent After Uninstallation  – Jump Lists can remain on a system even after an application is removed , providing forensic evidence of prior use. Finding and Identifying Jump List AppIDs Since Windows does not label Jump Lists with application names , forensic analysts need to use other methods to determine which AppID corresponds to which application. 1️⃣ Checking Publicly Available AppID Lists Several repositories maintain AppID lookup tables , including: 📌 https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt These l ists allow investigators to match known AppIDs with common application s. 2️⃣ Using JLECmd for Automatic Identification JLECmd by Eric Zimmerman is a f orensic tool that automatically matches Jump List AppIDs to known applications  using a built-in databas e. 📌 If the AppID is recognized, JLECmd will display the application name. 📌 If the AppID is unknown, the analyst will need to manually determine its origin. AppIDs in Automatic vs. Custom Jump Lists Both Automatic and Custom Jump Lists  use the same AppID algorithm . However, there are key differences in their behavior: Jump List Type Location Metadata Stored Forensic Value Automatic AutomaticDestinations MRU order, timestamps, LNK files High  (rich data, timestamps) Custom CustomDestinations Concatenated LNK files, limited metadata Moderate  (useful but lacks MRU order) 📌 Since Custom Jump Lists are optional , they are often fewer in number and may not exist for all applications. 📌 Example:   CCleaner  has been observed to create Custom Jump Lists without an Automatic Jump List , emphasizing the need to check both folders . ------------------------------------------------------------------------------------------------------------- Forensic Case Study: Tracking User Activity with Jump Lists 🔍 Scenario: A company suspects an employee exfiltrated sensitive documents  via a USB drive before resigning. 🛠 Investigation Steps: 1️⃣ Extract AutomaticDestinations Jump Lists Locate files in AutomaticDestinations. Parse with JumpList Explorer /JLECmd to identify recently accessed documents . Extract linked LNK files  to reveal USB storage details . 2️⃣ Review CustomDestinations Jump Lists Inspect CustomDestinations for browser history  or cloud storage access . Identify recently closed web page s  (possible file uploads). 3️⃣ Cross-Check with Other Artifacts Compare Jump List entries  with RecentDocs registry keys. Analyze the Recycle Bin  for deleted files. Correlate USB serial numbers  with those from registry artifacts (USBSTOR). 📌 Key Findings: ✅ Employee accessed "Confidential_Plan.pdf"  from the company’s drive. ✅ LNK metadata reveals it was copied to a USB drive (serial number: ABC123) . ✅ Custom Jump Lists show Dropbox was accessed , suggesting potential cloud uploads . 🚀 Outcome:   Jump Lists helped prove data exfiltration , strengthening the case against the employee. ------------------------------------------------------------------------------------------------------------- Preventing Data Loss: Disabling Jump Lists Jump Lists store a massive amount of historical user activity , which can be a security risk. Organizations can disable Jump Lists  via: 1️⃣ Control Panel: Personalization -> Start -> "Show recently opened items in Jump Lists on Start or the taskbar" [Disable] 2️⃣ Group Policy (for enterprises): Computer Configuration -> Administrative Templates -> Start Menu and Taskbar -> Do not use the search-based method when resolving shell shortcuts. 📌 Note:   Disabling Jump Lists wipes existing records  but does not prevent recovery from unallocated disk space . ------------------------------------------------------------------------------------------------------------- Final Thoughts: Why Jump Lists Matter in Forensics Jump Lists are an invaluable resource for forensic investigators , offering a historical record of file access, browsing activity, and application usage . Their persistence—even after file deletion—makes them a crucial artifact for proving user intent and reconstructing events . ✅ Key Takeaways: Automatic Jump Lists store detailed metadata and MRU lists . Custom Jump Lists track browser and cloud activity . Even deleted files can leave traces in Jump Lists . Jump List analysis is essential for insider threat investigations . -------------------------------------------------------------------------------------------------------------

Microsoft OneDrive  is the most widely used cloud storage service, thanks to its default integration in Windows  and its enterprise adoption via Microsoft 365 . Understanding OneDrive forensic artifacts  is crucial for investigations involving data exfiltration, insider threats, or deleted cloud files . We will cover: ✅ How to locate and analyze OneDrive data on a Windows system ✅ Key forensic artifacts, including logs, databases, and registry entries ✅ How to determine OneDrive activity, authentication, and file synchronization history ✅ How OneDrive’s new sync model affects forensic investigations ✅ Tracking cloud-only files & deleted data ✅ Using OneDrive’s forensic artifacts to recover missing evidence ---------------------------------------------------------------------------------------------------------- 1️⃣ Locating OneDrive Files on a Windows System By default, synced OneDrive files are stored in: %UserProfile%\OneDrive 💡 Important: If a user changes the default storage location , the original OneDrive folder remains empty . The true OneDrive folder location  can be found in the Windows registry . Registry Key to Identify OneDrive Folder Location NTUSER\Software\Microsoft\OneDrive\Accounts\Personal This key contains: UserFolder  → The actual OneDrive sync folder  location cid/UserCid  → A unique Microsoft Cloud ID UserEmail  → The email used for the Microsoft account LastSignInTime  → Last authentication timestamp (Unix epoch format) 💡 Why This Matters: If OneDrive is enabled , this registry key must exist . Investigators can track user activity  even if OneDrive files have been moved or deleted. ---------------------------------------------------------------------------------------------------------- 2️⃣ Analyzing OneDrive File Metadata & Sync Database OneDrive stores metadata and sync information  in: %UserProfile%\AppData\Local\Microsoft\OneDrive\settings This folder contains key artifacts, including: 📌 SyncEngineDatabase.db (Main OneDrive Database) Tracks both local and cloud-only files Lists file names, folder structure, and metadata Provides timestamps for file sync operations 💡 Why This Matters: Even cloud-only files  (not only stored locally) are recorded here . Investigators can track deleted or moved files  that no longer exist on the device. ---------------------------------------------------------------------------------------------------------- 3️⃣ OneDrive Logs: Tracking Uploads, Downloads, & File Changes OneDrive keeps detailed logs  of file sync activities  in: %UserProfile%\AppData\Local\Microsoft\OneDrive\logs These logs store up to 30 days  of data and record: ✅ File uploads & downloads ✅ File renames & deletions ✅ Shared file access events 💡 Forensic Insight: Log files can reveal file activity , even if the user deleted local copies . Timestamps  in .odl logs can correlate file transfers   with other system activity. ---------------------------------------------------------------------------------------------------------- 4️⃣ OneDrive for Business: Additional Registry Artifacts Users with OneDrive for Business (Microsoft 365)  will have a separate registry key: NTUSER\Software\Microsoft\OneDrive\Accounts\Business1 This key includes: UserFolder : Location of root of OneDrive local file storage UserEmail : Email tied to Microsoft cloud account LastSignInTime : Date and time of last authentication (Unix epoch time) ClientFirstSignInTimestamp : Time of first authentication of the account (Unix epoch time) SPOResourceID : SharePoint URL for OneDrive instance 💡 Why This Matters: Business OneDrive accounts store work-related data —a key forensic focus. The SPOResourceID  can link OneDrive for Business files  to a SharePoint instance . ---------------------------------------------------------------------------------------------------------- 5️⃣ Investigating Shared Files & Synced Data from Other Users OneDrive supports file sharing and folder synchronization across multiple accounts . Shared folders are tracked under: NTUSER\Software\Microsoft\OneDrive\Accounts\Personal\Tenants NTUSER\Software\Microsoft\OneDrive\Accounts\Business1\Tenants This key logs shared folders synced to OneDrive . It tracks files shared via Microsoft Teams & SharePoint . 💡 Forensic Insight: Shared folders may not be stored in the default OneDrive folder . Investigators should check all Tenant folders  to avoid missing critical evidence . ---------------------------------------------------------------------------------------------------------- 6️⃣ SyncEngines Key: Advanced OneDrive Tracking A final high-value artifact  for OneDrive investigations is: NTUSER\Software\SyncEngines\Providers\OneDrive It contains: MountPoint  → Local file storage location (useful for tracking shared folders) UrlNamespace  → Specifies whether the folder belongs to OneDrive, SharePoint, or Teams LastModifiedTime  → The last time the folder was updated 💡 Why This Matters: Identifies all folders being synced , even if they are not in the default OneDrive location . Correlates data across Microsoft cloud services  (OneDrive, Teams, SharePoint) . ---------------------------------------------------------------------------------------------------------- 7️⃣ Tracking OneDrive Web Access (Cloud-Only Activity) If a user accessed OneDrive through a web browser  (instead of the local app), artifacts may appear in: Browser History  (Edge, Chrome, Firefox) Windows Event Logs Cloud Access Logs (if available from Microsoft 365) OneDrive web access URLs look like this: https[:]/onedrive.live.com/?cid=310ff47e40c97767&id=310ff47e40c97767!145750 💡 Forensic Insight: The cid value  in the URL matches the UserCid in registry keys —helpful for tracking multiple accounts . The res id parameter  refers to specific files or folders  accessed via the web client. ---------------------------------------------------------------------------------------------------------- 🛑 Key Challenges in OneDrive Forensics 🚨 1. Cloud-Only Files May Not Be Stored Locally Files accessed via " Files on Demand"  may never be fully downloaded . Investigators must analyze metadata & sync logs  to track cloud-only data. 🚨 2. Remote Deletions Can Hide Evidence Files deleted in OneDrive sync across all devices . Investigators may need Volume Shadow Copies or Microsoft 365 logs  to recover data. 🚨 3. Personal & Business OneDrive Accounts Can Be Mixed Users often log into both accounts  on the same system. Check registry keys  to differentiate personal vs. business data . ---------------------------------------------------------------------------------------------------------- OneDrive as a Crucial Forensic Artifact Microsoft OneDrive leaves behind substantial forensic evidence , even for files that no longer exist locally . We will explore more about OneDrive  in the next article (Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization) , so stay tuned! See you in the next one. --------------------------------------------Dean-------------------------------------------------

Windows Jump Lists  are a goldmine  for forensic investigators, offering detailed insights into file access, user activity, and application usage . To efficiently analyze these artifacts, JLECmd , developed by Eric Zimmerman, provides comprehensive parsing of Jump List data , ensuring no valuable evidence is overlooked . ------------------------------------------------------------------------------------------------------------- 📁 Understanding Jump Lists: AutomaticDestinations vs and CustomDestinations Jump Lists are stored in a user’s Recent folder , but there are two different types: Jump List Type Location Metadata Stored Forensic Value Automatic AutomaticDestinations MRU order, timestamps, LNK files, file paths High  (detailed tracking) Custom CustomDestinations Concatenated LNK files, limited metadata Moderate  (useful but lacks MRU order) 🔹 Automatic Jump Lists  are system-generated for frequently used applications. 🔹 Custom Jump Lists  are application-defined and may store favorites, pinned items, or recent actions. Since Automatic Jump Lists contain far more forensic data , they are prioritized in most investigations . ------------------------------------------------------------------------------------------------------------- 🛠 How to Use JLECmd for Jump List Analysis 1️⃣ Parsing a Single Jump List JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1c7a9be1b15a03ba.automaticDestinations-ms" 🚀 Use Case:   If investigating whether Microsoft Word 2016  opened a sensitive file, JLECmd reveals when it was last accessed  and from which system location . 2️⃣ Running JLECmd on an Entire User's Recent Folder To extract ALL Jump Lists for a user , run: JLECmd.exe -d G:\C\ --csv "E:\Output for testing\Website investigation" -q --csvf jlcmd.csv 🚀 Use Case:  In a data theft investigation , sorting by last accessed timestamps  may uncover unauthorized file access  from network shares or external USB devices. ------------------------------------------------------------------------------------------------------------- Single File Output Analysis: Key Points from JLECmd Output: AppID Identification: The top-left section of the output shows the AppID and its description. If no match is found, it may return Unknown AppID , requiring manual inference. DestList Information(Metadata): Automatic Jump Lists include metadata like the expected vs. actual number of entries . Discrepancies between these values may indicate missing or uncorrelated entries. The DestList version  changes across Windows versions, requiring updates to forensic tools. (DestList Entries) Timestamps & Interaction Tracking: Created time  is linked to the Birth DROID  timestamp (often before the actual file creation). (Can be ignored) Last modified time  is more relevant as it tracks the l ast access of a file or URL . (Very important)**** Newer Jump Lists include an interaction count  that records file openings. Deep Parsing with JLECmd: By default , JLECmd limits displayed .lnk data . Using --fd enables full .lnk details (timestamps, paths, volume info). The --dumpTo option extracts shell items into individual .lnk files for deeper analysis. Automatic vs. Custom Jump Lists: Automatic Jump Lists  contain DestList  data, timestamps, and interaction counts. Custom Jump Lists  store fewer details and lack DestList  information. ------------------------------------------------------------------------------------------------------------- Multiple File Output Analysis: (Request Use Excel its easy to analyse there) Filter out Important columns which u should keep for investigation: AppId, AppIdDescription, MRU, LastModified(Also called Last opened), Path, InteractionCount ,TargetCreated,TargetModified , FileSize , DriveType , VolumeSerialNumber LocalPath Last Opened time stamp is :---- Jump List Metadata (When this file was last opened as per Jump List) File in question created and modified is :---- NTFS Metadata (File System Metadata (When the file was originally created/modified) ------------------------------------------------------------------------------------------------------------- Extracting Detailed LNK Data with JLECmd Now, JLECmd does not parse most .lnk details during single Jump List parsing . For example, an Automatic Jump List may include hundreds of .lnk files , which can be overwhelming. How to Extract Full LNK Data Use the --fd option in JLECmd to parse full shell item information , including: Target timestamps File size and attributes Absolute path and volume details Extra block information Command: .\JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1c7a9be1b15a03ba.automaticDestinations-ms" --fd | more ***Due to the large amount of data, redirect the output to a text file or html for better readability****. Command: .\JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms" --fd --html "E:\Output for testing\Website investigation\out.html" -q Way: For extracting all .lnk files fir particular automatic destination, use the --dumpTo option. This allows you to analyze them with other forensic tools. Command: .\JLECmd.exe -f "G:\C\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms" --dumpTo "E:\Output for testing\Website investigation" Once you open the folder You will see all the .lnk  files extracted, allowing you to analyze them using any tool, such as LNK Tool . ------------------------------------------------------------------------------------------------------------- The best alternative tool for analyzing Jump Lists and .lnk files, created by Eric Zimmerman, is JumpList Explorer (JLE) . Why Use JumpList Explorer? Unlike JLECmd, which requires command-line parsing, JumpList Explorer  provides a graphical interface  that makes it easier to understand and analyze Jump List data. If u click on any Lnk file at right hand side bottom: If you need a GUI-based  tool for easier .lnk and Jump List analysis, JumpList Explorer  is the best option! 🚀 ------------------------------------------------------------------------------------------------------------- 🚀 Quick Reference: Analysis 🚀 Quick Reference: Essential JLECmd Commands Command Purpose JLECmd.exe -f [JumpListPath] Parse a single Jump List JLECmd.exe -d [RecentFolder] --csv/json/html [OutputDir] Parse all Jump Lists for a user JLECmd.exe -f [JumpListPath] --fd Extract full LNK (shell item) data JLECmd.exe -f [JumpListPath] --dumpTo [Folder] Extract all shell items as individual LNK files ------------------------------------------------------------------------------------------------------------- 🚀 Get Started with JLECmd Today! 🔹 Download JLECmd  as part of the Zimmerman Tools 🔹 Test it on a sample Jump List  to see how much forensic evidence you can extract! Need help with a Jump List investigation? Let me know! I’m here to guide you through it.  🔍🚀 ----------------------------------------Dean----------------------------------------------

When investigating digital forensics on a Windows system, LNK (shortcut) files  serve as one of the most valuable sources of user activity . Even if a user never explicitly creates a shortcut, Windows does— automatically tracking files, folders, and devices accessed . These artifacts are incredibly useful for proving file access, tracking external devices, and even recovering traces of deleted files . --------------------------------------------------------------------------------------------------------- What Are LNK Files and Why Do They Matter? LNK files, or Windows shortcuts , are automatically created when a user opens, interacts with, or saves a file . Unlike regular files that contain user data, LNK files store metadata about the original file , including: ✅ Full file path  – The original location of the accessed file ✅ Timestamps  – When the file was first accessed, last accessed, and modified ✅ Volume information  – Drive letter, network path, and even USB device details ✅ File extension and type  – Identifies the kind of file opened ✅ MAC address (for network shares)  – Provides forensic evidence of file access across shared drives These characteristics make LNK files a goldmine  for forensic analysts, especially in cases where users have deleted files, accessed removable media, or interacted with files stored on network shares . --------------------------------------------------------------------------------------------------------- Where Are LNK Files Stored? LNK files are stored in each user's "Recent" folder , automatically tracking recent file activity. Their locations differ slightly based on Windows versions: 📌 Windows 7, 8, 10, 11: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\ C:\Users\\AppData\Roaming\Microsoft\Office\Recent\ (Office-specific shortcuts) 📌 Windows XP: C:\Documents and Settings\\Recent\ These Recent  folders store shortcuts for non-executable files, including documents, images, and media files . However, command-line access does not generate LNK files , making them primarily useful for GUI-based user actions. --------------------------------------------------------------------------------------------------------- How LNK Files Help in Forensics 1️⃣ Proving File Access (Even if Deleted) One of the biggest forensic advantages of L NK files is that they persist even after the original file is deleted . 🚀 Example: A user opens "akash.docx"  from a USB drive. Even if the user later deletes "akash.docx , the LNK file remains in the Recent  folder. The LNK file contains USB details , proving that the file was accessed from external storage. 🔍 Forensic Insight: Investigators can reconstruct deleted file activity  using LNK metadata. --------------------------------------------------------------------------------------------------------- 2️⃣ Tracking USB Devices and External Drives When a file is opened from a USB drive or external storage , Windows not only creates an LNK file for the file but also for the parent folder on the device . 🚀 Example: A user accesses a folder from a USB drive (D:\data). An LNK file is generated for the folder itself. The metadata includes the USB device serial number and volume label . 🔍 Forensic Insight: This allows forensic analysts to determine which USB devices were used  on a system, even if they are no longer connected. --------------------------------------------------------------------------------------------------------- 3️⃣ Understanding User Navigation and Folder Access LNK files also provide information on f olders frequently accessed by the user . 🚀 Example: A u ser accesses a folde r containing illegal files (C:\open\tools) Even if no specific file is opened , an LNK file for the folder itself  is created. 🔍 Forensic Insight: This helps track which folders a user frequently interacts with , even if no direct file evidence remains. --------------------------------------------------------------------------------------------------------- ***Changes to LNK Files in Windows 10 & 11*** Microsoft has made several updates to LNK file behavior , improving forensic usefulness: 1️⃣ LNK files are now created when a file is first saved (not just when opened). Before Windows 10, LNK files were only created after a file was opened. Now, saving a file using "Save As" generates an LNK file immediately. 2️⃣ More detailed folder tracking. If a user creates a new folder, LNK files are also created for its parent and grandparent folders . 3️⃣ LNK file storage limits have changed. Windows historically stored only 149  LNK files per user. In newer Windows 10/11 versions, 300+ LNK files   can be found via forensic tools. 4️⃣ File extensions may now be included in LNK names. Example: secret.pdf.lnk (helpful for quick identification). 5️⃣ Multiple LNK files for the same folder can now exist. Instead of just tracking the first and last time  a folder was accessed, Windows now creates new LNK files for repeated access , giving more timestamps to analyze . 🔍 Forensic Insight: These updates provide more data points  for forensic analysts, making LNK files even more powerful for investigations. --------------------------------------------------------------------------------------------------------- Best Practices for Investigating LNK Files ✅ Check unallocated space for deleted LNK files. Older LNK files may still be recoverable from disk slack space . ✅ Correlate LNK timestamps with system logs. Cross-check with Windows Event Logs and Prefetch data. ✅ Use forensic tools for deeper analysis. Tools like Eric Zimmerman's LECmd  can extract and parse LNK metadata efficiently. ✅ Look for USB drive metadata in LNK files. This can help prove external storage use in data theft or insider threat cases . ✅ Use command-line tools to bypass GUI limitations. The Windows GUI hides extra LNK files , but they can still be accessed via command-line or forensic software. --------------------------------------------------------------------------------------------------------- Conclusion LNK files are one of the oldest yet most powerful forensic artifacts  in Windows investigations. Whether you're tracking accessed files, proving USB activity, or reconstructing deleted evidence , these automatically generated shortcuts hold a wealth of forensic intelligence . With Windows 10 and 11 introducing new behaviors , investigators now have even more data points  to work with—if they know where to look. Parsing Lnk files step-by-step guide in next article --------------------------------------------------Dean-----------------------------------------------------

This article have been updated on 22 January 2025 When investigating user activity on a Windows system, LNK (shortcut) files  serve as a vital source of evidence. However, analyzing them manually or with incomplete tools can result in missing key data. Enter LECmd (LNK Explorer Command Line Edition) —a tool developed by Eric Zimmerman  to fully decode and extract every bit of information from LNK files. ----------------------------------------------------------------------------------------------------- Why LECmd? A Tool That Doesn't Hide Data Many forensic tools process LNK files, but not all of them extract every available piece of metadata . Some tools selectively drop or ignore certain data structures without notifying the examiner. LECmd was created to ensure that all  metadata from an LNK file is preserved and presented to the investigator. Even if certain data structures appear irrelevant in most cases. ----------------------------------------------------------------------------------------------------- What Does LECmd Extract from an LNK File? LNK files contain a wealth of metadata  about accessed files and folders. LECmd extracts and organizes this information into several key sections: 1️⃣ Header Information The header  contains essential details about the file, including: ✅ File Timestamps  – Creation, modification, and last access times. ✅ File Attributes & Flags  – File properties like hidden, system, or read-only status. ✅ File Path & Size  – The original location of the file and its size. ✅ Working Directory & Relative Path  – The folder the file was stored in and its location relative to system paths. 🔍 Forensic Insight: The creation time of an LNK file  represents the first time a user accessed that file , while the modification time  indicates the last time the file was opened . On Live System: (Can be used for collected lnk files) ----------------------------------------------------------------------------------------------------- 2️⃣ Link Information The Link Information  section reveals how the file was accessed: ✅ Drive Type  – Whether the file was on a local drive, removable USB, or network share .✅ Volume Serial Number  – Unique identifier for the storage device ✅ UNC Path (if applicable)  – Network location if the file was accessed via a shared drive. 🔍 Forensic Insight: If an LNK file points to a USB drive , forensic analysts can match the volume serial number  with known USB devices to track data transfers. ----------------------------------------------------------------------------------------------------- 3️⃣ Target ID Information**** This section contains shell items  similar to those found in Windows ShellBags , including ✅ Master File Table (MFT) Information  – Links to the file’s original NTFS metadata ✅ Timestamps for Folders & Files  – Indicates when each part of the file path was created and accessed. 🔍 Forensic Insight: The absolute path  in this section can reconstruct the full location of a file or folder , even if it was moved. --------------------------------------------------------------------------------------------------------- 4️⃣ Extra Blocks Information LNK files often contain additional undocumented metadata , stored in Extra Blocks . This data includes: ✅ Console Properties  – Information about terminal activity. ✅ Property Store Structures  – Additional file metadata, sometimes including user interaction details . 🔍 Forensic Insight: Some Extra Blocks store remnants of file paths  or folder interactions , even if they are no longer in use. --------------------------------------------------------------------------------------------------------- How to Use LECmd for Large-Scale Investigations 🔍 Parsing a Single LNK File To extract all metadata from a single  LNK file, use: LECmd.exe -f "C:\Users\Akash's\AppData\Roaming\Microsoft\Windows\Recent\Microsoft Edge.lnk" 🔍 Forensic Insight: This command provides the most detailed breakdown  of a single LNK file , useful when analyzing a specific file of interest . --------------------------------------------------------------------------------------------------------- 🔍 Parsing an Entire Directory of LNK Files For bulk analysis , u se the -d option to parse all LNK files in a folder: LECmd.exe -d G:\G\Users --csv "E:\Output for testing" --csvf lnkfile.csv 🔍 Forensic Insight: This is the best method for quickly reviewing user activity , as i t produces a CSV report  containing timestamps, file paths, and device details. --------------------------------------------------------------------------------------------------------- Using Timestamps to Uncover User Activity LNK files contain two sets of timestamps : 1️⃣ Source Timestamps   (LNK file timestamps) Indicate when the shortcut was created or last updated  (i.e., when the user first and last opened the file). 2️⃣ Target Timestamps   (File metadata timestamps) Indicate the original file’s creation, modification, and last accessed times . 🔍 Forensic Insight: By comparing source and target timestamps , investigators can determine if a file was copied or moved . 🚀 Example: A file is copied from a USB drive (D:)  to the local system (C:) . The target creation timestamp  on the C: drive will be newer than the target modification timestamp  from the D: drive. This proves the file was copied from the USB drive  rather than created locally. --------------------------------------------------------------------------------------------------------- Example: Tracking USB File Transfers with LECmd Imagine an employee is suspected of stealing company documents  using a USB drive. I nvestigators could use LECmd to analyze their LNK files and reveal when and where files were accessed . 🚀 Case Study Walkthrough 1️⃣ Run LECmd on the suspect’s user profile Recent folder: 2️⃣ Review the CSV output and look for references to the USB drive (e.g., D: or E:). Target ID Section  may include a Volume Serial Number  linked to a specific USB. T arget Creation Timestamp s  may indicate when files were copied to the device . 3️⃣ Confirm that sensitive files were accessed just before removal of the USB. If L NK timestamps align with the suspect's departure time , the case for data theft strengthens. --------------------------------------------------------------------------------------------------------- Conclusion: Why LECmd is a Must-Have Forensic Tool LECmd provides deep insight into user activity  on a Windows system. By fully decoding every piece of metadata  from LNK files, investigators can: ✅ Track accessed files and folders ✅ Identify USB devices and removable media use ✅ Prove file movement and copying activity ✅ Analyze timestamps to reconstruct user actions Whether conducting an insider threat investigation, data exfiltration case, or simply tracking user activity , LECmd is an essential tool  for forensic professionals. --------------------------------------------Dean------------------------------------------------------ Example of Output Source File Source Created Source Modified Source Accessed Target Created Target Modified Target Accessed Drive Type Target ID Absolute Path File Size Working Directory Volume Serial Number Local Path Target MFT Entry Number Machine ID Machine MAC Address G:\G\Users\Jean-Luc\Desktop\Microsoft Edge.lnk 24-03-2023 17:20 24-03-2023 17:22 21-01-2025 19:41 11-04-2022 18:47 21-03-2023 18:47 24-03-2023 17:22 Fixed storage media (Hard drive) This PC\C:\@shell32.dll,-21817\Microsoft\Edge\Application\msedge.exe 4055968 C:\Program Files (x86)\Microsoft\Edge\Application 60562114 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 0x18207 xspace2197 44:e5:17:ed:50:3e