File knowledge and access

Windows Searches — For years, one challenge in digital investigative analysis has been proving a user not only had something significant to an investigation on their computer, but that he knew it was on there. Two of the easiest ways help prove knowledge of a file is to prove the user was searching for it or accessed it. In order for Microsoft to enhance the user experience, Windows tracks the names of files you access and search for in multiple locations. As previously discussed, the Windows registry is essentially several databases called registry hives. Each user has his own primary registry hive called the NTUSER.DAT.

This registry hive tracks information specific to each user’s activity and preferences. Starting in Windows 7, when a user conducts a search on his computer using the Windows search function or the “Charm Bar” in Windows 8-10 (the magnifying glass that appears when you move your mouse to the right edge of the screen), Windows records each search in temporal order in the “NTUSER.DAT\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\Word Wheel Query” registry key. Because the searches are recorded in temporal order, an analyst can frequently see indications of the user’s thought process as he searched for particular files.  File Access —– Windows also records in numerous artifacts when a user opens or attempts to open non-executable files. Four of the most useful digital artifacts to identify files opened or attempted to be opened are “LNK” files (pronounced as “link” files), Jump Lists, and several “most recently used” registry keys. 

LNK files —  A LNK File is an artifact that has existed since Windows XP. LNK files are also known as a “Windows Shortcut” files and are created anytime a user opens or attempts to open a nonexecutable file. A LNK file is created even if the file opened is on a network or external drive. When an opened file is later deleted, its LNK file does not get deleted with it. Windows creates and stores approximately 149 LNK files in the user’s home directory under the “App Data\Roaming\Microsoft\ Windows\Recent” directory. LNK files contain a wealth of information including the modified, accessed, and created dates and times of the file opened; the full directory path, volume name, and volume serial number from which the file was last opened; and the file size.  Starting in Windows 10, Microsoft added rules to when LNK files would be created in addition to when files are opened. On earlier versions of Windows 10, a LNK file was created for the directory to which any file was copied. The creation of a LNK file for the directory a file was copied to was stopped on later versions of Windows 10.

However, on versions as early as version 1607, Microsoft created a LNK file for the directory a file is opened from. Additionally, when a directory is created, Windows creates a LNK file for the directory created and for the created directories “parent” and “grandparent” directory. In addition to all the information LNK files record, LNK files also record the last time a file was opened.  Jump Lists —  One of the newest artifacts to identify files opened by a user are “Jump Lists.”  Starting in Windows 7, Microsoft introduced two types of jump lists: “Automatic Destinations” and “Custom Destinations.”  Automatic and Custom jump lists are created and stored in their respective directory in each user’s home directory under the “App Data\ Roaming\ Microsoft\ Windows\Recent” directory. Each application can incorporate its own jump lists as a “mini-start” menu. Automatic Destinations allow a user to quickly “jump” to or access files they recently or frequently used, usually by right-clicking the application in the Windows taskbar. Custom Destinations allow a user to pin recent tasks, such as opening a new browser window or create a new spreadsheet to the jump list.  Jump lists are essentially mega LNK files. Each jump list can record upwards of the last 1,000 files opened by each application. As jump lists are essentially compound LNK files, they contain all the same information as LNK files, such as when each file was opened, modified, accessed, and created; dates and times that the file was opened; the full directory path, volume name, and volume serial number from where the file was last opened; and the file size.  Most Recently Used (MRU) Registry Keys – As previously mentioned, the Windows Registry is a series of massive databases that track system configuration and user activity. There are several registry keys that track most recently used items. An analysis of these registry keys can help an analyst quickly identify files accessed.

Every application developer has the option of creating registry keys specific to his “NTUSER.DAT\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\Word Wheel Query” registry key. Because the searches are recorded in temporal order, an analyst can frequently see indications of the user’s thought process as he searched for particular files.  File Access —– Windows also records in numerous artifacts when a user opens or attempts to open non-executable files. Four of the most useful digital artifacts to identify files opened or attempted to be opened are “LNK” files (pronounced as “link” files), Jump Lists, and several “most recently used” registry keys.  LNK files —  A LNK File is an artifact that has existed since Windows XP. LNK files are also known as a “Windows Shortcut” files and are created anytime a user opens or attempts to open a nonexecutable file. A LNK file is created even if the file opened is on a network or external drive.

When an opened file is later deleted, its LNK file does not get deleted with it. Windows creates and stores approximately 149 LNK files in the user’s home directory under the “AppData\Roaming\Microsoft\ Windows\Recent” directory. LNK files contain a wealth of information including the modified, accessed, and created dates and times of the file opened; the full directory path, volume name, and volume serial number from which the file was last opened; and the file size.  Starting in Windows 10, Microsoft added rules to when LNK files would be created in addition to when files are opened. On earlier versions of Windows 10, a LNK file was created for the directory to which any file was copied. The creation of a LNK file for the directory a file was copied to was stopped on later versions of Windows 10. However, on versions as early as version 1607, Microsoft created a LNK file for the directory a file is opened from. Additionally, when a directory is created, Windows creates a LNK file for the directory created and for the created directories “parent” and “grandparent” directory.

In addition to all the information LNK files record, LNK files also record the last time a file was opened.  Jump Lists —  One of the newest artifacts to identify files opened by a user are “Jump Lists.”  Starting in Windows 7, Microsoft introduced two types of jump lists: “Automatic Destinations” and “Custom Destinations.”  Automatic and Custom jump lists are created and stored in their respective directory in each user’s home directory under the “App Data\ Roaming\ Microsoft\ Windows\Recent” directory. Each application can incorporate its own jump lists as a “mini-start” menu. Automatic Destinations allow a user to quickly “jump” to or access files they recently or frequently used, usually by right-clicking the application in the Windows taskbar. Custom Destinations allow a user to pin recent tasks, such as opening a new browser window or create a new spreadsheet to the jump list.  Jump lists are essentially mega LNK files.

Each jump list can record upwards of the last 1,000 files opened by each application. As jump lists are essentially compound LNK files, they contain all the same information as LNK files, such as when each file was opened, modified, accessed, and created; dates and times that the file was opened; the full directory path, volume name, and volume serial number from where the file was last opened; and the file size.  Most Recently Used (MRU) Registry Keys – As previously mentioned, the Windows Registry is a series of massive databases that track system configuration and user activity. There are several registry keys that track most recently used items. An analysis of these registry keys can help an analyst quickly identify files accessed. Every application developer has the option of creating registry keys specific to his