Important Artifacts In Windows-II

This chapter talks about some more important artifacts in Windows and their extraction method using Python.

User Activities

Windows having NTUSER.DAT file for storing various user activities. Every user profile is having hive pke NTUSER.DAT, which stores the information and configurations related to that user specifically. Hence, it is highly useful for the purpose of investigation by forensic analysts.

The following Python script will parse some of the keys of NTUSER.DAT for exploring the actions of a user on the system. Before proceeding further, for Python script, we need to install third party modules namely Registry, pytsk3, pyewf and Jinja2. We can use pip to install them.

We can follow the following steps to extract information from NTUSER.DAT file −

First, search for all NTUSER.DAT files in the system.

Then parse the WordWheelQuery, TypePath and RunMRU key for each NTUSER.DAT file.

At last we will write these artifacts, already processed, to an HTML report by using Jinja2 fmodule.

Python Code

Let us see how to use Python code for this purpose −

First of all, we need to import the following Python modules −

from __future__ import print_function
from argparse import ArgumentParser

import os
import StringIO
import struct

from utipty.pytskutil import TSKUtil
from Registry import Registry
import jinja2

Now, provide argument for command-pne handler. Here it will accept three arguments - first is the path to evidence file, second is the type of evidence file and third is the desired output path to the HTML report, as shown below −

if __name__ ==  __main__ :
   parser = argparse.ArgumentParser( Information from user activities )
   parser.add_argument( EVIDENCE_FILE ,help = "Path to evidence file")
   parser.add_argument( IMAGE_TYPE ,help = "Evidence file format",choices = ( ewf ,  raw ))
   parser.add_argument( REPORT ,help = "Path to report file")
   args = parser.parse_args()
   main(args.EVIDENCE_FILE, args.IMAGE_TYPE, args.REPORT)

Now, let us define main() function for searching all NTUSER.DAT files, as shown −

def main(evidence, image_type, report):
   tsk_util = TSKUtil(evidence, image_type)
   tsk_ntuser_hives = tsk_util.recurse_files( ntuser.dat , /Users ,  equals )
   
   nt_rec = {
       wordwheel : { data : [],  title :  WordWheel Query },
       typed_path : { data : [],  title :  Typed Paths },
       run_mru : { data : [],  title :  Run MRU }
   }

Now, we will try to find the key in NTUSER.DAT file and once you find it, define the user processing functions as shown below −

for ntuser in tsk_ntuser_hives:
   uname = ntuser[1].sppt("/")

open_ntuser = open_file_as_reg(ntuser[2])
try:
   explorer_key = open_ntuser.root().find_key("Software").find_key("Microsoft")
      .find_key("Windows").find_key("CurrentVersion").find_key("Explorer")
   except Registry.RegistryKeyNotFoundException:
      continue
   nt_rec[ wordwheel ][ data ] += parse_wordwheel(explorer_key, uname)
   nt_rec[ typed_path ][ data ] += parse_typed_paths(explorer_key, uname)
   nt_rec[ run_mru ][ data ] += parse_run_mru(explorer_key, uname)
   nt_rec[ wordwheel ][ headers ] =  nt_rec[ wordwheel ][ data ][0].keys()
   nt_rec[ typed_path ][ headers ] =  nt_rec[ typed_path ][ data ][0].keys()
   nt_rec[ run_mru ][ headers ] =  nt_rec[ run_mru ][ data ][0].keys()

Now, pass the dictionary object and its path to write_html() method as follows −

write_html(report, nt_rec)

Now, define a method, that takes pytsk file handle and read it into the Registry class via the StringIO class.

def open_file_as_reg(reg_file):
   file_size = reg_file.info.meta.size
   file_content = reg_file.read_random(0, file_size)
   file_pke_obj = StringIO.StringIO(file_content)
   return Registry.Registry(file_pke_obj)

Now, we will define the function that will parse and handles WordWheelQuery key from NTUSER.DAT file as follows −

def parse_wordwheel(explorer_key, username):
   try:
      wwq = explorer_key.find_key("WordWheelQuery")
   except Registry.RegistryKeyNotFoundException:
      return []
   mru_pst = wwq.value("MRUListEx").value()
   mru_order = []
   
   for i in xrange(0, len(mru_pst), 2):
      order_val = struct.unpack( h , mru_pst[i:i + 2])[0]
   if order_val in mru_order and order_val in (0, -1):
      break
   else:
      mru_order.append(order_val)
   search_pst = []
   
   for count, val in enumerate(mru_order):
      ts = "N/A"
      if count == 0:
         ts = wwq.timestamp()
      search_pst.append({
          timestamp : ts,
          username : username,
          order : count,
          value_name : str(val),
          search : wwq.value(str(val)).value().decode("UTF-16").strip("x00")
})
   return search_pst  

Now, we will define the function that will parse and handles TypedPaths key from NTUSER.DAT file as follows −

def parse_typed_paths(explorer_key, username):
   try:
      typed_paths = explorer_key.find_key("TypedPaths")
   except Registry.RegistryKeyNotFoundException:
      return []
   typed_path_details = []
   
   for val in typed_paths.values():
      typed_path_details.append({
         "username": username,
         "value_name": val.name(),
         "path": val.value()
      })
   return typed_path_details

Now, we will define the function that will parse and handles RunMRU key from NTUSER.DAT file as follows −

def parse_run_mru(explorer_key, username):
   try:
      run_mru = explorer_key.find_key("RunMRU")
   except Registry.RegistryKeyNotFoundException:
      return []
   
   if len(run_mru.values()) == 0:
      return []
   mru_pst = run_mru.value("MRUList").value()
   mru_order = []
   
   for i in mru_pst:
      mru_order.append(i)
   mru_details = []
   
   for count, val in enumerate(mru_order):
      ts = "N/A"
      if count == 0:
         ts = run_mru.timestamp()
      mru_details.append({
         "username": username,
         "timestamp": ts,
         "order": count,
         "value_name": val,
         "run_statement": run_mru.value(val).value()
      })
   return mru_details

Now, the following function will handle the creation of HTML report −

def write_html(outfile, data_dict):
   cwd = os.path.dirname(os.path.abspath(__file__))
   env = jinja2.Environment(loader=jinja2.FileSystemLoader(cwd))
   template = env.get_template("user_activity.html")
   rendering = template.render(nt_data=data_dict)
   
   with open(outfile,  w ) as open_outfile:
      open_outfile.write(rendering)

At last we can write HTML document for report. After running the above script, we will get the information from NTUSER.DAT file in HTML document format.

LINK files

Shortcuts files are created when a user or the operating system creates shortcut files for the files which are frequently used, double cpcked or accessed from system drives such as attached storage. Such kinds of shortcut files are called pnk files. By accessing these pnk files, an investigator can find the activity of window such as the time and location from where these files have been accessed.

Let us discuss the Python script that we can use to get the information from these Windows LINK files.

For Python script, install third party modules namely pylnk, pytsk3, pyewf. We can follow the following steps to extract information from lnk files

First, search for lnk files within the system.

Then, extract the information from that file by iterating through them.

Now, at last we need to this information to a CSV report.

Python Code

Let us see how to use Python code for this purpose −

First, import the following Python pbraries −

from __future__ import print_function
from argparse import ArgumentParser

import csv
import StringIO

from utipty.pytskutil import TSKUtil
import pylnk

Now, provide the argument for command-pne handler. Here it will accept three arguments – first is the path to evidence file, second is the type of evidence file and third is the desired output path to the CSV report, as shown below −

if __name__ ==  __main__ :
   parser = argparse.ArgumentParser( Parsing LNK files )
   parser.add_argument( EVIDENCE_FILE , help = "Path to evidence file")
   parser.add_argument( IMAGE_TYPE , help = "Evidence file format",choices = ( ewf ,  raw ))
   parser.add_argument( CSV_REPORT , help = "Path to CSV report")
   args = parser.parse_args()
   main(args.EVIDENCE_FILE, args.IMAGE_TYPE, args.CSV_REPORT)

Now, interpret the evidence file by creating an object of TSKUtil and iterate through the file system to find files ending with lnk. It can be done by defining main() function as follows −

def main(evidence, image_type, report):
   tsk_util = TSKUtil(evidence, image_type)
   lnk_files = tsk_util.recurse_files("lnk", path="/", logic="endswith")
   
   if lnk_files is None:
      print("No lnk files found")
      exit(0)
   columns = [
       command_pne_arguments ,  description ,  drive_serial_number ,
       drive_type ,  file_access_time ,  file_attribute_flags ,
       file_creation_time ,  file_modification_time ,  file_size ,
       environmental_variables_location ,  volume_label ,
       machine_identifier ,  local_path ,  network_path ,
       relative_path ,  working_directory 
   ]

Now with the help of following code, we will iterate through lnk files by creating a function as follows −

parsed_lnks = []

for entry in lnk_files:
   lnk = open_file_as_lnk(entry[2])
   lnk_data = { lnk_path : entry[1],  lnk_name : entry[0]}
   
   for col in columns:
      lnk_data[col] = getattr(lnk, col, "N/A")
   lnk.close()
   parsed_lnks.append(lnk_data)
write_csv(report, columns + [ lnk_path ,  lnk_name ], parsed_lnks)

Now we need to define two functions, one will open the pytsk file object and other will be used for writing CSV report as shown below −

def open_file_as_lnk(lnk_file):
   file_size = lnk_file.info.meta.size
   file_content = lnk_file.read_random(0, file_size)
   file_pke_obj = StringIO.StringIO(file_content)
   lnk = pylnk.file()
   lnk.open_file_object(file_pke_obj)
   return lnk
def write_csv(outfile, fieldnames, data):
   with open(outfile,  wb ) as open_outfile:
      csvfile = csv.DictWriter(open_outfile, fieldnames)
      csvfile.writeheader()
      csvfile.writerows(data)

After running the above script, we will get the information from the discovered lnk files in a CSV report −

Prefetch Files

Whenever an apppcation is running for the first time from a specific location, Windows creates prefetch files. These are used to speed up the apppcation startup process. The extension for these files is .PF and these are stored in the ”RootWindowsPrefetch” folder.

Digital forensic experts can reveal the evidence of program execution from a specified location along with the details of the user. Prefetch files are useful artifacts for the examiner because their entry remains even after the program has been deleted or un-installed.

Let us discuss the Python script that will fetch information from Windows prefetch files as given below −

For Python script, install third party modules namely pylnk, pytsk3 and unicodecsv. Recall that we have already worked with these pbraries in the Python scripts that we have discussed in the previous chapters.

We have to follow steps given below to extract information from prefetch files −

First, scan for .pf extension files or the prefetch files.

Now, perform the signature verification to epminate false positives.

Next, parse the Windows prefetch file format. This differs with the Windows version. For example, for Windows XP it is 17, for Windows Vista and Windows 7 it is 23, 26 for Windows 8.1 and 30 for Windows 10.

Lastly, we will write the parsed result in a CSV file.

Python Code

Let us see how to use Python code for this purpose −

First, import the following Python pbraries −

from __future__ import print_function
import argparse
from datetime import datetime, timedelta

import os
import pytsk3
import pyewf
import struct
import sys
import unicodecsv as csv
from utipty.pytskutil import TSKUtil

Now, provide an argument for command-pne handler. Here it will accept two arguments, first would be the path to evidence file and second would be the type of evidence file. It also accepts an optional argument for specifying the path to scan for prefetch files −

if __name__ == "__main__":
   parser = argparse.ArgumentParser( Parsing Prefetch files )
   parser.add_argument("EVIDENCE_FILE", help = "Evidence file path")
   parser.add_argument("TYPE", help = "Type of Evidence",choices = ("raw", "ewf"))
   parser.add_argument("OUTPUT_CSV", help = "Path to write output csv")
   parser.add_argument("-d", help = "Prefetch directory to scan",default = "/WINDOWS/PREFETCH")
   args = parser.parse_args()
   
   if os.path.exists(args.EVIDENCE_FILE) and 
      os.path.isfile(args.EVIDENCE_FILE):
   main(args.EVIDENCE_FILE, args.TYPE, args.OUTPUT_CSV, args.d)
else:
   print("[-] Suppped input file {} does not exist or is not a ""file".format(args.EVIDENCE_FILE))
   sys.exit(1)

Now, interpret the evidence file by creating an object of TSKUtil and iterate through the file system to find files ending with .pf. It can be done by defining main() function as follows −

def main(evidence, image_type, output_csv, path):
   tsk_util = TSKUtil(evidence, image_type)
   prefetch_dir = tsk_util.query_directory(path)
   prefetch_files = None
   
   if prefetch_dir is not None:
      prefetch_files = tsk_util.recurse_files(".pf", path=path, logic="endswith")
   
   if prefetch_files is None:
      print("[-] No .pf files found")
      sys.exit(2)
   print("[+] Identified {} potential prefetch files".format(len(prefetch_files)))
   prefetch_data = []
   
   for hit in prefetch_files:
      prefetch_file = hit[2]
      pf_version = check_signature(prefetch_file)

Now, define a method that will do the vapdation of signatures as shown below −

def check_signature(prefetch_file):
   version, signature = struct.unpack("^<2i", prefetch_file.read_random(0, 8))
   
   if signature == 1094927187:
      return version
   else:
      return None
   
   if pf_version is None:
      continue
   pf_name = hit[0]
   
   if pf_version == 17:
      parsed_data = parse_pf_17(prefetch_file, pf_name)
      parsed_data.append(os.path.join(path, hit[1].lstrip("//")))
      prefetch_data.append(parsed_data)

Now, start processing Windows prefetch files. Here we are taking the example of Windows XP prefetch files −

def parse_pf_17(prefetch_file, pf_name):
   create = convert_unix(prefetch_file.info.meta.crtime)
   modify = convert_unix(prefetch_file.info.meta.mtime)
def convert_unix(ts):
   if int(ts) == 0:
      return ""
   return datetime.utcfromtimestamp(ts)
def convert_filetime(ts):
   if int(ts) == 0:
      return ""
   return datetime(1601, 1, 1) + timedelta(microseconds=ts / 10)

Now, extract the data embedded within the prefetched files by using struct as follows −

pf_size, name, vol_info, vol_entries, vol_size, filetime, 
   count = struct.unpack("<i60s32x3iq16xi",prefetch_file.read_random(12, 136))
name = name.decode("utf-16", "ignore").strip("/x00").sppt("/x00")[0]

vol_name_offset, vol_name_length, vol_create, 
   vol_serial = struct.unpack("<2iqi",prefetch_file.read_random(vol_info, 20))
   vol_serial = hex(vol_serial).lstrip("0x")
   vol_serial = vol_serial[:4] + "-" + vol_serial[4:]
   vol_name = struct.unpack(
      "<{}s".format(2 * vol_name_length),
      prefetch_file.read_random(vol_info + vol_name_offset,vol_name_length * 2))[0]

vol_name = vol_name.decode("utf-16", "ignore").strip("/x00").sppt("/x00")[0]
return [
   pf_name, name, pf_size, create,
   modify, convert_filetime(filetime), count, vol_name,
   convert_filetime(vol_create), vol_serial ]

As we have provided the prefetch version for Windows XP but what if it will encounter prefetch versions for other Windows. Then it must have to display an error message as follows −

epf pf_version == 23:
   print("[-] Windows Vista / 7 PF file {} -- unsupported".format(pf_name))
   continue
epf pf_version == 26:
   print("[-] Windows 8 PF file {} -- unsupported".format(pf_name))
   continue
epf pf_version == 30:
   print("[-] Windows 10 PF file {} -- unsupported".format(pf_name))
continue

else:
   print("[-] Signature mismatch - Name: {}
Path: {}".format(hit[0], hit[1]))
continue
write_output(prefetch_data, output_csv)

Now, define the method for writing result into CSV report as follows −

def write_output(data, output_csv):
   print("[+] Writing csv report")
   with open(output_csv, "wb") as outfile:
      writer = csv.writer(outfile)
      writer.writerow([
         "File Name", "Prefetch Name", "File Size (bytes)",
         "File Create Date (UTC)", "File Modify Date (UTC)",
         "Prefetch Last Execution Date (UTC)",
         "Prefetch Execution Count", "Volume", "Volume Create Date",
         "Volume Serial", "File Path" ])
      writer.writerows(data)

After running the above script, we will get the information from prefetch files of Windows XP version into a spreadsheet.