Windows Explorer Evidence Using Browsing History.

Windows Explorer Evidence Using Browsing History.

Hey readers, My last post on program execution touched on a way to see program execution using file explorer. However, today we will be looking at how you can get more information about: file access, internet browsing history, last visit time, visit count, and much more which is recorded by an unlikely program.

What you will need

Before we get started, if you want to follow along and test this process out yourself you will need the following things.

That’s it, not much to download this time. 🙂

Getting Started

Load up a fresh workbench or FTK if you are doing this from another box.

If you are going to pull this from another box keep reading. But, if you are going to test this from a live box you can skip to the next section.

Once FTK is loaded up and you have added the drive as an evidence item, drill down to the user in question and grab the following:

  • NTUSER.DAT :   C:\Users\<User>\NTUSER.DAT
  • HISTORY : C:\Users\<User>\AppData\Local\Microsoft\Windows\History
  • WebCache : C:\Users\<User>\AppData\Local\Microsoft\Windows\WebCache

Export each of these files/folders to a location of your choice (ex:Flashdrive).

Once you are on a clean box to investigate with, you will need to create the following folder structure for BrowsingHistoryView to parse the data.

Note: Make sure you swap out for the username of the user you are investigating.

BrowsingHistoryView

Once you have the BrowsingHistoryView executable downloaded, run it as Administrator.

  •  Since this is a standalone EXE you can use this as a portable tool for investigations.

You are then greeted with an Advanced Options menu. You can choose to filter by date/time, web browsers, and location. Then click “ok”.

Next, you are given loads of great information like the file path of files, URL history, Title, Visit count, and User Profile.

As you can see Barry researched how to hide files on GoDuckGo, then he created the hidden file “HiddenFile” on his Desktop. I know very creative example. Next, you can see Barry accessed the “HiddenFile” approximately 6 times.

Play around with this tool in your test environment to see how this tool and artifact work.

Notes

While running some tests with this artifact and tool I noticed the following. Let me know what you find by leaving a comment or emailing me at tristians_forensics@fastmail.com

  • This data will not be recorded until the user accesses a web browser for the first time. In other words, if a user never used the web this data will not be recorded.
  • Program access information is only shown if it is accessed through windows explorer itself. So, Command line access does not show up. However, we talked about some other artifacts in previous posts that can pick up command line access.
  • Once a user clears their browsing data the evidence is purged.
    • Clearing Internet Explorer history will clear the file access portion of the history.
    • The user would have to clear each of their browser’s history to get rid of all browsing history access.
    • Ex: Clear Firefox to clear Firefox data. Clear Chrome to clear its associated data.
  • Users can stop recording file access information by adjusting Internet Explorer settings.
  • The visit count will only update once per login session.
    • Ex: For Barry’s “HiddenFile” to register another Visit he would have to log out then log back in and finally access “HiddenFile” to register as 7th visit. So, if the file was accessed 10 times in one session it will only register as one visit.
  • Folder Visit Count does not increase.
  • As the example shows, even hidden files will show up in this data. Furthermore, so will recently deleted files.

TLDR/ Summary

Another artifact that can provide information of file access can actually be found using Internet Explorer history. By using the tool BrowsingHistoryView, you can answer questions like: What files does the user access? How many times has the file been accessed? When was the last time the file was accessed? What user access the file? What websites and searches have the user done? and much more. However, there are some caveats to this that can be found in the Notes section of the post. Hopefully, you found this artifact and tool useful.

Thanks again for taking the time to read my post. Have you tested this tool and artifact out? What did you find? Let me know by commenting or emailing me. Otherwise, Let me know what you thought of the article and let me know what else you would like to read. Thanks!

Tristians_Forensics@fastmail.com

Leave a Comment