Computer Account Forensic Artifact Extractor (cafae)
cafae is a prototype version of a Windows registry parser that targets a few specific registry keys that help identify user activity as it pertains to files and program execution. The keys chosen are a handful of entries specific to an account's registry hive(s), which include both the user's ntuser.dat hive and the usrclass.dat hive (for Vista and later). Collectively these hives contain artifacts useful in piecing together the file and program activity that occurred under a specific account.
Why build another Windows registry parser when there are plenty of good ones freely available on the Internet? The answer is simple. We listened to the feedback submitted to our shop by the forensics community, specifically the request to take some of the yaru functionality and make an easy-to-use command line tool. The desire was to be able to use it in a batch processing mode while outputting the data in one of the more common formats, so that it could be 'somewhat easily' fused with artifacts from other sources.
So cafae consists of the same parsing engine that is in yaru, but geared toward user activity artifacts and packaged into a console application. This version of cafae is labeled a 'limited version', since there are some functional aspects of the tool we don't export (things like more complex command line syntax and additional output options that allow dumping carved-out metadata associated with a specific entry). These latter capabilities are designed for the reverse engineer and, consequently, become a major source of confusion to the general user. As such, we tried to keep the tool 'user friendly' and less complicated.
Other useful aspects of cafae include the following:
- a. Can parse hives from a live system (same as yaru).
- b. Works across WinXP and Win7 (meaning it figures out what version of the hive it is working on and then automatically adjusts which registry keys should be used).
- c. In some cases, it can parse deeper into the metadata and pull out additional artifacts beyond what currently available registry parsers extract.
- d. Non-Windows versions are available for those that choose to process Windows artifacts on a non-Windows operating system.
- e. The architecture is extremely extensible to include additional registry subkeys. For those that provide input for some new capability, it is useful to us if you also provide a justification as to what utility the additional capability would provide to the community.
How to use cafae
cafae is a console application that targets user registry hives (e.g., ntuser.dat and usrclass.dat files). To use this tool on a live system, one first needs to open the command prompt with administrator privileges. One can display the menu options by typing the executable name with no parameters. A screen shot of the menu is shown below. The menu groups the available artifacts by area of analysis, where each artifact can be extracted independently or combined per command issued. Since each artifact comes from a specific type of user hive, each option identifies which hive (either ntuser.dat or usrclass.dat) it expects to receive as input in order to extract data successfully.
The registry artifacts are grouped into the following categories: (a) running a program, (b) opening files, (c) searching/browsing and (d) network/computer settings. The output options include: (a) the default output, where each record is on a separate line and each field is separated by the pipe character, (b) the SleuthKit body-file format and (c) the log2timeline CSV (comma separated value) format.
To process a specified hive, one uses the -hive <location of hive to process> option together with the specific artifact one is interested in. For example, assuming a user hive was extracted to the c:\dump directory, one could review all the Microsoft Office documents accessed by this user by typing:
cafae -hive c:\dump\ntuser.dat -office_docs > office_docs.txt
Since the output that is generated is very wide, it is recommended that one redirect the output of the command into a file as shown above. It can then be reviewed in any text editor with the word wrap option turned off, so that each record appears on one line.
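The body-file output option exists so that per-account registry artifacts can be fused with artifacts from other sources on one timeline. The following Python is an added example (not cafae's own code) of that workflow: it renders artifact records as SleuthKit body-file lines and merges them with a constructed file-system line into one time-ordered list, the ordering mactime would produce from the combined file. The record layout it consumes and the sample records are assumptions constructed for this example, not cafae's output format.

```python
import datetime as dt

# Constructed sample records: the shape a parser such as cafae might hand back for
# one user hive. The field names are an assumption of this example, not cafae's
# own output format. Timestamps are UTC; None means the artifact carries no time.
SAMPLE_RECORDS = [
    {"source": "RecentDocs", "item": "report.docx",
     "when": dt.datetime(2012, 3, 14, 15, 12, 1, tzinfo=dt.timezone.utc)},
    {"source": "UserAssist", "item": "C:\\Windows\\System32\\notepad.exe",
     "when": dt.datetime(2012, 3, 14, 15, 9, 26, tzinfo=dt.timezone.utc)},
    {"source": "MuiCache", "item": "C:\\Tools\\procexp.exe", "when": None},
]

# A constructed body-file line from another source (e.g. fls on the same volume),
# to show that registry artifacts and file-system times sort into one timeline.
OTHER_SOURCE_LINE = ("0|C:/Users/bob/Documents/report.docx|1234|r/rrwxrwxrwx|0|0|20480"
                     "|1331737800|1331737800|1331737800|1331737700")


def to_bodyfile_line(rec, hive="ntuser.dat"):
    """Render one artifact as a TSK 3.x body-file line:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    A registry artifact has no file-system metadata, so only the name and one
    timestamp (placed in the mtime column) are populated; the rest are 0.
    Returns None for artifacts without a timestamp (MuiCache entries, for
    instance), since they cannot be placed on a timeline.
    """
    if rec["when"] is None:
        return None
    ts = int(rec["when"].timestamp())
    # The pipe is the field separator, so it must not appear inside the name.
    name = f"[{hive}] {rec['source']}: {rec['item']}".replace("|", "_")
    return f"0|{name}|0|0|0|0|0|0|{ts}|0|0"


def bodyfile(records):
    """Body-file lines for every record that has a timestamp, in input order."""
    lines = (to_bodyfile_line(r) for r in records)
    return [ln for ln in lines if ln is not None]


def merged_timeline(*line_sets):
    """Merge body-file lines from several sources and order them by mtime
    (column 8, zero-based), the same ordering mactime applies."""
    merged = [ln for lines in line_sets for ln in lines]
    return sorted(merged, key=lambda ln: int(ln.split("|")[8]))


if __name__ == "__main__":
    for line in merged_timeline(bodyfile(SAMPLE_RECORDS), [OTHER_SOURCE_LINE]):
        print(line)
```

The artifact without a timestamp is deliberately dropped rather than written with a zero time, since a zero would sort to 1970 and mislead anyone reading the merged timeline.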
Example Artifacts that are Extracted and Parsed
As a disclaimer, this version of cafae does not contain all the requisite registry keys that may be of interest to a computer forensic analyst, but it encompasses some of the more common ones. Furthermore, every attempt has been made to ensure that this tool parses data correctly; however, parsers are only as good as the sample datasets that were used during the development/testing process. Since we have a limited set of sample hives to test on, we cannot guarantee that the data in your registry hives will be parsed accurately.
Below are examples of the more interesting registry artifacts cafae can extract. Each subsection includes which registry keys were examined, the command line syntax that was used, and when available, a sample output with annotations.
Open -> Run Dialog
These keys track the program that was last used to access files listed in the Open/Save dialog box MRU subkey. With Vista and later, most of these entries record the timestamp that the program was executed. The MRU (Most Recently Used) value will show the order of the entries, from the most recently used. cafae makes use of this MRU value to sort the output from most to least recently accessed.
Example: cafae -hive user.win7.hive -openrun_mru > out.txt
This key contains values that identify programs executed by a user account. Entries are a mix of executable files and an associated link entry. Many of the entries contain the last execution time along with the number of times the application was run. While the last execution time seems reliable, the run count data is still under evaluation and is based on empirical data. Therefore, the results of this output should be considered experimental.
Example: cafae -hive user.win7.hive -userassist > out.txt
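To show what "last execution time" and "run count" look like at the byte level, here is an added Python example (not cafae's code) that decodes a single UserAssist Count value. The ROT13 encoding of the value name and the two data layouts it handles (16-byte XP/2003 and 72-byte Win7) are widely documented and are assumed here rather than taken from this page; the sample value is constructed.

```python
import codecs
import struct
import datetime as dt

# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch)
_EPOCH_DIFF = 116444736000000000


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100ns ticks since 1601-01-01 UTC) to an aware datetime.
    A zero FILETIME means 'never recorded' and maps to None."""
    if ft == 0:
        return None
    return dt.datetime.fromtimestamp((ft - _EPOCH_DIFF) / 10_000_000, tz=dt.timezone.utc)


def decode_userassist(value_name, data):
    """Decode one value under UserAssist\\{GUID}\\Count.
    The value name is the ROT13-encoded program path. Two data layouts are
    assumed (widely documented, not taken from the cafae page):
      XP/2003 : 16 bytes -> session(4) | run count(4) | last run FILETIME(8);
                the stored count starts at 5, so 5 is subtracted
      Win7+   : 72 bytes -> session(4) | run count(4) | focus count(4) |
                focus time ms(4) | 10 floats(40) | unknown(4) | FILETIME @ 60 | unknown(4)
    Any other size returns None rather than guessing at the layout."""
    name = codecs.decode(value_name, "rot13")
    if len(data) == 16:
        raw_count, ft = struct.unpack_from("<IQ", data, 4)
        return {"name": name, "run_count": max(raw_count - 5, 0),
                "last_run": filetime_to_datetime(ft), "layout": "xp"}
    if len(data) == 72:
        run_count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
        return {"name": name, "run_count": run_count,
                "last_run": filetime_to_datetime(ft), "layout": "win7"}
    return None


# Constructed sample: notepad run 7 times, last at 2012-03-14 15:09:26 UTC.
_LAST_RUN_FT = 129762113660000000
SAMPLE_PATH = "C:\\Windows\\System32\\notepad.exe"
SAMPLE_NAME = codecs.encode(SAMPLE_PATH, "rot13")   # how the name appears in the hive
SAMPLE_WIN7 = (struct.pack("<IIII", 0, 7, 3, 5000) + bytes(40)
               + struct.pack("<I", 0) + struct.pack("<Q", _LAST_RUN_FT) + bytes(4))
SAMPLE_XP = struct.pack("<IIQ", 0, 12, _LAST_RUN_FT)   # stored count 12 -> 7 runs

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_WIN7))
    print(decode_userassist(SAMPLE_NAME, SAMPLE_XP))
```

The size check is the important defensive step: a value of an unexpected length is reported as undecodable instead of being read with the wrong offsets, which is how a parser silently produces a plausible but wrong timestamp.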
The ProgramsCache key records which application was launched as well as when it was launched. The size of the file refers to the link file and not the target file the link points to. Not shown in the diagram below, but included in the truncated section on the right, are any parameters used with the link file as well as the target file the link points to.
Example: cafae -hive user.winxp.hive -programs_cache > out.txt
- usrclass.dat\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
The operating system records what applications are launched by a user account, by recording the name of the application as well as the "File Description" information that is part of the version information stored in the portable executable of the binary that was launched. Unfortunately, there is no temporal information associated with each entry.
Example: cafae -hive user.winxp.hive -muicache > out.txt
Run Key and Miscellaneous Applications
The Run and RunOnce registry keys cause programs to run each time that a user logs on. The SysInternals key identifies which tool was run from the SysInternals suite.
Example: cafae -hive user.win7.hive -otherapps_run > out.txt
Recent Documents and Associated Keys
- ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Applets\?*\Recent [File List]
- and others ...
For the standard 'Explorer\RecentDocs' item, this key contains the recent documents as identified in the Windows "My Recent Documents" menu. Within the key is a "MRUListEx" value that identifies the most recently viewed items. If one parses the MRUListEx, one can display the items in the order that they were accessed relative to each other. cafae will output this list of items in the proper order, starting with the most recently viewed. While there is no temporal information associated with each entry, one can use the registry last-modification time of the subkey to determine when the most recent item was opened.
Example: cafae -hive user.win7.hive -recent_docs > out.txt
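Both the Open/Run dialog section above and this RecentDocs section rely on the MRU value to recover the relative order of entries. The Python below is an added example (not cafae's code) of that ordering step for both value styles: the letter-string MRUList used by older keys and the DWORD-array MRUListEx used from Vista on, applied to a constructed RecentDocs-style subkey. The sample values, the filler standing in for the shell item that follows each name, and the deleted index 7 are all constructed for the example.

```python
import struct


def order_by_mrulist(values):
    """XP-style MRU ordering: the 'MRUList' value is a string of single-letter value
    names, most recently used first. Letters with no matching value are skipped."""
    letters = values.get("MRUList", "")
    return [values[c] for c in letters if c in values]


def order_by_mrulistex(values):
    """Vista+ MRU ordering: 'MRUListEx' is an array of little-endian DWORDs, most
    recently used first, terminated by 0xFFFFFFFF. Each index names a value
    ('0', '1', ...). Dangling indices (value deleted) and a truncated trailing
    DWORD are skipped instead of raising."""
    raw = values.get("MRUListEx", b"")
    usable = len(raw) - len(raw) % 4
    ordered = []
    for (idx,) in struct.iter_unpack("<I", raw[:usable]):
        if idx == 0xFFFFFFFF:
            break
        if str(idx) in values:
            ordered.append(values[str(idx)])
    return ordered


def recentdocs_name(data):
    """A RecentDocs value starts with the UTF-16LE, NUL-terminated display name;
    a shell item follows it. Return just the name (scan on 2-byte boundaries so a
    byte pair straddling two characters is never mistaken for the terminator)."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le", errors="replace")
    return data.decode("utf-16-le", errors="replace")


def ordered_recent_docs(values):
    """Recent documents, most recently viewed first, matching the order described above."""
    return [recentdocs_name(d) for d in order_by_mrulistex(values)]


def _doc(name):
    # Constructed RecentDocs-style value: UTF-16LE name, terminator, then filler
    # standing in for the shell item that follows in a real hive.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x00"


# Constructed RecentDocs subkey: the order list says 2, 0, 7, 1 then terminator,
# where index 7 has no value (deleted), plus a stray trailing byte.
SAMPLE_RECENTDOCS = {
    "0": _doc("budget.xlsx"),
    "1": _doc("notes.txt"),
    "2": _doc("report.docx"),
    "MRUListEx": struct.pack("<IIIII", 2, 0, 7, 1, 0xFFFFFFFF) + b"\x00",
}

# Constructed older-style subkey with a letter-based MRUList.
SAMPLE_XP_MRU = {"a": "old.doc", "b": "new.doc", "c": "mid.doc", "MRUList": "bca"}

if __name__ == "__main__":
    print(ordered_recent_docs(SAMPLE_RECENTDOCS))
    print(order_by_mrulist(SAMPLE_XP_MRU))
```

The order list is the only source of sequence here; value names such as "0" and "1" say nothing about recency, so sorting by name instead of walking the MRU value would misreport which document was opened last.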
Per the MSDN article 235994, the Streams registry entries store the size and location information for closed windows. Per the article, Windows saves this information for up to 28 different windows. The association for the Streams subkey with a particular window is stored in the StreamMRU subkey.
Example: cafae -hive user.winxp.hive -stream_mru > out.txt
Open -> Save Dialog
The operating system tracks files that have been opened or saved from an "Open/Save As" shell dialog box through this registry key. It contains values and a number of subkeys. The subkeys group values by extension. With Vista and later, most of these entries record the timestamp that the action occurred. cafae sorts these entries by folder subkey and then by most recently used. The output includes an arrow to designate which item was the last one modified.
Example: cafae -hive user.win7.hive -opensave_mru > out.txt
Keys Associated with Office Documents
- ntuser.dat\Software\Microsoft\Office\?*\?*\Recent Files
- ntuser.dat\Software\Microsoft\Office\Office\?*\?*\File MRU
- ntuser.dat\Software\Microsoft\Office\Office\?*\?*\Place MRU
- and others ...
Per MSDN article 826208, many Microsoft Office programs maintain a list of the most recently used (MRU) files. Additionally, the various Office programs display this MRU list on the File menu and in several other locations. These locations include the Open dialog box, the Save As dialog box, and the Insert Hyperlink dialog box. The purpose of this feature is to provide quick access to files that a user is working on.
Example: cafae -hive user.win7.hive -office_docs > out.txt
This registry key has a separate subkey for each extension of a file that was opened. Within each extension subkey, the list associates which application is used to open a file with that specific extension.
Example: cafae -hive user.win7.hive -open_with > out.txt
For completeness, this important set of registry keys is just mentioned here. This option, however, was not made available in the public version of cafae, since the sbag tool can already parse these registry artifacts.
- ntuser.dat\Software\Microsoft\Search Assistant\ACMru
For Windows XP there is the ACMru key, which stores search terms that have been typed into a Windows search dialog box. The following subkeys define where the search term was used:
- 5001 - List of terms used for the Internet Search Assistant
- 5603 - List of terms used for the Windows XP files and folders search
- 5604 - List of terms used in the "word or phrase in a file" search
- 5647 - List of terms used in the "for computers or people" search
Unfortunately, Vista did not include a registry key for user searches. Windows 7, however, defines the WordWheelQuery subkey to record information about user searches. Below is an example of the WordWheelQuery data.
Example: cafae -hive user.win7.hive -search_history > out.txt
- ntuser.dat\Software\Microsoft\Internet Explorer\TypedURLs
Data in this key is added when a user types (or pastes) a URL directly into the browser. The list of URLs is sorted by number, where the lowest number is the last (most recently typed) URL.
Example: cafae -hive user.win7.hive -typed_urls > out.txt
This set of keys covers the shortcuts on the Windows Start Menu and the TaskBar, respectively. Shown below is an example of the parsed output of the TaskBar shortcuts. Some of the data is truncated to the right of the output. The additional fields include a cmdline parameter (for the icon), if needed, and any reference data (the target executable for the link).
Example: cafae -hive user.win7.hive -favorites > out.txt
- ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
- ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- and others ...
This last subsection is a catch-all for other useful artifacts that pertain to the computer configuration as set by (or indirectly affected by) the user.
Example: cafae -hive user.win7.hive -computer > out.txt
| | 32-bit Version | 64-bit Version | Checksums |
|---|---|---|---|
| Mac OS X: | cafae.v.0.14.osx.tar.gz | cafae.v.0.14.osx.tar.gz | md5/sha1 |

*32-bit apps can run in a 64-bit Linux distribution if "ia32-libs" (and dependencies) are present.