Search terms are saved on a per user basis. In Windows 8, this is stored as an MRU (Most Recently Used) list in the NTUSER.dat file under the key:
Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\Microsoft.Windows.FileSearchApp
 |
| Figure 1 - Search history (MRU) in Windows 8 registry |
Windows 8.1
On Windows 8.1 this has changed! These entries are no longer stored in the registry, instead they are stored on disk at:\Users\
They are stored as individual link (LNK) files. Each link file holds a single previously searched for keyword (or phrase).
 |
| Figure 2 - Search history in Windows 8.1 stored as LNK files |
The format of this link file is similar to the one we are familiar with from earlier versions of windows, however, no dates or other details typically seen in link files are included. All it contains is a link header and a shell item id list. The shell item id list contains the keyword/phrase searched for. Current link file parser scripts/tools will not be able to parse this correctly as they are either not parsing the Shell item id list or not (yet) looking for this specific information. (A shell item id list is seen in many places in the registry, one of the more popular artifacts that uses it is the 'shell bags').
 |
| Figure 3 - Search history LNK file showing searched term 'enscript' |
Forensic Importance
From a forensic perspective, this ties a search keyword to a user and a date. This means that we now know the date and time when a particular user searched for a specific keyword on the machine. The last modified timestamp gives us the first time that keyword is searched and it does not get updated after, even if the search is repeated. On my machines, all 4 timestamps (created, accessed, modified, entry modified) hold the same value for a single file (see figure 2 above) and don't seem to get updated/altered once created.Fuente: http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html
Entradas
No hay comentarios:
Publicar un comentario