Windows 8.1 Search Charm |
Windows 8 Search Charm |
When a user runs a search using the search charm in Windows 8, specifically selecting "Files" as the search category, the search term is added as a value to an MRU list (maintained by an MRUListEx value) in the user's NTUSER.DAT under \Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\ Microsoft.Windows.FileSearchApp. If the "Settings" or "Apps" category is selected, the search term does not appear to be added as a value to the MRU list (nor is a separate subkey created in the SearchHistory key).
Windows 8.1 also utilizes the SearchHistory key to maintain an MRU list of search terms, but within the SearchHistory\EXPLORER.EXE subkey instead. Additionally, it appears that all search terms executed using the search charm are stored as a value here (as opposed to only the terms executed against the "Files" category). An MRUListEx value is used to maintain the list here as well and the search term itself is stored in Unicode as type REG_BINARY.
In addition to the SearchHistory subkey, it appears that Windows 8.1 maintains another set of artifacts in the form of LNK files in the user's AppData\Local\Microsoft\Windows\ ConnectedSearch\History directory. Interestingly, the LNK files associated with the search charm history that I've examined consist of only the LNK header and a shell item ID list containing the search term. This means that if your tool does not parse shell item ID lists, it will not extract the search term from these files. The LNK files I've examined that are associated with the search charm do not contain embedded FILETIME timestamps in the LNK header or DOSDate timestamps in the shell item ID list. Further, if the user runs the same search term at a later date, there appears to be no change to the file content or file system timestamps of the LNK file. This means that the file system timestamps associated with these files can only be used to identify the first time a particular search was conducted.
The search charm LNK files could be quite useful during an examination, despite the fact that the search terms are also stored in the user's NTUSER.DAT. For example, these files can help determine a specific time that each search term was used, provide additional artifacts to support that a particular search term was/wasn't used, and may be useful if the user has taken steps to remove his or her search charm history. When the search charm history is cleared (via search & apps settings), the entire SearchHistory subkey and the LNK files in the ConnectedSearch\History directory are deleted. The existence of these LNK files provides another possible avenue to recover previously used search terms. One thing to note with respect to these files is that they are likely to be resident, given the fact that they contain only the LNK header and a small shell item ID list.
The testing I've conducted with regard to the Windows 8 and 8.1 search charm history has been with the default settings. The Preview version of Windows 8.1 Professional was used for all testing related to 8.1. At the time of this writing, the option to search the Internet using Bing is not a default option and thus was not tested. It will be interesting to see if/how this option changes the artifacts available to an examiner. At any rate, the Windows search charm, both with and without the "Search Everywhere" feature, provides additional forensic artifacts to help examiners piece together user activity in a Windows environment.
Fuente: http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html
No hay comentarios:
Publicar un comentario