Wednesday, February 18, 2015

Dig Out Evidences Through Control Panel Forensics

The Windows Control Panel is implemented as a series of applets, each represented by a .cpl file. These applets are usually stored in the %SystemRoot%\System32 folder and are opened through the system binary control.exe, the Control Panel application. There are several ways to launch an applet, and each of them leaves different artifacts, stored in different places depending on the version of Windows.
Prefetch Files to Identify Control Panel Applet Execution

The first thing to examine during Control Panel forensics is prefetching. Windows performs application and boot prefetching, which is designed to speed up the loading of applications: the data a program needs at start-up is recorded in a prefetch file. The Windows Prefetch folder, C:\Windows\Prefetch, holds one .pf file for each executed application, together with its execution details. A prefetch file is easy to identify because its name combines the name of the application with a hash of the application's file path. This hash is also useful during Control Panel forensics to check whether the same application has been run from more than one location.

The file holds much useful information, such as the number of times the application was executed, the time stamp of its last run, and the files and directories the application used. The folder can therefore show that Control Panel (control.exe) was opened, but it will not show which applet was used. Moreover, prefetch files cannot be told apart by users at a glance. To analyse them in detail you will have to use an external application that can parse these files, or use the hash computation algorithm to analyse the file in more detail.
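The following Python is an added example, not code from the original post or from any tool it mentions. It reads the fields an examiner looks at first in a prefetch header (format version, executable name, path hash, last-run time(s) and run count, using the documented offsets for the XP, Vista/7 and Windows 8 layouts) and groups a Prefetch directory listing by executable name so that an application run from more than one path (two different hashes) stands out. The prefetch image, the hashes and the directory listing are constructed sample data, not real files.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets (from the start of the file) of the last-run FILETIME(s) and the
# run counter in the version-specific "file information" block that follows
# the 84-byte header.
LAYOUT = {
    17: {"last_run": 0x78, "n_times": 1, "run_count": 0x90},  # Windows XP / 2003
    23: {"last_run": 0x80, "n_times": 1, "run_count": 0x98},  # Windows Vista / 7
    26: {"last_run": 0x80, "n_times": 8, "run_count": 0xD0},  # Windows 8 / 8.1
}

# Prefetch file names have the form <EXE NAME>-<8 hex digit path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return version, executable name, path hash, last-run time(s), run count."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch (Windows 10+); decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    layout = LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch format version {version}")
    # 60 bytes of UTF-16 LE at offset 16, NUL terminated
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    last_runs = []
    for i in range(layout["n_times"]):
        (ft,) = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)
        if ft:  # unused slots in the 8-entry Windows 8 table are zero
            last_runs.append(filetime_to_datetime(ft))
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": f"{path_hash:08X}",
        "last_runs": last_runs,
        "run_count": run_count,
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
    }


def find_multi_location_apps(filenames):
    """Group Prefetch directory entries by executable name; an executable with
    more than one hash was run from more than one path."""
    hashes = {}
    for name in filenames:
        m = PF_NAME.match(name)
        if m:
            hashes.setdefault(m["exe"].upper(), set()).add(m["hash"].upper())
    return {exe: sorted(h) for exe, h in hashes.items() if len(h) > 1}


def build_sample_prefetch(version, exe_name, path_hash, run_count, last_runs):
    """Construct a minimal prefetch image (constructed test data, not a real
    file: only the fields parse_prefetch reads are filled, the rest is zero)."""
    layout = LAYOUT[version]
    buf = bytearray(256)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    name = exe_name.encode("utf-16-le")[:58]
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, path_hash)
    for i, dt in enumerate(last_runs[: layout["n_times"]]):
        struct.pack_into("<Q", buf, layout["last_run"] + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# Constructed sample: a Windows 7 (version 23) prefetch file for control.exe.
SAMPLE_RUN_TIME = datetime(2015, 2, 18, 9, 30, tzinfo=timezone.utc)
SAMPLE_PF = build_sample_prefetch(23, "CONTROL.EXE", 0x1A2B3C4D, 7, [SAMPLE_RUN_TIME])

# Constructed directory listing (hashes are made up): CONTROL.EXE appears twice.
SAMPLE_DIR = ["CONTROL.EXE-1A2B3C4D.pf", "CONTROL.EXE-9F8E7D6C.pf", "NOTEPAD.EXE-D8414F97.pf"]


def demo():
    return parse_prefetch(SAMPLE_PF), find_multi_location_apps(SAMPLE_DIR)


if __name__ == "__main__":
    header, multi = demo()
    print(header)
    print("run from more than one location:", multi)
```

On a real system, replace SAMPLE_PF with the bytes of a file from C:\Windows\Prefetch and SAMPLE_DIR with os.listdir of that folder. Windows 10 prefetch files start with "MAM" and are compressed, so the parser refuses them rather than reading garbage offsets.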

For Older Data Try UserAssist To Dig Out More

Windows records each step taken on the system, in one form or another, in sequential order. For example, if you open the Start menu you will find the recently used programs (unless they have been tampered with). You can also view recently opened Office files, videos viewed, and so on. To a greater extent, Windows also keeps a record of all programs launched and the number of times they were run. This information is found in the Registry at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

UserAssist is recommended for investigators because it is not limited to the last 20 programs run but can list the last 1000 or more entries. The information, however, is stored in an obfuscated form and cannot be read directly; it can be viewed once it has been decoded with one of the special-purpose tools available for this.
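As an added example (not code from the original post or from any UserAssist tool), the Python below does the decoding step itself: UserAssist value names are ROT13-obfuscated paths, and the value data is a small binary record holding the run count and the last execution time (16 bytes in the XP/Vista layout, where the counter starts at 5; 72 bytes in the Windows 7/8 layout). The registry values are constructed sample data; on a real Windows 7 system the names sit under GUID-named subkeys of the UserAssist key and often use known-folder GUIDs instead of drive letters.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name):
    """UserAssist value names are ROT13-obfuscated; undo that."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Used only to build sample data."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_entry(data):
    """Decode the binary value data.
    16 bytes: XP/Vista layout (session, count, last-run FILETIME; count starts at 5).
    72 bytes: Windows 7/8 layout (run count at +4, focus count at +8,
              focus time in ms at +12, last-run FILETIME at +60)."""
    if len(data) == 16:
        _session, count, ft = struct.unpack_from("<IIQ", data, 0)
        return {"run_count": max(count - 5, 0),
                "last_run": filetime_to_datetime(ft) if ft else None}
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count,
                "focus_count": focus_count,
                "focus_time": timedelta(milliseconds=focus_ms),
                "last_run": filetime_to_datetime(ft) if ft else None}
    raise ValueError(f"unrecognised UserAssist entry length {len(data)}")


def decode_userassist(values):
    """values: {obfuscated name: raw bytes}. Returns rows newest-first; entries
    with an unknown layout are skipped rather than misread."""
    rows = []
    for name, data in values.items():
        try:
            entry = parse_entry(data)
        except ValueError:
            continue
        entry["path"] = decode_value_name(name)
        rows.append(entry)
    rows.sort(key=lambda r: r["last_run"] or EPOCH_1601, reverse=True)
    return rows


def control_panel_entries(rows):
    """The rows relevant to Control Panel forensics: control.exe and .cpl applets."""
    return [r for r in rows if r["path"].lower().endswith(("control.exe", ".cpl"))]


def build_win7_entry(run_count, focus_count, focus_ms, last_run):
    """Constructed 72-byte Windows 7/8 value data."""
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


def build_xp_entry(raw_count, last_run):
    """Constructed 16-byte XP/Vista value data (raw_count includes the +5 offset)."""
    return struct.pack("<IIQ", 1, raw_count, datetime_to_filetime(last_run))


SAMPLE_RUN_TIME = datetime(2015, 2, 18, 9, 30, tzinfo=timezone.utc)

# Constructed registry values as they would be read with the winreg module from
# the executable-files subkey of UserAssist on Windows 7 (names are ROT13).
SAMPLE_VALUES = {
    "P:\\Jvaqbjf\\Flfgrz32\\pbageby.rkr": build_win7_entry(7, 3, 45000, SAMPLE_RUN_TIME),
    "P:\\Jvaqbjf\\Flfgrz32\\abgrcnq.rkr": build_win7_entry(2, 1, 1200, SAMPLE_RUN_TIME - timedelta(days=3)),
    "HRZR_PGYFRFFVBA": b"\x00" * 8,  # unrelated bookkeeping value, wrong size: skipped
}


def demo():
    return decode_userassist(SAMPLE_VALUES)


if __name__ == "__main__":
    for row in demo():
        print(row["last_run"], row["run_count"], row["path"])
    print("Control Panel related:", control_panel_entries(demo()))
```

On a live system the SAMPLE_VALUES dictionary would be filled by enumerating the values below HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist with winreg.EnumValue; on an offline image the same bytes come out of the user's NTUSER.DAT with a registry parsing library.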


Easy to Reach Jumplists for Windows 7 & 8

Windows 7 and 8 made many changes around UserAssist and made this information easier to reach. Users can simply right-click an application pinned to the taskbar and reach recently used items through the Jump Lists feature. Investigators can use Jump Lists to carve out similar information. So if the system you are examining for artifacts runs Windows 7 or 8, Jump Lists can take you to the information recorded for Control Panel, which makes Control Panel forensics easy.


Jump Lists are kept per user; to reach this information, follow the path below:

%user profile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms

Of course one can delete a particular reference so that the information is removed, but luckily for investigators a deletion does not remove the information from the Jump List, and the deletion itself can be detected, which eases the task of Control Panel forensics.

Conclusion

The irony of technology is that few things stay hidden from everyone, and this makes investigation easier. There are certainly methods to completely remove the traces of Control Panel applet execution, but there are several other ways to recover artifacts as evidence. Whenever a program is launched, the operating system records details of the program, its associated files, and the locations on the drive that were accessed, and these records can be used wisely in analysis. Control Panel forensics is needed to reverse-engineer what happened during an incident and helps trace the actions that took place.
