The Windows Control Panel is implemented as a series of applets, and each applet is represented by a .cpl file. These applets are usually stored in the %systemroot%\System32 folder and are opened through the system binary control.exe, the Control Panel application. There are several ways to open an applet, and each of them can leave you with different artifacts, which are stored in varied places depending on the version of Windows.
During Control Panel forensics the investigator can first examine application and boot prefetching, a Windows feature designed to speed up the loading of applications. Windows does this by storing the data a program needs at start-up in a file called a prefetch file. The prefetch folder holds the execution details of every prefetched application, one prefetch file per application. The folder is C:\Windows\Prefetch and the files carry the extension .pf. A prefetch file is easily identified because its name combines the name of the application with a hash of the application's file path. This hash value is also useful in Control Panel forensics to determine whether the application is stored in multiple locations.
The file holds much useful information: the number of times the application was executed, a time stamp, and references to the file system and the files used by the application. This folder can indicate that the Control Panel was opened, but it will not indicate which applet was used. Moreover, users cannot tell these prefetch files apart by themselves. To analyze the prefetch files in detail you will need an external application that can parse them, or you can apply the hash computation algorithm to the file name to analyze it in detail.
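The naming scheme described above can be checked by hand. The following is an added example, not code from the original post: it computes the 32-bit path hash that Windows Vista and 7 put into a prefetch file name (the variant documented by open-source prefetch parsers such as libscca; Windows 8 and later use a different variant that is not shown), builds the expected CONTROL.EXE-XXXXXXXX.pf name, and uses it to test which of several candidate locations a given prefetch file belongs to. The NT device paths are constructed sample values, and the volume name and user folder in them are assumptions.

```python
import re

def scca_vista_hash(path: str) -> int:
    """32-bit prefetch path hash, Windows Vista/7 variant (as documented by
    open-source prefetch parsers such as libscca). Windows computes it over
    the upper-cased NT device path of the executable, e.g.
    \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CONTROL.EXE."""
    h = 314159
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h

def prefetch_file_name(nt_path: str) -> str:
    """Expected .pf name: <EXE NAME>-<hash as 8 upper-case hex digits>.pf"""
    exe_name = nt_path.rsplit("\\", 1)[-1].upper()
    return f"{exe_name}-{scca_vista_hash(nt_path):08X}.pf"

# <anything>-<8 hex digits>.pf ; the hash is the part that ties the file to a path
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$")

def matches_known_location(pf_name: str, candidate_nt_paths):
    """Return the candidate location that produced this prefetch file, or None.
    A second .pf for the same executable name but a different hash means the
    binary was also run from some other directory."""
    if not PF_NAME_RE.match(pf_name):
        return None
    for candidate in candidate_nt_paths:
        if prefetch_file_name(candidate) == pf_name:
            return candidate
    return None

# Constructed sample paths (assumed volume and user name): control.exe in its
# normal location and a copy launched from a user's Downloads folder.
SYSTEM32_CONTROL = r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CONTROL.EXE"
DOWNLOADS_CONTROL = r"\DEVICE\HARDDISKVOLUME2\USERS\ALICE\DOWNLOADS\CONTROL.EXE"

if __name__ == "__main__":
    for p in (SYSTEM32_CONTROL, DOWNLOADS_CONTROL):
        print(prefetch_file_name(p), "<-", p)
    unknown = "CONTROL.EXE-00000000.pf"
    print(unknown, "->", matches_known_location(unknown, [SYSTEM32_CONTROL, DOWNLOADS_CONTROL]))
```

Because the hash is computed over the upper-cased path, the same executable run from two different directories yields two different .pf files, which is exactly the "stored in multiple locations" check the text mentions; a prefetch name whose hash matches none of the known install paths is a prompt to look for the binary elsewhere on the volume.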
For Older Data Try UserAssist To Dig Out More
Windows records each step taken on the system, in one form or another, in sequential order. For example, if you open the Start menu you will find the recently used programs (unless they have been interfered with or manipulated). You can also see the recently opened Office files, recently viewed videos, and so on. To a greater extent, Windows also keeps a record of all programs launched and of the number of times each was run. This information is found in the Registry under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
UserAssist is recommended for investigators because it is not limited to the last 20 programs run: it can dig out the last 1000 or more listed entries. The information, however, is stored in an encoded form and thus cannot be viewed directly; it can be read once it has been safely decoded with one of the special tools available for this purpose.
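The decoding step is simple enough to do without a dedicated tool. The following is an added example, not code from the original post: the value names under the UserAssist Count subkeys are ROT13-encoded, and on Windows 7 each value's data is a 72-byte record holding the run count at offset 4 and the last-run FILETIME at offset 60. The example decodes the name, unpacks the count and timestamp, and prints a record per program. The sample entry is constructed here, not read from a real registry; the GUID constant is the well-known Windows 7 UserAssist subkey for executable launches and is only used as a label.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Well-known UserAssist subkey GUID under which executable launches are
# recorded on Windows 7 (a second GUID there covers shortcut launches).
EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def decode_value_name(name: str) -> str:
    """Value names are stored ROT13-encoded: a reversible letter substitution,
    so digits, braces, backslashes and dots pass through unchanged."""
    return codecs.decode(name, "rot_13")

def parse_win7_count(data: bytes) -> dict:
    """Windows 7 UserAssist value layout (72 bytes): session id, run count,
    focus count, focus time in ms, 44 bytes of floats, last-run FILETIME at
    offset 60, 4 trailing bytes."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value size {len(data)}")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }

def build_win7_count(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Construct a value blob in the layout above (used here only to make sample data)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)

def parse_userassist(values):
    """values: iterable of (encoded_name, raw_bytes) pairs as read from a Count subkey."""
    records = []
    for encoded_name, raw in values:
        record = parse_win7_count(raw)
        record["program"] = decode_value_name(encoded_name)
        records.append(record)
    return records

# Constructed sample (not real registry data): control.exe launched three times,
# last at 2014-03-05 10:15:00 UTC, plus an entry that was never run.
SAMPLE_VALUES = [
    (codecs.encode(r"C:\Windows\System32\control.exe", "rot_13"),
     build_win7_count(3, 3, 12000, datetime(2014, 3, 5, 10, 15, 0, tzinfo=timezone.utc))),
    (codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13"),
     build_win7_count(0, 0, 0, FILETIME_EPOCH)),
]

if __name__ == "__main__":
    print("subkey:", EXE_GUID)
    for rec in parse_userassist(SAMPLE_VALUES):
        print(rec["program"], "runs:", rec["run_count"], "last:", rec["last_run"])
```

A zero FILETIME is reported as no last-run time rather than as the year 1601, which is the usual cause of nonsense dates in hand-rolled parsers; Windows XP uses a shorter 16-byte record with a different count encoding, so the 72-byte check keeps the parser from silently misreading that format.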
Easy to Reach Jumplists for Windows 7 & 8
Windows 7 and 8 changed a great deal around UserAssist and made this information easy to reach. Users can simply right-click an application pinned to the taskbar and get to the recently used items through the Jump Lists feature. Investigators can use the same Jump Lists to carve out similar information. So if the system you are examining for artifacts runs one of the latest Windows versions, 7 or 8, Jump Lists can take you to the information recorded by the Control Panel, through which you can easily perform Control Panel forensics.
Jump Lists are different for each user; to reach this information, follow the path below:
%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms
Of course, one can delete a certain reference so that the information is removed, but luckily for investigators the deletion does not remove the information from the Jump List, and the deletion itself can be detected as well, which eases the task of Control Panel forensics.
Conclusion
The agony of technology is that a few things are always hidden from everyone, and this makes investigation easier. Of course there are methods to completely remove the trails of Control Panel applet execution, but there are several other ways to make artifacts available as evidence. When any program is launched on the system, the operating system records every detail of that program, its associated files and the locations on the drive that were accessed, and these records can be wisely used for analysis. Control Panel forensics is necessary to reverse-engineer an incident and helps trace the actions which took place.