Win7 Enterprise SP1 system; the objective is to determine whether any files were accessed on external media and, if so, to try to identify the media.
I have an image, viewing in FTK (and Imager); when I look in here…
C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent
…there is an empty AutomaticDestinations folder, a populated CustomDestinations folder, and no LNK files.
There are LNK files in C:\Users\username\AppData\Roaming\Microsoft\Office\Recent.
There are 7 Volume Shadow Copies; they all exhibit the same symptoms, except that the number of LNK files in the Office\Recent folder varies from 34 to 42. Some of the Office\Recent LNK files in the image post-date the earliest VSC by up to 15 days; in fact one of them post-dates 5 of the 7 VSCs.
It appears as if all "regular" artefacts are present, e.g. setupapi.dev.log, USB keys in the registry, event logs.
I found on http//
UserAssist on the image and VSCs shows no untoward applications being run, as far as I can see; I haven't parsed Prefetch yet.
Manually accessing and deleting AutomaticDestinations is, AFAIK, non-trivial for bog-standard users; deleting LNK files in Recent is easy enough.
Would appreciate any comments/suggestions as to how to explain this scenario, i.e. the empty AutomaticDestinations in the image and all VSCs.
Cheers
You have a theory (Clean recent documents), so test it.
Would you rather go into court and say I tested this, and it was consistent with what I say on the subject system? Or would you rather go into court and say some guy I don't know on the internet told me this is what happened?
Terry
If I were you I would recover all of the LNK files from the unallocated clusters, because maybe they had been created by Windows and deleted, as spool files are: all successfully printed files end up allocated in unallocated clusters.
> You have a theory (Clean recent documents), so test it.
> Would you rather go into court and say I tested this, and it was consistent with what I say on the subject system? Or would you rather go into court and say some guy I don't know on the internet told me this is what happened?
> Terry
Sorry, I am not quite with you; maybe I misunderstood. There is no such key in the current image or in any of the VSCs, so testing it doesn't prove that this suspect did or did not implement it: it just proves I couldn't see any sign of it?
If I saw the key then I would test to see if I could reproduce similar results. Hope that makes sense?
OK, so out of interest I tested the theory.
Creating a value ClearRecentDocsOnExit in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer with a value of one seems to do the trick.
Restart, and there are no LNK files in the root of C:\users\name\appdata\roaming\microsoft\recent and no *automaticdestinations-ms in the AutomaticDestinations sub-folder.
Worked every time.
But all the previously-extant LNK and *automaticdestinations-ms files appeared in FTK Imager with the red cross through them, which is not mirrored in the image.
So I'm still trying to work out how it's possible to have what seem to be completely virgin folders:
C:\users\name\appdata\roaming\microsoft\recent
C:\users\name\appdata\roaming\microsoft\recent\AutomaticDestinations
Not even a $I30 file.
Bearing in mind we have plentiful MRUs for Office and apparently good-to-go UserAssist and Prefetch.
Oh, and I processed the image in Field Mode in FTK and there are no deleted LNK files that I should know about.
Anyone?
Since you mentioned a Win7 Enterprise SP1 system: is this a stand-alone system or a client in a managed client-server environment?
Also, what is the version of the application that you think should be listing items in the Jump List? Since older applications can rely on the SHAddToRecentDocs() method to utilize the Recent folder, they might not have been implemented for newer operating system features like the Jump List.
Look at the registry settings
HKCU\Software\Policies\Microsoft\Windows\Explorer\"NoPinningToDestinations"=
In the policy, most should be "Not Configured" by default; otherwise a custom policy is in place: the system is centrally managed or hardened for security or optimal performance, not a default installation.
gpedit.msc
User Configuration -> Administrative Templates -> Start Menu and Taskbar
"Do not allow pinning items in Jump Lists"
This policy setting allows you to control pinning items in Jump Lists.
If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.
If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the item is always present in this menu.
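An added check, not code from anyone in this thread, that pulls together the two registry values discussed above (the ClearRecentDocsOnExit value the OP tested, and the NoPinningToDestinations policy value named in this post) with a count of what sits in the Recent-folder locations the OP is comparing. It is written in PowerShell for a live profile or for an NTUSER.DAT hive loaded from a mounted image; the hive root, profile path and the HKEY_USERS\Suspect load name are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Surveys the Explorer/Jump List policy values
# and the Recent-folder artefacts discussed in the thread for one user profile.
# Assumptions: -HiveRoot and -ProfilePath default to the current user. To examine
# an image, mount it and load the suspect hive first (names are illustrative):
#   reg load HKU\Suspect X:\Users\username\NTUSER.DAT
#   .\Check-RecentPolicy.ps1 -HiveRoot 'HKEY_USERS\Suspect' -ProfilePath 'X:\Users\username'
#   reg unload HKU\Suspect
param(
    [string]$HiveRoot    = 'HKEY_CURRENT_USER',
    [string]$ProfilePath = $env:USERPROFILE
)

# Policy values named in the thread. ClearRecentDocsOnExit=1 empties Recent (LNK files
# and AutomaticDestinations) at logoff; NoPinningToDestinations is the "Do not allow
# pinning items in Jump Lists" GPO. By default neither value exists ("Not Configured"),
# so mere presence of either value is the finding worth recording.
$policyValues = @(
    @{ Key = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'ClearRecentDocsOnExit' },
    @{ Key = "$HiveRoot\Software\Policies\Microsoft\Windows\Explorer";               Name = 'NoPinningToDestinations' }
)

foreach ($p in $policyValues) {
    $regPath = "Registry::$($p.Key)"
    if (-not (Test-Path -Path $regPath)) {
        "{0} : key not present" -f $p.Key
        continue
    }
    $item = Get-ItemProperty -Path $regPath -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        "{0}\{1} = {2}" -f $p.Key, $p.Name, $item.($p.Name)
    } else {
        "{0}\{1} : value not present (Not Configured)" -f $p.Key, $p.Name
    }
}

# Recent-item locations the thread compares. Normally the Windows Recent root (LNK),
# AutomaticDestinations and CustomDestinations are all populated; zero entries in the
# first two while Office\Recent is populated is the anomaly under discussion.
$folders = @(
    "$ProfilePath\AppData\Roaming\Microsoft\Windows\Recent",
    "$ProfilePath\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations",
    "$ProfilePath\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations",
    "$ProfilePath\AppData\Roaming\Microsoft\Office\Recent"
)

foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) { "$f : folder missing"; continue }
    $dir   = Get-Item -LiteralPath $f -Force
    $files = @(Get-ChildItem -LiteralPath $f -File -Force -ErrorAction SilentlyContinue)
    # Folder creation time is worth noting alongside the count: a folder that was deleted
    # and re-created gets a fresh creation time, unlike one that was merely emptied.
    "{0}`n  files: {1}  folder created (UTC): {2}  last written (UTC): {3}" -f `
        $f, $files.Count, $dir.CreationTimeUtc.ToString('u'), $dir.LastWriteTimeUtc.ToString('u')
    # Show the three most recently written entries so post-dating against VSCs is easy.
    $files | Sort-Object LastWriteTimeUtc | Select-Object -Last 3 |
        ForEach-Object { "    {0}  {1}" -f $_.LastWriteTimeUtc.ToString('u'), $_.Name }
}
```

Run the same script against each mounted Volume Shadow Copy (pointing -ProfilePath at the copy's Users folder) to get a per-VSC table of counts and folder timestamps; comparing the Recent folder's creation time with the profile's own creation time is what distinguishes "never populated" from "emptied" or "re-created".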
> OK, so out of interest I tested the theory.
> But all the previously-extant LNK and *automaticdestinations-ms files appeared in FTK Imager with the red cross through them, which is not mirrored in the image.
Please clarify? The deleted LNK files were found on the test system, which did have LNK files prior to flipping the switch in the Registry?
Terry
Sorry, been recovering from a minor op, no access to case files, hence the delay in replying.
> Since you mentioned a Win7 Enterprise SP1 system: is this a stand-alone system or a client in a managed client-server environment?
Client in managed client-server. This is an internal investigation; as far as I am aware all our systems are configured the same.
> Also, what is the version of the application that you think should be listing items in the Jump List? Since older applications can rely on the SHAddToRecentDocs() method to utilize the Recent folder, they might not have been implemented for newer operating system features like the Jump List.
How relevant is this? Even .txt, .exe, folders should have something in AutomaticDestinations. For the record though, MS Office 2010 and Acrobat Reader X would be the ones I'd expect to see. As far as MS Office is concerned, I'd likely see separate Jump Lists for doc & docx, and xls and xlsx.
> Look at the registry settings
> HKCU\Software\Policies\Microsoft\Windows\Explorer\"NoPinningToDestinations"=
No such key.
> User Configuration -> Administrative Templates -> Start Menu and Taskbar
> "Do not allow pinning items in Jump Lists"
Where is this to be found?
Long and short of it, GPOs do not disable Jump Lists; they are present on every other system I have looked at, which is plenty.
> Please clarify? The deleted LNK files were found on the test system, which did have LNK files prior to flipping the switch in the Registry?
Correct. Whereas the Recent folder in the system under investigation is completely empty when viewed in FTK Imager.
HTH