I need help making sense of ntuser.dat file internet history

35 Posts
7 Users
0 Reactions
17.4 K Views
tracedf
(@tracedf)
Estimable Member
Joined: 11 years ago
Posts: 169
 

checked regedit, looked at "typedURLS" but it had only two entries

Interesting idea. I'm not really sure how to do that, could you perhaps give a brief step-by-step? I'm scared if I do it wrong, I'll corrupt the file.

Sorry to be rude, but

It sounds like you are working on a live system and that you have no background in forensics. If there is any possibility that this could end up in court or an administrative hearing or that it could be used to carry out some sort of adverse action (e.g. termination/firing), you should stop now. You may have already caused serious damage to your case.

You should not be working on a live system to do an investigation. You should have a forensically sound duplicate of the target system and any potential modifications should be carried out on a working copy that you can replace if needed.

ntuser.dat is a part of the Windows registry as you previously acknowledged. You can view its contents with various registry editing/viewing tools and this would give you a much better sense of what you're looking at. The way you are describing things, it sounds like you're just doing a text search on the raw file or dumping the text out with "strings". You need context. With a registry viewer, you can see, for example, that "http://www.somesite.com" is listed under TypedURLS which indicates that the user (probably) typed the address into the Internet Explorer address bar. Without that context, you can't be sure where the URL came from or what it means.

-tracedf



   
(@kurt2121)
Eminent Member
Joined: 10 years ago
Posts: 43
Topic starter  

It sounds like you are working on a live system and that you have no background in forensics. If there is any possibility that this could end up in court or an administrative hearing or that it could be used to carry out some sort of adverse action (e.g. termination/firing), you should stop now. You may have already caused serious damage to your case.

[…]

You need context. With a registry viewer, you can see, for example, that "http://www.somesite.com" is listed under TypedURLS which indicates that the user (probably) typed the address into the Internet Explorer address bar. Without that context, you can't be sure where the URL came from or what it means.

-tracedf

I appreciate your concern, but this is absolutely not for anything that could end up in court. Yes, my knowledge of computer forensics is subpar at best; I'm trying to learn as much as I can.

Also it should be noted that the computer I'm testing this on is just that, a test computer. I'm using it as a dummy to look into the ntuser.dat file and what it stores. I was opening the raw file, but trust me, I wouldn't be if it were paramount that nothing happen to it.

And yes, I need context. That is why I made the thread in the first place. Regedit provides 0 context. I need something that does.

So please, if you know a way of connecting www.somesite.com with where it came from, lay it on me.



   
tracedf
(@tracedf)
Estimable Member
Joined: 11 years ago
Posts: 169
 

Here's some info about TypedURLs, which are stored in the "Current User" registry keys in ntuser.dat: https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/

The RegRipper tool will help you extract registry information from specific keys.

https://github.com/keydet89

And, to get you started, here's a Forensic Focus article about using RegRipper

https://articles.forensicfocus.com/2014/09/25/a-guide-to-regripper-and-the-art-of-timeline-building/

There are quite a few good forensics books out there. I would start with Harlan Carvey's Windows Forensic Analysis, 4th edition and Mastering Windows Network Forensics and Investigation by Anson et al.



   
(@kurt2121)
Eminent Member
Joined: 10 years ago
Posts: 43
Topic starter  

Here's some info about TypedURLs, which are stored in the "Current User" registry keys in ntuser.dat: https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/

[…]

Are you also of the opinion that Firefox and Chrome usage wouldn't populate the ntuser.dat file? I think Google Toolbar searches are recorded in the registry, I'll have to check that as well.



   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
 

Maybe we need to make a step back.

Regedit does NOT really-really access ntuser.dat (unless you load it as a hive, see below), it creates a view of the Registry which is created by "smart merging" information from several files.

See
https://msdn.microsoft.com/en-us/library/ms724877(v=vs.85).aspx
as a general rule however there is not a univocal and direct correspondence between the "backing files" and the main Registry hives as some are created in a "volatile" manner and "on the fly" and are just "symlinks" to other data.

So, you make a backup of the ntuser.dat and then analyze it as a "self-standing" file.

You can "mount" the backup copy by "loading the hive" under HKLM, like
http://zeda.nl/index.php/en/load-user-registry-hive-in-regedit

then if you select the "Temp" in the example, you can "Export" it as a .reg file, which is a TEXT file (suitable for importing/exporting, similar to a .ini file in structure).

Or you can use "offline" this tool
http://www.nirsoft.net/utils/registry_file_offline_export.html

Of course the "text only" export has LESS information than the original hive file, but it is easier to manage and may give you a better idea of where (in which sub-hives or keys) those "internet related" values are.

But you can also use a "better" tool than Regedit, like
http://registry-finder.com/

(still you should use it on a "loaded" or "mounted" hive, this particular tool allows searching on a single selected hive or sub-hive/key) and also gives you some info on the time the entry was modified.

Additionally, a hive file is (it depends on how you see it) either a database or a file system, so it is entirely possible (unless it has been - again it depends whether you see it as a database or as a file system - "compacted" or "defragged") that there is something that you can find analyzing the RAW file that wouldn't come up in the mentioned tools.

jaclaz



   
jhup
(@jhup)
Noble Member
Joined: 17 years ago
Posts: 1442
 

Regedit does NOT really-really access ntuser.dat (unless you load it as a hive see below), it creates a view of the Registry which is created by "smart merging" information from several files.

[…]
jaclaz

I believe the "smart merging" is actually from memory, not the registry files themselves. Much of the registry is in RAM and is flushed intermittently to the actual non-volatile storage.



   
(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158
 

So please, if you know a way of connecting www.somesite.com with where it came from, lay it on me.

While the registry usually is viewed as a navigational database, there is no overall schema or ruleset that says what it contains. Additionally, there's no guarantee that software X will do just the same thing in the current release as it did in the previous release; things may change without warning.

If you discover something odd in registry, chances are fairly good you may need to research how it gets there yourself.

Jerry Honeycutt's book on Windows Registry (Microsoft Press) has a section that shows just how you do that, using the Sysinternals Process Explorer tool, set it up to show registry actions invoked by the application you're interested in, and then see what different user actions lead to different changes in registry.

Also check out the web page on Sysinternals Learning resources – especially the Defrag videos/webcasts – to get to grips with Process Explorer (or Process Monitor, which is now part of Process Explorer, I think). It's been quite some time since I watched these, but I think one of the videos on Process Monitor also described how to use the tool to identify registry settings used by some windows application.



   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
 

I believe the "smart merging" is actually from memory, not the registry files themselves. Much of the registry is in RAM and is flushed intermittently to the actual non-volatile storage.

Yep :), hence the reference to "volatile" in the immediately following snippet (the one that you did not quote). ;)

… as a general rule however there is not a univocal and direct correspondence between the "backing files" and the main Registry hives as some are created in a "volatile" manner and "on the fly" and are just "symlinks" to other data.

jaclaz



   
(@kurt2121)
Eminent Member
Joined: 10 years ago
Posts: 43
Topic starter  

Maybe we need to make a step back.

Regedit does NOT really-really access ntuser.dat (unless you load it as a hive, see below), it creates a view of the Registry which is created by "smart merging" information from several files.

[…]

jaclaz

Just a bit of background about myself. I'm not a professional with this stuff by any means; I was hoping to go to school/get some training in forensics in a year or two. So please guys, I know this is probably frustrating trying to explain this to me (repeatedly), but I honestly am extremely appreciative of all the help from everyone. If you could bear with me for a bit longer, I would be very grateful! 😉

Anyway, I'm going to try and see if I understand this. Let me know if I'm on the right track.

1. The ntuser.dat isn't just a repeat of everything I can see from Regedit.

2. Reading the ntuser.dat file raw (which is potentially very bad) probably will yield more data such as fragmented data that will be difficult to associate with a specific application, but if I back it up as a "self-standing file"(which just means it isn't live and recording data?) and then mount it the way that link describes , it should help me figure out where it came from.

You say

"as a general rule however there is not a univocal and direct correspondence between the "backing files" and the main Registry hives as some are created in a "volatile" manner and "on the fly" and are just "symlinks" to other data."

Alright, so this has somewhat confused me. Going back to one of my original questions... Do Firefox or Chrome searches, URLs, webpage titles etc. get recorded or stored in the ntuser.dat file? I had assumed no, since they don't store anything in the registry. But knowing that the ntuser.dat file isn't actually the exact same as what is in regedit, does that open the door to possibly having Firefox/Chrome history items in the ntuser.dat files along with Internet Explorer?



   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 14 years ago
Posts: 576
 

kurt2121

A good method to answer your own questions is to

1) Install Windows fresh on a computer

2) Use a tool such as FTK Imager to create a forensic image of the freshly installed Windows computer. The goal is to create a forensic image of a computer with no user activity whatsoever and thus a pristine registry.

3) Perform specific tasks on the Windows computer such as installing Firefox and Chrome and then visiting a few websites.

4) Create a forensic image of the Windows computer that now contains evidence of known specific activities.

5) Use a program such as OSForensics to analyze and compare the original forensic image and the forensic image of the current-state computer. OSForensics has a nice step-by-step tutorial on how to do exactly this: http://www.osforensics.com/faqs-and-tutorials/identifying_uninstalled_software.html

Basically, the idea is to perform a "controlled" experiment to identify exactly what traces, in the registry for example, specific user activities such as browsing to a website using Firefox leave.

BTW full credit goes to the good folks at Passmark, not me, for suggesting and publishing this scientific testing methodology.



   
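Three things in this thread fit together on one piece of code: jaclaz's procedure (copy ntuser.dat, load the copy as a hive under HKLM, export it to a text .reg file), tracedf's pointer to TypedURLs as the key that gives a URL its context, and UnallocatedClusters' pristine-versus-after experiment. The script below is an added example written for this page; it is not code from the thread, from RegRipper, OSForensics or any other tool linked above. It works on the exported text only, so nothing touches a live registry. The two exports are constructed samples: the mount points HKLM\Base and HKLM\After are assumptions matching the load-hive step, and the ExampleVendor\ExampleBrowser key is hypothetical and claims nothing about what any real browser writes. One fact the thread does not mention is folded in: on Windows 8 and later, IE keeps a sibling key, TypedURLsTime, holding an 8-byte FILETIME per url name, which turns the typed-URL list into a timeline.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
# Constructed sample exports: a copied ntuser.dat loaded under HKLM\Base (pristine image) and
# HKLM\After (after the test activity). Real exports are UTF-16LE with a BOM; this is the decoded text.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Base\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.somesite.com/"
'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\After\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.com/"
"url2"="http://www.somesite.com/"

[HKEY_LOCAL_MACHINE\After\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,e8,7d,44,5e,25,d0,01
"url2"=hex:00,80,b9,e2,55,25,d0,01

[HKEY_LOCAL_MACHINE\After\Software\ExampleVendor\ExampleBrowser]
"InstallDir"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,00,00
'''
_KEY_RE = re.compile(r'^\[-?(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes backslash and quote with a backslash

def _decode(raw):
    """Text form of one value -> (registry type name, Python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', _unescape(raw[1:-1])
    m = re.match(r'^hex(?:\(([0-9a-f]+)\))?:(.*)$', raw, re.I)
    if not m:
        return 'UNKNOWN', raw                         # dword: and anything else
    kind = {None: 'REG_BINARY', '2': 'REG_EXPAND_SZ', '7': 'REG_MULTI_SZ'}.get(m.group(1))
    data = bytes.fromhex(re.sub(r'[,\s]', '', m.group(2)))
    if kind in ('REG_EXPAND_SZ', 'REG_MULTI_SZ'):
        return kind, data.decode('utf-16-le').rstrip('\x00')
    return kind or 'REG_TYPE_' + m.group(1), data

def parse_reg_export(text, mount=''):
    """regedit 5.00 export -> {key: {value name: (type, data)}}, `mount` (load point) stripped."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            if mount and current.lower().startswith(mount.lower() + '\\'):
                current = current[len(mount) + 1:]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue                                  # header, blank or comment line
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        while raw.endswith('\\') and i < len(lines):  # hex data continued on next line
            raw, i = raw[:-1] + lines[i].strip(), i + 1
        keys[current][name] = _decode(raw)
    return keys

def filetime_to_datetime(blob):
    """8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = struct.unpack('<Q', blob)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def typed_urls(keys):
    """[(key, name, url, datetime or None)] in MRU order (url1 is newest); the time comes
    from the sibling TypedURLsTime key (Windows 8 and later) when it exists."""
    rows = []
    for path, values in keys.items():
        if not path.lower().endswith(r'software\microsoft\internet explorer\typedurls'):
            continue
        times = keys.get(path + 'Time', {})
        for name, (_, url) in sorted(values.items(),
                                     key=lambda kv: int(re.sub(r'\D', '', kv[0]) or 0)):
            ft = times.get(name)
            when = filetime_to_datetime(ft[1]) if ft and ft[0] == 'REG_BINARY' and len(ft[1]) == 8 else None
            rows.append((path, name, url, when))
    return rows

def diff_exports(baseline, after):
    """Controlled experiment: which keys and values did the test activity add, remove or change?"""
    b = {(k, n): v for k, vals in baseline.items() for n, v in vals.items()}
    a = {(k, n): v for k, vals in after.items() for n, v in vals.items()}
    return {'new_keys': sorted(set(after) - set(baseline)),
            'deleted_keys': sorted(set(baseline) - set(after)),
            'new_values': sorted(k for k in a if k not in b),
            'deleted_values': sorted(k for k in b if k not in a),
            'changed_values': sorted(k for k in a if k in b and a[k] != b[k])}

if __name__ == '__main__':
    base = parse_reg_export(BASELINE, mount=r'HKEY_LOCAL_MACHINE\Base')
    after = parse_reg_export(AFTER, mount=r'HKEY_LOCAL_MACHINE\After')
    print(*typed_urls(after), *diff_exports(base, after).items(), sep='\n')
```

A real export is read with `open(path, encoding='utf-16')`, which swallows the BOM. Two points the sample hides: the `mount` argument matters because the two images will usually be loaded under different temporary names, and paths that still carry the load point never match; and two exports of the same box taken minutes apart will differ in plenty of places where Windows itself writes (MRU lists and the like), so the diff tells you what changed, not who changed it. That attribution is exactly what the pristine-then-one-action methodology, or Process Monitor watching the registry as the action happens, is for.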
Page 2 / 4