The registry is a navigational database of information related to the configuration of the system and its applications (past and present). It contains name:value tuples, organized in a key tree, somewhat similar to a file tree in a disk volume.
Yep ) , I have to repeat myself
Additionally, a hive file is (it depends on how you see it) either a database or a file system, so it is entirely possible (unless it has been - again it depends whether you see it as a database or as a file system - "compacted" or "defragged") that there is something that you can find analyzing the RAW file that wouldn't come up in the mentioned tools.
A hive is a database and at the same time it is a filesystem (with some striking similarities to NTFS, like permissions and softlinks or reparse points).
As a matter of fact there is (was) a filesystem driver for the Registry under Windows NT systems and there is a Linux project, hivexsh
http://libguestfs.org/hivexsh.1.html
that uses commands like cd, ls, and lsval to navigate the "filesystem tree".
jaclaz
I really think my skill level with all the different software and programs people are recommending to me would be too advanced for somebody like me, unfortunately (. And as you said, things can appear in the RAW file that wouldn't show up with previously mentioned programs, so even if I eventually figured it out, it wouldn't be certain I find what I'm looking for.
So as for the question I bumped on the last page, I take it none of you guys would be able to identify what program wrote them into the ntuser.dat just from the text I copied and pasted? Not even any hints about whether it was a browser or a toolbar or some other thing? I figured it was a long shot at best, but anything would be better than nothing.
Thanks again
I was looking through an offline ntuser.dat file when I came across some random search terms lumped together. I have absolutely no idea how to determine what application was used with these searches, […]
Then you better learn. Get a decent book that explains what the registry is. Myself, I recommend Jerry Honeycutt's book, but there are other possibilities. (That recommendation assumes you do want to learn.)
… so I figured I'd just copy and paste it and see if anybody here would be able to look at it and determine what wrote it there.
Yes, you do need to learn about registry.
The registry is a navigational database of information related to the configuration of the system and its applications (past and present). It contains name:value tuples, organized in a key tree, somewhat similar to a file tree in a disk volume. The interpretation of a particular name:value tuple depends to great extent on the path where it is located. There are reasonably few givens here: an application can create its own paths for the data it needs to keep around. But it needn't document them, or register them or anything like that. Nor does it need to retain the same meaning of a configuration. That may mean that registry analysis depends very much on the versions of the software that created and used the keys and name:values that are of interest.
Exaggerating a bit, your question is somewhat similar to 'I've found these terms somewhere in an image of a hard disk. Can anyone tell me what program wrote them?'
In fact, the similarities extend to the notion of unallocated blocks. The registry files contain deleted data, just as a disk image contains deleted data. Analysis will be just as difficult as tracing an unallocated block to the file it once was part of.
In this particular case, it sounds as if the RegFileExport tool from Nirsoft might be useful. You'll get a text file of all active contents in the registry file, and you can search that for the terms you have found. The path at which they are found may give you additional information – at the very least, you will be able to ask if anyone is familiar with that particular path, what application(s) that use it, and to what purpose. (Other tools may give you similar means of doing the same thing.)
However, tools won't help you understand. Again, get a decent book on Windows registry analysis.
Let's just forget about me trying to understand it for right now. I really just want to know exactly what put them there for my own reasons.
So this RegFileExport tool, is a non-experienced person like myself going to be able to figure this out relatively easy? If you could post a brief step-by-step, that would be helpful. If not, I suppose I could try figuring it out on my own if it isn't complicated. ( I have no forensic training or background at all, but you probably could tell that 😉 )
So this RegFileExport tool, is a non-experienced person like myself going to be able to figure this out relatively easy?
It needs Windows. It needs the NTUSER.DAT file from the target computer as a file on your lab system. Let's assume you have both in your current directory, and that you have a command line window open in that directory.
Then, just give the console command:
RegFileExport NTUSER.DAT ntuser.txt
And then you have all (? not verified that) basic information data in the registry file (NTUSER.DAT) in textual, and relatively easy to read format in the ntuser.txt file.
Next, use your favourite text file editor to search through that for the keywords you identified. It may appear in a structure similar to this:
[The registry key, whatever it may be called]
"name"="value"
"another name"="string containing your search keys"
"a third name"="2"
In which case the registry key and the 'another name' will form the basis for further investigation.
They may be well known, in which case you may find them by googling or by asking us again.
I think I'll bite 😯.
The snippet you posted makes NO SENSE whatsoever, without the binary data and the context, the exact path inside the hive (if available), the installed (or not installed) tools/programs, the general Internet history and cache analysis, and a full system timeline.
Anyway, just get the recommended tool:
http://www.nirsoft.net/utils/registry_file_offline_export.html
And run it on that NTuser.dat.
Can you find in the (readable as plain text BUT missing a number of details) output the parts you posted the snippet of?
If yes, then that data is "viewable", i.e. it is not in the deleted/unindexed areas of the NTuser.dat.
If it is not, then it is in those areas.
Other tools should be run to find more data, including the date the entry was modified, etc., some suggestions were given here:
http://www.forensicfocus.com/Forums/viewtopic/p=6583260/#6583260
but more generally the more tools you throw at something the more probabilities you have to get all possible interpretations of the data.
Just do it!
But you are having anyway IMHO a (normal for a newcomer, don't worry) "wrong" view on the way it works.
You seem to believe that there is a one to one correspondence between action and reaction, you find *something* and there is one and only one action that caused the something, but this is not the case and - worse than that - very often you don't have the "whole" effect to analyse, but only a part of it.
Examining a system implies a number of assumptions and hypotheses, based on the analysis of the overall data that can be found on the system.
It is not much different from a medical diagnosis.
A doctor would visit you, examine the results of a number of analyses, take into account your age, weight, sex, looks and what not and only then he/she will provide a (hopefully correct) diagnosis.
What he/she tells you is a hypothesis based on several, concurrent observations leading to a same possible cause of the symptoms.
An Operating System is a complex assembly, though there are a few "direct correlations" between the behaviour of a given program (or a given user activity) and its effects, it is often not as straightforward as that.
You need to take a more holistic view on the matter, if you want to get in the end something that - besides making some sense - has some relevant probability of representing what happened.
The snippet you posted has some key names/values that are typical of:
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Graphics Filters\Import\BMP
The reference to Google Chrome and/or (presumably) visited URLs and/or (presumably) typed search terms might mean that those are in a non indexed area physically near the above key in the file dump, there could be several reasons why that happened, it is impossible to say anything more without the rest of the data and a timeline.
Example questions:
1) are those keys connected with an install of MS Office?
2) if yes, is MS Office installed to the system?
3) if yes, when was Office installed?
4) when was the user (and thus the NTuser.dat) created?
5) do those "Google Chrome" references belong to unallocated space within the NTuser.dat file re-used by the install of Office?
6) etc. ….
jaclaz
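One way to carry out the two checks described above (search the text export for the terms, as athulin suggests, and then compare with what a plain byte search over the raw NTUSER.DAT turns up, as jaclaz suggests), as an added example written for this thread. It is not code from either poster or from Nirsoft. It assumes the export uses the [key] / "name"="value" layout shown above (.reg syntax) and runs on constructed sample data: a tiny fake export and a fake hive blob in which one string exists only outside any exported value. The key paths, value names and search terms in the samples are made up.

```python
"""Search a .reg-style text export and the raw hive bytes for keywords, and
report whether each term is in an active (exported) value or only in the raw
file. Constructed sample data; not from a real system."""
import re
from collections import defaultdict

# Constructed sample export in the [key] / "name"="value" layout (hypothetical
# key paths and values).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"name"="value"
"another name"="visited kayak rentals, cheap flights"
"a third name"="2"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Recent]
"MRU0"="kayak rentals"
'''

# Constructed bytes standing in for a hive: one string that the export also
# shows, plus a leftover UTF-16LE string that no exported value contains
# (the kind of thing that sits in deleted or unindexed areas of the file).
SAMPLE_HIVE = (
    b"regf" + b"\x00" * 28
    + "kayak rentals".encode("utf-16-le")
    + b"\x00" * 16
    + "old search term".encode("utf-16-le")   # present only in the raw bytes
    + b"\x00" * 8
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg-style export.
    String values are unquoted; dword:/hex: data is kept as its raw token.
    Hex continuation lines (trailing backslash) are not joined here."""
    tree = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            tree[current][m.group(1)] = m.group(2)
            continue
        m = DEFAULT_RE.match(line)
        if m:
            tree[current]["(Default)"] = m.group(1)
            continue
        if "=" in line:  # dword:/hex: values: keep the raw data token
            name, _, data = line.partition("=")
            tree[current][name.strip('"')] = data
    return dict(tree)


def find_in_export(tree, keywords):
    """Map each keyword to the (key path, value name) pairs whose data contain it
    (case-insensitive)."""
    hits = {kw: [] for kw in keywords}
    for key, values in tree.items():
        for name, data in values.items():
            for kw in keywords:
                if kw.lower() in data.lower():
                    hits[kw].append((key, name))
    return hits


def find_in_raw(blob, keywords):
    """Count occurrences of each (ASCII) keyword in the raw file as UTF-16LE,
    which is how REG_SZ data is stored, and as ASCII. This is a plain byte
    search: it ignores hive structure and says nothing about which key, if
    any, the bytes belong to."""
    lowered = blob.lower()
    return {
        kw: lowered.count(kw.lower().encode("utf-16-le"))
        + lowered.count(kw.lower().encode("ascii"))
        for kw in keywords
    }


def classify(export_text, hive_bytes, keywords):
    """'active' if the export shows the term under some key, 'raw-only' if the
    bytes are in the file but in no exported value (deleted/unindexed data is
    one common reason), 'absent' if neither."""
    in_export = find_in_export(parse_reg_export(export_text), keywords)
    in_raw = find_in_raw(hive_bytes, keywords)
    result = {}
    for kw in keywords:
        if in_export[kw]:
            result[kw] = ("active", in_export[kw])
        elif in_raw[kw]:
            result[kw] = ("raw-only", in_raw[kw])
        else:
            result[kw] = ("absent", 0)
    return result


if __name__ == "__main__":
    terms = ["kayak rentals", "old search term", "nothing"]
    for kw, (where, detail) in classify(SAMPLE_EXPORT, SAMPLE_HIVE, terms).items():
        print(f"{kw!r}: {where} {detail}")
```

For a real case, read the ntuser.txt produced by the export tool and the NTUSER.DAT itself and pass them in place of the samples. A term reported as raw-only only tells you the bytes are in the file and not in an active value; it does not tell you which key they belonged to or which program wrote them, which is exactly the context and timeline jaclaz says is missing. A term stored as REG_BINARY would be caught by the raw scan but not by the string match on the export.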
I kind of brushed off the URLs under Chrome as just a coincidence because I thought Chrome didn't write anything into the ntuser.dat file. But it is possible those URLs were from Chrome? Or is it more likely that those Chrome references just ended up near there by fluke with this unallocated space usage? I mean, I remember those two URLs in Explorer when I was looking at that history, so it could have been from that, and just happened to be near Google Chrome stuff in the RAW file.
I really feel overwhelmed trying to make sense of this. I'm going to give these programs a try hopefully tm night when I have more free time. Thanks for the advice guys, I'll probably be back to ask more ridiculous questions afterward.