I just found the coolest tool, and had to tell everyone about it.
Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.
Is anybody drooling yet?
Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect's USB stick that you didn't get looked like? Read on!
The data is stored as binary blobs under the following registry keys:
- HKCU\Software\Microsoft\Windows\Shell\BagMRU
- HKCU\Software\Microsoft\Windows\Shell\Bags
- HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
- HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
Back in December of 2004, a guy named Michal Mutl of MiTeC, in collaboration with Allen S. Hay of the Northumbria Police, produced a program to interpret these values. The program was enhanced over the following year to do a number of other things such as:
- Decrypt ROT13 User Assist Keys
- Parse the Streams MRU
- Output the Access time of files or folders plus
the attributes of the files or folders contained within. - Mount the SAM file
- Display Installed Program Attributes.
- Handle exported Registry entries from the System Volume Information folder (Restore Points).
The program, Windows Registry Analyzer (WRA), was provided free of charge (per it's included license agreement) from MiTeC's web site until they were acquired by Paraben. After much dedicated searching (Google is your friend!) I found the last publicly released version (1.5.2) in the Internet archive at bibalex. I'd be unfair to Paraben if I didn't mention that they're now selling a descendent of this program, Registry Analyzer v1.0, for a nominal charge of $129.
Here's where I found the reference to the first of the mirrored copies that I ultimately discovered.
And here's a reference to where I read about this first (sorry to those who don't have Guidance forum access).
And another such reference
I was just about to give up on being able to easily provide complete details on how WRA works its magic decoding-fu. Once upon a time, this information was available here, but that's gone since Paraben acquired MiTeC. Just as I was about to upload this article, however, I thought to try feeding the above URL into the bibalex archive where I'd found the zip file. Isn't the Internet grand?
I'd repeat the salient bits here, but they run to several pages, and Allen Hay did a good job illustrating the explanation anyway, so check it out there.
I'd already submitted this article for review, but I pulled it back for revision when found some more cool bits that deserve mention. The tool and paper referenced above actually document some other registry keys as well:
- HKCU\Software\Microsoft\Windows\Currentversion\Explorer\StreamMRU
- HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Streams
These keys contain information similar to that found in ShellBags. Both ShellBags and StreamMRU also include a snapshot of file/folder MACtime data.
An even cooler facet of this is that Windows Restore Points archive copies of NTUSER.DAT which can be opened with this tool. So you can potentially browse through a significant amount of historical file/folder data. As there are a limited number of these entries (According to this page, by default there are 28 StreamMRUs and according to this page, there are 200 local folder bags entries and 200 network folder bags entries) these entries will cycle through, and different restore points may contain different data. There would appear to be some overlap in the functioning of these two registry mechanisms, but it's not clear to me how this is resolved.
Additionally, the Registry Analyzer tool decodes several other registry keys/values, including ProgramsCache (can't find a reference, sorry) and Userassist.
I also downloaded the demo of the current version from Paraben, and a cursory examination shows no significant differences from the free version.
If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.
John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
