Monday, August 3, 2015

More artifacts through PowerShell - Part 5

MS Office Trust Records.

When documents are downloaded from untrusted sources, a "trust" prompt is shown to the user when the user wants to edit the document. The full path of the document is saved under the below registry key when this happens.

Software\Microsoft\Office\*\PowerPoint\Security\Trusted Documents\TrustRecords (* should be replaced with the version of the MS Office installed in the system but for PowerShell gathering, we can still use the * as shown below:)

gp hkcu:'\Software\Microsoft\Office\*\Excel\Security\Trusted Documents\TrustRecords' | select * -ExcludeProperty PS*
gp hkcu:'\Software\Microsoft\Office\*\PowerPoint\Security\Trusted Documents\TrustRecords' | select * -ExcludeProperty PS*
gp hkcu:'\Software\Microsoft\Office\*\Word\Security\Trusted Documents\TrustRecords' | select * -ExcludeProperty PS*

Want to see all with one command?

gci -r hkcu:'\Software\Microsoft\Office\*\*\Security\Trusted Documents' | select -ExpandProperty Property

References:
http://blogs.technet.com/b/office2010/archive/2009/09/28/trusted-documents.aspx
http://forensicartifacts.com/2012/07/ntuser-trust-records/

Decrypting UserAssist key entries.

Forensic use of UserAssist keys are well known. It primarily stores information about actions the user took with the Shell; actions such as starting applications, double clicking shortcuts, etc. Entries in the UserAssist keys are ROT13 encrypted, the encrypted entries can be viewed by issuing the following one liner.


gp "hkcu:\Software\Microsoft\Windows\Currentversion\Explorer\Userassist\*\Count" | ft -auto -wrap

In order to decrypt the entries, we can use the function provided in this blog.

References:
http://forensicartifacts.com/2010/07/userassist/
http://blog.didierstevens.com/programs/userassist/

Chrome Local Storage entries.

Local storage in Chrome browser is part of HTML5 specification; it is designed to store persistent data (even after the browser is closed) local to the system such as the cookies. This is in SQLite format but can be accessed through PowerShell to get a rough idea about the web sites visited.

Here is the one liner for this:

dir $env:LOCALAPPDATA\'Google\Chrome\User Data\Default\Local Storage' | Sort-Object LastWriteTime -desc

Reference:
http://www.html5rocks.com/en/tutorials/offline/storage/