
Recents problem

(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Win7 Enterprise SP1 system, the objective is to determine whether any files were accessed on external media, and if so to try and identify the media.

I have an image, viewing in FTK (and Imager), when I look in here…
C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent

…there is an empty AutomaticDestinations folder, a populated CustomDestinations folder, and no LNK files.

There are LNK files in C:\Users\username\AppData\Roaming\Microsoft\Office\Recent

There are 7 Volume Shadow copies, they all exhibit the same symptoms except the number of LNK files in the Office\Recent folder varies from 34 to 42; some of the Office\Recent LNK files in the Image post-date the earliest VSC by up to 15 days, in fact one of them post-dates 5 of the 7 VSCs.

It appears as if all "regular" artefacts are present e.g. setupapi.dev.log, USB keys in registry, event logs.

I found on http://best-windows.vlaurie.com/clean-recent-documents.html instructions on how to "Automatically Clear Recent Documents at Logoff in Windows Vista and Windows 7" (I haven't checked on my own system whether this works, but there is no such key on the suspect system in current hives or in VSCs).

UserAssist on the Image and VSCs shows no untoward applications being run as far as I can see, I haven't parsed Prefetch yet.

Manually accessing and deleting AutomaticDestinations is AFAIK non-trivial for bog-standard users, deleting LNK files in Recents is easy enough.

Would appreciate any comments/suggestions as to how to explain this scenario i.e. the empty AutomaticDestinations in the Image and all VSCs

Cheers

 
Posted : 12/03/2015 4:17 pm
(@twjolson)
Posts: 417
Honorable Member
 

You have a theory (Clean recent documents), so test it.

Would you rather go into court and say I tested this, and it was consistent with what I say on the subject system? Or would you rather go into court and say some guy I don't know on the internet told me this is what happened?

Terry

 
Posted : 12/03/2015 11:02 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

If I were you I would recover all of the LNK files from the unallocated clusters, because maybe they had been created by Windows and deleted, as spool files do: all successfully printed files are allocated in unallocated clusters.

 
Posted : 12/03/2015 11:10 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

You have a theory (Clean recent documents), so test it.

Would you rather go into court and say I tested this, and it was consistent with what I say on the subject system? Or would you rather go into court and say some guy I don't know on the internet told me this is what happened?

Terry

Sorry am not quite with you, maybe I misunderstood. There is no such key in the current image or in any of the VSCs, so testing it doesn't prove that this suspect did or did not implement it - just proves I couldn't see any sign of it?

If I saw the key then I would test to see if I could reproduce similar results. Hope that makes sense?

 
Posted : 13/03/2015 1:57 am
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

OK so out of interest I tested the theory.

Creating a value ClearRecentDocsOnExit in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer with a value of one seems to do the trick

Re-start and there are no LNK files in the root of C:\users\name\appdata\roaming\microsoft\recent and no *automaticdestinations-ms in the AutomaticDestinations sub-folder.

Worked every time.

But all the previously-extant LNK and *automaticdestinations-ms files appeared in FTK Imager with the red cross through them, which is not mirrored in the image.

So I'm still trying to work out how it's possible to have what seems to be completely virgin folders
C:\users\name\appdata\roaming\microsoft\recent
C:\users\name\appdata\roaming\microsoft\recent\AutomaticDestinations

Not even a $I30 file

Bearing in mind we have plentiful MRUs for Office and apparently good-to-go UserAssist and Prefetch

Oh and I processed the image in Field Mode in FTK and there are no deleted LNK files that I should know about

Anyone?

 
Posted : 13/03/2015 8:29 pm
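The check the poster is doing by hand across the image and the seven VSCs (count the shell-level artefacts in Windows\Recent and AutomaticDestinations, compare them with the application-level Office\Recent LNK files, and see whether every volume shows the same picture) can be scripted against mounted copies. The following is an added example, not code from the thread or from any tool named in it. It assumes each volume (the image and each VSC) is mounted or exported as a directory that contains `Users\<name>`, uses the Windows 7 profile paths given in the thread, and builds a constructed sample profile (the user `jdoe`, made-up jump-list file names) so it runs offline.

```python
"""Inventory Windows 7 'Recent' artefacts across an image and its VSC copies.

Added example. Assumes every volume is exposed as a directory holding Users\\<name>;
point `roots` in demo() at your own mount points instead of the constructed sample.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Paths relative to a user profile (Users\<name>), Win7 layout as given in the thread.
RECENT = os.path.join("AppData", "Roaming", "Microsoft", "Windows", "Recent")
OFFICE_RECENT = os.path.join("AppData", "Roaming", "Microsoft", "Office", "Recent")


@dataclass
class RecentInventory:
    """Counts of shell- and application-level recent-file artefacts for one volume."""
    volume: str
    shell_lnk: int = 0      # *.lnk directly in Windows\Recent
    auto_dest: int = 0      # *.automaticDestinations-ms (jump lists maintained by the shell)
    custom_dest: int = 0    # *.customDestinations-ms (jump lists written by applications)
    office_lnk: int = 0     # *.lnk in Office\Recent (written by Office itself)
    findings: list = field(default_factory=list)


def _count(dirpath, suffix):
    """Number of regular files in dirpath whose name ends with suffix (case-insensitive)."""
    if not os.path.isdir(dirpath):
        return 0
    suffix = suffix.lower()
    return sum(1 for n in os.listdir(dirpath)
               if n.lower().endswith(suffix) and os.path.isfile(os.path.join(dirpath, n)))


def inventory(volume_root, user, label=None):
    """Inventory one volume (the image or one VSC) mounted at volume_root."""
    profile = os.path.join(volume_root, "Users", user)
    recent = os.path.join(profile, RECENT)
    inv = RecentInventory(volume=label or volume_root)
    inv.shell_lnk = _count(recent, ".lnk")
    inv.auto_dest = _count(os.path.join(recent, "AutomaticDestinations"), ".automaticDestinations-ms")
    inv.custom_dest = _count(os.path.join(recent, "CustomDestinations"), ".customDestinations-ms")
    inv.office_lnk = _count(os.path.join(profile, OFFICE_RECENT), ".lnk")
    # The pattern described in the thread: application-level MRUs exist while the
    # shell-level ones (Recent\*.lnk and AutomaticDestinations) are completely absent.
    if inv.office_lnk and not (inv.shell_lnk or inv.auto_dest):
        inv.findings.append("Office\\Recent populated but shell Recent and AutomaticDestinations empty")
    if inv.custom_dest and not inv.auto_dest:
        inv.findings.append("CustomDestinations populated but AutomaticDestinations empty")
    return inv


def consistent_across_volumes(inventories):
    """True when every volume (image and all VSCs) shows the same set of findings."""
    return len({tuple(inv.findings) for inv in inventories}) <= 1


def build_sample(root, office_lnk=3):
    """Constructed sample profile reproducing the thread's symptoms (not real evidence)."""
    profile = os.path.join(root, "Users", "jdoe")
    recent = os.path.join(profile, RECENT)
    os.makedirs(os.path.join(recent, "AutomaticDestinations"))  # present but empty
    custom = os.path.join(recent, "CustomDestinations")
    os.makedirs(custom)
    for name in ("aaaa000011112222", "bbbb000033334444"):  # made-up AppID-style names
        open(os.path.join(custom, name + ".customDestinations-ms"), "wb").close()
    office = os.path.join(profile, OFFICE_RECENT)
    os.makedirs(office)
    for i in range(office_lnk):
        open(os.path.join(office, f"report{i}.docx.LNK"), "wb").close()
    return root


def demo(office_counts=(42, 34, 38)):
    """Build one constructed volume per count (stand-in for image + VSCs) and inventory each."""
    roots = [build_sample(tempfile.mkdtemp(), office_lnk=n) for n in office_counts]
    return [inventory(r, "jdoe", label=f"vol{i}") for i, r in enumerate(roots)]


if __name__ == "__main__":
    invs = demo()
    for inv in invs:
        print(inv)
    print("same symptoms on every volume:", consistent_across_volumes(invs))
```

Run it against real mounts by replacing `demo()` with one `inventory()` call per mount point; a volume whose findings differ from the rest is the one worth diffing first, since on the thread's system every VSC showed the same empty AutomaticDestinations while the Office\Recent count varied.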
zoltandfw
(@zoltandfw)
Posts: 27
Eminent Member
 

Since you mentioned - Win7 Enterprise SP1 system; is this a stand alone system or a client in managed client-server environment?

Also, what is the version of the application that you think should be listing items in the jump list? Since older applications can rely on the SHAddToRecentDocs() method to utilize the Recent folder, newer operating system features like the jump list might not have been implemented.

Look at the registry settings
HKCU\Software\Policies\Microsoft\Windows\Explorer\"NoPinningToDestinations"=

In the policy, most should be "Not Configured" by default; otherwise a custom policy is in place and the system is centrally managed or hardened for security or optimal performance, not a default installation.
gpedit.msc

User Configuration -> Administrative Templates -> Start Menu and Taskbar
"Do not allow pinning items in Jump Lists"

This policy setting allows you to control pinning items in Jump Lists.

If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.

If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the item is always present in this menu.

 
Posted : 13/03/2015 9:47 pm
(@twjolson)
Posts: 417
Honorable Member
 

OK so out of interest I tested the theory.

But all the previously-extant LNK and *automaticdestinations-ms files appeared in FTK Imager with the red cross through them, which is not mirrored in the image.

Please clarify? The deleted LNK files were found on the test system, which did have LNK files prior to flipping the switch in the Registry?

Terry

 
Posted : 14/03/2015 3:14 am
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Sorry, been recovering from minor op, no access to case files, hence delay in replying

Since you mentioned - Win7 Enterprise SP1 system; is this a stand alone system or a client in managed client-server environment?

Client in managed client-server. This is an internal investigation, as far as I am aware all our systems are configured the same

Also, what is the version of the application that you think should be listing items in the jump list? Since older applications can rely on the SHAddToRecentDocs() method to utilize the Recent folder, newer operating system features like the jump list might not have been implemented.

How relevant is this? Even .txt, .exe, folders should have something in AutomaticDestinations. For the record though, MS Office 2010 and Acrobat Reader X would be the ones I'd expect to see. As far as MS Office is concerned, I'd likely see separate JumpLists for doc & docx, and xls and xlsx

Look at the registry settings
HKCU\Software\Policies\Microsoft\Windows\Explorer\"NoPinningToDestinations"=

No such key

User Configuration -> Administrative Templates -> Start Menu and Taskbar
"Do not allow pinning items in Jump Lists"

Where is this to be found?

Long and short of it, GPOs do not disable JumpLists, they are present on every other system I have looked at, which is plenty

Please clarify? The deleted LNK files were found on the test system, which did have LNK files prior to flipping the switch in the Registry?

Correct. Whereas the Recents folder in the system under investigation is completely empty when viewed in FTK Imager

HTH

 
Posted : 23/03/2015 3:28 pm