Registry Data for Forensics, Incident Response, Pentest and Pivot – Part 2



Description of Keys

The Windows operating system provides a common feature that helps applications track which content (e.g. files) was most recently requested from within the application. This is referred to as Most Recently Used, abbreviated MRU. Most of this tracking information is stored in the Windows registry hives under key names that contain the acronym MRU.

When using the Windows operating system, opening and saving content on the file system is normally done through the dialogue boxes provided by the Common Dialog library, Comdlg32.dll. When this feature is used to open or save files, the library also records MRU details in the registry under the OpenSaveMRU key.

Comdlg32.dll maintains the details of the files that were opened or saved through its common dialogue feature under a sub key named “*”. Within the OpenSaveMRU sub keys, the MRU values are held under alphabetic key names (i.e. a, b, c, d, e, ...), and the key name holding the oldest MRU entry (i.e. the entry that has not been used recently) is reassigned to any new MRU value that needs to be recorded. The order of last use is maintained under the key name MRUList, with the most recently used entry's key name first in the value, followed directly by the next most recently used, without any delimiters (e.g. “jadefg” indicates that the MRU under key name “j” was most recently used, followed by the MRU held under key name “a”, and so on).

Comdlg32.dll also maintains separate sub keys of MRU lists based on the file extension of the content accessed through the Open and Save As dialogue boxes. Therefore, you may find additional and older file MRUs for files such as *.zip, *.mpg, etc. under the extension-specific sub keys.

Windows 7 changes
Under Windows 7 (which probably means Vista also), the key name appears to have changed to OpenSavePidlMRU. Also, the key names are now numeric.

Of note, software developers can set a flag in their applications so that MRU information is not recorded by Comdlg32.dll in the registry hive under the OpenSaveMRU key. Also, the MRU feature of Comdlg32.dll can be disabled by policy by setting the key

       HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32\NoFileMRU = 1

(a value of 0 will enable it again)

FIRPP details

Forensics: The OpenSaveMRU offers a fantastic means for forensic investigators to determine what end users may have opened and saved recently, and where they may have saved that content, even if it has since been deleted from the file system. You can also build a timeline of usage by analysing the LastWrite timestamp on the MRU keys to determine when a file was last used via this mechanism.
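As an added example (not code from the original post), the following Python decodes an OpenSaveMRU key in the layout described above: it follows the MRUList string to recover most-to-least-recent order, orders the sub keys by LastWrite for the timeline, and lists the UNC shares the entries reference. The SAMPLE_OPENSAVEMRU dictionary and its paths are constructed sample data standing in for what a hive-parsing tool would return; no real hive is read.

```python
from datetime import datetime, timezone

# Constructed sample (not a real hive) of OpenSaveMRU as a hive parser might
# expose it: alphabetic names, the MRUList string, the key's LastWrite (UTC).
SAMPLE_OPENSAVEMRU = {
    "*": {
        "MRUList": "jadb",
        "values": {
            "a": r"C:\Users\alice\Documents\budget.xlsx",
            "b": r"\\fileserver01\finance\q3-report.docx",
            "c": r"C:\Temp\orphan.txt",  # deliberately absent from MRUList
            "d": r"C:\Users\alice\Downloads\setup.zip",
            "j": r"\\fileserver01\finance\payroll.xlsx",
        },
        "LastWrite": datetime(2011, 3, 2, 14, 5, tzinfo=timezone.utc),
    },
    "exe": {
        "MRUList": "a",
        "values": {"a": r"\\fileserver01\public\tool_cracked.exe"},
        "LastWrite": datetime(2011, 3, 1, 9, 30, tzinfo=timezone.utc),
    },
}

def mru_order(subkey):
    """Paths from most to least recently used, following MRUList. Letters with
    no matching name are skipped; names absent from MRUList are appended last."""
    values = subkey["values"]
    listed = subkey["MRUList"].lower()
    ordered = [values[c] for c in listed if c in values]
    orphans = [values[n] for n in sorted(values) if n not in listed]
    return ordered + orphans

def timeline(opensavemru):
    """Sub keys newest first by LastWrite, each with its most recent entry.
    LastWrite dates the last change to the key, not every entry in it."""
    rows = []
    for name, subkey in opensavemru.items():
        order = mru_order(subkey)
        rows.append((subkey["LastWrite"], name, order[0] if order else None))
    return sorted(rows, reverse=True)

def unc_shares(opensavemru):
    """Distinct UNC share roots (server and share) referenced by any entry."""
    shares = set()
    for subkey in opensavemru.values():
        for path in subkey["values"].values():
            parts = path.split("\\")
            if path.startswith("\\\\") and len(parts) >= 4:
                shares.add("\\\\" + parts[2] + "\\" + parts[3])
    return sorted(shares)
```

Entries whose letter is missing from MRUList are kept at the end of the list rather than dropped, since a privacy tool or manual edit may rewrite MRUList without removing the values themselves.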

While many end users are careful to cover their tracks by deleting files and perhaps clearing the Explorer history database, few are aware of the tracking information recorded in the registry hives. If you find that an end user has used a “history clearing/privacy” application (which is likely to remove the MRU information), do not forget to look at the registry hive snapshots recorded under the System Volume store. Most applications of this sort will not go to the length of scrubbing the snapshot hives.

Incident Response: Similar to its benefits for forensics, the OpenSaveMRU can provide an incident responder with supporting evidence of historic use that may back the theory of events the responder is working under. Of even more value, it may provide additional clues that give the responder an alternative theory of events, and therefore allow quicker remediation of the incident (i.e. an end user claims not to have installed any new software, but the *.exe sub key MRU shows a suspicious cracked executable was run). The file locations recorded in the MRUs may also help an incident responder if it is found that a file share was accessed which the “normal” end user did not use.

Pentest: The value of the OpenSaveMRU for the penetration tester (or Capture the Flag contestant) is that it offers clues to potentially important directories and network shares that may contain sensitive information. Also, as network shares are recorded in the MRUs, it offers infrastructure intelligence to the penetration tester as to what other systems may exist on the network, and what roles those systems play for the organisation.

Pivot: The OpenSaveMRU values do store network file share information. Therefore, this data can be used as a basis to social engineer others into executing applications from a seemingly safe location (i.e. an internal file share). This can be especially nasty with Metasploit's new capability to encode Meterpreter into an existing application without breaking the functionality of that application. The OpenSaveMRU values can also be used to provide target information to determine whether network shares are vulnerable, and therefore available for further pivoting.


LINKS – NoMRU Policy
