When we talk about application analysis methodology, we need to consider how user interactions are saved by applications. User interaction and settings can be recorded in ini files, proprietary configuration files, or most commonly in the registry. In order to start an analysis, we need to identify application behaviors by examining the application itself.
In this case, it was interesting to see that Paint.Net kept an icon representation of all open files in its tool bar.
As we can see in the image to the left, I have three images open where the cat's face is pasted into a separate file and viewing that file placed the yellow star on the active image.
The original image that will be manipulated with the cat's face is also open.
Finally, the cat's face was pasted over the dog's face. The manipulated image also show up as an icon in the tool bar. Even though the image is low quality, it is clearly visible that our image was manipulated. Thus, finding the icon could tell us not just that the image exists on the drive, but also the image was opened in the application that is not just an image viewer, but an image editor.
At this point, we need to consider the possible storage places for these icons that were not generated by the user directly, but by the application as a "business record". After a few testing and analysis, we can determine the actual location of the configuration settings. In this case, it seems like the application stores user settings in the user's registry hive ntuser.dat ( HKEY_CURRENT_USER\Software\Paint.NET ).
As so many applications use the Most Recently Used ( MRU ) data, it was very interesting to see the MRU# where the # sign is an integer starting from 0. In this case, the highest value is 3 and it's file name same as teh file name of MRU2 where only the file extension changed. The file extension PDN is the default file extension for a newly created file. Now, the most important data value is the one that is associated to the MRU# data. It is MRU#Thumb that shows a clear relationship to MRU# because the # is identical. At this point, we need to know Base64 encoding and have a good pattern recognition for file signatures of common files. In some cases, we can just double click on the MRU#Thumb data to see its value, but in this case the value did not appear in the dialog box.
Therefore, the best way to extract the values were to export the whole Paint.NET key as text and extract the value from the resulted text file.
The result showed further pattern.
Value 72
Name: MRU3
Type: REG_SZ
Data: C:\Users\student\Pictures\Vizsla-12.pdn
Value 73
Name: MRU3Thumb
Type: REG_SZ
Data: iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAYAAAA6/NlyAAAAAXNSR0IArs4c6
QAAAARnQU1BAACxjwv8YQUAAAAJcEh
…
/YCBFgKDLIJ1iUcLDHdbj0MPYnxpr+bsZk8ESF2Y1CNDHDDpFTdw5mwsDNgFZTOi0n
wcBsAW+MFItsBR3cD1mziym26+FiTFvZZ69sC/m0C7f5ON1wcqTTM5ZHxaMYw9TPoufg9b0/xvP/7kGt//OP4v03JJcf5acyx2UAAAAASUVORK5CYII=
The ending equal sign is a telltale sign of a Base64 encoded data and iVBOR is a PNG file signature. Thus, if we decode the data, it will reveal the thumbnail image's PNG file header as show below.
‰PNG
Saving the resulting data as a png file, we can see the data that was recovered from a user's registry. We can recover not just one image, but multiple images that a user had open. In our case, this image was the last image MRU3Thumb where the recovered image is shown below.
The image is a low resolution image, but remember that we also know the location where this image was saved into and its file name. So, our investigation might not be done at this point, but now we have a visual clue to help us locate the full size image.
This blog was created to show how important it is to have an application analysis skill accompanied with pattern recognition since every application can save information that forensic tools are not able to handle by default.
