Thursday, August 16, 2012

ISO 9660 - Structure Part 2

The file structure hangs off the Primary Volume Descriptor, which points to the Root Directory Record and to the Path Table.  Each Path Table Record in turn points to a directory's extent, and the Directory Records in that extent give the logical sector where the actual file content begins.  It is worth spending time on the date/time entry and digesting its structure; once you know what you are looking for, the pattern is easy to pick up in a hex dump.

For example, here the file name is "acrobat_installer.exe".  The file time shown in Windows is:
                         Monday, July 01, 2002 - 4:33:00 a.m.

Recording date and time bytes in the directory record: 66 07 01 05 21 00 F0
Year       = 1900 + 0x66 (102) = 2002
Month      = 0x07 = 7 (July)
Day        = 0x01 = 1
Hour       = 0x05 = 5
Minute     = 0x21 = 33
Second     = 0x00 = 0
GMT offset = 0xF0 = -16 (signed byte, in 15-minute units)

The GMT offset field runs from -48 (West) to +52 (East) in 15-minute units, i.e. UTC-12 through UTC+13, which is why it spans 25 hours rather than 24.
So an offset of -16 means -16/4 = -4 hours, UTC-4, which in July is Eastern Daylight Time (not EST, which is UTC-5).  In my experiments, it seems like some of the burning tools only record the GMT time with offset 00 without applying the actual offset.  I'm still researching why the recorded 5 a.m. at the -4 offset is displayed in Central Daylight Time (-5) as 4 a.m. instead of 5.  If you know it, let me know.

The logical size of the file is the both-endian double word at record offset 10; its little-endian copy is the first 4 bytes of that field: 0x009F3020 = 10,432,544 bytes.

To find the file contents, we only need the little-endian 4 bytes at record offset 2: 20 01 00 00 -> 0x00000120 -> 288.  Thus, we can jump to logical sector 288 to see the content of this file; with the usual 2048-byte logical block size that is byte offset 288 * 2048 = 589,824 in the image, and the file occupies the next 10,432,544 bytes.

Directory Records

length
in bytes contents
-------- ---------------------------------------------------------
1 R, the number of bytes in the record (which must be even)
1 0 [number of sectors in extended attribute record]
8 number of the first sector of file data or directory
(zero for an empty file), as a both endian double word
8 number of bytes of file data or length of directory,
excluding the extended attribute record,
as a both endian double word
1 number of years since 1900
1 month, where 1=January, 2=February, etc.
1 day of month, in the range from 1 to 31
1 hour, in the range from 0 to 23
1 minute, in the range from 0 to 59
1 second, in the range from 0 to 59
(for DOS this is always an even number)
1 offset from Greenwich Mean Time, in 15-minute intervals,
as a twos complement signed number, positive for time
zones east of Greenwich, and negative for time zones
west of Greenwich (DOS ignores this field)
1 flags, with bits as follows:
bit value
------ ------------------------------------------
0 (LS) 0 for a normal file, 1 for a hidden file
1 0 for a file, 1 for a directory
2 0 [1 for an associated file]
3 0 [1 for record format specified]
4 0 [1 for permissions specified]
5 0
6 0
7 (MS) 0 [1 if not the final record for the file]
1 0 [file unit size for an interleaved file]
1 0 [interleave gap size for an interleaved file]
4 1, as a both endian word [volume sequence number]
1 N, the identifier length
N identifier
P padding byte: if N is even, P = 1 and this field contains
a zero; if N is odd, P = 0 and this field is omitted
R-33-N-P unspecified field for system use; must contain an even
number of bytes
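The following Python is an added worked example (mine, not from the post) that parses a directory record laid out as in the table above and decodes the 7-byte recording time.  It checks that both halves of each both-endian field agree, which a hand-edited or corrupt record will fail, and it converts the recorded time to other zones.  Run on a record built from the acrobat_installer.exe values quoted earlier, it yields 05:33 at UTC-4, which is 09:33 UTC and therefore 04:33 on a machine whose clock is set to UTC-5; that is exactly the 4:33 a.m. Windows showed on a Central Daylight Time machine, so the displayed value is the recorded time with its offset byte honoured and then converted to the viewer's zone.  The record bytes are constructed from the values on this page; the ";1" version suffix on the name is an assumption.

```python
"""Parse an ISO 9660 directory record and decode its 7-byte recording time.

Offsets are 0-based from the start of the record, matching the
"offset 2" / "offset 10" used in the walk-through above.
"""
import struct
from datetime import datetime, timedelta, timezone


def both_endian_u32(rec: bytes, off: int) -> int:
    """Read an 8-byte both-endian double word (LE copy, then BE copy).

    A mastering tool always writes both copies; if they disagree the record
    has been corrupted or hand-edited, so refuse rather than trust one side.
    """
    le = struct.unpack_from("<I", rec, off)[0]
    be = struct.unpack_from(">I", rec, off + 4)[0]
    if le != be:
        raise ValueError(f"both-endian mismatch at offset {off}: {le:#x} != {be:#x}")
    return le


def decode_dir_datetime(b: bytes) -> datetime:
    """7-byte date: years since 1900, month, day, hour, minute, second,
    then a signed byte giving the offset from GMT in 15-minute units."""
    year, month, day, hour, minute, second = b[:6]
    quarter_hours = struct.unpack("b", b[6:7])[0]      # 0xF0 -> -16
    if not -48 <= quarter_hours <= 52:                  # UTC-12 .. UTC+13
        raise ValueError(f"GMT offset out of range: {quarter_hours}")
    tz = timezone(timedelta(minutes=15 * quarter_hours))
    return datetime(1900 + year, month, day, hour, minute, second, tzinfo=tz)


def parse_directory_record(rec: bytes) -> dict:
    length = rec[0]
    if length < 33 or length % 2 or len(rec) < length:
        raise ValueError("bad directory record length")
    name_len = rec[32]
    name = rec[33:33 + name_len].decode("ascii", errors="replace")
    flags = rec[25]
    return {
        "extent": both_endian_u32(rec, 2),     # first logical sector of the data
        "size": both_endian_u32(rec, 10),      # data length in bytes
        "recorded": decode_dir_datetime(rec[18:25]),
        "hidden": bool(flags & 0x01),
        "is_dir": bool(flags & 0x02),
        "volume_seq": struct.unpack_from("<H", rec, 28)[0],
        "name": name.split(";")[0],            # drop the ";1" version suffix
    }


def displayed_in(dt: datetime, utc_offset_hours: int) -> str:
    """What a viewer whose clock runs at the given UTC offset would show."""
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours))).isoformat()


def build_record(name: bytes, extent: int, size: int, date7: bytes, flags: int = 0) -> bytes:
    """Assemble a record the way a mastering tool would (constructed sample data)."""
    body = (bytes([0])                                          # ext. attribute length
            + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", size) + struct.pack(">I", size)
            + date7 + bytes([flags, 0, 0])                      # flags, unit size, gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)       # volume sequence number
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"                                         # pad so the length is even
    return bytes([len(body) + 1]) + body


# Constructed from the values quoted above: sector 288, 0x009F3020 bytes,
# recording time bytes 66 07 01 05 21 00 F0.
SAMPLE_RECORD = build_record(b"acrobat_installer.exe;1", 288, 0x009F3020,
                             bytes.fromhex("660701052100f0"))

if __name__ == "__main__":
    rec = parse_directory_record(SAMPLE_RECORD)
    print(rec["name"], rec["extent"], rec["size"], rec["recorded"].isoformat())
    print("as seen from UTC-5:", displayed_in(rec["recorded"], -5))
```

To use it on a real image, read the root directory extent named in the PVD (logical sector times 2048), then walk the extent record by record using the length byte at offset 0 until a zero-length record ends the sector.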
 
Path Table Record
 
 
length
in bytes contents
-------- ---------------------------------------------------------
1 N, the name length (or 1 for the root directory)
1 0 [number of sectors in extended attribute record]
4 number of the first sector in the directory, as a
double word
2 number of record for parent directory (or 1 for the root
directory), as a word; the first record is number 1,
the second record is number 2, etc.
N name (or 0 for the root directory)
0 or 1 padding byte: if N is odd, this field contains a zero; if
N is even, this field is omitted
 
Ref: http://alumnus.caltech.edu/~pje/iso9660.html

ISO9660 - Primary Volume Descriptor

CDs and DVDs might not be as popular these days as they used to be, but their structure is very interesting from a forensic point of view when someone is learning about data structures.  It is interesting how a value can be saved in both little-endian and big-endian formats to provide access regardless of the platform.  The date and time stamps are also not in the "standard" formats that we see in most forensic investigations of storage devices.  The application identifier might also be of use in investigations.

 


Byte Position  Field Name  Content
1 Volume Descriptor Type 1
2 - 6  Standard Identifier CD001
7  Volume Descriptor Version 1
8  Unused Field  (00) byte [17]
9 - 40  System Identifier  a-characters allowed [18]
41 - 72  Volume Identifier  d-characters allowed [19]
73 - 80  Unused Field  (00) bytes
81 - 88  Volume Space Size  Number of logical blocks in the Volume
89 - 120  Unused Field  (00) bytes
121 - 124  Volume Set Size  The assigned Volume Set size of the Volume
125 - 128  Volume Sequence Number  The ordinal number of the volume in the Volume Set
129 - 132  Logical Block Size  The size in bytes of a Logical Block
133 - 140  Path Table Size  Length in bytes of the path table
141 - 144  Location of Type L Path Table  Logical Block Number of first Block allocated to the Type L
Path Table, Type L meaning multiple byte numerical values are
recorded with least significant byte first.  This value is also
recorded with least significant byte first.
145 - 148  Location of Optional Type L Path Table 0 if Optional Path Table was not recorded, otherwise, Logical
Block Number of first Block allocated to the Optional Type L
Path Table.
149 - 152  Location of Type M Path Table  Logical Block Number of first Block allocated to the Type M
Path Table, Type M meaning multiple byte numerical values are
recorded with most significant byte first.  This value is also
recorded with most significant byte first.
153 - 156  Location of Optional Type M Path Table 0 if Optional Path Table was not recorded, otherwise, Logical
Block Number of first Block allocated to the Type M Path Table.
157 - 190  Directory record for Root Directory  This is the actual directory record for the top of the directory
structure.  See the section on directory records for the format of this data.
191 - 318  Volume Set Identifier  Name of the multiple volume set of which this volume is a
member.  d-characters allowed.
319 - 446  Publisher Identifier  Identifies who provided the actual data contained in the files.  a-characters allowed.
447 - 574  Data Preparer Identifier  Identifies who performed the actual creation of the current
volume. a-characters allowed.
575 - 702  Application Identifier  Identifies the specification of how the data in the files are
recorded.  For example, this field might contain SGML if the
files were recorded according to the Standard Generalized Markup
Language
703 - 739  Copyright File Identifier  Identifies the file in the root directory that contains the
copyright notice for this volume.  If there is no copyright file,
this field should contain all spaces (20).  Level 1 interchange
restrictions apply [20].
740 - 776  Abstract File Identifier  Identifies the file in the root directory that contains the abstract
statement for this volume.  If there is no abstract file, this
field should contain all spaces (20).  Level 1 interchange
restrictions apply.
777 - 813  Bibliographic File Identifier  Identifies the file in the root directory that contains
bibliographic records.  ISO-9660 does not specify the format of
these records.  If there is no bibliographic file, this field should
contain all spaces (20).  Level 1 interchange restrictions apply.
814 - 830  Volume Creation Date and Time  Date and time at which the volume was created.
Represented by seventeen bytes (this is the ASCII form, not the 7-byte
binary form used in directory records):
         1 - 4:   Year, four ASCII digits, 0001 to 9999
         5 - 6:   Month of the year, two ASCII digits, 01 to 12
         7 - 8:   Day of the month, two ASCII digits, 01 to 31
         9 - 10:  Hour of the day, two ASCII digits, 00 to 23
         11 - 12: Minute of the hour, two ASCII digits, 00 to 59
         13 - 14: Second of the minute, two ASCII digits, 00 to 59
         15 - 16: Hundredths of a second, two ASCII digits, 00 to 99
         17:      Offset from Greenwich Mean Time in number of 15 minute
                  intervals from -48 (West) to +52 (East), as a signed byte
All digits 0 with an offset of 0 means the date is not specified.
831 - 847  Volume Modification Date and Time  Date and time at which the volume was last modified.
Represented the same as the Volume Creation Date and Time
848 - 864  Volume Expiration Date and Time  Date and Time at which the information in the volume may be
considered obsolete.  Represented the same as the Volume
Creation Date and Time
865 - 881 Volume Effective Date and Time  Date and Time at which the information in the volume may be
used.  Represented the same as the Volume Creation Date and Time
882 File Structure Version 1
883 Reserved for future standardization (00)
884 - 1395  Application Use  This field is reserved for application use.  Its content is not
specified by ISO-9660.
1396 - 2048  Reserved for future standardization  All bytes must be set to (00).

[17] Numbers surrounded by parentheses () are hexadecimal numbers.
[18] a-characters are A-Z, 0-9, _, space, !, ", %, &, ', (, ), *, +, ,, -, ., /, :, ;, <, =, >, ?
     see ISO-9660:1988, Annex A, Table 15
[19] d-characters are A-Z, 0-9, _
     see ISO-9660:1988, Annex A, Table 14
[20] For a description of the level 1 interchange restrictions, see page <?>

Ref: "Introduction to ISO 9660", Disc Manufacturing, Inc., by Clayton Summers
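As an added example (mine, not code from the referenced document), this Python reads the Primary Volume Descriptor from sector 16 of a raw .iso, validates the CD001 signature, reads the fields listed above by their 1-based byte positions, insists that the little-endian and big-endian copies of each both-endian field agree, and decodes the 17-byte ASCII dates.  The sample descriptor is constructed inline with made-up identifiers; read_pvd() is the entry point for a real image file.

```python
"""Read and validate the ISO 9660 Primary Volume Descriptor (sector 16).

BP n in the table above is 1-based, so the field lives at index n-1.
"""
import struct
from datetime import datetime, timedelta, timezone

SECTOR_SIZE = 2048
PVD_SECTOR = 16                     # sectors 0-15 are the system area


def _both(fmt_le, fmt_be, buf, bp, width):
    """Both-endian field: LE copy at BP, BE copy immediately after. They must agree."""
    le = struct.unpack_from(fmt_le, buf, bp - 1)[0]
    be = struct.unpack_from(fmt_be, buf, bp - 1 + width)[0]
    if le != be:
        raise ValueError(f"both-endian mismatch at BP {bp}: {le:#x} != {be:#x}")
    return le


def _text(buf, bp, n):
    return buf[bp - 1:bp - 1 + n].decode("ascii", errors="replace").rstrip()


def decode_pvd_datetime(field: bytes):
    """17-byte form: YYYYMMDDHHMMSScc as ASCII digits, then a signed byte
    with the GMT offset in 15-minute units. All-zero digits mean 'not set'."""
    digits = field[:16].decode("ascii")
    if digits == "0" * 16:
        return None
    quarter_hours = struct.unpack("b", field[16:17])[0]
    tz = timezone(timedelta(minutes=15 * quarter_hours))
    return datetime(int(digits[0:4]), int(digits[4:6]), int(digits[6:8]),
                    int(digits[8:10]), int(digits[10:12]), int(digits[12:14]),
                    int(digits[14:16]) * 10000, tzinfo=tz)


def parse_pvd(desc: bytes) -> dict:
    if len(desc) != SECTOR_SIZE:
        raise ValueError("a volume descriptor is exactly one 2048-byte sector")
    if desc[0] != 1 or desc[1:6] != b"CD001" or desc[6] != 1:
        raise ValueError("not a primary volume descriptor")
    return {
        "system_id": _text(desc, 9, 32),
        "volume_id": _text(desc, 41, 32),
        "volume_space_size": _both("<I", ">I", desc, 81, 4),
        "volume_set_size": _both("<H", ">H", desc, 121, 2),
        "volume_seq": _both("<H", ">H", desc, 125, 2),
        "logical_block_size": _both("<H", ">H", desc, 129, 2),
        "path_table_size": _both("<I", ">I", desc, 133, 4),
        "l_path_table": struct.unpack_from("<I", desc, 140)[0],   # BP 141, LE only
        "m_path_table": struct.unpack_from(">I", desc, 148)[0],   # BP 149, BE only
        # BP 157-190 is the root directory record; its extent sits at record offset 2
        "root_extent": _both("<I", ">I", desc, 159, 4),
        "publisher": _text(desc, 319, 128),
        "data_preparer": _text(desc, 447, 128),
        "application": _text(desc, 575, 128),
        "created": decode_pvd_datetime(desc[813:830]),
        "modified": decode_pvd_datetime(desc[830:847]),
    }


def read_pvd(image_path: str) -> dict:
    """Entry point for a real image: skip the system area and parse sector 16."""
    with open(image_path, "rb") as f:
        f.seek(PVD_SECTOR * SECTOR_SIZE)
        return parse_pvd(f.read(SECTOR_SIZE))


def build_sample_pvd() -> bytes:
    """Constructed sample descriptor; every identifier in it is made up."""
    d = bytearray(SECTOR_SIZE)

    def put(bp, data):
        d[bp - 1:bp - 1 + len(data)] = data

    def both32(v):
        return struct.pack("<I", v) + struct.pack(">I", v)

    def both16(v):
        return struct.pack("<H", v) + struct.pack(">H", v)

    d[0], d[6] = 1, 1
    put(2, b"CD001")
    put(9, b"WIN32".ljust(32))
    put(41, b"TESTVOL".ljust(32))
    put(81, both32(5120))                       # 5120 blocks * 2048 = 10 MiB
    put(121, both16(1))
    put(125, both16(1))
    put(129, both16(2048))
    put(133, both32(10))
    put(141, struct.pack("<I", 18))
    put(149, struct.pack(">I", 19))
    root = (bytes([34, 0]) + both32(20) + both32(2048)
            + bytes([112, 7, 13, 12, 34, 56, 0xF0])   # 7-byte date: 2012-07-13 12:34:56 UTC-4
            + bytes([0x02, 0, 0]) + both16(1) + bytes([1, 0]))
    put(157, root)
    put(319, b"EXAMPLE PUBLISHER".ljust(128))
    put(447, b"EXAMPLE PREPARER".ljust(128))
    put(575, b"EXAMPLE BURNER 1.0".ljust(128))
    put(814, b"2012071312345600" + b"\xf0")      # created 2012-07-13 12:34:56.00, UTC-4
    put(831, b"0" * 16 + b"\x00")                # modified: not set
    d[881] = 1                                   # BP 882, file structure version
    return bytes(d)
```

A mismatch between the two endian copies is a cheap integrity check worth running on every descriptor and directory record you rely on: a mastering tool never writes them differently, so a disagreement means the image was edited or damaged after it was written.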
 

Saturday, August 4, 2012

Oracle VM VirtualBox

Abstract

Virtual machines are gaining corporate and home user acceptance in everyday computing environments.  Virtual machines are created easily or downloaded from the Internet as preconfigured operating systems (called appliances).  The preconfigured operating systems are in most cases Linux based, since Linux can be distributed for free, whereas proprietary operating systems cannot be without complying with licensing agreements.  In general, the host operating system (configured to run the virtual machine software) needs only hard drive space to hold the virtual hard drive of the guest operating system (the one running inside the virtual machine); in most cases this is a single file, but in some cases it can be divided into 2GB portions.  Besides the hard drive space, virtual machines need their own memory space that can't be shared with the host, so host machines need an extended amount of physical memory in order to host other (virtual) machines.  Virtual machines share the host hardware resources in such a fashion that they see their hardware as physical hardware.  Thus, virtual machines can operate just like any physical computer.  The way virtual machines are configured to interact with the physical machine's hardware is stored in configuration files.  Users create virtual machines using a wizard-like environment where they are asked to dedicate a portion of a physical device or to simulate a physical device via a hardware proxy that communicates between the physical device and the virtual environment.  Depending on these settings, computers can change their identity in network communication, where a single physical device can look like multiple devices communicating on the network.  In addition, virtual machines can run an operating system other than the host's; for example, a Microsoft Windows host can run a Linux guest.
Guest operating system support is vendor dependent, thus users need to select the virtual machine software that will support the guest operating system they intend to run.  Users can also create reference points (snapshots) where the state of the virtual machine is saved and can later be restored.  That is significant since all user data can be eliminated if a user decides to "roll back" the operating system to a previous state that contains no user activity.  This document examines multiple virtual machines' installed files, configuration files, and the user interaction of creating new virtual machines.

Summary

Major folder installed or files added

c:\Program Files\Oracle\VirtualBox
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
c:\Users\{UID}\.VirtualBox
c:\Windows\System32\DriverStore\FileRepository\
c:\Windows\System32\DRVSTORE
c:\Windows\Installer\

Link files

c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\License (English).lnk
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\Oracle VM VirtualBox.lnk
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (CHM, English).lnk
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (PDF, English).lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\License (English).lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\Oracle VM VirtualBox.lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (CHM, English).lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (PDF, English).lnk
c:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
c:\Users\{UID}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Oracle VM VirtualBox.lnk

Global Configuration and logs

c:\Users\{UID}\.VirtualBox\VBoxSVC.log
c:\Users\{UID}\.VirtualBox\VirtualBox.xml
c:\Users\{UID}\.VirtualBox\VirtualBox.xml-prev

Registry

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBox…
HKEY_CLASSES_ROOT\progId_VirtualBox.Shell. …
HKEY_CLASSES_ROOT\VirtualBox. …
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\SUN_VBOXNETFLTMP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VBOXDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{cac88484-7515-4c03-82e6-71a87abac361}\##?#ROOT#SUN_VBOXNETFLTMP
HKEY_CURRENT_USER\Software\Oracle\VirtualBox\Install
HKEY_CLASSES_ROOT\.hdd "(Default)"
HKEY_CLASSES_ROOT\.hdd "Content Type"
HKEY_CLASSES_ROOT\.ova "Content Type"
HKEY_CLASSES_ROOT\.ovf "Content Type"
HKEY_CLASSES_ROOT\.vbox "(Default)"
HKEY_CLASSES_ROOT\.vbox "Content Type"
HKEY_CLASSES_ROOT\.vbox-extpack "(Default)"
HKEY_CLASSES_ROOT\.vbox-extpack "Content Type"
HKEY_CLASSES_ROOT\.vdi "(Default)"
HKEY_CLASSES_ROOT\.vdi "Content Type"
HKEY_CLASSES_ROOT\.vhd "(Default)"
HKEY_CLASSES_ROOT\.vhd "Content Type"
HKEY_CLASSES_ROOT\.vmdk "Content Type"
HKEY_CLASSES_ROOT\Installer\Products\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxUSBMon

UserAssist

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count "P:\Hfref\Choyvp\Qrfxgbc\Benpyr IZ IveghnyObk.yax"
                                                                             // ROT-13 decoded - C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk"

C:\windows\prefetch

VBOXTESTOGL.EXE-93C3FDFA.pf
VIRTUALBOX.EXE-473C564D.pf
VBOXSVC.EXE-C578C37C.pf

Virtual Machine Specific Files

c:\Users\{UID}\VirtualBox VMs\{VMname}\{VMname}.vbox*
c:\Users\{UID}\VirtualBox VMs\{VMname}\{VMname}.vbox-prev
c:\Users\{UID}\VirtualBox VMs\{VMname}\{VMname}.vdi
c:\Users\{UID}\VirtualBox VMs\{VMname}\Logs\VBox.log
c:\Users\{UID}\VirtualBox VMs\{VMname}\Snapshots\{HardDisk uuid}.vdi    //*uuid from XML
c:\Users\{UID}\VirtualBox VMs\{VMname}\Snapshots\{Date}T{Time}-#########Z.sav

Signatures

VM specific

.vdi - <<< Oracle VM VirtualBox Disk Image >>>
.sav - VirtualBox SavedState V2.0                                 // preceded by a single 0x7F (DEL) byte as the first character of the file
.xml - <VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows"><Machine …


The image below shows that each virtual machine's XML settings store the MAC address of the virtual machine's network adapter, and if the virtual machine is set to bridge the network connection, the bridged network interface card is also listed.  Thus, the communication will be passed through the physical NIC, but the DHCP server and other network devices will see the virtual machine as another physical machine.  The virtual machine will receive a DHCP-assigned IP address, so the DHCP server will have log entries for the virtual machine's MAC address.
 
.log - VirtualBox (XP)COM Server 4.1.18 r78361 win.x86
.xml - <VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows"><Global> …

Global Settings Relevant (c:\Users\{UID}\.VirtualBox\VirtualBox.xml)

<ExtraDataItem name="GUI/RecentListCD" value="C:\helix.iso;"/>           //iso file assigned to CD/DVD
<ExtraDataItem name="GUI/ProxySettings" value="proxyEnabled,10.10.10.100,5000,authEnabled,testuser,testpassword"/>           //proxy settings; note that the proxy user name and password are stored in clear text
<MachineEntry uuid="{84396bae-3fdf-4830-b3ac-8c0a2861b6b6}" src="C:/Users/{UID}/VirtualBox VMs/VBox-test1-machine/VBox-test1-machine.vbox"/>                                       //list of virtual machines
<ExtraDataItem name="GUI/LastVMSelected" value="84396bae-3fdf-4830-b3ac-8c0a2861b6b6"/>
//from the list of virtual machine uuid, we can see what virtual machine was launched last
 <DHCPServer networkName="HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter" IPAddress="200.168.56.100" networkMask="255.255.255.0" lowerIP="200.168.56.101" upperIP="200.168.56.254" enabled="1"/>                                                                                     //DHCP settings
<SystemProperties defaultMachineFolder=" C:\Users\{UID}\VirtualBox VMs" defaultHardDiskFormat="VDI" VRDEAuthLibrary="VBoxAuth" webServiceAuthLibrary="VBoxAuth" LogHistoryCount="3"/>       //system defaults
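As an added example (mine, not VirtualBox's own code), this Python pulls the items above out of a VirtualBox.xml and identifies the file signatures listed earlier.  The XML is constructed from the elements quoted on this page; the nesting of those elements inside <Global> is an assumption, so the parser looks elements up by tag anywhere in the tree.  The positional layout of GUI/ProxySettings (enabled flag, host, port, auth flag, user, password) is inferred from the single sample above.

```python
"""Triage a VirtualBox global settings file and sniff VirtualBox file signatures."""
import xml.etree.ElementTree as ET

VB_NS = "http://www.innotek.de/VirtualBox-settings"

# Constructed sample assembled from the elements quoted above.
SAMPLE_XML = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows">
  <Global>
    <ExtraData>
      <ExtraDataItem name="GUI/RecentListCD" value="C:\\helix.iso;"/>
      <ExtraDataItem name="GUI/LastVMSelected" value="84396bae-3fdf-4830-b3ac-8c0a2861b6b6"/>
      <ExtraDataItem name="GUI/ProxySettings" value="proxyEnabled,10.10.10.100,5000,authEnabled,testuser,testpassword"/>
    </ExtraData>
    <MachineRegistry>
      <MachineEntry uuid="{84396bae-3fdf-4830-b3ac-8c0a2861b6b6}" src="C:/Users/{UID}/VirtualBox VMs/VBox-test1-machine/VBox-test1-machine.vbox"/>
    </MachineRegistry>
    <NetserviceRegistry>
      <DHCPServers>
        <DHCPServer networkName="HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter" IPAddress="200.168.56.100" networkMask="255.255.255.0" lowerIP="200.168.56.101" upperIP="200.168.56.254" enabled="1"/>
      </DHCPServers>
    </NetserviceRegistry>
    <SystemProperties defaultMachineFolder="C:\\Users\\{UID}\\VirtualBox VMs" defaultHardDiskFormat="VDI" LogHistoryCount="3"/>
  </Global>
</VirtualBox>
"""


def _tag(name: str) -> str:
    return f"{{{VB_NS}}}{name}"


def parse_proxy(value: str) -> dict:
    """GUI/ProxySettings, read positionally as in the sample above (assumption):
    proxyEnabled|proxyDisabled, host, port, authEnabled|authDisabled, user, password."""
    parts = value.split(",")
    return {
        "enabled": parts[0] == "proxyEnabled",
        "host": parts[1] if len(parts) > 1 else "",
        "port": int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else None,
        "auth": len(parts) > 3 and parts[3] == "authEnabled",
        "user": parts[4] if len(parts) > 4 else "",
        "password_present": len(parts) > 5 and parts[5] != "",   # never echo the secret
    }


def triage(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    extra = {e.get("name"): e.get("value", "") for e in root.iter(_tag("ExtraDataItem"))}
    machines = {e.get("uuid", "").strip("{}"): e.get("src")
                for e in root.iter(_tag("MachineEntry"))}
    last_uuid = extra.get("GUI/LastVMSelected", "").strip("{}")
    dhcp = [{k: s.get(k) for k in ("networkName", "IPAddress", "lowerIP", "upperIP", "enabled")}
            for s in root.iter(_tag("DHCPServer"))]
    sysprops = next(root.iter(_tag("SystemProperties")), None)
    return {
        "version": root.get("version"),
        "machines": machines,                                   # uuid -> .vbox path
        "last_vm": machines.get(last_uuid),                     # resolved from LastVMSelected
        "recent_cd": [p for p in extra.get("GUI/RecentListCD", "").split(";") if p],
        "proxy": parse_proxy(extra["GUI/ProxySettings"]) if "GUI/ProxySettings" in extra else None,
        "dhcp_servers": dhcp,
        "machine_folder": sysprops.get("defaultMachineFolder") if sysprops is not None else None,
    }


# Magics from the Signatures list above.
SIGNATURES = [
    (b"<<< Oracle VM VirtualBox Disk Image >>>", "VirtualBox disk image (.vdi)"),
    (b"\x7fVirtualBox SavedState V2.0", "VirtualBox saved state (.sav)"),
    (b'<VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings"',
     "VirtualBox settings XML (.vbox / VirtualBox.xml)"),
]


def identify_signature(head: bytes):
    """Match the first bytes of a file (an XML declaration may precede the root tag)."""
    for magic, label in SIGNATURES:
        if magic in head[:256]:
            return label
    return None
```

The proxy entry deserves a line in any report: VirtualBox keeps the proxy user name and password in clear text in a per-user file, so a copy of .VirtualBox\VirtualBox.xml is also a credential exposure.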
 

DHCP Lease Obtain Time Decode


Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D0A6FF00-EC55-4A29-8114-0037BAB929C0}
Class Name:             <NO CLASS>
Last Write Time:       7/13/2012 - 2:34 PM
Value 11
  Name:                    LeaseObtainedTime
  Type:                     REG_DWORD
  Data:            0x500066f3
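As an added example (mine, not part of the original post), the following Python parses the text export shown above and decodes LeaseObtainedTime.  The value is a 32-bit count of seconds since 1970-01-01 00:00 UTC (a Unix epoch time, not a FILETIME), so 0x500066f3 = 1,342,203,635 = 2012-07-13 18:20:35 UTC; what local time that corresponds to depends on the zone you convert it to, so keep it in UTC until the host's zone is established.  LeaseTerminatesTime in the same key uses the same encoding and is decoded by the same function, although it does not appear in the export above.

```python
"""Decode the per-interface DHCP lease timestamps Windows keeps under
Tcpip\\Parameters\\Interfaces, starting from regedit's 'Export as text' output."""
import re
from datetime import datetime, timedelta, timezone

# The export quoted above, reproduced as constructed sample input.
SAMPLE_EXPORT = """Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\{D0A6FF00-EC55-4A29-8114-0037BAB929C0}
Class Name:             <NO CLASS>
Last Write Time:       7/13/2012 - 2:34 PM
Value 11
  Name:                    LeaseObtainedTime
  Type:                     REG_DWORD
  Data:            0x500066f3
"""

_FIELD = re.compile(r"\s*(Key Name|Last Write Time|Name|Type|Data):\s*(.*)$")


def parse_regedit_text(text: str) -> dict:
    """Parse regedit's text export into {key, last_write, values: {name: (type, data)}}."""
    info = {"key": None, "last_write": None, "values": {}}
    name = rtype = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                      # 'Class Name', 'Value N' and blank lines
        field, val = m.group(1), m.group(2).strip()
        if field == "Key Name":
            info["key"] = val
        elif field == "Last Write Time":
            info["last_write"] = val      # printed in the exporting host's local time
        elif field == "Name":
            name = val
        elif field == "Type":
            rtype = val
        elif field == "Data" and name is not None:
            info["values"][name] = (rtype, val)
            name = rtype = None
    return info


def epoch_dword_to_utc(data: str) -> datetime:
    """REG_DWORD shown as hex ('0x500066f3') -> aware UTC datetime."""
    return datetime.fromtimestamp(int(data, 16), tz=timezone.utc)


def lease_times(text: str, display_offset_hours=None) -> dict:
    """Every REG_DWORD whose name ends in 'Time' (LeaseObtainedTime,
    LeaseTerminatesTime) decoded to an aware datetime, in UTC or, if an
    offset is given, shifted to that zone for comparison with the local
    Last Write Time that regedit prints."""
    info = parse_regedit_text(text)
    out = {}
    for vname, (rtype, data) in info["values"].items():
        if rtype == "REG_DWORD" and vname.endswith("Time"):
            dt = epoch_dword_to_utc(data)
            if display_offset_hours is not None:
                dt = dt.astimezone(timezone(timedelta(hours=display_offset_hours)))
            out[vname] = dt
    return out


if __name__ == "__main__":
    for name, when in lease_times(SAMPLE_EXPORT).items():
        print(name, when.isoformat())
```

If the host clock ran at UTC-4, 18:20:35 UTC is 2:20 PM on July 13, fourteen minutes before the key's 2:34 PM last write time shown above, which is consistent; but the export alone does not tell you the host's zone, so confirm it from the system's TimeZoneInformation key before reporting a local time.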


Monitor Registry Changes



Microsoft made the registry the central configuration store in Windows 95, to accommodate the growing number of application and system settings that had been kept in INI files before then.  Instead of a slow sequential search through text files, the registry provides a fast and robust database for configuration settings.  Applications store their configuration in configuration files, in INI files, or, in most cases, in the registry.  Understanding and monitoring the registry is a crucial skill in digital forensics, both to validate findings and to research application behavior.  In this paper, we examine the process of searching for data and monitoring the results to locate artifacts that can identify whether a user searched for keywords in the past and in what order.  Knowing the structure of the registry and the concept of hives, we can predict that user-typed keywords will be kept per user; thus, if the keywords are saved in the registry, they will be saved in the user-specific ntuser.dat hive.  In this paper, we explore this assumption and show the process of locating answers to questions related to specific user activity on the Windows 7 Professional operating system.

Value Characteristics:             REG_BINARY values holding UTF-16LE (Unicode) strings
Registry Key:                      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Registry Hive:                     C:\Users\<UID>\ntuser.dat
Time of Last Search:               Last write time of the key \Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Search Order Determination:        MRUListEx data value (32-bit little-endian indexes, most recent first)
Maximum Values Before Overwritten: 100 (value names 0 to 99)
Relevance:                         User specific
Value Terminator:                  UTF-16LE NUL, 0x00 0x00
MRUListEx Terminator:              0xFF 0xFF 0xFF 0xFF

Example of Search History

The term searched last can be identified by its value name (index): if the keyword is already in the list, its existing index value is simply moved to the first position in MRUListEx.  If the keyword is not already in the list, a new value name (index) is created, one higher than the highest index in the list, and that index is placed first in MRUListEx.


Index (value name)     0     1     2     3     4     5     6     7     8
Data (search term)     zero  100   200   300   400   500   600   700   800

MRUListEx is a list of these index values, each stored as a 32-bit
little-endian integer, most recent search first:

Initial MRUListEx          8 7 6 5 4 3 2 1 0
Search for 400   ->        4 8 7 6 5 3 2 1 0
Search for 700   ->        7 4 8 6 5 3 2 1 0
Search for 200   ->        2 7 4 8 6 5 3 1 0

If a user types a keyword in Windows Explorer, Windows seems to remember previously used keywords and suggests them to the user, see image below.  That suggests that Windows keeps a list of previously used keywords somewhere.

Figure 1: Suggested keywords as the search term is typed

If the keywords were saved in the registry as plain strings, we could just do a simple keyword search in regedit and locate where Windows keeps them.  Unfortunately, that is not the case with these keywords.

Figure 2: Search registry for previously used keywords ( regedit )
If we search for these keywords, the result will be that these keywords are not located in the registry. 

Figure 3: Searching for keywords in the registry result in no "hits" at all

In order to minimize the irrelevant data captured by this process, we need to stop any unnecessary processes and applications.  Since the operating system starts tasks and updates on its own, and applications can have triggered events, we do not want to capture events that are not relevant to our test.  We cannot avoid capturing some irrelevant events, since the operating system needs to function and will make changes to the registry and file system without human interaction.  We can only minimize this data and use a heuristic approach to separate what is part of "normal" operating system operation from what is part of the tested procedure.  We can build procedures for a test platform as our baseline, to use as a testing machine and to create a scientific basis for all such tests.
In our case, we'll be using InCtrl5 (http://www.hiren.info/downloads/freeware-tools/page/8).  This application allows us to take a baseline snapshot of the operating system's registry and file system, perform our test, and compare the results to the original snapshot.  This way, we capture only our interaction with the operating system and the changes saved as a result.
Install InCtrl5 (on Windows 7 or higher, you might have to run it in compatibility mode).

Figure 4: Set compatibility mode for InCtrl5 executable

Run InCtrl5 as administrator to get access to the whole system and registry.
Run InCtrl5 and adjust the drive list it will monitor.  If you have the operating system on C:\ drive and the application will be installed onto the same drive, then only leave C:\ drive listed.

Figure 5: Remove drives from the list that will not be involved in the test procedures

Click GO! to take the baseline snapshot of the system.  InCtrl5 will perform the snapshot and then terminate.  After the application terminates, perform only the changes that you need to capture and nothing else, since any other activity will increase the "noise" in the captured data.

Figure 6: After the initial snapshot, the application terminates

Digital forensics is about recognizing patterns and building hypotheses based on those patterns.  So, when you type keywords to search for in Windows Explorer, type words that differ minimally, with the difference being consecutive ASCII values.  In this case, I have chosen text values in which a single digit increases consecutively.  The values typed in were exampleSearch1, exampleSearch2, exampleSearch3, exampleSearch4, exampleSearch5, and exampleSearch6.  We can see that Windows must be keeping these keywords in the order they were typed, from the latest to the earliest.


Figure 7: Typed keywords

After typing the keywords, we have to launch InCtrl5 again, but this time the interface will be different.  This time, we have to tell the application that we have completed our installation process.  Even though we have not installed anything, our interaction with Windows Explorer will be captured along with other events that happened while we typed our keywords.  Even if we have some "noise" in our capture, it will still be much less data to analyze than the entire registry.
Click on "Install complete" to finish the process.

Figure 8: After the user interaction, we have to take another snapshot and compare the results to the baseline

The results can be viewed as HTML, CSV, or text.  I like to use the HTML for initial review and searching.  Click on the HTM radio button and click Launch to open the report in your default browser. 

Figure 9: Report view options

This is where experience in pattern recognition comes in handy, but we can see the simple consecutive pattern emerging in the report.  I know, I selected digits as my consecutive variables and started with 1, where 1 is represented as 0x31 in hex.  Therefore, the pattern was easy to recognize as something to do with the keywords that were typed in.  We can see that we are looking at the HKEY_CURRENT_USER top-level key, which is user specific and backed by the ntuser.dat file of the currently logged-in user.


Figure 10: Registry pattern recognized in report

We can take the identified string and try to convert it to see if we can identify any more patterns.  Each byte of interest is followed by 00, which is how ASCII characters look in UTF-16LE (what Windows calls Unicode).  Using a quick search on the web, we can identify websites that can help us with this conversion.  The results might not be exact, but as you can see below, the keyword string is visible and we can see that we located our keywords.
65, 00, 78, 00, 61, 00, 6D, 00, 70, 00, 6C, 00, 65, 00, 53, 00, 65, 00, 61, 00, 72, 00, 63, 00, 68, 00, 36, 00, 00, 00

Figure 11: Converting Hex to ASCII

Another method is to use Notepad++ or any other text editor where we can replace the pattern ", 00," with ":" so that other conversion websites produce better looking results.

Figure 12: Use Notepad++ to identify pattern to replace

We can use the software to help us quickly replace the pattern without removing anything relevant to our message.

Figure 13: Global replace of pattern

The result might not be very clean, but we will only have format discrepancies at the end of the string that we can easily correct by hand.  This format will work better with tools to convert to ASCII format.

65:78:61:6D:70:6C:65:53:65:61:72:63:68:36

This time, the conversion will be cleaner without extensive extra work and the result is verifiable.

Figure 14: Clean conversion of Hex to ASCII

At this point, we can open the identified registry key and verify our findings by searching for more keywords and pressing F5 in regedit to refresh the screen.  We can see that we have located the correct subkey that keeps track of typed keywords, but it keeps the keywords as UTF-16LE strings inside REG_BINARY values, which the built-in regedit search feature does not match against.  Now we know why.
Figure 15: Registry Subkey is identified and verified in regedit

We can select the values and delete them for further verification and to learn about the MRUListEx data values.

Figure 16: Clear the registry subkey for further test

Since the identified subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery does not have any other subkeys, the last write time of this subkey tells us the last time the user searched for a keyword.  To see it, we can export the registry subkey as text, which includes the time stamp the subkey was last updated.

Figure 17: Export the registry subkey as "text" to reveal the time stamp the user last search for keyword

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Class Name:        <NO CLASS>
Last Write Time:   7/25/2012 - 12:37 PM

Further testing established that index values start at 0 and extend to 99; at that point the list rolls over and starts overwriting keywords at index 0.

Figure 18:  Index maximum 99 ( 100 values are listed and then the old values overwritten )


Process of order determination

MRUListEx shows 2,1,0 for values typed 1,2,3 where index 0=1, index 1=2, index 2=3. 


Typed 1 again, the MRUListEx changed to 0,2,1 or equivalent value list of 1,3,2, moving the value 1 to the front as the most recently searched value.


Typed 2 again, the MRUListEx changed to 1,0,2 or equivalent value list of 2,1,3  moving the value 2 to the front as the most recently searched value.


This is a "blind" example to see if the prediction can be verified.  In this case, MRUListEx shows the index list 4,7,6,5,3,..., therefore the last value searched was the value at name (index) 4, that is 34 00 35 00 00 00.  Decoding the UTF-16LE bytes shows that "45" was searched last.
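As an added example (my code, not part of the original post or any Microsoft tool), here is a small Python model of the key that decodes the UTF-16LE values and MRUListEx, replays the update rule from the tables above (an existing term keeps its index and moves to the front, a new term gets the next index, roll-over at 100), and resolves the blind example.  The sample values are constructed to match the post's tables rather than dumped from a registry; the roll-over handling follows the post's description rather than any Microsoft documentation.

```python
"""Model of Explorer's WordWheelQuery key as described above: numbered
REG_BINARY values holding one UTF-16LE, NUL-terminated search term each,
plus MRUListEx, an array of 32-bit little-endian value indexes ordered
most-recent-first and terminated by 0xFFFFFFFF."""
import struct

MRU_END = 0xFFFFFFFF
MAX_ENTRIES = 100          # value names run 0..99, then wrap and overwrite 0


def encode_term(term: str) -> bytes:
    return term.encode("utf-16-le") + b"\x00\x00"


def decode_term(data: bytes) -> str:
    return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def decode_mrulistex(data: bytes) -> list:
    """Indexes in MRU order, stopping at the 0xFFFFFFFF terminator."""
    count = len(data) // 4
    order = []
    for idx in struct.unpack(f"<{count}I", data[:count * 4]):
        if idx == MRU_END:
            break
        order.append(idx)
    return order


def encode_mrulistex(order) -> bytes:
    return struct.pack(f"<{len(order) + 1}I", *order, MRU_END)


class WordWheelQuery:
    def __init__(self, values: dict):
        """values: registry value name -> raw bytes, as exported from the key."""
        self.terms = {int(k): v for k, v in values.items() if k != "MRUListEx"}
        self.order = decode_mrulistex(values.get("MRUListEx", encode_mrulistex([])))
        self._next = (max(self.terms) + 1) % MAX_ENTRIES if self.terms else 0

    def history(self) -> list:
        """Search terms, most recent first, following MRUListEx."""
        return [decode_term(self.terms[i]) for i in self.order if i in self.terms]

    def last_searched(self):
        return self.history()[0] if self.order else None

    def search(self, term: str) -> int:
        """Apply the update rule observed above: an existing term keeps its
        index and moves to the front; a new term takes the next index,
        wrapping at 100 and overwriting whatever value held that index."""
        existing = [i for i, v in self.terms.items() if decode_term(v) == term]
        if existing:
            idx = existing[0]
        else:
            idx = self._next
            self._next = (idx + 1) % MAX_ENTRIES
            self.terms[idx] = encode_term(term)
        self.order = [idx] + [i for i in self.order if i != idx]
        return idx

    def export(self) -> dict:
        """Back to raw value bytes, e.g. to diff against a later export."""
        out = {str(i): v for i, v in self.terms.items()}
        out["MRUListEx"] = encode_mrulistex(self.order)
        return out


# Constructed sample matching the table above: indexes 0..8 hold zero, 100, ..., 800.
SAMPLE_VALUES = {str(i): encode_term(t) for i, t in
                 enumerate(["zero", "100", "200", "300", "400", "500", "600", "700", "800"])}
SAMPLE_VALUES["MRUListEx"] = encode_mrulistex([8, 7, 6, 5, 4, 3, 2, 1, 0])

if __name__ == "__main__":
    q = WordWheelQuery(SAMPLE_VALUES)
    for term in ("400", "700", "200"):
        q.search(term)
        print(term, "->", q.order)
    print("history:", q.history())
```

Because the value names are reused after roll-over, the index alone does not tell you how old a term is; only the position in MRUListEx does, and only the key's last write time tells you when the most recent search happened.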