
Part 6: USB Device Research – Open File Artifacts (LNK Files)

From the previous tests conducted, it has become apparent that for USB devices attached to a system, the transport protocol used by the device plays a role in the types of artifacts generated. This can also include the content and structure of those artifacts, as was seen with Shell BagMRU artifacts. In this post I will build from that realization one more time to show the differences between artifacts generated by opening files from an MSC device compared to an MTP device.

1.0 Test 3: Opening Files on a Device

The hypothesis entering this test was that, since files are accessed and presented to the user differently on MSC and MTP devices (due to differences in the transport protocol implementations), the operating system would also handle them differently, creating differences in the artifacts generated between devices using the two protocols.

1.0.1   Test 3: Additional Considerations

It should be noted that the types of files opened in this test were limited in scope and focused on document files. Also, the software used to open the files was either already provided by the Windows operating system or was a document viewer such as Microsoft Office Doc Viewer. Other file types, as well as variations in the software used to open a file that were not tested in the upcoming sections, may produce different artifacts than those presented here.

1.1 Scenario 1: Opening Files on an MSC Device in Windows 7

As MSC devices have been well researched and reported, I will not go into great detail in this section. Instead, the information presented here will be used to set up the discussion for MTP device artifacts resulting from opening files from USB devices.

To identify artifacts resulting from opening files on an MSC device, the testing environment consisted of a clean install of Windows 7 with Service Pack 1 running as a virtual machine in VMware. First, a device was inserted, the folder containing the files to be opened was navigated to, and initial reports were pulled from the system. Then, using Windows Explorer, all files were opened directly from the device. Finally, change comparison reports were captured, and pertinent files were copied and cataloged. See image 1.1.1 for the folder structure and file listing used in the scenario.

[Image 1.1.1: msc-folder-structure]

1.1.1 Example: Opening Files on an HTC Magic Smartphone Using MSC

In this section we will focus on the tests performed for one device; however, this test was performed on a number of MSC devices of varying types, and overall the tests produced fairly consistent results for all devices.

After opening the files listed in image 1.1.1 in the previous section, the change reports captured several LNK files and their locations that were created. Below is a listing of the locations where LNK files were created:

  1. C:\Users\Win7SP1\AppData\Roaming\Microsoft\Windows\Recent: Contains LNK files for all files opened directly from the device as well as a LNK file for the folder that contained the files opened.
  2. C:\Users\Win7SP1\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations: Jump List files.
  3. C:\Users\Win7SP1\AppData\Roaming\Microsoft\Office\Recent: Contains LNK files only for .doc and .xls files opened directly from the device, as well as a LNK file for the folder that contained the files opened. (Note: Microsoft Office Doc and Excel Viewer was used in testing to open the .doc and .xls files)

[Image 1.1.1.1: lnk-file-locations]

As is shown in image 1.1.1.1, a LNK file was created for every file opened from the MSC device. In addition, a LNK file was created for the folder on the device where the files were opened from.

For the above scenario, you can download the registry hives and LNK files here:

MSC-htc-magic-andrioid.zip

1.2 Scenario 2: Opening Files on an MTP Device in Windows 7

For MTP devices, the artifacts generated within Windows differ from those generated for MSC devices. Depending on the file type, or the application handling the file, Windows may or may not create LNK files. In addition, there are some caveats to what information is contained within some of the LNK files. For instance, if a Microsoft Office document is opened directly from an MTP device, a temporary folder is created within the directory C:\Users\<UserName>\AppData\Local\Temp\WPDNSE\{FolderGUID}\ (if not already present) and a copy of the opened file is placed within that folder. A LNK file also gets generated as a result of opening a .doc file; however, the LNK file points to the file copy located in the temporary folder within the WPDNSE directory, not to the location on the MTP device where the file was truly opened from.

To identify artifacts resulting from opening files on an MTP device, the testing environment consisted of a clean install of Windows 7 with Service Pack 1 running as a virtual machine in VMware. First, a device was inserted, the folders containing the files to be opened were navigated to, and initial reports were pulled from the system. Then, using Windows Explorer, all files were opened directly from the device. Finally, change comparison reports were captured, and pertinent files were copied and cataloged.

1.2.1 Example: Opening Files on a Samsung Galaxy S3 Smartphone Using MTP

For this example, a folder structure was created that consisted of two test folders on each storage area of the device. Each folder contained the files to be opened for the test. All files and folders were uniquely named in order to differentiate between the artifacts generated. See image 1.2.1.1 below for the folder structure and file listing used.

[Image 1.2.1.1: mtp-folder-structure]

Here is the sequence of events that occurred in this test:

  1. Opened file: Computer\SCH-I535\Card\Card_Test Folder 1\Card_Folder1-TestDOC.doc
  2. Opened file: Computer\SCH-I535\Card\Card_Test Folder 1\Card_Folder1-TestJPG.jpg
  3. Opened file: Computer\SCH-I535\Card\Card_Test Folder 1\Card_Folder1-TestPDF.pdf
  4. Opened file: Computer\SCH-I535\Card\Card_Test Folder 1\Card_Folder1-TestTXT.txt
  5. Opened file: Computer\SCH-I535\Card\Card_Test Folder 1\Card_Folder1-TestXLS.xls
  6. Opened file: Computer\SCH-I535\Card\Card_Test Folder 2\Card_Folder2-TestDOC.doc
  7. Opened file: Computer\SCH-I535\Card\Card_Test Folder 2\Card_Folder2-TestJPG.jpg
  8. Opened file: Computer\SCH-I535\Card\Card_Test Folder 2\Card_Folder2-TestPDF.pdf
  9. Opened file: Computer\SCH-I535\Card\Card_Test Folder 2\Card_Folder2-TestTXT.txt
  10. Opened file: Computer\SCH-I535\Card\Card_Test Folder 2\Card_Folder2-TestXLS.xls
  11. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 1\Phone_Folder1-TestDOC.doc
  12. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 1\Phone_Folder1-TestJPG.jpg
  13. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 1\Phone_Folder1-TestPDF.pdf
  14. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 1\Phone_Folder1-TestTXT.txt
  15. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 1\Phone_Folder1-TestXLS.xls
  16. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 2\Phone_Folder2-TestDOC.doc
  17. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 2\Phone_Folder2-TestJPG.jpg
  18. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 2\Phone_Folder2-TestPDF.pdf
  19. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 2\Phone_Folder2-TestTXT.txt
  20. Opened file: Computer\SCH-I535\Phone\Phone_Test Folder 2\Phone_Folder2-TestXLS.xls

1.2.2 Results of Scenario 2 Testing

For MTP devices, Windows does not treat all file types equally: as mentioned previously, depending on the file type or the application handling the file, different artifacts will be generated. To illustrate what this means for the files tested, the next sections are divided by file type, and the artifacts generated from opening each type of file are discussed.

DOC Files

It should be noted that Microsoft Doc Viewer was used to open these types of files. After opening all four .doc files from the folders previously noted on the device (and I repeat, from the device), two LNK files for each .doc file were created in the directory C:\Users\Win7SP1\AppData\Roaming\Microsoft\Office\Recent\:

  1. A LNK file pointing to the .doc file.
  2. A LNK file pointing to the folder where the .doc file is located.

[Image: LNK files created for the .doc files]

However, there is something interesting about the LNK files shown above. Normally, when a file is opened on a removable device, a LNK file is generated that points to the location of the file on the device. In the case of MTP devices, due to the nature of how files are accessed on a device using the MTP transport protocol, Windows first creates a copy of the file and places the copy in the temporary directory C:\Users\Win7SP1\AppData\Local\Temp\WPDNSE\{FolderGUID}\. Consequently, the LNK files created as a result of opening the .doc files point to the temporary folder, not to the MTP device. To see that this is the case, the output of running lp64.exe on the directory C:\Users\Win7SP1\AppData\Roaming\Microsoft\Office\Recent\*.lnk is shown in the image below:

[Image: office-recent (lp64.exe output)]

JPG Files

The .jpg files were the only files opened from the device that created a true LNK file pointing back to the device. Each file was double-clicked in Windows Explorer and viewed using Windows Photo Viewer. As a result, one LNK file for each .jpg file opened was created in the directory C:\Users\Win7SP1\AppData\Roaming\Microsoft\Recent\.

[Image: LNK files created for the .jpg files]

The LNK files above pointed back to the folder on the device where each .jpg file resides, not to the .jpg file itself. To see that this is the case, the output of running lp64.exe on the directory C:\Users\Win7SP1\AppData\Roaming\Microsoft\Recent\*.lnk is shown in the image below:

[Image: microsoft-recent (lp64.exe output)]
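The two lp64.exe listings above show the difference an examiner has to check for: the .doc LNK files carry a local path under WPDNSE, while the .jpg LNK files carry only shell items for a folder on the device. The following added example (my code, not part of the original post or of lp64.exe) is a minimal Shell Link reader that makes that check. It reads the MS-SHLLINK header, LinkTargetIDList and LinkInfo structures, reports the local base path if one is present, and flags a path that lives under \AppData\Local\Temp\WPDNSE\{GUID}\ together with its folder GUID. The two sample LNK blobs are constructed inside the block (the .jpg one uses opaque placeholder shell item bytes, since real MTP shell items are device specific); they are not the artifacts from the test.

```python
"""Added example: minimal .lnk reader distinguishing a WPDNSE temp-copy target
(.doc case) from a target that exists only as a shell item ID list (.jpg case).
Sample LNK blobs are constructed below; they are not real Windows artifacts."""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x01        # LinkFlags bit: LinkTargetIDList present
HAS_LINK_INFO = 0x02                 # LinkFlags bit: LinkInfo present
VOLUMEID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: LocalBasePath present

# Matches a local target inside the WPDNSE temp area and captures its folder GUID.
WPDNSE_RE = re.compile(r"\\AppData\\Local\\Temp\\WPDNSE\\(\{[0-9A-F-]{36}\})\\", re.I)


def build_lnk(local_base_path=None, idlist=b""):
    """Construct a minimal LNK blob for testing (constructed data, not a Windows artifact)."""
    flags, body = 0, b""
    if idlist:
        flags |= HAS_LINK_TARGET_IDLIST
        body += struct.pack("<H", len(idlist)) + idlist          # IDListSize + IDList
    if local_base_path is not None:
        flags |= HAS_LINK_INFO
        path = local_base_path.encode("cp1252") + b"\x00"
        # VolumeID: size, DRIVE_FIXED, constructed serial number, empty label
        volume_id = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"
        hdr = 0x1C                                               # LinkInfoHeaderSize
        local_off = hdr + len(volume_id)
        suffix_off = local_off + len(path)
        info_size = suffix_off + 1                               # empty CommonPathSuffix
        body += struct.pack("<7I", info_size, hdr, VOLUMEID_AND_LOCAL_BASE_PATH,
                            hdr, local_off, 0, suffix_off)
        body += volume_id + path + b"\x00"
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    header += struct.pack("<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


def parse_lnk(data):
    """Return LinkFlags, raw IDList bytes and the LinkInfo local path (None if absent)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, idlist, local_path = LNK_HEADER_SIZE, b"", None
    if flags & HAS_LINK_TARGET_IDLIST:
        size = struct.unpack_from("<H", data, pos)[0]
        idlist = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, local_off, _cnrl, suffix_off = \
            struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUMEID_AND_LOCAL_BASE_PATH:
            base = data[pos + local_off:data.index(b"\x00", pos + local_off)]
            suffix = data[pos + suffix_off:data.index(b"\x00", pos + suffix_off)]
            local_path = (base + suffix).decode("cp1252")
        pos += info_size
    return {"flags": flags, "idlist": idlist, "local_path": local_path}


def classify_target(info):
    """('wpdnse_copy', guid) | ('local_path', path) | ('shell_items_only', None) | ('unknown', None)."""
    path = info["local_path"]
    if path:
        m = WPDNSE_RE.search(path)
        return ("wpdnse_copy", m.group(1)) if m else ("local_path", path)
    if info["idlist"]:
        return ("shell_items_only", None)
    return ("unknown", None)


# Constructed samples mirroring the two cases in the listings above.
DOC_LNK = build_lnk(local_base_path=r"C:\Users\Win7SP1\AppData\Local\Temp\WPDNSE"
                    r"\{02060188-0200-01BA-7701-7D017D015F01}\Card_Folder1-TestDOC.doc")
# Opaque placeholder shell items (one 4-byte item + 2-byte TerminalID), not real MTP items.
JPG_LNK = build_lnk(idlist=b"\x04\x00\xAA\xBB" + b"\x00\x00")

if __name__ == "__main__":
    for name, blob in (("doc", DOC_LNK), ("jpg", JPG_LNK)):
        print(name, classify_target(parse_lnk(blob)))
```

For a real case, read the bytes of each LNK under the Recent folders and pass them to `parse_lnk`; a `wpdnse_copy` result tells you the file copy (and its folder GUID) to look for under the WPDNSE temp directory, while `shell_items_only` means the device location has to be recovered from the shell items, as lp64.exe does.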

PDF, TXT & XLS Files

In my tests, opening the .pdf, .txt and .xls files from the MTP device produced no LNK files.

You can download the registry hives and LNK files of the files from this testing scenario here:

mtp-galaxys3-android.zip

1.2.3 Interesting MTP Artifact: The WPDNSE Temp Folder

As mentioned previously, the WPDNSE folder contains a copy of the files that were opened from an MTP device. For each folder on the MTP device from which a file is opened, a corresponding folder is created in the directory C:\Users\Win7SP1\AppData\Local\Temp\WPDNSE\.

Remember from the MTP example test in the previous section that files were opened from four different folders on the MTP device:

  1. Computer\SCH-I535\Card\Card_Test Folder 1\
  2. Computer\SCH-I535\Card\Card_Test Folder 2\
  3. Computer\SCH-I535\Phone\Phone_Test Folder 1\
  4. Computer\SCH-I535\Phone\Phone_Test Folder 2\

In the WPDNSE temp directory on the local drive, the folders that get created have GUIDs as their names.

[Image: wpdnse]

Within each folder in the WPDNSE temp directory, there is a copy of every file that was opened from the MTP device, with the exception of the .jpg files.

[Image: wpdnse-contents]

However, without additional information, we do not know which folder on the MTP device each GUID represents. This information can be obtained from the BagMRU entries in the registry for the MTP device. Let us look at how we can link this information together. In the image below, within the data snippet of value 1 under the key UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\0\, which represents the location Computer\SCH-I535\Card\Card_Test Folder 1\, a folder GUID of {02060188-0200-01BA-7701-7D017D015F01} is listed. Looking at the WPDNSE folder list, it is listed there also. Using that information we are able to link the folder GUID found in the WPDNSE directory to the folder named “Card_Test Folder 1” originating from the MTP device.

[Image: bagmru]
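The linking step described above can be automated once the BagMRU value data and the WPDNSE directory listing are in hand. The following added example (my code, not from the original post) scans each BagMRU value's raw bytes for GUID-shaped strings and maps every GUID-named WPDNSE folder to the BagMRU keys that mention it. Two assumptions are made and labelled in the code: that the folder GUID appears in the value data as text (UTF-16LE or 8-bit, at any byte alignment), as the hex dump above shows for value 1, and that the device path belonging to each BagMRU key has already been recovered with a shellbag parser. The BagMRU value bytes, the second key and the second and third GUIDs are constructed placeholders; only the first GUID and its key path come from the post.

```python
"""Added example: link GUID-named WPDNSE temp folders to the MTP device folders
recorded under BagMRU. BagMRU value bytes below are constructed stand-ins."""
import re

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def guids_in_value(data: bytes) -> set:
    """GUID-shaped strings in raw registry value data, checked as 8-bit text and as
    UTF-16LE at both byte alignments (assumption: the GUID is stored as text)."""
    candidates = [data.decode("latin-1"),
                  data.decode("utf-16-le", errors="ignore"),
                  data[1:].decode("utf-16-le", errors="ignore")]
    return {g.upper() for text in candidates for g in GUID_RE.findall(text)}


def link_wpdnse_folders(wpdnse_dirs, bagmru):
    """bagmru: {key_path: {"device_path": str, "data": bytes}} where device_path was
    already recovered by a shellbag parser (assumption). Returns
    (resolved {dir: [(key, device_path), ...]}, unresolved [dir, ...])."""
    by_guid = {}
    for key, entry in bagmru.items():
        for g in guids_in_value(entry["data"]):
            by_guid.setdefault(g, []).append((key, entry["device_path"]))
    resolved, unresolved = {}, []
    for d in wpdnse_dirs:
        hits = by_guid.get(d.upper())
        if hits:
            resolved[d] = hits
        else:
            unresolved.append(d)
    return resolved, unresolved


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


BAGMRU_KEY = r"UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0"
# Constructed value data: opaque shell-item prefix bytes, then the GUID and folder name as UTF-16LE.
SAMPLE_BAGMRU = {
    BAGMRU_KEY + r"\0": {  # key and GUID as shown in the post; the bytes are constructed
        "device_path": r"Computer\SCH-I535\Card\Card_Test Folder 1",
        "data": b"\x3c\x00\x06\x00\x00\x00\x00\x00"
                + _u16("{02060188-0200-01BA-7701-7D017D015F01}") + b"\x00\x00"
                + _u16("Card_Test Folder 1") + b"\x00\x00",
    },
    BAGMRU_KEY + r"\1": {  # constructed placeholder key and GUID, stored at an odd byte offset
        "device_path": r"Computer\SCH-I535\Card\Card_Test Folder 2",
        "data": b"\x3c\x00\x06\x00\x00\x00\x00"
                + _u16("{11111111-2222-3333-4444-555555555555}") + b"\x00\x00",
    },
}
# Constructed WPDNSE directory listing; the third GUID has no BagMRU match.
SAMPLE_WPDNSE_DIRS = ["{02060188-0200-01BA-7701-7D017D015F01}",
                      "{11111111-2222-3333-4444-555555555555}",
                      "{99999999-9999-9999-9999-999999999999}"]

if __name__ == "__main__":
    resolved, unresolved = link_wpdnse_folders(SAMPLE_WPDNSE_DIRS, SAMPLE_BAGMRU)
    for folder, hits in resolved.items():
        for key, device_path in hits:
            print(f"{folder} -> {device_path}  (from {key})")
    for folder in unresolved:
        print(f"{folder} -> no BagMRU entry found")
```

An unresolved folder is worth reporting rather than dropping: it can mean the matching BagMRU entry was never written, was overwritten, or lives in a hive the examiner has not yet loaded.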

An important item to note is that, due to the location of the WPDNSE folder (SystemDrive:\Users\<Username>\AppData\Local\Temp), its contents are kept only temporarily by the operating system. It was observed during testing that when Windows was rebooted, the contents of this folder were deleted by the OS. However, although Windows deletes the folder’s contents, the data remains on disk until overwritten. Opening FTK Imager and loading the drive or image, you can navigate to the WPDNSE folder and see the deleted contents.

[Image: ftk-imager]

Conclusion

Due to the differences in implementation between the USB transport protocols, when a user opens files from these devices, the artifacts generated differ both in what gets created and in the nature or content of those artifacts. In testing, MSC devices created LNK files for all of the files that were opened, while MTP devices did not. Additionally, a little-known artifact for MTP devices, the WPDNSE folder, temporarily maintains complete copies of most of the files that were opened in testing. This can be useful to an examiner: the problem with LNK files for MSC devices is that they can show that a file with a name matching a file of interest to an investigation was opened from a device, but without acquiring the contents of the device, it is difficult to say what the contents of that file were. With MTP devices, the WPDNSE folder maintains a copy of the file that was opened from the device, and if the data within the WPDNSE folder has not been overwritten after deletion, an examiner can prove that a particular file was in fact present on the MTP device, because its contents can potentially be recovered in their entirety.

Coming Up…

While this post concludes the findings of my research, in the next post I will attempt to summarize the results of all tests performed as a quick reference.

Comments

  1. evild3ad says:

    Awesome! Great work! Thx.

  2. This is good information. I’ve seen this at least once (the deleted files in the temp folder). Thanks for sharing!

    Yogesh Khatri

  3. […] January 22nd, 2014 / No Comments Hello Reader,        Let’s get back to this series. If you’ve read Nicole Ibrahim’s blog you’ve already seen most of this data, I’m just doing my own testing to confirm her […]

  4. […] in the series we talked about the ability to recover MTP accesses from shellbags, and if you read Nicole’s post you’ll see about her ability to recover files accessed from the WPDNSE directory. In my testing, using […]

  5. BigChiiken says:

    Adding my appreciation as well. Looking forward to what comes next.

    Daniel

  6. A great piece of research and very well documented. Thank you for taking the time to share your findings in such detail – very much appreciated.

    Cheers,
    John.
