In most versions of Windows, a user can manually organize the order in which applications and application groups are displayed in the Start Menu. A user might, for example, drag a frequently-used application group to the top of the Start Menu and leave the remainder of the items in alphabetical order. The displayed order of items in the Start Menu is independent of the order in which %userprofile%\Start Menu is sorted in Windows Explorer.
Similarly, a user can manually rearrange items in the Favorites menu or Favorites Center of Internet Explorer (IE) independent of the displayed sort order of %userprofile%\Favorites.
These user-defined display settings are controlled by the Windows registry.
In a default installation of Windows XP, the following registry keys are present:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
These two registry keys contain subkeys named for each folder in the Start Menu and Favorites menu, respectively. For example, if an application has a Start Menu folder named “BadApp 3”, the related subkey would be:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BadApp 3
If a user creates a folder in the Favorites menu named “Bad Sites”, the related subkey would be:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Bad Sites
Each subkey contains a single REG_BINARY value named Order, which lists the contents of the related Start Menu or Favorites folder in a format similar to a FAT directory table. It is the Order value that stores information about the user-set display order of the Start Menu and of the IE Favorites menus.
Of importance to the forensic investigator is the fact that, in many cases, these subkeys and their Order values retain references to Start Menu and Favorites items after the related applications or favorites have been uninstalled or deleted. In some situations, this information remains in these locations for an indefinite period after the user has removed the related applications or favorites. Even if a user has carefully removed an application, including wiping any files left behind by the uninstall routine, there is a good chance that evidence of the application's presence will remain indefinitely in the HKCU\...\Start Menu2\Programs\* keys and their Order values. Artifacts of IE Favorites in these locations are somewhat more ephemeral, but useful evidence may still remain in the registry indefinitely in some realistic usage scenarios.
This paper describes several common usage scenarios and the effect they have on the related registry keys and values.
The experiments leading to the findings described in this paper were conducted on the following virtual PC platform:
- VMWare Player 3.1.4 build-385536
- Windows XP Home, Service Pack 3 (VM)
- IE 7.0.5730.13 (VM)
- Windows 7 Home Premium (host)
- Intel Core i7 2820QM CPU, 2.29 GHz (host)
- 12 GB RAM on host, 512 MB assigned to VM
For these tests, I created a VMWare virtual PC, installed Windows XP Home on it, and applied all available patches. I accepted all defaults during the installation process and left the Windows desktop and appearance in their default state. I installed IE 7 and applied all patches. I installed no software other than that being tested.
I downloaded the following four applications from download.cnet.com and installed them, accepting all defaults:
- BillQuick 2011 Lite
- File Shredder
- Free Internet Eraser
- PhotoScape 3.5
I then created an IE favorites folder named Banking and added five banking websites to it.
Through prior testing on other PCs, I had observed that the relevant registry keys and values are not created until the user opens the related application folders in the Start Menu or the favorites folder in the Favorites menu. Therefore, I viewed the contents of each application's Start Menu folder and the Banking folder in the Favorites menu. I launched regedit and verified that the keys and values were present.
After taking these steps, I created a backup copy of the VM. VMWare Player does not provide a snapshot option, so I used a manual copy-and-paste process to preserve the pristine test environment and began each iteration of testing from that point. For each of the scenarios below, I conducted several rounds of testing, each time copying the base VM image to a new location and starting the testing from scratch.
During each iteration of testing, I exported the relevant registry keys at several points. After exporting the keys on the VM, I copied them to the host PC and generated MD5 hash values with Slavasoft HashCalc. By comparing the MD5 values, I determined when the keys had been changed. Often, the changes were obvious, such as when the contents of the Order value were cleared entirely. When there were no obvious changes, however, the hashes served to demonstrate clearly whether the keys were changed or not.
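As an added example (not code from the original post), the following Python script automates the export-and-hash comparison described above and pulls the embedded item names out of each Order value. It assumes nothing about the Order layout beyond what the post observes (that the value carries item names), so it treats the blob as opaque bytes and extracts printable ASCII and UTF-16LE runs, the same thing a `strings` pass would do. The MenuOrder path is the one given earlier on this page; the `fake_order` blob builder, the two sample exports, and the .lnk/.url entry names (including the "BadApp 3" group and its "Uninstall BadApp 3.lnk" item) are constructed for the demonstration and do not reproduce the real record format.

```python
"""Added example, not from the original post: parse regedit .reg exports of the
MenuOrder keys, recover embedded names from each Order blob, and flag which keys
changed between a 'before' and an 'after' export by hashing the decoded bytes.
The Order layout is unknown here, so the blob is treated as opaque bytes."""
import hashlib
import re

MENUORDER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder"
HEX_VALUE = re.compile(r'^"([^"]+)"=hex:(.*)$')   # REG_BINARY values only
STRING_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}|[\x20-\x7e]{4,}")


def parse_reg_export(text):
    """Return {key_path: {value_name: bytes}} for the REG_BINARY values in a .reg
    export. Regedit writes the file as UTF-16LE with a BOM, so decode it first
    (open(path, encoding="utf-16")). Long hex values end in a backslash and
    continue on the next line; that is the only wrinkle handled here."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = HEX_VALUE.match(line)
            if m:
                name, hexpart = m.group(1), m.group(2).strip()
                while hexpart.endswith("\\"):          # continuation line follows
                    i += 1
                    hexpart = hexpart[:-1] + lines[i].strip()
                octets = [h for h in hexpart.split(",") if h]
                keys[current][name] = bytes(int(h, 16) for h in octets)
        i += 1
    return keys


def extract_names(blob):
    """'strings'-style recovery of the names embedded in an Order blob: printable
    ASCII and UTF-16LE runs of four or more characters, in offset order, deduplicated."""
    found = []
    for m in STRING_RUN.finditer(blob):
        raw = m.group(0)
        s = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("ascii")
        if s not in found:
            found.append(s)
    return found


def digest_orders(keys):
    """MD5 of each key's decoded Order bytes, mirroring the post's procedure.
    This is change detection, not integrity protection, so any digest would do."""
    return {k: hashlib.md5(v["Order"]).hexdigest() for k, v in keys.items() if "Order" in v}


def compare_exports(before_text, after_text):
    """Classify every key seen in either export as unchanged, Order cleared,
    Order changed, key new, or key gone."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    hb, ha = digest_orders(before), digest_orders(after)
    report = {}
    for key in sorted(set(before) | set(after)):
        if key not in after:
            report[key] = "key gone"
        elif key not in before:
            report[key] = "key new"
        elif hb.get(key) == ha.get(key):
            report[key] = "unchanged"
        elif after[key].get("Order") == b"":
            report[key] = "Order cleared"
        else:
            report[key] = "Order changed"
    return report


def to_reg_export(keys):
    """Emit regedit 5.00 syntax, wrapped hex lines included; used only to build
    the constructed sample exports below."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for path, values in keys.items():
        out.append("[%s]" % path)
        for name, blob in values.items():
            octets = ["%02x" % b for b in blob]
            rows = [",".join(octets[i:i + 20]) for i in range(0, len(octets), 20)] or [""]
            out.append('"%s"=hex:%s' % (name, ",\\\n  ".join(rows)))
        out.append("")
    return "\n".join(out)


def fake_order(names):
    """Constructed stand-in for an Order blob (the real layout is not known from the
    post): each name stored once as ASCII and once as UTF-16LE, zero-separated."""
    blob = b"\x08\x00\x00\x00\x02\x00\x00\x00"        # arbitrary header bytes
    for n in names:
        blob += b"\x00\x00" + n.encode("ascii") + b"\x00\x00" + n.encode("utf-16-le") + b"\x00\x00"
    return blob


# Constructed sample exports: the Banking favorites folder from the post and a
# hypothetical "BadApp 3" Start Menu group, before and after a cleanup.
BANKING = MENUORDER + r"\Favorites\Banking"
BADAPP = MENUORDER + r"\Start Menu2\Programs\BadApp 3"
SAMPLE_BEFORE = to_reg_export({
    BANKING: {"Order": fake_order(["Bank of America.url", "US Bank.url"])},
    BADAPP: {"Order": fake_order(["BadApp 3.lnk", "Uninstall BadApp 3.lnk"])},
})
SAMPLE_AFTER = to_reg_export({
    BANKING: {"Order": fake_order(["US Bank.url"])},   # favorite deleted, folder re-opened
    BADAPP: {"Order": b""},                            # uninstaller cleared the value, key kept
})

if __name__ == "__main__":
    for key, values in parse_reg_export(SAMPLE_BEFORE).items():
        print(key.split("\\")[-1], "->", extract_names(values["Order"]))
    for key, verdict in compare_exports(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(verdict.ljust(14), key)
```

To use it on real exports, read each file with `open(path, encoding="utf-16")` (which consumes regedit's BOM) and pass the two texts to `compare_exports`. Hashing the decoded value bytes rather than the .reg file itself keeps regedit's line wrapping and key ordering out of the comparison, and the per-key verdicts distinguish the "key kept, Order cleared" outcome seen in several scenarios below from a genuine change of contents. The string extraction is a lower bound on what the value holds: it misses names shorter than four characters and knows nothing about the record boundaries the author describes as FAT-like.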
In this manner, I tested ten potential scenarios in which a user might remove applications or IE favorites:
- Uninstalling an application with its native uninstall option
- Uninstalling an application with the Windows Add/Remove Programs function
- Deleting a single IE favorite through the Favorites drop-down menu
- Deleting a single IE favorite through the Favorites Center
- Deleting a single IE favorite from the user profile directory
- Deleting a single IE favorite from the user profile directory with a secure file deletion utility
- Deleting an IE favorites folder through the Favorites drop-down menu
- Deleting an IE favorites folder through the Favorites Center
- Deleting an IE favorites folder from the user profile directory
- Deleting an IE favorites folder from the user profile directory with a secure file deletion utility
Usage Scenario 1: Uninstalling an Application with Its Native Uninstall Option
During the setup of the VM image, I had verified that the relevant registry keys for each of the test applications had been created. I noted the presence of the expected registry keys for BillQuick 2011, File Shredder, Free Internet Eraser, and PhotoScape 3.5 (see Figure 1).
To begin this test, I verified that the expected information was present in each Order value. Opening the Order value under the BillQuick 2011 key, for example, displayed the information shown in Figure 2. Note that the format of information in this value closely resembles a FAT32 directory table. I have not determined the significance of every piece of information in this value. For the purposes of this research, I was primarily interested in the presence or absence of the values and of the file names within them. Further examination of the specific pieces of information included in the Order value will surely reveal additional artifacts of interest to the forensic investigator.
After verifying the presence of the relevant keys and values, I began testing the results when each application was uninstalled with its native uninstall routine. BillQuick 2011 does not provide a native uninstall option, so this scenario could only be tested with File Shredder, Free Internet Eraser, and PhotoScape 3.5. In successive iterations of testing, I uninstalled each application and recorded the resulting registry changes. I restored the base VM image after each application was tested. Whenever any uninstall processes presented a prompt requiring user action, I accepted the default response.
After uninstalling File Shredder, the File Shredder registry key was still present, but the contents of the Order value were cleared (see Figure 3). However, when the test was conducted on PhotoScape 3.5 and Free Internet Eraser, the relevant keys and values remained unchanged. The FAT-style contents of the Order value still contained the list of items that had been present in the Start Menu application group (see Figure 4). Thus, in two of the three tested cases, the native uninstall routine had no impact on either the relevant keys or Order values.
These findings indicate that an application's native uninstall process may or may not clear the contents of the relevant Order value, but that the parent key used by the application group is, at least for the three applications tested here, left intact even when the Order value is cleared. In investigations in which the presence of an application has evidentiary value, the application-specific HKCU\...\Start Menu2\Programs\* keys and the Order values within them may be a valuable location to examine.
Usage Scenario 2: Uninstalling an Application with the Windows Add/Remove Programs Function
I next wanted to test whether the Windows Add/Remove Programs feature behaved differently from the various applications' native uninstall routines. In the case of the three applications tested and described above, the answer is “No”. Uninstalling the applications with Add/Remove Programs led to identical results.
BillQuick 2011, as noted above, provides no native uninstall process, so Add/Remove Programs was the only option available for testing. After uninstalling the application, I observed that, similar to the case with File Shredder, the relevant registry key and value were present, but the Order value had been cleared of information (see Figure 5).
These two test scenarios suggest the following: 1) that the application itself exerts some control over whether or not the Order value is cleared; and 2) that the application-specific key holding the Order value is generally left behind by uninstall processes.
Usage Scenario 3: Deleting a Single IE Favorite through the Favorites Drop-Down Menu
The IE Favorites Menu, much like the Start Menu, can be sorted manually by dragging folders and individual favorites to a preferred location. As noted above, a favorites folder named Banking, containing five banking websites, was used for testing the following scenarios. I verified that the relevant keys and values were present in the registry, as shown in Figure 6.
I first tested the scenario of a user clicking the Favorites drop-down menu, right-clicking a single favorite in the Banking folder, selecting Delete, and emptying the Recycle Bin.
After deleting the favorite and emptying the Recycle Bin, I examined the relevant registry key and observed that it had not been changed. I verified that the MD5 hashes of the exported pre-delete and post-delete keys were the same. This initially suggested that deletes are not reflected in the Order value.
However, after I opened the Banking folder through the Favorites drop-down menu and verified that the favorite was in fact deleted, I returned to the registry key and found that the reference to the deleted favorite had been removed from the Order value.
Further testing confirmed that the Order value related to a favorites folder is refreshed when the relevant folder is viewed. That is, the reference to a deleted favorite will remain in the Order value until the next time a user opens the folder in which the favorite had been stored. Thus, any artifacts of a single deleted favorite are likely to be short-lived. There could be cases, however, when a user does not return to the favorites folder between the time of the deletion and the time of examination. In such cases, the prior existence of a deleted favorite may be demonstrated by the contents of the Order value.
Note that opening a folder in the Favorites drop-down menu to delete a subsequent favorite will trigger the refresh action and remove the reference to the first deleted favorite but leave the reference to the second deleted favorite. For example, consider the following case. The user deletes the Bank of America favorite on Monday and does not open the Banking folder again until Tuesday, when he opens it only to delete the US Bank favorite. The user does not open the folder again. In this scenario, the Bank of America favorite will be reflected in the Order value until the folder is opened on Tuesday. The act of opening the folder triggers the refresh action, and the previously-deleted reference to the Bank of America favorite is removed. The user then deletes the US Bank favorite. The reference to that favorite will continue to be reflected in the Order value until the user opens the Banking folder again.
Usage Scenario 4: Deleting a Single IE Favorite through the Favorites Center
In the next test, I accessed IE's Favorites Center by clicking on the "star" icon on the IE Explorer Bar and "pinning" the Favorites Center to the left-hand side of the IE window. I selected a favorite from the Banking folder, deleted it with the context menu, and emptied the Recycle Bin. Interestingly, in this case, the deletion was reflected immediately in the Order value. It was not necessary to execute a separate read action on the folder. I found it surprising that the refresh action would be applied differently in this case than in the case of deleting a favorite through the Favorites drop-down menu.
It appears, therefore, that a user managing his or her favorites through the Favorites Center will leave fewer artifacts than a user managing them through the Favorites drop-down menu.
Usage Scenario 5: Deleting a Single IE Favorite from the User Profile Directory
For the next test, I browsed to the favorites directory in the user profile (C:\Documents and Settings\Owner\Favorites\Banking) and deleted a single favorite (i.e., its Internet Shortcut – *.url – file). The delete action did not trigger a refresh of the Order value. The reference to the deleted favorite remained in place until the next time the Banking folder was opened, at which time the refresh action was triggered and the reference to the deleted favorite was removed.
Usage Scenario 6: Deleting a Single IE Favorite from the User Profile Directory with a Secure File Deletion Utility
Deleting a favorite from the user profile with the File Shredder utility produced the same results as Usage Scenario 5. The delete was not reflected in the Order value until the next time the Banking folder was opened. Certainly, other file deletion utilities may behave differently, but I suspect it is unlikely that many remove these references to deleted files from the registry.
Usage Scenario 7: Deleting an IE Favorites Folder through the Favorites Drop-Down Menu
For the final four tests, I examined the registry before and after deleting the entire Banking folder. First, I deleted the Banking folder from the Favorites drop-down menu by right-clicking the folder, selecting Delete, and emptying the Recycle Bin.
This produced results similar to those produced by some of the application uninstall routines. The Banking key was left in the registry, but the Order value was cleared of all information (see Figure 7).
Subsequent testing demonstrated that the Order value is not cleared until the Recycle Bin is emptied. If the deleted folder is left in the Recycle Bin, the Order value retains all information on the favorites within the folder. Clearing the Recycle Bin triggers a refresh of the Order value but leaves the parent key intact.
Usage Scenario 8: Deleting an IE Favorites Folder through the Favorites Center
This test demonstrated that deleting a favorites folder through the Favorites Center resulted in the same behavior as deleting the folder from the Favorites drop-down menu. That is, the key related to the folder is left intact while the Order value is cleared once the Recycle Bin is emptied.
Usage Scenario 9: Deleting an IE Favorites Folder from the User Profile Directory
Deleting a favorites sub-directory from the user profile results in the same behavior as the previous two scenarios. Once the Recycle Bin is emptied, the Order value is cleared, while the key related to the deleted directory is left intact.
Usage Scenario 10: Deleting an IE Favorites Folder from the User Profile Directory with a Secure File Deletion Utility
Using the file deletion utility File Shredder to delete the directory did not change the behavior observed in the previous three scenarios.
The registry keys and values used by Windows to manage the display order of the Start Menu and IE Favorites menu present the forensic investigator the opportunity to uncover evidence of previously removed applications and favorites. In several realistic usage scenarios, significant artifacts may be left in these locations indefinitely. An investigator interested in the prior presence of a specific application would do well to test that application and determine what registry artifacts are left behind after the application is uninstalled, as some applications leave more artifacts behind than others.
The Order value appears to contain a significant amount of information on the Start Menu items or favorites it indexes. Further research into the information contained in this value is likely to uncover additional tools for the forensic investigator.
This post was featured on the DFI News Blogroll on November 30, 2011.