Wednesday, July 4, 2012

The Trouble with TypedUrlsTime

Recently some information has been released on a new registry key, TypedUrlsTime, that arrived with Internet Explorer 10 on Windows 8. It sits alongside the familiar TypedUrls key and records, as an 8-byte FILETIME per entry, when each URL in that list was typed into the address bar. If you want to know more, there has been previous research on this key.

My initial research on Windows 8, in which I mentioned this key, is here.
Jason Hale did some research on it here.
Amanda Thomson also did some research on it here.

What am I showing you?
When I first looked into these keys I noticed some anti-forensic tactics that become possible simply by modifying the keys and their data. I will attempt to explain what I saw.
This is my default data set, which shows both the TypedUrls and TypedUrlsTime values from Regedit, as well as the output of the RegRipper plugin that Jason Hale wrote for them.

Original TypedUrls Dataset

Original TypedUrlsTime Dataset

Original RegRipper Values

First Test: 
The first test I did was to delete the url3 value from TypedUrls. I was interested in what happens to the url3 entry in TypedUrlsTime when it no longer has a corresponding value in TypedUrls.

URL3 Deleted in TypedUrls

Url3 remains in the TypedUrlsTime

After deleting the value from TypedUrls, I opened Internet Explorer 10 and went to a new website. That site populated url1, shifting the previous url1 and url2 values down one slot. Because url3 was missing, none of the values below it shifted.
Adding a new TypedUrls entry to this
Looking at TypedUrlsTime, we can see that we still have 10 entries. The data in url4 is the same as it was previously, and the timestamp that used to be in url3 is no longer retained.

Values of TypedUrlsTime after addition of a new site. 

RegRipper Plugin Values

Second Test: 
Having identified how these two data sets behave when a value is deleted from TypedUrls, I wondered what would happen if I deleted a value from TypedUrlsTime but retained the corresponding value in TypedUrls. I deleted the url3 entry in TypedUrlsTime, which corresponded to my visit to Wired.com.

Visiting Espn after deletion of TypedUrlsTime Key. 
Url4 corresponds to Wired.com, it is now 00. 

We can see that even though I deleted the value, typing a new address into the browser, which adds an entry to TypedUrls, recreates the missing TypedUrlsTime value. Since the OS no longer has the actual time of the visit to write into it, the value is now 00 00 00 00 00 00 00 00. Looking at the RegRipper data, the plugin reports that the visit to Wired happened Thu Jan 1 1970. Strictly speaking an all-zero FILETIME is 1601-01-01 00:00:00 UTC; the plugin converts FILETIMEs to Unix epoch seconds and clamps anything at or below zero to 0, which gmtime renders as Jan 1 1970. Either way, a zeroed timestamp is the tell that the value was recreated rather than written at the time of the visit.

RegRipper Data.. 1970!!
From this data, TypedUrls is the primary key: if a TypedUrls value is missing, nothing is written to the matching TypedUrlsTime value, but if a TypedUrlsTime value is deleted it is recreated with a default, all-zero timestamp.

Third Test: 

Having seen how deleting values in one key affects the other, I decided to look at what happens if I modify the names of the url values within these keys.

Baseline Dataset

Baseline DataSet

I swapped the names of the url1 and url8 values in TypedUrlsTime; you can see the new values listed below.

Dataset after Url1 and Url8 change
Here are the RegRipper values right after I made the change in the registry. According to the plugin my ESPN visit happened on June 17th, while my SANS visit happened on July 4th. The report below shows this.

url1 and url8 dates messed up. 

Next I visited a new website, which increments the value names, so we can see the effect this has on the registry values themselves. I made NO changes to the values in TypedUrls. The only changes were to url1 and url8 in TypedUrlsTime, as shown in the previous example.

Visiting Mediacomcc.com

TypedUrlsTime after new site added. 

The modified url1 and url8 entries were shifted along as they should be, with url1 moving to url2 and url8 moving to url9: the browser does not validate or reorder the timestamps, it just renumbers them. The RegRipper output is the only evidence that something is wrong. Because url1 is always the most recent entry, the timestamps should never get newer as the index grows, and according to TypedUrlsTime my ESPN and SANS visits are still out of order.

RegRipper Plugin Values after new site

The next test was to modify the data in TypedUrls itself. I swapped the URL strings held in url10 (Google) and url3 (Principal) and left the values in TypedUrlsTime alone.

After changing the Url3 and Url10 values. 

RegRipper after the change
After swapping the URL strings between url3 and url10, the plugin now reports that I visited Principal in June rather than a few days ago, and nothing in the two keys contradicts it: both keys are still internally consistent. Only the Internet Explorer History tab, which is backed by a separate store, still shows the correct dates on which I originally viewed these sites.
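As an added example (not the author's code and not the RegRipper plugin), here is a Python checker that decodes the 8-byte FILETIMEs in TypedUrlsTime and flags the inconsistencies the tests above produce: timestamps with no matching URL (first test), zeroed timestamps (second test), and timestamps that get newer as the index grows (third test). The sample URLs and timestamps are constructed for the example and only loosely follow the screenshots; in practice the two dicts would be filled from the hive with a parser such as python-registry.

```python
"""Cross-check IE10 TypedUrls against TypedUrlsTime.

Added example for this post; not the author's code and not RegRipper. It works
on plain dicts so it runs offline. With a hive parser you would fill the dicts
from the value names and data under
HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs and \\TypedURLsTime.
"""
import struct
from collections import namedtuple
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

Finding = namedtuple("Finding", "kind name detail")


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC.
    All-zero bytes therefore decode to 1601-01-01, not to 1970."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime (used here to build sample data)."""
    ticks = ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def make_filetime(year, month, day, hour=0, minute=0) -> bytes:
    return datetime_to_filetime(datetime(year, month, day, hour, minute, tzinfo=timezone.utc))


def regripper_style_time(raw: bytes) -> datetime:
    """Reproduce the display seen in the post: the plugin converts the FILETIME to
    Unix epoch seconds and clamps anything at or below zero to 0, which is why a
    zeroed value prints as Thu Jan 1 1970 rather than 1601."""
    seconds = (filetime_to_datetime(raw) - UNIX_EPOCH).total_seconds()
    return UNIX_EPOCH + timedelta(seconds=max(seconds, 0))


def url_index(name: str) -> int:
    """'url10' -> 10. Regedit shows the value names in lower case."""
    if not name.lower().startswith("url"):
        raise ValueError(f"unexpected value name {name!r}")
    return int(name[3:])


def check_typed_urls(typed_urls, typed_urls_time):
    """Return the inconsistencies the post's tests produce.

    url1 is always the most recently typed entry, so FILETIMEs must never get
    newer as the index grows. What this cannot catch: swapping the URL strings
    between two TypedUrls values leaves both keys internally consistent; only an
    external source such as the browser history store can contradict that.
    """
    urls = {k.lower(): v for k, v in typed_urls.items()}
    times = {k.lower(): v for k, v in typed_urls_time.items()}
    findings = []

    for name in sorted(times.keys() - urls.keys(), key=url_index):
        findings.append(Finding("orphan_time", name,
                                "timestamp present but no URL in TypedUrls (URL value deleted?)"))
    for name in sorted(urls.keys() - times.keys(), key=url_index):
        findings.append(Finding("orphan_url", name,
                                "URL present but no TypedUrlsTime entry (recreated as zero on next typed URL)"))

    prev_name = prev_dt = None
    for name in sorted(urls.keys() & times.keys(), key=url_index):
        dt = filetime_to_datetime(times[name])
        if dt == WINDOWS_EPOCH:
            findings.append(Finding("zero_time", name,
                                    f"all-zero FILETIME for {urls[name]} (1601-01-01; RegRipper prints 1970)"))
            continue
        if prev_dt is not None and dt > prev_dt:
            findings.append(Finding("out_of_order", name,
                                    f"{dt:%Y-%m-%d %H:%M} is newer than {prev_name} "
                                    f"({prev_dt:%Y-%m-%d %H:%M}); value names may have been swapped"))
        prev_name, prev_dt = name, dt
    return findings


# Constructed sample (not the author's hive data): url4's time was deleted and
# recreated as zeros, the url2/url3 times were swapped, and url6's URL string
# was deleted while its timestamp remained.
SAMPLE_TYPED_URLS = {
    "url1": "http://www.mediacomcc.com/", "url2": "http://www.espn.com/",
    "url3": "http://www.sans.org/", "url4": "http://www.wired.com/",
    "url5": "http://www.google.com/",
}
SAMPLE_TYPED_URLS_TIME = {
    "url1": make_filetime(2012, 7, 4, 15), "url2": make_filetime(2012, 6, 17),
    "url3": make_filetime(2012, 7, 4, 14), "url4": b"\x00" * 8,
    "url5": make_filetime(2012, 6, 10), "url6": make_filetime(2012, 6, 1),
}

if __name__ == "__main__":
    for f in check_typed_urls(SAMPLE_TYPED_URLS, SAMPLE_TYPED_URLS_TIME):
        print(f"{f.name:6} {f.kind:13} {f.detail}")
```

The ordering check is the one that exposes the swapped TypedUrlsTime names; the zero check exposes a recreated value; and the orphan checks expose a deletion in either key. None of them can see swapped URL strings, which is exactly why the post's last test succeeds and why corroboration against the browser's own history is needed.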


Closing Thoughts: 

The addition of TypedUrlsTime adds another layer to timeline analysis of internet activity, showing when a user actually typed a URL into the address bar. Given how easily the pairing between TypedUrls and TypedUrlsTime can be altered by deleting, renaming or swapping values, however, this data on its own may not be forensically sound for establishing what sites a user connected to by typing the URL, or when. Its timestamps should be corroborated against other sources; in these tests the browser's own history store still showed the correct dates.


Please let me know if I have overlooked another way to extract the correct times at which I typed these URLs into my web browser.

**** Update 7/4/12 ****
My hives, if you want to analyze them, are here.

I have used RegSlack in an attempt to recover deleted keys and values from the hive's unallocated space. I was unable to extract anything related to TypedUrls or TypedUrlsTime; this was the only deleted key that was found.


### Deleted Key  ###

CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\MediaPlayer\Health\{E9B9E911-C122-4F81-9FBB-48D77FDA6481}
Offset: 0x7abb8 [Wed Jul  4 15:04:53 2012]
Number of values: 0

Recovered 1 keys and 0 values: #0 keys from allocated space.

Rejected 0 keys and 0 values.
1 comment:

  1. Ken,

    Great stuff. I'm still trying to summarize what you have found based on your tests.

    A couple of things I would consider trying if I wanted to check for the possibility of counter-forensics techniques such as these being used are (1) running Regslack against the user's hive to see if I could recover the deleted values, and (2) checking the value of the user's Applets key within the active hive, as well as those found in VSCs, to determine indications of the use of these techniques, as you've described them.

    Good stuff, and great thinking.
