With a little bit digging you can discover treasure trove of information, which can be utilized in your digital forensic investigation.
In this technical guide, we will be focusing only on NTUSER.DAT and not on related registry hives or artifacts that are not located within NTUSER hive. This file which stores user profile and settings information can be useful in many use cases. We can gain evidence of program executions, torrent clients, or other unapproved applications that should not be present on the workstation. It can help us create rough timeline during forensic investigation or provide proof of tampering with file timestamps. Also, it can be very useful when searching for evidence of execution or access to specific file, or reassembling user activity. We can gain evidence of folder access/presence on the system, evidence of access or user activity. It can help us gain insight in user behavior during investigation of disgruntled employee or insider threat, finding out if user opened malicious file or accessed sensitive documents. We can find evidence of execution for files accessed on network share or removable media. It is a good place to look for persistence created by PUA, trojans or malwares running under permissions of a user.
NTUSER.DAT file is part of Windows OS, which stores user profiles and settings. All the profile changes you make during your live user session such as accessing folders, opening files, mapping network shares, changing wallpaper, adding printer etc. gets
stored in HKEY_CURRENT_USER registry hive. Windows stores all the changes during live session into a backup copy of NTUSER.DAT called NTUSER.DAT.LOG1 and 2. At logoff all the changes get saved in NTUSER.DAT file, from which the user settings get loaded during the next logon into HKEY_CURRENT_USER. With a little bit digging you can discover treasure trove of information, which can be utilized in your digital forensic investigation.
We can explore NTUSER.dat hive with tools such as: windows native regedit, registry ripper, registry viewer, Registry Explorer (By Eric Zimmerman). And further explore registries with another set of tools such as cafae. In this article we will be using Registry explorer. We chose this tool because it has excellent documentation, versatility (GUI, plugins, CMD) and it is overall pleasure to work with, compared with some other alternatives. Most of the entries we will go through are easily accessible through bookmark tab in registry explorer. If you know what you are searching for you can use this feature to speed up your investigation.
Download technical guide and learn how NTUSER.DAT file can be utilized in digital forensic investigation