Tuesday, 1 April 2014

Search history on Windows 8 and 8.1

Windows 8 introduced a new feature of saving previously searched terms/keywords. I am referring to the Windows Search functionality, which moved from the Start menu in Windows 7 to the Charms bar in Windows 8.

Search terms are saved on a per user basis. In Windows 8, this is stored as an MRU (Most Recently Used) list in the NTUSER.dat file under the key:
Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\Microsoft.Windows.FileSearchApp

Figure 1 - Search history (MRU) in Windows 8 registry

Windows 8.1

On Windows 8.1 this has changed! These entries are no longer stored in the registry, instead they are stored on disk at:
\Users\<USER>\AppData\Local\Microsoft\Windows\ConnectedSearch\History

They are stored as individual link (LNK) files. Each link file holds a single previously searched for keyword (or phrase).

Figure 2 - Search history in Windows 8.1 stored as LNK files

The format of this link file is similar to the one we are familiar with from earlier versions of Windows; however, no dates or other details typically seen in link files are included. All it contains is a link header and a shell item id list. The shell item id list contains the keyword/phrase searched for. Current link file parser scripts/tools will not be able to parse this correctly, as they are either not parsing the shell item id list or not (yet) looking for this specific information. (A shell item id list is seen in many places in the registry; one of the more popular artifacts that uses it is the 'shell bags'.)

Figure 3 - Search history LNK file showing searched term 'enscript'
As seen in figure 3 above, this link file has the same header and basic format. The link GUID at offset 0x4 is also the same. Link flags (0x80) indicate only a shell item id list will be present and all other fields are blank (zero). The shell item id list contains a single property identified by GUID '{F29F85E0-4FF9-1068-AB91-08002B27B3D9}'. This GUID identifies the Microsoft Office Summary Information Properties. Only a single value is populated, and that is the keyword/phrase searched for.
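As an added example (not the author's tool or any existing parser), the following Python walks the link header and shell item id list described above and pulls the keyword out of the Summary Information property. It assumes the shell item carries a standard serialized property store (MS-PROPSTORE layout, version marker '1SPS') with the keyword held as a VT_LPWSTR value, and it builds a constructed sample file for testing rather than using a real capture.

```python
import struct
import uuid

# GUID named in the post: Microsoft Office Summary Information property set (FMTID)
SUMMARY_INFO_FMTID = uuid.UUID("{F29F85E0-4FF9-1068-AB91-08002B27B3D9}")
LNK_CLSID = uuid.UUID("{00021401-0000-0000-C000-000000000046}")  # shell link CLSID at offset 0x4
HAS_LINK_TARGET_ID_LIST, IS_UNICODE, VT_LPWSTR = 0x01, 0x80, 0x1F

def keyword_from_lnk(data):
    """Return the searched-for keyword in a ConnectedSearch\\History LNK file, else None."""
    if len(data) < 0x4E or data[:4] != b"\x4c\x00\x00\x00" or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link file")
    if not struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_ID_LIST:
        return None
    pos, end = 0x4E, 0x4E + struct.unpack_from("<H", data, 0x4C)[0]  # IDList follows IDListSize
    # Each ItemID is a 2-byte size (including itself) plus data; a zero size is the TerminalID.
    while pos + 2 <= end and (item_size := struct.unpack_from("<H", data, pos)[0]):
        keyword = _keyword_from_item(data[pos + 2:pos + item_size])
        if keyword is not None:
            return keyword
        pos += item_size
    return None

def _keyword_from_item(item):
    # Assumption: the item holds an MS-PROPSTORE serialized property store and the
    # keyword is the first VT_LPWSTR value after the Summary Information FMTID.
    pos = item.find(SUMMARY_INFO_FMTID.bytes_le)
    if pos < 0:
        return None
    pos += 16
    # Serialized property value: Size(4) Id(4) Reserved(1) Type(2) Pad(2) Value; size 0 terminates.
    while pos + 13 <= len(item) and (value_size := struct.unpack_from("<I", item, pos)[0]):
        if struct.unpack_from("<H", item, pos + 9)[0] == VT_LPWSTR:
            nchars = struct.unpack_from("<I", item, pos + 13)[0]  # char count incl. terminator
            return item[pos + 17:pos + 17 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
        pos += value_size
    return None

def build_sample_lnk(keyword):
    """Constructed test input (not a real capture): 0x4C header plus one property-store ItemID."""
    text = (keyword + "\x00").encode("utf-16-le")
    typed = struct.pack("<HHI", VT_LPWSTR, 0, len(text) // 2) + text
    prop = struct.pack("<IIB", 9 + len(typed), 5, 0) + typed  # property Id 5 is an arbitrary choice
    body = SUMMARY_INFO_FMTID.bytes_le + prop + struct.pack("<I", 0)
    store = struct.pack("<II", 8 + len(body), 0x53505331) + body  # '1SPS' version marker
    id_list = struct.pack("<H", 2 + len(store)) + store + struct.pack("<H", 0)
    flags = struct.pack("<I", HAS_LINK_TARGET_ID_LIST | IS_UNICODE)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + flags).ljust(0x4C, b"\x00")
    return header + struct.pack("<H", len(id_list)) + id_list
```

To run it over a real History folder, read each *.lnk file as bytes and pass it to keyword_from_lnk; the file's own timestamps supply the date the post discusses.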

Forensic Importance

From a forensic perspective, this ties a search keyword to a user and a date. This means that we now know the date and time when a particular user searched for a specific keyword on the machine. The last modified timestamp gives us the first time that keyword was searched for, and it is not updated afterwards, even if the search is repeated. On my machines, all 4 timestamps (created, accessed, modified, entry modified) hold the same value for a single file (see figure 2 above) and don't seem to get updated/altered once created.

3 comments:

  1. What is interesting about this is that it looks as though the txt_, set_, and site_ values that lead off these terms are based on whether you select a "suggested" search. For example, I did a search for "apple support" and it showed a website to hit before I hit "search" -> Instead of selecting search, I selected the website, so a LNK file with site_ appeared.

    The same thing occurs for system settings. I did a search for "recovery" and many suggestions came up including "creating a recovery drive." I selected that instead of hitting search and apparently the "set_" value shows that the user selected the suggested "settings" instead of a standard keyword search across everywhere.

    1. Rob,
      Windows has 'search as you type' functionality. But not everything you type is actually a relevant keyword. It becomes a relevant searched keyword under two conditions:

      1. User types out the whole keyword/phrase and hits 'Enter' (or search button).

      2. User clicks on one of the interim results (before hitting enter or search button), by doing so he confirms the keyword as relevant.

      Both these activities confirm the search completion and Windows will proceed to log that keyword under a txt_, site_ or set_ link file.

      Also, thanks for pointing out the other types that I did not mention (txt_, set_, site_). There is also app_ and act_.

    2. Also interesting to note is that Windows will log searched keywords (as link files) that have produced no hits at all. So Windows does not really discriminate and logs everything, regardless of results! But the search has to be completed (as noted above). If the user just typed in a keyword and then waited a few seconds and did not click on the results or the search key, then nothing will be recorded.
