Windows Image & Video Evidence - nurit-cyber/Windows-Evidence GitHub Wiki
Image/Video Forensics Introduction
Different types of investigations require focus on different types of evidence. This resource concentrates on techniques and tools for investigating cases involving child pornography and human trafficking.
Because of this focus, images and videos are the central evidence type covered here, as they can be the main source of evidence in such cases.
Importance
It is not enough just to find suspected images and/or videos on a device; to build a strong case it is also important to show that they were accessed and viewed. Illegal content is also usually hidden on a device, so relying on a Windows search for illicit content alone is not enough.
This resource breaks down the different types of evidence that can be found, the ways to access each, and what each does and does not prove.
Evidence
Investigations benefit from corroborating evidence: the more independent artifacts point to the same conclusion, the stronger the case. The following sections break down the different types of evidence that can be found on a Windows device.
Thumbcache
Thumbcache is a Windows artifact that stores the thumbnails File Explorer renders for files it displays in a thumbnail view. When a user browses to a folder and Explorer shows an image as a thumbnail, a scaled copy of that image is written to the thumbcache. A separate copy is written each time the file is displayed at a different thumbnail size.
The thumbnail size in File Explorer is changed by selecting "View" at the top of the window and choosing a layout (Extra large icons, Large icons, Medium icons and so on), as seen below.
The thumbnails are stored under \Users\[username]\AppData\Local\Microsoft\Windows\Explorer
in files named thumbcache_xxx.db, where xxx is the thumbnail size in pixels (for example 32, 96, 256, 1024, 1280, 1920 or 2560) or a special cache such as sr, wide or exif; thumbcache_idx.db is an index, not an image store.
Thumbcache files require a tool to view them; an open-source, free option is Eric Kutcher's Thumbcache Viewer.
To use the tool, select "Open", and then navigate to the thumbcache file desired and select it.
The thumbcache images will then appear as below.
This is an example of a hamster image downloaded during the data generation phase. However, some videos also generate thumbcache files.
The above image contains a thumbnail image of a hamster video that was downloaded and played on the local device.
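The following is an added example (not part of the original wiki or of Thumbcache Viewer) that shows what a viewer does with a thumbcache_xxx.db: it walks the "CMMM" entry chain, pulls out each entry's cache ID and thumbnail bytes, and names the image container by its magic bytes. Field offsets follow the publicly documented layout (Vista/7 format versions 0x14/0x15 with a 48-byte entry header; Windows 8 through 10 versions 0x1A-0x1F with a 56-byte entry header that adds width and height); the sample database, hash values and blobs are constructed, and checksums are not verified. Confirm the offsets against a real file with Thumbcache Viewer before relying on them.

```python
"""Parse a Windows thumbcache_*.db and extract its stored thumbnails.

Added example, not part of the original wiki. Offsets follow the publicly
documented thumbcache layout; verify against a real file before relying on them.
"""
import os
import struct
import sys

VISTA_WIN7 = {0x14, 0x15}
WIN8_PLUS = {0x1A, 0x1C, 0x1E, 0x1F}

# Container signatures found inside thumbcache data blobs (Explorer stores
# thumbnails as JPEG, PNG or BMP depending on the source and Windows version).
IMAGE_MAGIC = [(b"\xff\xd8\xff", "jpg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"BM", "bmp")]


def sniff(blob):
    """Return a file extension for the blob based on its leading magic bytes."""
    for magic, ext in IMAGE_MAGIC:
        if blob.startswith(magic):
            return ext
    return "bin"


def parse_thumbcache(data):
    """Return a list of dicts, one per populated cache entry."""
    if data[:4] != b"CMMM":
        raise ValueError("missing CMMM signature: not a thumbcache database")
    version, _cache_type = struct.unpack_from("<II", data, 4)
    if version in VISTA_WIN7:
        first = struct.unpack_from("<I", data, 12)[0]
        entry_fmt, hdr_len = "<4sIQIIIIQQ", 48      # sig, size, hash, idlen, pad, datalen, unk, crc, crc
    elif version in WIN8_PLUS:
        first = struct.unpack_from("<I", data, 16)[0]
        entry_fmt, hdr_len = "<4sIQIIIIIIQQ", 56    # ... datalen, width, height, unk, crc, crc
    else:
        raise ValueError("unknown thumbcache format version 0x%X" % version)
    # Damaged files sometimes carry a bad first-entry offset; fall back to the
    # first entry signature after the file header.
    if data[first:first + 4] != b"CMMM":
        first = data.find(b"CMMM", 4)
    entries, pos = [], first
    while 0 <= pos and pos + hdr_len <= len(data) and data[pos:pos + 4] == b"CMMM":
        fields = struct.unpack_from(entry_fmt, data, pos)
        size, ehash, id_len, pad_len, data_len = fields[1:6]
        if size < hdr_len:
            break   # corrupt entry size; stop rather than loop forever
        ident = data[pos + hdr_len:pos + hdr_len + id_len].decode("utf-16-le", "replace")
        blob_start = pos + hdr_len + id_len + pad_len
        blob = data[blob_start:blob_start + data_len]
        if data_len:   # zero-length entries are placeholders or deleted slots
            entry = {"offset": pos, "cache_id": "%016x" % ehash, "identifier": ident,
                     "size": data_len, "ext": sniff(blob), "data": blob}
            if version in WIN8_PLUS:
                entry["width"], entry["height"] = fields[6], fields[7]
            entries.append(entry)
        pos += size
    return entries


def dump(path, out_dir="."):
    """Write every thumbnail in the database at `path` to out_dir as <cache_id>.<ext>."""
    with open(path, "rb") as f:
        entries = parse_thumbcache(f.read())
    for e in entries:
        with open(os.path.join(out_dir, "%s.%s" % (e["cache_id"], e["ext"])), "wb") as out:
            out.write(e["data"])
    return len(entries)


def build_sample_db():
    """Constructed Windows 7-style thumbcache_32.db with two entries (sample data)."""
    def entry(ehash, blob):
        ident = ("%016x" % ehash).encode("utf-16-le")   # identifier string is the hash in hex
        hdr = struct.pack("<4sIQIIIIQQ", b"CMMM", 48 + len(ident) + len(blob),
                          ehash, len(ident), 0, len(blob), 0, 0, 0)
        return hdr + ident + blob
    e1 = entry(0x1234567890ABCDEF, b"\xff\xd8\xff\xe0" + b"\x00" * 12)    # JPEG-like blob
    e2 = entry(0x0FEDCBA987654321, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)     # PNG-like blob
    header = struct.pack("<4sIIIII", b"CMMM", 0x15, 1, 24, 24 + len(e1) + len(e2), 2)
    return header + e1 + e2


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("%d thumbnails extracted" % dump(sys.argv[1]))
    else:
        for e in parse_thumbcache(build_sample_db()):
            print(e["cache_id"], e["ext"], e["size"])
```

Run it with the path to a thumbcache_xxx.db to dump the thumbnails into the current folder; without arguments it parses the constructed sample. The cache_id values are what Thumbcache Viewer shows, and they are the key used to map entries back to original file paths through the Windows Search index.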
Analysis
The images that were found using Thumbcache Viewer were:
- hamster.jpg
- strawberryfinch.jpg
- strawberryfinch2.jpg
- savannahcat.jpg
- savannahcat2.jpg
- kittens.jpg
- kittens2.jpg
- turtles.jpg
- turtles2.jpg
The videos that were found using Thumbcache Viewer were:
- strawberryfinch.mp4
- hamsters.mp4
Not every image and video appears in thumbcache because not all of the downloaded files were displayed in File Explorer after they were downloaded. There are two further difficulties in reviewing thumbcache: entries are keyed by a 64-bit thumbnail cache ID (a hash shown as a hex string), not by the original filename, so the original name has to be recovered by mapping the ID through the Windows Search index (Windows.edb), which Thumbcache Viewer can do; and a video is represented only by a single thumbnail frame, not the video itself.
A single thumbnail in one thumbcache file does not by itself show that the image was intentionally viewed. The entry may have been generated because the user was browsing the folder looking for something else, since thumbcache data is created by Explorer displaying the folder, not by opening the image or video.
But if thumbcache shows the same image at several sizes (entries in more than one thumbcache_xxx.db), it supports the notion that the user changed the view size while looking at the image, which points to intentional viewing even if the file was never opened.
Prefetch Files
Prefetch files are created by Windows the first time an executable runs (when the prefetcher is enabled) and are updated on each subsequent run. A prefetch file records more than the application and its run times: it also records the volumes, directories and files the application touched during roughly the first ten seconds of execution, along with a run count and the last run time (Windows 8 and later keep the last eight run times).
In this case, finding the prefetch file for the application the user used to open photos and videos gives one form of proof that the files were opened on the device, and where they were stored.
Prefetch files, like thumbcache, require a tool to parse the information they hold. They are located in \Windows\Prefetch
and named after the executable plus a hash of its path (for example MICROSOFT.PHOTOS.EXE-XXXXXXXX.pf); on Windows 10 the files are additionally compressed, which is why a parser rather than a text editor is needed. Eric Zimmerman's command-line tool PECmd is used for this example.
Enter the following command in the Windows command prompt:
> [PECmd Path]\PECmd.exe -f [prefetch file path]
The following example is used for Windows Photos' prefetch file.
Above, Microsoft Photos' prefetch file shows that the application ran 6 times on the local machine. The prefetch file for Microsoft Photos also lists what times the application ran on the machine.
Applications access a lot of files and folders; however, since PECmd is a command-line tool, its output can be filtered with findstr to find the specific files of interest. Prefetch stores referenced paths in uppercase as \VOLUME{...}\ device paths, so either use uppercase search terms or add findstr's /i switch. Images and videos can be searched for using the following command:
> [PECmd path]\PECmd.exe -f [prefetch file] | findstr "[search term]"
In the following example, the command searched the Microsoft Photos' prefetch file for JPG files that were accessed.
This can apply to searching for PNG, MP4, and other file types that may have been accessed by other applications.
Analysis
The images found using PECmd were:
- SAVANNAHCAT2.JPG
- SAVANNAHCAT.JPG
- STRAWBERRYFINCH2.JPG
- STRAWBERRYFINCH.JPG
- HAMSTERS2.JPG
- HAMSTERS.JPG
The found images were found below:
Not all of the downloaded images appear in the prefetch file because not all of them were opened with an application; some were only downloaded and never accessed.
A file listed in Microsoft Photos' prefetch file was read by Photos during one of its runs, which for an image viewer is strong evidence that the user opened it. The prefetch file does not record which run loaded which file, so pair it with the run timestamps and with other artifacts (thumbcache, Recent Items) to establish when.
DISCLAIMER
The default Windows video viewer, Movies & TV, did not generate a prefetch file in this testing. It is not yet known why.
Recycle Bin
When a file is deleted from a system, it is not immediately erased. In most cases Windows moves the file from its original path into the Recycle Bin, specifically into C:\$Recycle.Bin\[SID]\, where the SID subfolder identifies the user account that deleted it; the file stays there until the Recycle Bin is emptied. Files deleted with Shift+Delete, deleted from removable media, or larger than the bin's size limit bypass the Recycle Bin entirely.
Files that were intended to be deleted can therefore still be viewed in the Recycle Bin, including from a forensic image of the suspected device. However, the Recycle Bin splits each recycled file into two separate files:
$R______: a file starting with $R followed by six random characters and the original extension; it contains the actual content of the recycled file.
$I______: a file with the same six random characters and extension as the corresponding $R file. Unlike the $R file, $I holds metadata about the recycled file: the original filename and path, the file size, and when the file was deleted.
To understand and read how the Recycle Bin files are broken down, a tool is also needed. For this project, RBCmd by Eric Zimmerman was used, which works similarly to PECmd.
To read about the files that have been recycled, enter the following command.
> [RBCmd path]\RBCmd.exe -d "[$Recycle.Bin path]"
The -d switch tells the program to process an entire directory (hence 'd') and output every recycled item in it; -f parses a single $I file instead.
As shown above, RBCmd parses each $I file found in the recycle bin (listed as the source file) and reports the file size, the original file name and path, and the deletion time. In the example above, "puppies.jpg" was deleted from C:\Users\User\Downloads on 7 February 2021 at 22:43:26 (RBCmd reports timestamps in UTC by default).
Now, sometimes there are a lot of files in the Recycle Bin, which can be a lot of information to parse through. For that, it is possible to output the directory into the desired file format, such as CSV.
> [RBCmd path]\RBCmd.exe -d "[Path to $Recycle.Bin]" --csv "[output file path]"
This output will show something similar to below: a standard CSV format that contains the desired information that can later be opened in an Excel or Sheets program.
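The following is an added example, not part of the original wiki or of RBCmd, showing what RBCmd reads out of a $I file: an 8-byte version (1 on Vista through 8, 2 on Windows 10 and later), the original size, the deletion time as a FILETIME, and the original path in UTF-16LE (a fixed 520-byte field in version 1; a 4-byte character count followed by the string in version 2). The sample $I records are constructed to match the page's puppies.jpg example; its file size and the UTC interpretation of 22:43:26 are assumptions.

```python
"""Parse Windows Recycle Bin $I metadata files.

Added example, not part of the original wiki. Layout: 8-byte version
(1 = Vista/7/8, 2 = Windows 10 and later), 8-byte original file size, 8-byte
FILETIME of deletion, then the original path in UTF-16LE.
"""
import os
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Return the metadata stored in one $I file."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, original_size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 260-character (520-byte) NUL-padded path field.
        path = data[24:24 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # count includes the terminating NUL
        path = data[28:28 + 2 * nchars].decode("utf-16-le", "replace").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "original_size": original_size,
            "deleted_utc": filetime_to_datetime(deleted), "original_path": path}


def walk_recycle_bin(root):
    """Yield (SID folder, $I path, matching $R path or None, metadata) for every $I under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("$I"):
                continue
            i_path = os.path.join(dirpath, name)
            r_path = os.path.join(dirpath, "$R" + name[2:])   # same random suffix and extension
            with open(i_path, "rb") as f:
                meta = parse_dollar_i(f.read())
            yield os.path.basename(dirpath), i_path, (r_path if os.path.exists(r_path) else None), meta


def build_sample(version):
    """Constructed $I for the wiki's puppies.jpg example (size 93126 and UTC are assumptions)."""
    path = "C:\\Users\\User\\Downloads\\puppies.jpg"
    deleted = datetime(2021, 2, 7, 22, 43, 26, tzinfo=timezone.utc)
    head = struct.pack("<QQQ", version, 93126, datetime_to_filetime(deleted))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")


if __name__ == "__main__":
    for v in (1, 2):
        print(parse_dollar_i(build_sample(v)))
```

Point walk_recycle_bin at the $Recycle.Bin folder of a mounted image to list every recycled file with the SID of the account that deleted it; a $I without a matching $R means the content was emptied from the bin while the metadata record survived.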
Analysis
The images and videos found using RBCmd were:
- puppies.jpg
Not all of the images and videos were found using the Recycle Bin artifacts because not all of the files were recycled. Only files that were moved to the Recycle Bin will be found with this artifact.
There is little proof from $Recycle.Bin files that support the notion that a file, image, or video was viewed and accessed. However, these files do prove that the recycled contents once existed on the system.
Recent Items
Based on the data generation performed on the device, no jumplists were created.
Jumplists are an artifact that records the most recent or most frequently used files for an application. For example, right-clicking a web browser on the taskbar may list the most common or most recent sites; for File Explorer the entries may be frequently visited folders or pinned items. On disk they live in the AutomaticDestinations and CustomDestinations subfolders of the Recent folder described below.
This type of artifact is incredibly useful for gaining insight into the user's habits on the system; however, the data generation performed on the test machines did not produce jumplist files.
There is, however, a folder titled "Recent Items". It contains shortcuts to files/items recently accessed by the user, which provides information similar to jumplists. On disk the folder is:
Users\[user]\AppData\Roaming\Microsoft\Windows\Recent
(File Explorer displays this folder as "Recent Items".)
"Recent Items" contains .lnk shortcut files, one per recently accessed file. They are not copies of the files, but each shortcut records information about its target, visible by right-clicking the shortcut and selecting "Properties", or in full with an LNK parser such as Eric Zimmerman's LECmd.
This information includes the original path of the target, its file name and size, and the target's timestamps at the time the shortcut was last updated; the shortcut's own creation and modification times record the first and the most recent time the file was opened. The shortcuts remain in the folder even if the target has been permanently deleted (e.g. kittens2.jpg), moved to the Recycle Bin (e.g. puppies.jpg), or removed along with the external drive it was stored on (e.g. strawberryfinch2.jpg).
However, for targets that have been deleted, recycled or moved since they were accessed, the Properties dialog cannot resolve the target, so only the data stored inside the .lnk itself is available and the content cannot be viewed from here.
"Recent Items" also contains shortcuts to external drives that were accessed on the local machine.
As shown above, drive letters and volume labels are shown in Recent Items:
- Canada - F:
- HDD Test - F:
- SD Testing - F:
These are all of the external drives with volume labels that held images and videos of different animals. All three were assigned the drive letter F: at different times; the volume serial number stored inside each .lnk is what distinguishes them.
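The following is an added example, not part of the original wiki or of LECmd, that parses the fields of a .lnk relevant to Recent Items analysis: the target's size and timestamps from the 76-byte ShellLinkHeader, and the local path, volume label, serial number and drive type from the LinkInfo structure, following the MS-SHLLINK specification. The sample shortcut is constructed to resemble the strawberryfinch2.jpg entry on the "SD Testing" drive listed above; its timestamps, size and serial number are made up. Only ANSI LinkInfo strings are handled, and StringData and ExtraData (relative path, tracker block) are skipped.

```python
"""Parse the Recent Items-relevant fields of a Windows shortcut (.lnk).

Added example, not part of the original wiki. Layout per MS-SHLLINK:
ShellLinkHeader (76 bytes), optional LinkTargetIDList, optional LinkInfo.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1
DRIVE_TYPES = {0: "unknown", 2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def cstring(buf, offset):
    """NUL-terminated single-byte string starting at offset."""
    return buf[offset:buf.index(b"\x00", offset)].decode("cp1252", "replace")


def parse_lnk(data):
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"target_size": fsize, "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime), "target_modified": filetime_to_datetime(wtime),
            "local_base_path": None, "volume_label": None, "drive_serial": None, "drive_type": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]        # skip IDListSize and the IDList
    if flags & HAS_LINK_INFO:
        _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = pos + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, "other(%d)" % drive_type)
            info["drive_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)  # as `vol` displays it
            if label_off != 0x14:   # 0x14 means a UTF-16 label follows instead (not handled here)
                info["volume_label"] = cstring(data, vol + label_off)
            info["local_base_path"] = cstring(data, pos + base_off)
    return info


def build_sample_lnk():
    """Constructed shortcut to F:\\strawberryfinch2.jpg on a removable drive labelled
    'SD Testing' (modelled on the wiki's drive list; times, size and serial are made up)."""
    def ft(*args):
        return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))
    label, base = b"SD Testing\x00", b"F:\\strawberryfinch2.jpg\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1234ABCD, 16) + label
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(base) - 1           # CommonPathSuffix is empty: points at the NUL
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, base_off, 0, suffix_off) + volume_id + base
    id_list = struct.pack("<H", 2) + b"\x00\x00"    # empty IDList: just the TerminalID
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO,
                         0x20, ft(2021, 2, 5, 9, 0, 0), ft(2021, 2, 7, 22, 40, 0), ft(2021, 2, 5, 9, 0, 0),
                         204800, 0, 1, 0, 0, 0, 0)
    return header + id_list + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print("%-16s %s" % (key, value))
```

The drive_serial and volume_label fields are what let an examiner tell apart several external drives that were all mounted as F:, and match a shortcut to a physical device seized later. The header timestamps describe the target file, not the shortcut; the .lnk file's own filesystem timestamps give the first and last access.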
Analysis
The images found using Recent Items were:
- hamsters.jpg
- hamsters2.jpg
- kittens.jpg
- kittens2.jpg
- puppies.jfif
- puppies2.jpg
- savannahcat.jpg
- savannahcat2.jpg
- strawberryfinch.jpg
- strawberryfinch2.jpg
- turtles.jpg
- turtles2.jpg
The videos found using Recent Items were:
- hamsters.mp4
- kittens.mp4
- puppies.mp4
- savannahcat.mp4
- strawberryfinch.mp4
Not all images and videos appear in Recent Items because Windows only records the files it considers "recently accessed", that is, files that were actually opened.
The shortcuts in this folder are by no means a complete view of the content on the machine; however, they do provide evidence that the files they point to were recently opened by the user.
This folder, in conjunction with other evidence such as prefetch files, can solidify the conclusion that these files were intentionally viewed and accessed by the user, and indicates how recently in terms of the device's use.
YARA
YARA is a powerful pattern-matching tool that can scan an entire system for specific hashes, byte patterns, strings and more. This kind of scanning is especially useful when given a list of hashes of known illegal content, which can then be scanned quickly across whole drives or specific folders.
Check out Using YARA for more background on how to use YARA on a Windows system.
YARA hash searches (rules that use the hash module, for example hash.sha256(0, filesize) in the condition) were successful after running the following command:
> [Path to YARA]\yara.exe [Path to YARA rule]\[rule] -r [Target]
An example is seen below.
"> output.txt" at the end of the command redirects the output to output.txt for later viewing.
YARA successfully found the specified file, but it does take a long time to search an entire drive. That is believed to be worth it, as many hashes can be searched for at once, and YARA can run in the background while other queries are pursued on the device.
YARA has no built-in file-type test on Windows (the magic module, which wraps libmagic, is not available in the Windows builds), so making a rule that searches for file types required more research.
To have a more reliable search, file signatures were chosen to identify file types such as images and videos. A file signature (magic bytes) is a fixed byte sequence, usually at the start of a file, that tells software what format it is reading. Each file type has its own, which is effective in investigations because the signature survives renaming: if "suspicious.jpg" is renamed "not-suspicious.exe", the first bytes still match JPEG (FF D8 FF) rather than EXE (MZ). Note that a few formats keep their signature at a fixed offset other than zero; MP4/MOV containers, for instance, carry "ftyp" at offset 4, so the rule must anchor the pattern there rather than at the file start.
After copying the file signatures for different file types of images and videos, some tests were needed to find the reliability of these searches.
The above shows that pointing YARA at a test folder to find a video was successful based on the file signature that was provided.
After that, a rule for image searches was added and also proved successful.
However, searching an entire drive produced a large number of results, which in an investigation means many false positives: every image and video shipped with Windows also showed up in the results.
Analysis
All images and videos were found using YARA (with a lot of false positives).
YARA is an excellent tool that searches for matches on the drive or folder that it is pointed to search. YARA is especially excellent to search for specific hashes on a machine to find illegal content that is also previously known, which may be near other unknown content.
It is also possible to find previously unknown content using file signatures as discussed, but it comes with lots of false positives unless used appropriately.
DISCLAIMER
Searching with YARA for file types by signature, especially images and videos, creates a lot of false positives. A fresh Windows install already contains many images, all of which are picked up by YARA.
When using YARA to search by file type, point the rule not at the entire disk but at specific folders that mainly hold user content, and treat a signature match as a candidate for review or hash comparison rather than as a finding in itself.
For example, try pointing the YARA rule at the following:
- Users\[user]\Downloads
- Users\[user]\Desktop
- Users\[user]\AppData\Local
- Users\[user]\AppData\Roaming
- Users\[user]\AppData\Local\Temp
Try not to point the YARA rule at the following (it will result in A LOT of non-malicious, unwanted results):
- Program Files
- Program Files (x86)
- Windows
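The following is an added example, not the wiki's YARA rules, that does in plain Python what the signature rules and folder scoping above describe, so the logic can be checked offline: it walks a tree, prunes the Program Files and Windows folders, identifies files by (offset, magic) signature checks regardless of extension, flags extension mismatches such as a JPEG renamed to .exe, and compares each match's SHA-256 against a known-hash set. The directory tree, file contents and the "known" hash are constructed inside the script; signatures are (offset, bytes) pairs so that MP4's "ftyp" at offset 4 and AVI's two-part RIFF/"AVI " signature are handled correctly.

```python
"""Find image and video files by content signature and known hash, regardless of
extension, skipping OS and vendor folders.

Added example, not the wiki's YARA rules. Sample tree and hashes are constructed.
"""
import hashlib
import os
import shutil
import tempfile

# Each format lists (offset, magic) checks that must all match.
SIGNATURES = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "gif":  [(0, b"GIF8")],
    "bmp":  [(0, b"BM")],
    "mp4":  [(4, b"ftyp")],                  # ISO BMFF: 4-byte box size, then 'ftyp'
    "avi":  [(0, b"RIFF"), (8, b"AVI ")],    # RIFF alone would also match WAV
}
EXPECTED_EXT = {"jpeg": {"jpg", "jpeg", "jfif"}, "png": {"png"}, "gif": {"gif"},
                "bmp": {"bmp"}, "mp4": {"mp4", "m4v", "mov"}, "avi": {"avi"}}
# Folder names to prune, compared case-insensitively, per the wiki's advice.
NOISY_DIRS = {"program files", "program files (x86)", "windows"}


def identify(header):
    """Return the format whose signature checks all match the header bytes, else None."""
    for kind, checks in SIGNATURES.items():
        if all(header[off:off + len(magic)] == magic for off, magic in checks):
            return kind
    return None


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, known_hashes=frozenset(), skip_dirs=NOISY_DIRS):
    """Walk root and return one record per file whose content matches a signature."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in skip_dirs]   # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    kind = identify(f.read(16))
            except OSError:
                continue
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            digest = sha256_file(path)
            hits.append({"path": path, "type": kind, "extension": ext,
                         "extension_mismatch": ext not in EXPECTED_EXT[kind],
                         "sha256": digest, "known_hash": digest in known_hashes})
    return hits


def demo():
    """Build a constructed directory tree (sample data only) and scan it."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    files = {
        "Users/User/Downloads/not-suspicious.exe": jpeg,                             # renamed JPEG
        "Users/User/Downloads/clip.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32,
        "Users/User/Downloads/notes.txt": b"just text\n",
        "Windows/Web/Wallpaper/noise.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,      # pruned
    }
    root = tempfile.mkdtemp()
    try:
        for rel, content in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        known = {hashlib.sha256(jpeg).hexdigest()}   # stands in for a list of known-content hashes
        return scan(root, known_hashes=known)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["type"], hit["extension"], hit["extension_mismatch"], hit["known_hash"], hit["path"])
```

Point scan() at a mounted image or a user profile instead of the demo tree. Signature hits with extension_mismatch set are the files worth a closer look; known_hash hits are the ones a hash list already identifies and need no manual review to classify.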
Implications
Some content is illegal regardless of whether the image or video has been viewed, as possession alone is the offence. This is not always the case with images and videos, though, so proof that the files were viewed, from thumbcache entries showing them displayed in File Explorer or from prefetch files showing them loaded by an image-viewing program, is essential to establish that the images were accessed.
Finding images and videos on a system is greatly assisted by YARA, especially when hashes of the specific files being sought are available. Thumbcache and YARA can both prove that illicit images and videos existed on the system, Recent Items shows that they were opened, and RBCmd assists in finding and viewing deleted images that once existed on the system.