When we want to know whether a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine is the Registry and particularly its MRU keys. However, it seems this is not always the case.
During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least was not aware of, concerning how to verify whether the file contained within the zip archive had been opened. Regarding WinZip, there are mainly two keys of interest in the NTUSER.dat Registry hive:
In that specific Retefe case, from an initial triage via RegRipper 2.8, I could only find an entry in the mru\archives subkey, while the extract key was empty.
However, I knew from the network IOCs that the .js file was run by the user, but from the registry it looks like the archive has not been extracted. This caught my attention: if a file is run within the WinZip explorer window, does it get stored in the MRU registry key as usually expected?
Analysis and Tests Results
I started searching online, but the closest thing I found was a post from Patrick Olsen, WinZip MRU Tool Check: an interesting read for understanding a bit more about the registry key content, but it did not answer my question. Therefore, I ran some tests myself with the following scenarios (WinZip 20.0 on a Windows 7 machine):
Test results were the following:
The case of the Office document is apparently a particular one. That is due to the so-called Pick up where you left off feature introduced with Office 2013. In the other case, the pdf file is not listed in any MRU registry key or anywhere else. Moreover, since it was not extracted, there were no traces in the MFT either.
If a user opens a document/file contained inside a zip archive by double-clicking directly from the WinZip explorer view, it will not be recorded in the Registry. The only case where you may have some luck is if all of the following three conditions are met:
In such case, you will have evidence in the NTUSER.dat reading locations key (\Software\Microsoft\Office\15.0\
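To turn the findings above into a repeatable triage step, here is an added example (not code from the diary or from RegRipper) that takes registry artifacts already pulled from NTUSER.dat as (key path, value name, data) tuples and reports which of the three situations applies to a given archive member. The WinZip key fragments, the "Reading Locations" subkey name below the Office 15.0 prefix, and the sample values are assumptions constructed for the example.

```python
"""Triage helper for the WinZip question in this diary: what do the NTUSER.dat
artifacts say about a file that lived inside a zip archive?"""
import ntpath

OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# Assumed key fragments: the diary names the WinZip mru\archives and extract keys
# and the Office 15.0 reading-locations key, but not their full paths.
WINZIP_ARCHIVES = "winzip\\mru\\archives"
WINZIP_EXTRACT = "winzip\\extract"
OFFICE_15_PREFIX = "software\\microsoft\\office\\15.0\\"
READING_LOCATIONS = "reading locations"


def _norm(path):
    return path.replace("/", "\\").lower()


def _values_under(artifacts, key_fragment):
    """All (key, name, data) tuples whose key path contains key_fragment."""
    return [a for a in artifacts if key_fragment in _norm(a[0])]


def _mentions(values, needle):
    needle = needle.lower()
    return [a for a in values if needle in str(a[2]).lower()]


def assess_archive_member(archive_path, member_name, artifacts):
    """Classify the registry evidence for member_name inside archive_path."""
    archive_name = ntpath.basename(archive_path)
    member_base = ntpath.basename(member_name)
    ext = ntpath.splitext(member_base)[1].lower()
    archive_mru = _mentions(_values_under(artifacts, WINZIP_ARCHIVES), archive_name)
    extract_vals = _values_under(artifacts, WINZIP_EXTRACT)
    extracted = _mentions(extract_vals, archive_name) + _mentions(extract_vals, member_base)
    reading = [a for a in _mentions(_values_under(artifacts, READING_LOCATIONS), member_base)
               if OFFICE_15_PREFIX in _norm(a[0])]
    if extracted:
        verdict = "extracted"                  # expect the file on disk and in the MFT too
    elif ext in OFFICE_EXT and reading:
        verdict = "opened_in_place"            # Office 2013 'pick up where you left off'
    elif archive_mru:
        verdict = "archive_opened_no_member_evidence"  # the Retefe .js situation
    else:
        verdict = "no_registry_evidence"       # absence is not proof: check network/MFT
    return {"verdict": verdict, "archive_in_mru": bool(archive_mru),
            "extract_key_populated": bool(extract_vals), "reading_location": bool(reading)}


# Constructed sample modelled on the Retefe triage: archive in mru\archives, extract
# empty, plus one Word document opened straight from the WinZip window.
SAMPLE = [
    (r"Software\Nico Mak Computing\WinZip\mru\archives", "xa0", r"C:\Users\alice\Downloads\invoice.zip"),
    (r"Software\Microsoft\Office\15.0\Word\Reading Locations\Document 0", "File Path",
     r"C:\Users\alice\AppData\Local\Temp\wz1234\report.docx"),
]
```

Running `assess_archive_member(r"C:\Users\alice\Downloads\invoice.zip", "invoice.js", SAMPLE)` reproduces the diary's situation (archive listed, no evidence for the member), while the same call for `report.docx` lands on the Office reading-locations case.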
Are you aware of files other than Office documents that may get stored somewhere else in the registry in this WinZip scenario?
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.