28.04.2020

Reconstructing User Activity for Forensics with FeatureUsage

Oleg Skulkin
Senior Digital Forensics Analyst at Group-IB
I'm sure, you already heard about some forensic-friendly features introduced in Windows 10. A good example is Windows 10 Timeline. Recently I spotted another useful feature that can help forensic analysts and incident responders to reconstruct user activities. It's called FeatureUsage.
So what does it track and where are forensic artifacts located? It tracks events associated with Task Bar, for example, when a user runs an application pinned to it. FeatureUsage artifacts are located in NTUSER.DAT registry file under the following key:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
You can find a few subkeys under this key:
Figure 1. FeatureUsage subkeys
Let's look inside every subkey:

AppBadgeUpdated. This subkey keeps track of badge updates for applications on Task Bar. For example, if you use Telegram and get a new message, you can see a red icon on application's badge with number of new messages. So here we can find application's path and the number of badge updates:
Figure 2. The number of Telegram badge updates
AppLaunch. This subkey logs launches of applications, which are pinned to Task Bar. Of course, not every user pins applications, but if he or she does, you'll have a good amount of digital evidence:
Figure 3. Microsoft Edge launch count
AppSwitched. This subkey logs left clicks on Task Bar applications when a user wants to switch from one to another. This subkey is most interesting from a forensic perspective as it may contain a great number of records, which may be the source of evidence of execution:
Figure 4. Evidence of Mimikatz execution
ShowJumpView. This subkey tracks right clicks on Task Bar applications. A user may do it, for example, to check or open recent files. This may be an additional artifact pointing to most frequently used applications:
Figure 5. ShowJumpList data for Microsoft Word
TrayButtonClicked. This subkey tracks left clicks on the following Task Bar items: Clock button, Start button, Notification Center button and Search box. As in previous examples, you can see the number of clicks on each item:
Figure 6. The number of clicks on Task Bar items
Windows registry has always been a good source of digital evidence, and it's always good to have another useful artifact source it may offer. There are many different sources of evidence of execution, but it's always not enough, because you'll never know where you can find the key artifact at your next forensic examination or incident response engagement.