Registry forensics for insider data theft
The call that starts an insider threat case is rarely a clean "someone stole the customer list." It is HR telling you a salesperson resigned Friday and joined a competitor Monday, and legal wants to know what they touched before they left. You have the laptop. The question is concrete: what did this user access, what did they copy, and where did it go. Insider threat registry forensics answers a large part of that, and it answers it with user attribution baked in — because the artifacts that matter live in per-user hives.
That last point is the whole game. The malware case asks "what ran on this host." The data theft case asks "what did this person do," and on a multi-user box, or a domain laptop with a roaming profile, "the host did it" is not an answer a tribunal accepts. The registry is good at attribution precisely because most of the interesting activity is recorded under NTUSER.DAT and UsrClass.dat, keyed to the user's SID. Pull the right hive for the right account and the activity is already attributed for you.
Here is how the artifacts fit together into a workflow, what each one actually gives you, and where the gotchas will bite. For the broader investigative framing — timeline-building, hive triage, correlation across artifact families — see the registry forensics investigations pillar.
The artifacts that matter
Group them by the question they answer: what device did the data leave on, what files and folders did the user touch, and what channel carried it off the box.
Removable media — the USB exfil path
- USBSTOR (SYSTEM): every USB mass-storage device ever attached — vendor, product, and the device serial number. This is your device identity. Host-level, not per-user.
- MountPoints2 (NTUSER.DAT): this is the per-user attribution bridge. MountPoints2 records the volume GUIDs a specific user mounted. A device in USBSTOR proves the stick touched the machine; the same volume GUID under a user's MountPoints2 proves that user had it mounted in their session.
- WPD / portable devices (SOFTWARE, NTUSER.DAT): phones, cameras, and MTP devices that never present as a mass-storage volume and so never land in USBSTOR. People forget these. An iPhone plugged in over MTP and used to pull files is a real exfil channel and it shows up under the Windows Portable Devices keys, not the disk-storage ones.
File and folder access — what the user actually opened
- ShellBags (UsrClass.dat): every folder the user browsed in Explorer, including folders on removable media and network shares, with volume serial numbers — surviving after the folder, and the device, are gone. The anchor artifact for "did they navigate here."
- RecentDocs (NTUSER.DAT): the files the user recently opened, by extension, with MRU ordering. Document-level, not folder-level — the complement to ShellBags.
- Open/Save MRU (comdlg32) (NTUSER.DAT): the common-dialog history — OpenSavePidlMRU and LastVisitedPidlMRU. This is where a Save As to a USB drive or a file → attach in a browser leaves a fingerprint. It captures the act of writing a file out, which is exactly the verb you care about in a theft case.
Exfil channels — typed destinations and transfer clients
- TypedPaths and TypedURLs (NTUSER.DAT): paths the user typed into the Explorer address bar (\\fileserver\share, a OneDrive folder, a mapped drive) and URLs typed into the address bar. Intent, in the user's own keystrokes — a typed UNC path to a share they had no business in is a strong signal.
- PuTTY and WinSCP saved sessions (NTUSER.DAT): saved hostnames, usernames, ports, key paths, and last-used directories for SSH/SFTP clients. When the exfil channel is "scp it to a box I control," this is where the destination host is written down.
A working order
Mount the hives and work the question in the order the data flows: identify the user, then the device, then what crossed onto it, then the off-box channel.
- Pull the right hives for the right account. NTUSER.DAT and UsrClass.dat for the suspect's profile — not the admin's, not the default. On a shared machine this is the single most common mistake. Add SYSTEM and SOFTWARE for the host-level device and portable-device history. Drop the .LOG1/.LOG2 files alongside so in-flight writes get replayed.
- Establish the device. USBSTOR (and the WPD keys) for the device identity and serial. Note the first/last connection where available.
- Attribute the device to the user. Match the volume GUID from MountPoints2 in the suspect's NTUSER.DAT to the device. Now you can say this user mounted this device, not just "the host saw it."
- Reconstruct navigation. ShellBags for folders browsed on that device's volume serial; RecentDocs for documents opened; comdlg32 Open/Save MRU for files written out via a dialog. These three together turn "a device was mounted" into "the user opened and saved these specific files to it."
- Map the off-box channels. TypedPaths/TypedURLs for shares and cloud folders; PuTTY/WinSCP sessions for SFTP destinations. A saved WinSCP session pointing at a personal VPS, last-used the week of resignation, tells its own story.
- Build the timeline and correlate. Drop every timestamped record onto one timeline and cross-check against file-system and log artifacts (below). The registry gives you the skeleton; the corroboration makes it stand up.
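As an added example (not the page's own tooling), here is the attribution and timeline step of that order in Python over constructed parser output: the SIDs, device serials, volume GUIDs, paths, the 203.0.113.7 host and every timestamp are made up, and the volume GUID for each USBSTOR entry is assumed to have been resolved already (for instance through SYSTEM\MountedDevices) before the records reach this script.

```python
from datetime import datetime

# Constructed sample records standing in for parser output; every SID, serial, GUID,
# path, host and timestamp below is made up for this example.
JDOE, ADMIN = "S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-500"
USBSTOR = [  # SYSTEM hive, host-level; volume_guid assumed pre-resolved (e.g. via SYSTEM\MountedDevices)
    {"serial": "4C530001230416", "product": "SanDisk Cruzer", "volume_guid": "{1f2e3d4c-0001}"},
    {"serial": "070A1B2C3D4E", "product": "Kingston DataTraveler", "volume_guid": "{1f2e3d4c-0002}"},
]
PROFILELIST = {JDOE: r"C:\Users\jdoe", ADMIN: r"C:\Users\Administrator"}  # SOFTWARE\...\ProfileList
MOUNTPOINTS2 = {  # per user, from that profile's NTUSER.DAT: (volume GUID, key LastWrite)
    JDOE: [("{1f2e3d4c-0001}", "2026-03-06T17:42:12Z")],
    ADMIN: [("{1f2e3d4c-0002}", "2025-11-02T09:05:03Z")],
}
USER_RECORDS = [  # (SID, plugin, timestamp, detail) from the other NTUSER.DAT / UsrClass.dat plugins
    (JDOE, "ShellBags", "2026-03-06T17:43:05Z", r"E:\Clients\2026"),
    (JDOE, "RecentDocs", "2026-03-06T17:44:30Z", "2026_pipeline.xlsx"),
    (JDOE, "OpenSavePidlMRU", "2026-03-06T17:45:01Z", r"E:\Clients\2026\2026_pipeline.xlsx"),
    (JDOE, "WinSCP", "2026-03-09T08:12:00Z", "sftp://jdoe@203.0.113.7"),
]
# Findings are worded as access and connection facts; nothing here claims a copy happened.
FACT = {"ShellBags": "browsed folder {}", "RecentDocs": "opened a file named {}",
        "OpenSavePidlMRU": "wrote a file out through a Save dialog to {}",
        "WinSCP": "had a saved SFTP session to {}"}

def sid_to_username(sid):
    """Resolve a SID through ProfileList before any name goes into a report."""
    path = PROFILELIST.get(sid)
    return path.rsplit("\\", 1)[-1] if path else None

def attribute_devices(usbstor=USBSTOR, mountpoints2=MOUNTPOINTS2):
    """Map each USBSTOR serial to the SIDs whose own MountPoints2 holds its volume GUID."""
    serial_by_guid = {d["volume_guid"]: d["serial"] for d in usbstor}
    owners = {d["serial"]: [] for d in usbstor}
    for sid, entries in mountpoints2.items():
        for guid, _ in entries:
            if guid in serial_by_guid:
                owners[serial_by_guid[guid]].append(sid)
    return owners

def build_timeline(sid):
    """Merge one user's mount and access records into (timestamp, source, fact) tuples in time order."""
    label = {d["volume_guid"]: f'{d["product"]} serial {d["serial"]}' for d in USBSTOR}
    events = [(ts, "MountPoints2", f"mounted {label.get(guid, guid)}")
              for guid, ts in MOUNTPOINTS2.get(sid, [])]
    events += [(ts, src, FACT[src].format(detail)) for s, src, ts, detail in USER_RECORDS if s == sid]
    return sorted(events, key=lambda e: datetime.fromisoformat(e[0].replace("Z", "+00:00")))
```

Running build_timeline on the administrator's SID returns only the Kingston mount from 2025, which is the wrong-profile trap from the first step made visible: the same host, a different person's session.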
Gotchas
The registry shows access and connection, not contents. This is the cardinal rule and the one that gets misstated in reports. A RecentDocs entry for 2026_pipeline.xlsx proves the user opened a file with that name. It does not prove what was in it, and it does not prove the file was copied. ShellBags prove navigation, not exfiltration. Write your findings as access and connection facts, then corroborate the copy with file-system artifacts: the MFT and USN journal for file creation on the destination volume, LNK files and jump lists for precise open events, Prefetch for the transfer client actually executing.
Per-user means per-hive. Everything in NTUSER.DAT and UsrClass.dat belongs to one user. Parse the wrong profile and you have attributed the wrong person's activity. Confirm the SID-to-username mapping (SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) before you write a name into a report.
Roaming profiles cross machines. On a domain with roaming profiles, a NTUSER.DAT may carry activity performed on a different host. The hive does not record which machine it was written on. Pin activity to a specific host with Prefetch and EVTX on that host, not registry timestamps alone.
MRU position is approximate, LastWrite is misread constantly. MRU ordering reflects last-updated, not strict chronology when sessions overlap. A subkey's LastWrite updates when its children change, which is not the same as a user-activity event. The ShellBags deep-dive walks through the lazy-write traps in detail — they apply across these MRU artifacts too.
Anti-forensic cleanup leaves holes, not silence. A user who clears RecentDocs or deletes a saved session removes that record but rarely the corroborating ones. Absence of a RecentDocs entry is not absence of access when the ShellBag, the LNK, and the USN record survive.
Work the case in your browser
You can run this entire workflow in the browser-based parser without uploading anything — the hives are read and parsed client-side and discarded when you close the tab, which keeps NTUSER.DAT and the rest inside your chain of custody. Drop the suspect's NTUSER.DAT and UsrClass.dat plus the host SYSTEM and SOFTWARE, and the relevant plugins route automatically: USBSTOR and MountPoints2, ShellBags, RecentDocs, comdlg32, TypedPaths/TypedURLs, and the PuTTY/WinSCP session parser.
Use the timeline view to merge the timestamped output from each plugin into one chronology, then export JSON/CSV/Markdown with the source hive's SHA-256 for your case notes. The narrative you want — user mounted device on date, navigated these folders, saved these files, then connected to this SFTP host — is what falls out when the per-user artifacts line up on a single timeline.
Related
- Registry forensics for investigations — the investigative pillar this workflow sits under.
- USBSTOR and MountPoints2 — removable-media identity and per-user attribution.
- ShellBags, RecentDocs, Open/Save MRU — folder and file access.
- TypedPaths and TypedURLs, PuTTY/WinSCP sessions — exfiltration channels.