TypedURLs (Part 1)

by Paul Nichols

Forensic examiners many times rely on the TypedURLs Registry key in order to ascertain certain user-based web browsing activity.  Based on the name, this artifact would seem to contain any URL (Uniform Resource Locator) that is typed into the Internet Explorer browser.

But is this always the case?  [The impetus for writing this blog came after reading about a court case in Connecticut involving a substitute school teacher named Julie Amero who was convicted of a crime based on certain web-browsing artifacts found on the computer in her classroom.]

A little about this Registry key itself:

The TypedURLs entry can be found in the root key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs, meaning that it is specific to the user currently logged in to Windows.  This key’s purpose is to increase the overall user experience by populating the URL drop down menu and allowing for AutoComplete functions based on previously visited websites.  Microsoft attempts to make their applications more user friendly by remembering user preferences.

The following is a screenshot of this registry key as seen through Regedit:

Figure 1 - TypedURLs key viewed with Regedit

From this image you can see that the keys are stored as string values with the naming convention of url1, url2, etc, with the resource saved as the value for the key.  The key url1 represents the most recently updated entry.  When a new URL is typed, it is designated as url1 and the original url1 becomes url2.  The Registry can store a maximum of 25 entries in this key before purging older records.

But how do theseTypedURLs make their way into the Registry?  In order to ascertain the answer to this question, the function of Internet Explorer (IE), the operating system and the Registry were tested and analyzed.

Not only is the TypedURLs key populated by the user typing in a website, for instance, it is also updated and populated with URLs completed by the browser’s AutoComplete functionality.  For instance, if http://espn.com has previously been typed, if the user typed “es,” they would be prompted to select “espn.com.”  If they did, the Registry key would be updated, with url1 being set as “espn.com.”  Also, if the user selected the arrow for the URL address bar drop-down menu and selected a URL, this would also update the Registry key appropriately (as the URL drop-down menu in IE6 is populated by the TypedURLs key).  In IE8, the top entries of the drop-down menu are parsed from the TypedURLs key, while the sections “History” and “Favorites” are culled from the user’s index.dat file.

If a link is copied and pasted from a web page to the URL address bar and the user hits enter, this will also populate the key, as this is akin to physically typing in the entire address.  If an invalid address of a webpage or resource that cannot be located is entered, the key will not be populated until either the connection or the request is completed (whether it succeeded or failed).  If IE’s Stop function is selected before the connection is finished or the resource is located, the key will not be populated.

It is important to note that websites visited with the browser via hyperlinks, redirects, the IE Favorites menu or the user’s home page will not populate this key.  Also, when a user selects to delete their browsing history using IE’s built-in function, this key is cleared.

The TypedURLs key is populated differently for different versions of both Internet Explorer and Windows.  For IE6, the Registry key is only written when the browser is closed properly.  If the iexplore.exe process is killed with the Task Manager or using the command line operation taskkill, for instance, this key would NOT be populated.  In IE8, the key is populated in real time, regardless of whether the browser is opened, closed properly or the iexplore.exe process is killed.

When looking at Figure 1 above, the resource “C:\Program Files” appears in the TypedURLs key.  Why is this?  Well in Windows XP (tested on SP2 and SP3), when a resource, file or directory is typed into the Windows Explorer address bar, this Registry key is written.  Again, this key is written when Windows Explorer is closed properly and may shed some light on a user’s actions on a given computer.

On the other hand, the TypedURLs key is not written in Windows 7 when a file or directory is entered into the Windows Explorer address bar (tested on Windows 7 Ultimate).

Is there any other mechanism for writing to the TypedURLs key, other than the aforementioned ways?  Can it possibly be written by actions which have not been typed by the user or AutoCompleted by the browser?

Stay tuned for Part 2 of this blog entry…or go here.

Comments are closed.