# Search History in File Explorer

#### **1. Introduction**

WordWheelQuery is a Windows registry artifact that stores the history of search terms the user entered in File Explorer.

It allows the examiner to identify:

* Search terms typed by the user
* Quantity and frequency of searches
* Indicators of user intent (e.g., *“password”, “secret”, “.zip”, “.pdf”*)
* Recent activity on the system
* Possible attempts to locate sensitive or deleted files

**Storage location:**

```
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
```

Each entry is indexed numerically:

```
0, 1, 2, 3...
```

Each numbered value contains the corresponding search term.

***

#### **2. Tools**

#### **Registry Explorer (Eric Zimmerman)**

*Search History in File Explorer: WordWheelQuery key and search keywords*

Allows you to open **NTUSER.DAT** and navigate to the WordWheelQuery key.

It displays:

* Numbered list of search terms
* Chronological order (MRU)
* Associated timestamps (when available)
* Decoded and well-organized data

***

#### **3. Practical Example: Analyzing WordWheelQuery**

**Obtain the NTUSER.DAT hive**

```
C:\Users\<username>\NTUSER.DAT
```

***

#### **Method 1: Using Registry Explorer**

1. Open **Registry Explorer**
2. Go to **File → Load Hive → select NTUSER.DAT**
3. Navigate to:

```
Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
```

You may see something like:

**Practical Interpretation:**

* Entry **0** is the **most recent** search term.
* Searches such as `*.zip` may indicate interest in compressed files.
* Terms like *"password"*, *"secret"*, *"key"* usually indicate intentional searching.
* Sensitive search terms help identify user behavior before an incident.

***

#### **Method 2: Using RegRipper**

**Command:**

```
rip.exe -r NTUSER.DAT -p wordwheelquery
```

**Typical output:**

```
[WordWheelQuery]
0 -> "password"
1 -> "report2024"
2 -> "*.pdf"
MRUOrder: 0,1,2
```

**Interpretation:**

* Displays search terms clearly
* Shows the precise order of the searches
* Excellent for including directly in a forensic report
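
The same decoding can be scripted for triage across many hives. The block below is an added example, not code from the original page, RegRipper or Registry Explorer. It assumes the key's value data has already been exported as raw bytes, that each term is stored as NUL-terminated UTF-16LE, and that the order is held in an `MRUListEx` value of 32-bit little-endian indexes ending with `0xFFFFFFFF`; the function names and keyword list are illustrative.

```python
import struct

# Indicator substrings from the page's examples of intent-revealing terms.
SENSITIVE = ("password", "secret", "key", ".zip", ".pdf")

def decode_term(raw: bytes) -> str:
    """Decode one value: UTF-16LE text, cut at the first NUL terminator."""
    even = raw[: len(raw) - (len(raw) % 2)]  # tolerate a truncated trailing byte
    return even.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def parse_mrulistex(raw: bytes) -> list:
    """Return value indexes, most recent first; the list ends at 0xFFFFFFFF."""
    order = []
    for off in range(0, len(raw) - 3, 4):
        (idx,) = struct.unpack_from("<I", raw, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def search_history(values: dict) -> list:
    """Rows ordered by MRUListEx, each flagged if it matches SENSITIVE."""
    rows = []
    for rank, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        # An index listed in MRUListEx without a matching value is kept as a
        # row with term=None so the gap is visible in the report.
        term = decode_term(raw) if raw is not None else None
        hit = term is not None and any(s in term.lower() for s in SENSITIVE)
        rows.append({"rank": rank, "entry": idx, "term": term, "sensitive": hit})
    return rows

def utf16z(text: str) -> bytes:
    """Helper for building constructed sample data."""
    return (text + "\x00").encode("utf-16-le")

# Constructed sample mirroring the RegRipper output shown on the page.
SAMPLE = {
    "0": utf16z("password"),
    "1": utf16z("report2024"),
    "2": utf16z("*.pdf"),
    "MRUListEx": struct.pack("<4I", 0, 1, 2, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for row in search_history(SAMPLE):
        print(row)
```

The keyword match is a plain substring test, so a flagged row is a lead to review, not a conclusion.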
