
Insider Threat Matrix™

  • ID: ME011
  • Created: 25th May 2024
  • Updated: 03rd July 2025
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Screenshots and Screen Recording

A subject can take screenshots or record their screen on a device.

Prevention

PV001 - No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Detection

DT133 - Snipping Tool Autosave Setting Modification

Settings data for Snipping Tool on Windows 11 is stored in a registry hive file located at C:\Users\JBeam\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings\Settings.dat. Using a tool such as Registry Explorer, investigators can load this registry hive and review the contents. The value of two settings can help determine whether the subject has disabled automatic saving of screenshots (snips) or screen recordings: AutoSaveCaptures and AutoSaveScreenRecordings.


A value beginning with F0-FF-FF-FF-00 means this setting is disabled

A value beginning with F0-FF-FF-FF-01 means this setting is enabled

DT131 - Snipping Tool Cached Recordings

In Windows 11 the Snipping Tool utility, with default settings, saves screen recordings to the %USER%\Videos\Screen Recordings directory. The output directory can be changed in the Snipping Tool settings. These MP4 files use the naming convention Screen Recording YYYY-MM-DD HHMMSS.mp4, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via media capture.

DT129 - Snipping Tool Cached Screenshots

In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the %USER%\Pictures\Screenshots directory. The output directory can be changed in the Snipping Tool settings. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.

DT132 - Snipping Tool TempState\Recordings

In Windows 11 the Snipping Tool utility, when the “Automatically save original screen recordings” setting is manually toggled to disabled, will continue to save recordings to the %USER%\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Recordings directory. This is a fallback artifact from DT131 Snipping Tool Cached Recordings. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screen recordings.

DT130 - Snipping Tool TempState\Snips

In Windows 11 the Snipping Tool utility, when the “Automatically save original screenshots” setting is manually toggled to disabled, will continue to save screenshots to the %USER%\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips directory. This is a fallback artifact from DT129 Snipping Tool Cached Screenshots. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.
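The following is an added triage helper, not part of the ITM page, that ties the detections above together: it classifies raw AutoSaveCaptures / AutoSaveScreenRecordings values by the byte prefixes documented in DT133, and orders captures found in the default or TempState directories (DT129 to DT132) by the timestamp encoded in their file names. The raw value bytes and file paths in the sample are constructed; a real analysis would feed in values exported from Settings.dat and a directory listing of the image.

```python
import re
from datetime import datetime

# Byte prefixes the page documents for the AutoSaveCaptures and
# AutoSaveScreenRecordings values inside the Snipping Tool Settings.dat hive.
DISABLED_PREFIX = bytes.fromhex("F0FFFFFF00")
ENABLED_PREFIX = bytes.fromhex("F0FFFFFF01")

# Naming convention of captures in the autosave and TempState directories.
CAPTURE_NAME = re.compile(r"^(?P<kind>Screenshot|Screen Recording) "
                          r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{6})\.(?:png|mp4)$")

def autosave_state(raw: bytes) -> str:
    """Classify a raw Settings.dat value as enabled, disabled or unknown."""
    if raw.startswith(DISABLED_PREFIX):
        return "disabled"
    if raw.startswith(ENABLED_PREFIX):
        return "enabled"
    return "unknown"

def parse_capture_name(filename: str):
    """Return (kind, datetime) for a Snipping Tool file name, else None."""
    m = CAPTURE_NAME.match(filename)
    if not m:
        return None
    stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H%M%S")
    return m["kind"], stamp

def build_timeline(paths):
    """Order recognised captures by the timestamp encoded in the file name."""
    events = []
    for path in paths:
        parsed = parse_capture_name(path.rsplit("\\", 1)[-1])
        if parsed:  # skip thumbnails and anything not named by the tool
            kind, stamp = parsed
            events.append((stamp.isoformat(), kind, path))
    return sorted(events)

if __name__ == "__main__":
    # Constructed sample data: each prefix plus an arbitrary 8-byte tail, and
    # paths from both the default and the TempState fallback directories.
    settings = {"AutoSaveCaptures": bytes.fromhex("F0FFFFFF00" + "00" * 8),
                "AutoSaveScreenRecordings": bytes.fromhex("F0FFFFFF01" + "00" * 8)}
    temp = r"C:\Users\JBeam\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState"
    files = [temp + r"\Snips\Screenshot 2025-07-03 142530.png",
             r"C:\Users\JBeam\Videos\Screen Recordings\Screen Recording 2025-07-03 141005.mp4",
             temp + r"\Snips\thumbnail.png"]
    print({name: autosave_state(raw) for name, raw in settings.items()})
    for event in build_timeline(files):
        print(*event)
```

A "disabled" result for either setting is the cue to collect from the TempState\Snips or TempState\Recordings fallback directory rather than the default Pictures or Videos folder.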