1. Open/Save MRU Artifacts:
This key keeps a history of the files a user has opened or saved through the standard Windows Open/Save dialog. Because that dialog is shared by most applications, the key records activity across many programs at once, not just Explorer, and gives a broad view of the user's file activity.
Location in the Registry
The Open/Save MRU data lives under the ComDlg32 key of the user's hive. On Windows Vista and later the subkey is OpenSavePidlMRU (OpenSaveMRU on XP); beneath it, one subkey per file extension holds that extension's most recent entries, and the "*" subkey holds the most recent entries regardless of extension. To query it on a live system (with /s to recurse into the extension subkeys):
Command:-
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU /s
On disk this artifact is stored in the user's hive at C:\Users\<Username>\NTUSER.DAT. Because the key sits under HKCU, there is one copy per user profile.
Collect All 3 Artifacts
From an elevated command prompt, a single key can be exported as a hive file:
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU C:\Users\User\Downloads\output.hiv
(This writes the subtree to a hive-format file that can be loaded in Registry Explorer or another hive parser for further analysis. Note that reg save only sees the currently logged-on user's HKCU; for other accounts, export their NTUSER.DAT instead.)
Crafting a Seamless Forensic Workflow
To craft a seamless forensic workflow, consider the following steps:
KAPE Automation: Use KAPE to collect the artifact files, including NTUSER.DAT for every user profile, automatically and repeatably.
Manual Extraction: For a hands-on approach, query and export the keys directly from the registry as shown above.
Forensic Image Considerations: Make sure every user's NTUSER.DAT hive is captured in your forensic image; all three artifacts in this post live in that hive.
If you are using FTK Imager, export the NTUSER.DAT hive from each user profile found in the image.
--------------------------------------------------------------------------------------------------------
2. Recent Files
The RecentDocs key tracks the last files and folders opened through Explorer and feeds the "Recent" entries of the Start menu, which makes it a key source for reconstructing what a user worked on and when. It lives in the NTUSER.DAT hive of each user:
Through Registry
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Through Cmd: Query
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs /s
Through Cmd: Manual extraction (elevated prompt)
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs C:\Users\User\Downloads\output.hiv
The RecentDocs key holds three kinds of data:
Overall: The values directly under RecentDocs track the last 150 files or folders opened, of any type. The MRUListEx value records the order in which they were opened, most recent first; the numbered value names themselves do not reflect order. The key's last-write time corresponds to when the first entry in that list, the most recently opened file or folder, was opened.
Specific Extension: Each extension subkey (for example .txt or .docx) stores the last files opened with that extension, with its own MRUListEx tracking their order. The subkey's last-write time corresponds to when the most recent file with that extension was opened.
Folder: This subkey records the last folders opened, again with an MRUListEx giving the order. Its last-write time corresponds to when the most recent folder was opened.
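As an added example (not code from the original post, nor from KAPE, Registry Explorer or any other tool named here), the following Python decodes the two structures the RecentDocs section relies on: the MRUListEx ordering and the per-entry value data, whose first field is the opened file or folder name as a NUL-terminated UTF-16LE string followed by a shell item pointing at the matching .lnk. The sample key contents are constructed for the example; on a live Windows system the same functions can be fed the real values via the winreg helper, or via a hive parser over an exported NTUSER.DAT. MRUListEx has the same layout under the OpenSavePidlMRU extension subkeys of section 1, so parse_mrulistex applies there as well, although the per-entry data there is a PIDL rather than a name string and is not decoded here.

```python
"""Decode RecentDocs value data and MRUListEx ordering.

Added example for this post; key paths are the ones from the post, the
sample blobs below are constructed, and the shell item tail is only swept
for printable strings rather than fully parsed.
"""
import struct
from typing import Dict, List, Tuple

MRU_TERMINATOR = 0xFFFFFFFF
RECENTDOCS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"


def parse_mrulistex(blob: bytes) -> List[int]:
    """MRUListEx is a REG_BINARY list of little-endian DWORD value indexes,
    most recently used first, terminated by 0xFFFFFFFF. Returns the indexes
    in MRU order (first element = most recent). A trailing partial DWORD or a
    missing terminator (a truncated export) is tolerated."""
    order: List[int] = []
    usable = len(blob) - (len(blob) % 4)
    for (idx,) in struct.iter_unpack("<I", blob[:usable]):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def split_recentdocs_value(data: bytes) -> Tuple[str, bytes]:
    """A RecentDocs value ("0", "1", ...) starts with the opened file/folder
    name as a NUL-terminated UTF-16LE string; the bytes after it are a shell
    item for the .lnk in the user's Recent folder. Returns (name, tail)."""
    i = 0
    # step two bytes at a time so a 0x00 byte inside a code unit is not
    # mistaken for the terminator
    while i + 1 < len(data) and data[i:i + 2] != b"\x00\x00":
        i += 2
    name = data[:i].decode("utf-16-le", errors="replace")
    return name, data[i + 2:]


def ascii_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style sweep of the shell item tail; surfaces the 8.3 short
    name of the .lnk as a cross-check against the decoded long name."""
    found: List[str] = []
    cur = bytearray()
    for b in blob + b"\x00":          # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            found.append(cur.decode("ascii"))
        cur = bytearray()
    return found


def recentdocs_in_mru_order(values: Dict[str, bytes]) -> List[Tuple[int, str]]:
    """Given the values of one RecentDocs key (the root, an extension subkey
    or Folder), return [(index, name), ...] most recent first. The first
    entry is the one the key's LastWrite time refers to. An index in
    MRUListEx with no matching value is reported rather than skipped."""
    timeline: List[Tuple[int, str]] = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is None:
            timeline.append((idx, "<missing value>"))
            continue
        name, _tail = split_recentdocs_value(raw)
        timeline.append((idx, name))
    return timeline


def read_live_key(subkey: str = RECENTDOCS_KEY) -> Dict[str, bytes]:
    """Read all binary values of a key under HKCU on a live Windows host.
    winreg only exists on Windows, so this is not called by the sample run."""
    import winreg
    values: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:       # no more values
                break
            if isinstance(data, bytes):
                values[name] = data
            i += 1
    return values


def _constructed_value(name: str, lnk_short_name: str) -> bytes:
    """Constructed sample value: UTF-16LE name + NUL, then a stand-in shell
    item tail carrying an ASCII 8.3 name (illustrative, not a real PIDL)."""
    return (name.encode("utf-16-le") + b"\x00\x00"
            + b"\x32\x00" + lnk_short_name.encode("ascii") + b"\x00")


# Constructed contents of a ".txt" extension subkey: value "2" was opened
# last even though it has the highest number, which MRUListEx makes clear.
SAMPLE_TXT_KEY: Dict[str, bytes] = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, MRU_TERMINATOR),
    "0": _constructed_value("notes.txt", "NOTES~1.LNK"),
    "1": _constructed_value("invoice.txt", "INVOIC~1.LNK"),
    "2": _constructed_value("exfil-list.txt", "EXFIL-~1.LNK"),
}

if __name__ == "__main__":
    for idx, name in recentdocs_in_mru_order(SAMPLE_TXT_KEY):
        print(f"value {idx}: {name}")
    _name, tail = split_recentdocs_value(SAMPLE_TXT_KEY["2"])
    print("cross-check strings in shell item:", ascii_strings(tail))
```

Run against the sample it lists exfil-list.txt first, then notes.txt, then invoice.txt, which is the order the extension subkey's last-write time should be read against. On a Windows host, replacing SAMPLE_TXT_KEY with read_live_key() (or read_live_key(RECENTDOCS_KEY + r"\Folder")) applies the same decoding to the live hive.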
------------------------------------------------------------------------------------------------------------
3. Shell Bags
See my previous blog posts for a deeper look at this artifact:
Blog 1: Understanding Shell Bags in Windows Forensics
Blog 2: Shell Bags Analysis: Tool --> SBECmd.exe or ShellBagsExplorer (GUI version). A very important artifact.
-----------------------------------------------------------------------------------------------------------