1. Last Visited MRU (LastVisitedPidlMRU)
Tracks the specific executable an application used to open the files recorded in the OpenSaveMRU key (named OpenSavePidlMRU on Windows Vista and later).
In addition, each value records the directory of the last file that application accessed: the value data is the executable name followed by a binary shell item list (PIDL) that encodes the folder path.
Example: Notepad.exe was last used to open a file from the C:\Users\Rob\Desktop folder.
Location in the Registry
The key lives in the user's NTUSER.DAT hive, which Windows maps to HKEY_CURRENT_USER for the logged-on user. On Windows Vista and later the key is LastVisitedPidlMRU (Windows XP used LastVisitedMRU):
Command:-
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
The numbered values are binary, so reg query only shows hex. The MRUListEx value holds the order of the entries (first slot = most recent), and the key's last-write time is when the newest entry was added; decode the executable name and folder PIDL with Registry Explorer or RegRipper.
On disk you will find this artifact in C:\Users\<username>\NTUSER.DAT
Collect the Artifacts
From an elevated command prompt (reg save needs the backup privilege, so a standard prompt fails with "Access is denied"): manual extraction of the particular registry key
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU C:\Users\User\Downloads\output.hiv
(Saves the key and its values into a hive file for further analysis in Registry Explorer. Saving the parent ComDlg32 key instead captures OpenSavePidlMRU in the same file.)
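The hive file saved above still has to be decoded. The following is an added example written for this post, not code from the original or from Registry Explorer: it parses the raw LastVisitedPidlMRU values, pulling the UTF-16LE executable name off the front, walking the shell item list (PIDL) behind it to rebuild the folder path and FAT modification times, and ordering the entries by MRUListEx. Only root, volume and file-entry shell items are handled; the long-name extension block is skipped, so the primary (possibly 8.3) name is reported. SAMPLE_VALUES is a constructed hand-built sample, not real evidence; read_live_key() reads the real key on Windows and returns the same dictionary shape.

```python
"""Decode LastVisitedPidlMRU values: executable name, folder PIDL and MRU order.
Added example; assumed layout: value = UTF-16LE exe name, NUL, then an ITEMIDLIST;
MRUListEx = little-endian uint32 slots, most recent first, 0xFFFFFFFF terminates."""
import struct
import uuid
from datetime import datetime

def _utf16z(raw):
    """Decode the NUL-terminated UTF-16LE string at the start of raw."""
    for i in range(0, len(raw) - 1, 2):
        if raw[i] == 0 and raw[i + 1] == 0:
            return raw[:i].decode("utf-16-le", "replace")
    return raw.decode("utf-16-le", "replace")

def fat_to_datetime(raw):
    """32-bit FAT timestamp as stored in shell items: date word low, time word high."""
    date, time = raw & 0xFFFF, raw >> 16
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:          # zero or corrupt timestamp
        return None

def walk_pidl(buf):
    """Return [(class_type, name, mtime)] per SHITEMID up to the zero-size terminator."""
    items, off = [], 0
    while off + 2 <= len(buf):
        size = struct.unpack_from("<H", buf, off)[0]
        if size == 0:
            break
        item, ctype = buf[off:off + size], buf[off + 2]
        if ctype == 0x1F:                       # root folder: CLSID at offset 4
            items.append((ctype, "{%s}" % uuid.UUID(bytes_le=bytes(item[4:20])), None))
        elif 0x20 <= ctype <= 0x2F:             # volume: ASCII name at offset 3
            items.append((ctype, item[3:].split(b"\x00", 1)[0].decode("ascii", "replace"), None))
        elif 0x30 <= ctype <= 0x3F:             # file entry: FAT mtime at 8, primary name at 14
            mtime = fat_to_datetime(struct.unpack_from("<I", item, 8)[0])
            if ctype & 0x04:                    # unicode flag: name is UTF-16LE
                name = _utf16z(item[14:])
            else:
                name = item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
            items.append((ctype, name, mtime))
        else:
            items.append((ctype, "<unparsed item type 0x%02x>" % ctype, None))
        off += size
    return items

def decode_entry(data):
    """Split one numbered value into the executable name and the folder path."""
    exe = _utf16z(data)
    items = walk_pidl(data[(len(exe) + 1) * 2:])
    parts = []
    for ctype, name, _ in items:
        if 0x20 <= ctype <= 0x2F:
            parts = [name.rstrip("\\")]
        elif 0x30 <= ctype <= 0x3F:
            parts.append(name)
    return {"exe": exe, "folder": "\\".join(parts), "items": items}

def parse_last_visited(values):
    """values: {'MRUListEx': bytes, '0': bytes, '1': bytes, ...}; returns entries, most recent first."""
    order = struct.unpack("<%dI" % (len(values["MRUListEx"]) // 4), values["MRUListEx"])
    entries = []
    for slot in order:
        if slot == 0xFFFFFFFF:
            break
        entry = decode_entry(values[str(slot)])
        entry["slot"] = slot
        entries.append(entry)
    return entries

def read_live_key():
    """Windows only: read the current user's key with winreg into the same dict shape."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU"
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:             # no more values
                return values
            values[name] = data
            i += 1

# Constructed sample (not real evidence): two entries, slot 1 is the most recent.
def _fat(y, mo, d, h, mi, s):
    return ((h << 11 | mi << 5 | s // 2) << 16) | ((y - 1980) << 9 | mo << 5 | d)

def _dir_item(name, mtime_raw):
    body = bytes([0x31, 0]) + struct.pack("<IIH", 0, mtime_raw, 0x10) + name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)           # pad the name to a 16-bit boundary
    return struct.pack("<H", len(body) + 2) + body

def _entry(exe, folders):
    root = struct.pack("<HBB", 20, 0x1F, 0x50) + uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
    volume = struct.pack("<H", 25) + bytes([0x2F]) + b"C:\\\x00".ljust(22, b"\x00")
    dirs = b"".join(_dir_item(f, _fat(2024, 1, 15, 10, 30, 0)) for f in folders)
    return (exe + "\x00").encode("utf-16-le") + root + volume + dirs + b"\x00\x00"

SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": _entry("mspaint.exe", ["Users", "Rob", "Pictures"]),
    "1": _entry("notepad.exe", ["Users", "Rob", "Desktop"]),
}
```

Run parse_last_visited(SAMPLE_VALUES) to see slot 1 (notepad.exe, C:\Users\Rob\Desktop) listed before slot 0; on a live Windows box pass read_live_key() instead. The FAT timestamps inside the PIDL are the folder modification times captured when the dialog was used, which is why the values can date activity even after the folders themselves are gone.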
Crafting a Forensic Workflow
To build a repeatable workflow, consider the following options:
KAPE Automation: use a KAPE registry-hive target to collect NTUSER.DAT (together with its NTUSER.DAT.LOG1 and .LOG2 transaction logs) from every user profile in one pass.
Manual Extraction: for a more hands-on approach, export the key with reg save as shown above, or copy the hive out of a mounted image.
Forensic Image Considerations: ensure NTUSER.DAT and its transaction logs are part of your forensic image; if the hive was not cleanly unloaded, the logs must be replayed (Registry Explorer does this on load) or the newest entries will be missing.
If you are using FTK Imager: add the system drive as an evidence item and export NTUSER.DAT from each C:\Users\<username> directory. FTK Imager reads the raw volume, so it can copy the hive even while the user is logged on and the file is locked.
-------------------------------------------------------------------------------------------------------------
2. Office Recent Files
MS Office programs keep their own Recent Files list so users can quickly return to the files they were last editing.
Location:
NTUSER.DAT\Software\Microsoft\Office\VERSION\<Application>\File MRU (for example ...\16.0\Word\File MRU; Office 2013 and later can also keep per-account lists under ...\<Application>\User MRU\<account ID>\File MRU)
• 16.0 = Office 2016 / 2019 / 2021 / Microsoft 365
• 15.0 = Office 2013
• 14.0 = Office 2010
• 12.0 = Office 2007
• 11.0 = Office 2003
• 10.0 = Office XP
Query through CMD:
Command : - reg query HKCU\Software\Microsoft\Office
(This lists the installed version keys; to see one application's Item values, query the File MRU key directly, for example reg query "HKCU\Software\Microsoft\Office\16.0\Word\File MRU")
Manually save the artifact (then use Registry Explorer to analyze it):
Command : - reg save HKCU\Software\Microsoft\Office C:\Users\User\Downloads\output.hiv
Or capture the complete NTUSER.DAT hive when you create the forensic image.
Interpretation:
Similar to Recent Files, this tracks the last files opened by each MS Office application. Item 1 is the most recent entry, and each Item value carries its own FILETIME in its [T...] field, so you get the open time of every listed file, not just the newest; the key's last-write time corresponds to when the last file was opened by that application.
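The Item values are plain strings, so they can be decoded without a hive parser once you know the layout. The following is an added example written for this post, not code from the original or from any Microsoft tool: it assumes the value format [F<flags>][T<16 hex digits>][O<flags>]*<path>, where T is a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC), and also accepts older entries that lack the [O] group. SAMPLE_FILE_MRU is a constructed sample, not real evidence; read_live_office_mru() reads the real keys on Windows, including per-account lists under User MRU.

```python
"""Parse MS Office 'File MRU' values ("Item 1", "Item 2", ...) into open time and path.
Added example; assumed format: [F<flags>][T<FILETIME hex>][O<flags>]*<path>, where the
[O] group may be absent in older lists. Item 1 is the most recently opened file."""
import re
from datetime import datetime, timedelta, timezone

_ITEM_RE = re.compile(r"^\[F[0-9A-Fa-f]+\]\[T([0-9A-Fa-f]{16})\](?:\[O[0-9A-Fa-f]+\])?\*(.+)$")
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert FILETIME ticks (100 ns since 1601-01-01 UTC) to an aware UTC datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_mru_item(value):
    """Return {'time', 'path'} for one Item string, or None if it does not match the format."""
    m = _ITEM_RE.match(value)
    if not m:
        return None
    return {"time": filetime_to_datetime(int(m.group(1), 16)), "path": m.group(2)}

def parse_file_mru(values):
    """values: {'Item 1': str, ...} from one File MRU key; returns rows ordered Item 1, 2, ..."""
    rows = []
    for name, data in values.items():
        m = re.fullmatch(r"Item (\d+)", name)
        parsed = parse_mru_item(data) if m else None
        if parsed:
            parsed["item"] = int(m.group(1))
            rows.append(parsed)
    return sorted(rows, key=lambda r: r["item"])

def read_live_office_mru(version="16.0", app="Word"):
    """Windows only: read HKCU\\...\\Office\\<version>\\<app>\\File MRU and any
    per-account User MRU\\<account>\\File MRU keys; returns {key path: parsed rows}."""
    import winreg
    base = r"Software\Microsoft\Office\%s\%s" % (version, app)
    found = {}

    def grab(sub):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as k:
                i = 0
                while True:
                    try:
                        n, d, _ = winreg.EnumValue(k, i)
                    except OSError:         # no more values
                        break
                    if isinstance(d, str):
                        found.setdefault(sub, {})[n] = d
                    i += 1
        except OSError:                     # key absent for this version/app
            pass

    grab(base + r"\File MRU")
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + r"\User MRU") as k:
            i = 0
            while True:
                try:
                    account = winreg.EnumKey(k, i)
                except OSError:             # no more account subkeys
                    break
                grab(base + r"\User MRU\%s\File MRU" % account)
                i += 1
    except OSError:
        pass
    return {sub: parse_file_mru(v) for sub, v in found.items()}

# Constructed sample (not real evidence). The T field of Item 1 decodes to 2024-01-01 00:00:00 UTC;
# Item 2 uses the older layout without the [O] group and points at a UNC path.
SAMPLE_FILE_MRU = {
    "Item 1": "[F00000000][T01DA3C457689C000][O00000000]*C:\\Users\\Rob\\Documents\\report.docx",
    "Item 2": "[F00000000][T01D9E1A2B3C4D5E6]*\\\\fileserver\\share\\budget.xlsx",
}
```

parse_file_mru(SAMPLE_FILE_MRU) returns the two rows with aware UTC timestamps; compare them against the key's last-write time from Registry Explorer to confirm which entry was added last. UNC paths in this list are worth a second look, since they show which shares the user reached from Office.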
-------------------------------------------------------------------------------------------------------------
3. LNK Files
For a deep dive into this artifact, see my earlier posts:
Blog 1: Unveiling the Significance of LNK Files in Digital Forensics
Blog 2: LNK File Analysis: Tool --> LECmd.exe
------------------------------------------------------------------------------------------------------------
4. Prefetch
For a deep dive into this artifact, see my earlier posts:
Blog 1: Forensic Collection of Execution Evidence through Prefetch Analysis
https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-prefetch-analysis
Blog 2: Prefetch Analysis: Tool --> PECmd.exe
------------------------------------------------------------------------------------------------------------
5. Jump Lists
For a deep dive into this artifact, see my earlier posts:
Blog 1: Unveiling the Significance of Jump List Files in Digital Forensics
Blog 2: Jump List Analysis: Tool --> JLECmd.exe
------------------------------------------------------------------------------------------------------------