1. Last Visited MRU
Description: The Last Visited MRU (Most Recently Used) artifact records which executable an application used to open the files documented in the OpenSaveMRU key. Each value under this key also stores the directory of the last file that executable accessed, so it ties a program to the folder it was last pointed at.
Location:
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Commands:
Registry Query: On a live system, using CMD (can also use HKLM):
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
The key can also be browsed in Registry Explorer.
Registry Save: To save the key from a live system using CMD:
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU C:\Users\User\Downloads\output.hiv
Analysis Tool:
Effective tools for analyzing this artifact are RegRipper and Registry Explorer. Both can tell you whether the hive is dirty (has transaction-log entries not yet written into the hive) and present the decoded registry data. Alternatively, RECmd or KAPE can be used for analysis.
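To make the structure of this artifact concrete, here is an added Python example (not code from the original post or from any of the tools above) that decodes one LastVisitedPidlMRU value and the MRUListEx ordering value. It assumes the documented layout: each value is a NUL-terminated UTF-16LE executable name followed by a shell item list (PIDL) for the directory, and MRUListEx is an array of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF. The sample bytes are constructed inline to mimic that layout (the root-folder GUID is zeroed, and the directory items carry no extension blocks); on a real case you would feed it the raw value data pulled from the saved hive.

```python
"""
Added example (not from the original post): decode a LastVisitedPidlMRU value.

Value layout assumed here (documented Windows shell item formats):
  * executable name: NUL-terminated UTF-16LE string
  * then a PIDL: sequence of shell items, each starting with a 2-byte size,
    ended by a zero-length item
MRUListEx: little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF.
"""
import struct


def parse_mrulistex(data: bytes) -> list:
    """Return value indexes in MRU order (most recent first)."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:  # list terminator
            break
        order.append(idx)
    return order


def _read_utf16z(buf: bytes) -> tuple:
    """Read a NUL-terminated UTF-16LE string; return (text, bytes consumed incl. terminator)."""
    i = 0
    while i + 1 < len(buf) and buf[i:i + 2] != b"\x00\x00":
        i += 2
    return buf[:i].decode("utf-16-le"), i + 2


def parse_pidl(pidl: bytes) -> list:
    """Split a shell item list into items and pull the name out of the item
    types that carry one (volume items and file-entry items)."""
    items = []
    off = 0
    while off + 2 <= len(pidl):
        cb = struct.unpack_from("<H", pidl, off)[0]
        if cb == 0:  # zero-length item terminates the list
            break
        item = pidl[off:off + cb]
        ctype = item[2]  # class type indicator
        entry = {"size": cb, "type": ctype, "name": None}
        if (ctype & 0x70) == 0x20 and (ctype & 0x01):
            # volume shell item with a name: ASCII string at offset 3
            entry["name"] = item[3:].split(b"\x00", 1)[0].decode("ascii", "replace")
        elif (ctype & 0x70) == 0x30 and cb > 14:
            # file-entry shell item: size(2) type(1) pad(1) filesize(4) FAT date(4) attrs(2), then name
            entry["is_directory"] = bool(ctype & 0x01)
            if ctype & 0x04:  # name stored as UTF-16LE
                entry["name"] = _read_utf16z(item[14:])[0]
            else:
                entry["name"] = item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
        items.append(entry)
        off += cb
    return items


def parse_lastvisited_value(data: bytes) -> dict:
    """Decode one LastVisitedPidlMRU value into executable name and directory path."""
    exe, consumed = _read_utf16z(data)
    items = parse_pidl(data[consumed:])
    names = [it["name"] for it in items if it["name"]]
    path = "\\".join(n.rstrip("\\") for n in names)
    return {"executable": exe, "path": path, "items": items}


# --- constructed sample data (not taken from any real system) -------------
def _item(type_byte: int, body: bytes) -> bytes:
    """Build one shell item: 2-byte size, class type byte, body."""
    return struct.pack("<H", 3 + len(body)) + bytes([type_byte]) + body


def _dir_item(name: str) -> bytes:
    # pad(1), file size(4), FAT date/time(4), attrs(2)=FILE_ATTRIBUTE_DIRECTORY, ASCII name
    body = b"\x00" + struct.pack("<IIH", 0, 0, 0x10) + name.encode("ascii") + b"\x00"
    if (len(body) + 3) % 2:  # keep the item size even, as the real format does
        body += b"\x00"
    return _item(0x31, body)


SAMPLE_VALUE = (
    "notepad.exe".encode("utf-16-le") + b"\x00\x00"
    + _item(0x1F, b"\x50" + b"\x00" * 16)        # root folder item (GUID zeroed here)
    + _item(0x2F, b"C:\\\x00" + b"\x00" * 18)    # volume item "C:\"
    + _dir_item("Users") + _dir_item("User") + _dir_item("Downloads")
    + b"\x00\x00"                                # PIDL terminator
)
SAMPLE_MRULISTEX = struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF)

if __name__ == "__main__":
    print("MRU order:", parse_mrulistex(SAMPLE_MRULISTEX))
    rec = parse_lastvisited_value(SAMPLE_VALUE)
    print(rec["executable"], "last opened a file in", rec["path"])
```

The parser only decodes the two item types that carry a plain name; real PIDLs also contain extension blocks with long names and timestamps, which tools like Registry Explorer resolve fully. The point worth seeing is that the executable name is plain UTF-16 at the front of the value, so even a quick hex view of the raw data answers "which program was used", while the directory has to be reassembled from the shell items that follow.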
-------------------------------------------------------------------------------------------------------------
2. Application Compatibility Cache
For full details on this artifact, see my earlier posts:
Blog 1: Forensic Collection of Execution Evidence through AppCompatCache (Shimcache) / Amcache.hve
Blog 2: Shimcache/Amcache Analysis: Tool --> AppCompatCacheParser.exe / AmcacheParser.exe
Blog 3: Amcache.hve Analysis: Tool --> Registry Explorer
-------------------------------------------------------------------------------------------------------------
3. Prefetch
For full details on this artifact, see my earlier posts:
Blog 1: Forensic Collection of Execution Evidence through Prefetch Analysis
https://www.cyberengage.org/post/forensic-collection-of-execution-evidence-through-prefetch-analysis
Blog 2: Prefetch Analysis: Tool --> PECmd.exe
------------------------------------------------------------------------------------------------------