1. Search History:
The "WordWheelQuery" registry key is a valuable artifact found in the Windows registry of Windows 7 to Windows 10 systems. It stores information about keywords searched for from the START menu bar, providing insights into user search behavior and interests.
NTUSER.DAT Hive.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
For more detail, see the blog post "Artifacts for Deleted File or File Knowledge Part 2: Search - WordWheelQuery".
2. Typed Path:
This key will show when you have manually typed a path into the Start menu or into the Explorer bar. This key would be useful in a situation where you are trying to show that the user had specific knowledge of a location.
NTUSER.DAT hive.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
3. Recent Docs:
This registry key tracks the last files and folders opened and populates the "Recent" menus of the Start menu. It is a crucial artifact for understanding user activity and identifying recently accessed documents and folders.
Located within the NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
For more detail, see the blog post "Artifacts for File Opening/Creation Part 1: Recent Files".
4. Microsoft Office Recent Docs
(i). Identifying Office Versions in the Registry:
By navigating to specific registry keys, investigators can uncover the version of Office installed on the system. The following versions correspond to specific registry keys:
Office 2010 (Version 14.0)
Office 2003 (Version 11.0)
Office 2007 (Version 12.0)
Office XP (Version 10.0)
Office 2016 (Version 16.0)
Office 2013 (Version 15.0)
(ii). Registry Keys for Office Versions:
Forensic investigators can locate information about Office versions within the Windows registry, specifically in the NTUSER.DAT hive.
NTUSER.DAT\Software\Microsoft\Office\VERSION
This key stores information about the Office version, where VERSION can be either 16.0 or 14.0.
NTUSER.DAT\Software\Microsoft\Office\VERSION\User MRU\LiveID_####\File MRU
This key contains information about recently accessed files and documents within specific Office applications.
"PlaceMRU" shows the path of the location of the previously opened file in that directory.
NTUSER.DAT Hive (HKLM)
Software\Microsoft\Office\14.0\Word\File MRU
Software\Microsoft\Office\14.0\Excel\File MRU
Software\Microsoft\Office\16.0\PowerPoint\User MRU\LiveID_####\File MRU
To be continued in the next blog post.
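An added example (not code from the original post): a Python parser that turns the "Item N" strings stored under an Office File MRU key into an embedded timestamp and a file path. It assumes the values were already exported from the hive as name/data pairs and that each follows the `[F...][T<FILETIME hex>][O...]*path` layout; the sample values and paths are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed value layout: "[F00000000][T<16 hex digits>][O00000000]*<path>".
# T is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); the [O...]
# field is treated as optional here (assumption).
ITEM_DATA = re.compile(
    r"\[F[0-9A-Fa-f]{8}\]\[T([0-9A-Fa-f]{16})\](?:\[O[0-9A-Fa-f]{8}\])?\*(.+)"
)
ITEM_NAME = re.compile(r"Item (\d+)")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of File MRU values (hypothetical paths, not a real hive).
SAMPLE_VALUES = {
    "Item 1": r"[F00000000][T01D5C0FF936EC000][O00000000]*C:\Users\analyst\Documents\budget.docx",
    "Item 2": r"[F00000000][T01D5C03669050000]*E:\backup\plan.docx",
    "Item 3": "truncated-or-corrupt-data",
}


def filetime_to_utc(filetime):
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def parse_file_mru(values):
    """Return (parsed, unparsed) from a {value name: data} mapping."""
    parsed, unparsed = [], []
    for name, data in values.items():
        n, d = ITEM_NAME.fullmatch(name), ITEM_DATA.fullmatch(data.strip())
        if n is None or d is None:
            # Keep anything that does not match so it is not silently lost.
            unparsed.append((name, data))
            continue
        parsed.append({
            "item": int(n.group(1)),
            "timestamp_utc": filetime_to_utc(int(d.group(1), 16)),
            "path": d.group(2),
        })
    parsed.sort(key=lambda rec: rec["timestamp_utc"], reverse=True)  # newest first
    return parsed, unparsed


if __name__ == "__main__":
    records, skipped = parse_file_mru(SAMPLE_VALUES)
    for rec in records:
        print(rec["item"], rec["timestamp_utc"].isoformat(), rec["path"])
    print("unparsed:", skipped)
```

Paths on other drive letters, such as the E: entry in the sample, remain in the list after the media is removed, which is why the path is kept verbatim rather than normalised.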
Akash Patel