5. Last Visited MRU / Open Save MRU
Have you ever noticed that when you save or open a file, the dialog box has a drop-down list that remembers the locations you previously saved to or opened from, as well as the files that have been opened?
(i) Open Save MRU
It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their digital footprint.
NTUSER.Dat Hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Through CMD:
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
To learn more in depth, check out the blog below:
Blog Link:
Blog Name:
Artifacts for file download Part 1: Open/Save MRU Artifacts
(ii) Last Visited MRU
The Last Visited MRU (Most Recently Used) artifact tracks the specific executable files used by an application to open files documented in the OpenSaveMRU key. Additionally, each value within this artifact also records the directory location for the last file accessed by that application.
NTUSER.Dat Hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
Through CMD:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
To learn more in depth, check out the blog below:
Blog Link:
Blog Name:
Artifacts for Program execution Part 1: Last Visited MRU
In simpler terms:
LastVisitedPidlMRU: tracks the application executable used to open the files recorded in Open Save MRU, and the last file path used (program execution).
OpenSavePidlMRU: values under this key show items entered in the Open/Save dialog without an extension (file knowledge).
"*": tracks the most recent files of any extension entered in the Open/Save dialog.
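To show how the LastVisitedPidlMRU data can be read, here is an added example (not from the original post) that parses the text output of the reg query command above and lists the executables from most to least recently used. It assumes the usual layout of this key: an MRUListEx value holding little-endian 32-bit value names terminated by 0xFFFFFFFF, and numbered values that start with a UTF-16LE executable name followed by a PIDL. The sample output is constructed and the function names are hypothetical.

```python
import re
import struct

def blob_hex(exe, pidl):
    # Value layout: UTF-16LE executable name, NUL terminator, then PIDL bytes.
    return (exe.encode("utf-16-le") + b"\x00\x00" + pidl).hex().upper()

# Constructed sample output; the 4 trailing bytes stand in for a real PIDL.
SAMPLE = f"""
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU
    MRUListEx    REG_BINARY    0100000000000000FFFFFFFF
    0    REG_BINARY    {blob_hex('notepad.exe', b'PIDL')}
    1    REG_BINARY    {blob_hex('chrome.exe', b'PIDL')}
"""

VALUE = re.compile(r"^[ \t]+(\S+)[ \t]+REG_BINARY[ \t]+([0-9A-Fa-f]+)[ \t]*$", re.M)

def mru_order(mrulistex):
    """MRUListEx: little-endian uint32 value names, newest first, ended by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", mrulistex[: len(mrulistex) // 4 * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def split_value(blob):
    """Return (executable name, remaining PIDL bytes) from one numbered value."""
    for off in range(0, len(blob) - 1, 2):
        if blob[off:off + 2] == b"\x00\x00":
            return blob[:off].decode("utf-16-le", "replace"), blob[off + 2:]
    return blob.decode("utf-16-le", "replace"), b""  # no terminator found

def last_visited(reg_query_text):
    """List (value name, executable, PIDL length) from newest to oldest."""
    values = {n: bytes.fromhex(h) for n, h in VALUE.findall(reg_query_text)}
    rows = []
    for idx in mru_order(values.get("MRUListEx", b"")):
        blob = values.get(str(idx))
        if blob is None:  # referenced by MRUListEx but value is missing
            continue
        exe, pidl = split_value(blob)
        rows.append((idx, exe, len(pidl)))
    return rows

if __name__ == "__main__":
    for idx, exe, pidl_len in last_visited(SAMPLE):
        print(f"value {idx}: {exe} (PIDL {pidl_len} bytes)")
```

The PIDL bytes are returned unparsed; decoding them into the folder path needs a shell item parser.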
6. Last Commands executed:
NTUSER.DAT Hive:
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Command:
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Akash Patel