search

File MRU

hashtag
What Is?

hashtag
Forensic Value:

Keeps track of files and paths opened within Office apps.

hashtag
File Location:

  • ntuser\Software\Microsoft\Office\<VERSION>\<APPNAME>\User MRU\LiveID_####\File MRU

    • Personal Microsoft Account

  • ntuser\Software\Microsoft\Office\<VERSION>\<APPNAME>\User MRU\ADAL_####\File MRU

    • Active Directory Authentication Library

  • NTUSER\Software\Microsoft\Office\<Version>\Word\Read Locations

    • Can show reading location and possible file existence.

    • Datetime shows when file was last closed.

      • Reg Explorer extracts these DateTime timestamps and uses for "Last Closed" column.

hashtag
Parse Data:

hashtag
Considerations:

  • Timestamps of each entry in Windows 64-bit Big Endian format

  • Place MRU has duplicative entries but sometimes updated when File MRU is not.

hashtag
Example:

hashtag
Analysis Tips:

hashtag
Anti-Forensics:

PreviousLastVisitedPidlMRUNextTrusted Documents

Last updated