File MRU

What Is?

Forensic Value:

Keeps track of files and paths opened within Office apps.

File Location:

  • ntuser\Software\Microsoft\Office\<VERSION>\<APPNAME>\User MRU\LiveID_####\File MRU

    • Personal Microsoft Account

  • ntuser\Software\Microsoft\Office\<VERSION>\<APPNAME>\User MRU\ADAL_####\File MRU

    • Active Directory Authentication Library

  • NTUSER\Software\Microsoft\Office\<Version>\Word\Read Locations

    • Can show reading location and possible file existence.

    • Datetime shows when file was last closed.

      • Reg Explorer extracts these DateTime timestamps and uses for "Last Closed" column.

Parse Data:

Considerations:

  • Timestamps of each entry in Windows 64-bit Big Endian format

  • Place MRU has duplicative entries but sometimes updated when File MRU is not.

Example:

Analysis Tips:

Anti-Forensics:

PreviousLastVisitedPidlMRUNextTrusted Documents

Last updated