Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

What Is?
Forensic Value:
File Location:
Parse Data:
Considerations:
Example:
Analysis Tips:
Anti-Forensics:

File MRU

PreviousLastVisitedPidlMRU NextTrusted Documents

Last updated 8 months ago

What Is?

Forensic Value:

Keeps track of files and paths opened within Office apps.

File Location:

ntuser\Software\Microsoft\Office\<VERSION>\<APPNAME>\User MRU\LiveID_####\File MRU
- Personal Microsoft Account
ntuser\Software\Microsoft\Office\<VERSION>\<APPNAME>\User MRU\ADAL_####\File MRU
- Active Directory Authentication Library

NTUSER\Software\Microsoft\Office\<Version>\Word\Read Locations
- Can show reading location and possible file existence.
- Datetime shows when file was last closed.
  - Reg Explorer extracts these DateTime timestamps and uses for "Last Closed" column.

Parse Data:

Considerations:

Timestamps of each entry in Windows 64-bit Big Endian format
Place MRU has duplicative entries but sometimes updated when File MRU is not.

Example:

Analysis Tips:

Anti-Forensics: