LastVisitedPidlMRU
What Is?
Forensic Value:
File Location:
OpenSavePidlMRU
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Previously opened and saved items of the file type. At bottom of save box
LastVisitedPidlMRU
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
Last folder location an item was opened or saved to with an application.
Parse Data:
Considerations:
LastVisitedPidlMRU
Track application execution by user and what full path they last interacted with.
Best used to identify deleted files/locations.
Above artifacts are stored as shell data.
Has MFT, ful path name, timestamps, file size
OpenSavePidlMRU
Previously opened and saved items of the file type
The * extension tracks most recent files of any extension input in an open/save dialogue.
Example:
Analysis Tips:
Anti-Forensics:
Last updated
