Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

What Is?
Forensic Value:
File Location:
OpenSavePidlMRU
LastVisitedPidlMRU
Parse Data:
Considerations:
LastVisitedPidlMRU
OpenSavePidlMRU
Example:
Analysis Tips:
Anti-Forensics:

Windows

Forensics

Evidence of Execution

Office Apps Forensics

LastVisitedPidlMRU

PreviousOffice Apps Forensics NextFile MRU

Last updated 10 months ago

What Is?

Forensic Value:

File Location:

OpenSavePidlMRU

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
- Previously opened and saved items of the file type. At bottom of save box

LastVisitedPidlMRU

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
- Last folder location an item was opened or saved to with an application.

Parse Data:

Considerations:

LastVisitedPidlMRU

Track application execution by user and what full path they last interacted with.
Best used to identify deleted files/locations.

Above artifacts are stored as shell data.
- Has MFT, ful path name, timestamps, file size

OpenSavePidlMRU

Previously opened and saved items of the file type
The * extension tracks most recent files of any extension input in an open/save dialogue.

Example:

Analysis Tips:

Anti-Forensics: