Trusted Documents

What Is?

Forensic Value:

Tracks the documents that the user has granted permissions to. It can be used to filter out documents that could not have executed, or to prove execution.

File Location:

  • NTUSER\SOFTWARE\Microsoft\Office\<Version>\<AppName>\Security\Trusted Documents\TrustedRecords

    • Trusted for editing: 0x01000000

    • Trusted for macro execution: 0xFFFFFF7F

Parse Data:
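
An added example (not from the original page) that decodes TrustedRecords value data and separates macro-trusted documents from edit-only ones, using the two flag values listed above. It assumes a layout the page does not state: an 8-byte little-endian FILETIME at the start of the data and the trust flag in the last 4 bytes. The sample records and all function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Trust flags as the page lists them (raw byte order of the last 4 bytes).
MACRO_FLAG = bytes.fromhex("FFFFFF7F")
TRUST_FLAGS = {bytes.fromhex("01000000"): "trusted for editing",
               MACRO_FLAG: "trusted for macro execution"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_trust_record(name, data):
    """Decode one TrustedRecords value; the value name is the document path."""
    # Assumed layout: FILETIME in bytes 0-7, trust flag in the final 4 bytes.
    if len(data) < 12:
        raise ValueError(f"{name}: value data too short ({len(data)} bytes)")
    (ticks,) = struct.unpack_from("<Q", data, 0)
    flag = data[-4:]
    return {
        "document": name,
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
        "flag": flag.hex().upper(),
        "trust": TRUST_FLAGS.get(flag, "unknown flag"),
    }


def macro_trusted(records):
    """Return the documents whose flag shows macros were trusted."""
    return [r["document"] for r in records if r["flag"] == MACRO_FLAG.hex().upper()]


def _sample(dt, flag_hex):
    """Build constructed 24-byte value data for the demo records."""
    ticks = int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return struct.pack("<Q", ticks) + bytes(12) + bytes.fromhex(flag_hex)


# Constructed sample values, not taken from a real hive.
SAMPLE = {
    "%USERPROFILE%/Downloads/invoice.docm": _sample(
        datetime(2023, 5, 4, 9, 30, tzinfo=timezone.utc), "FFFFFF7F"),
    "%USERPROFILE%/Documents/report.docx": _sample(
        datetime(2023, 5, 2, 14, 0, tzinfo=timezone.utc), "01000000"),
}

if __name__ == "__main__":
    parsed = [parse_trust_record(n, d) for n, d in SAMPLE.items()]
    for rec in parsed:
        print(rec["timestamp"].isoformat(), rec["flag"], rec["trust"], rec["document"])
    print("macro-trusted:", macro_trusted(parsed))
```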

Considerations:

Example:

Analysis Tips:

Anti-Forensics:
