Trusted Documents

What Is?

Forensic Value:

Tracks documents that the user has given permissions to. Can be used to filter out documents that couldn't have executed or prove execution.

File Location:

• NTUSER\SOFTWARE\Microsoft\OFfice<Version><AppName>\Security\Trusted Documents\TrustedRecords

  • Trusted for editing: 0x01000000

  • Trusted for macro execution: 0xFFFFFF7F

Offline System

Live System

Parse Data:

Considerations:

Example:

Analysis Tips:

Anti-Forensics: