Trusted Documents
What Is?
Forensic Value:
Tracks documents that the user has given permissions to. Can be used to filter out documents that couldn't have executed or prove execution.
File Location:
NTUSER\SOFTWARE\Microsoft\OFfice<Version><AppName>\Security\Trusted Documents\TrustedRecords
Trusted for editing: 0x01000000
Trusted for macro execution: 0xFFFFFF7F
Parse Data:
Considerations:
Example:
Analysis Tips:
Anti-Forensics:
Last updated