RecentApps

What Is RecentApps?

RecentApps Registry Key - Digital Forensics StreamDigital Forensics Stream

Forensic Value:

References to several applications and files that had been accessed on the system

File Location:

• NTUSER\Software\Microsoft\Windows\Current Version\Search\RecentApps

Offline System

Live System

Parse Data:

Considerations:

• The number of file GUID subkeys under each application GUID key appears to be limited to 10

• LastWriteTime of RecentItems subkeys are execution times of the file.

• The file GUID subkeys are arranged alphabetically by name

• When a new entry is added to RecentItems, the keys are rearranged alphabetically, removing the last entry from the list.

• LastAccessedTime in RecentItems is not updated on subsequent file accesses.

• RecentApps LastAccessedTime is updated on every execution.

• Time is in: 64-bit FILETIME format

Example:

Analysis Tips:

Anti-Forensics:

• Deletion of registry key