# RecentApps

### What Is RecentApps?

{% embed url="<https://df-stream.com/2017/10/recentapps/>" %}

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FBBsmfSLDaGmnb4MiaJI8%2Fimage.png?alt=media&#x26;token=c8fb249d-ad58-4af4-aee8-5bd47d31f3f2" alt=""><figcaption></figcaption></figure>

### Forensic Value:

References to several applications and files that had been accessed on the system

### File Location:

* NTUSER\Software\Microsoft\Windows\Current Version\Search\RecentApps

{% tabs %}
{% tab title="Offline System" %}

{% endtab %}

{% tab title="Live System" %}

{% endtab %}
{% endtabs %}

### Parse Data:

### Considerations:

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FgKdhBtho9mXSkAEFLiEp%2Fimage.png?alt=media&#x26;token=4b483989-9e27-429f-9671-7ecfebe69c99" alt=""><figcaption></figcaption></figure>

* The number of file GUID subkeys under each application GUID key appears to be limited to 10
* LastWriteTime of RecentItems subkeys are execution times of the file.
* The file GUID subkeys are arranged alphabetically by name
* When a new entry is added to RecentItems, the keys are rearranged alphabetically, removing the last entry from the list.
* LastAccessedTime in RecentItems is not updated on subsequent file accesses.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FbNw7KOdl9MuvwI67xsVo%2Fimage.png?alt=media&#x26;token=d4452e6e-85b6-4328-8938-fcb5183994ce" alt=""><figcaption></figcaption></figure>

* RecentApps LastAccessedTime is updated on every execution.
* Time is in: 64-bit FILETIME format

### Example:

### Analysis Tips:

### Anti-Forensics:

* Deletion of registry key