RecentDocs

What Is?

Forensic Value:

File Location:

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Parse Data:

  • Registry Explorer

Considerations:

  • Only tracks the file name, not the full path.

  • The parent RecentDocs key holds the last 150 files opened, of any file type.

  • Starting in Windows 10, also tracks files created and folders opened, similar to LNK files.

  • Each file-extension subkey keeps track of the last 20 files opened with that extension, ordered by an MRU list.

  • Keeps track of the last 30 folders opened.

  • Tracks websites visited through the search bar as entries with extensions such as .com.

  • Tracks failed (partial) downloads through the .crdownload extension.

Example:

Analysis Tips:

  • The last execution (open) time of the file at MRU position 0 is taken from the last modified time of the registry key.

  • The RecentDocs key lists the MRU position of each recently executed file together with the last modified time of the registry key. When several files with the same extension are present, only the last opened time of the file at MRU position 0 in that extension's subkey is known; the other entries carry no individual timestamp.

Time:

Every registry key has a “LastWrite” time, which is similar to a file’s last modification time. This value is a FILETIME structure, the same type used for a file’s MAC (Modified, Accessed, Created) times (Tan, 2001). The FILETIME structure is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 UTC (MSDN, 2005c).
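As an added example (not from this page and not the code of any forensic tool), the Python below decodes one file-extension subkey the way the Analysis Tips and the Time section describe: the MRUListEx value gives the most-recent-first order of the numbered values, each numbered value begins with the file name as a null-terminated UTF-16LE string, and the key's LastWrite FILETIME (100-nanosecond intervals since 1601-01-01 UTC) is attached only to the entry at MRU position 0. The key contents and the LastWrite value are constructed sample data, and `recent_docs_report` is a hypothetical helper name chosen here.

```python
"""Decode a RecentDocs extension subkey: MRU order, file names, LastWrite.

Added example for this page; all input data is constructed, not taken
from a real NTUSER.DAT hive.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns intervals since this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here to build sample data)."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx is a run of little-endian DWORDs, most recent first,
    terminated by 0xFFFFFFFF. Returns the value-name indices in MRU order."""
    order: list[int] = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_entry_name(blob: bytes) -> str:
    """Each numbered value starts with the file name as a null-terminated
    UTF-16LE string; the bytes after it are a shell item we do not need.
    Scan in 2-byte units so a 00 byte inside a code unit is not mistaken
    for the terminator."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i:i + 2] == b"\x00\x00":
            return blob[:i].decode("utf-16-le")
    raise ValueError("file name is not null-terminated")


def recent_docs_report(values: dict[str, bytes], last_write_ft: int):
    """Return (mru_position, file_name, last_opened) tuples.

    Only position 0 gets a timestamp: the key's LastWrite time reflects the
    most recent update, and the other entries have no timestamp of their own.
    """
    order = parse_mrulistex(values["MRUListEx"])
    rows = []
    for pos, idx in enumerate(order):
        name = parse_entry_name(values[str(idx)])
        opened = filetime_to_datetime(last_write_ft) if pos == 0 else None
        rows.append((pos, name, opened))
    return rows


def _utf16z(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: a ".txt" subkey with three entries. The trailing bytes
# stand in for the shell item that follows the name in a real value.
SAMPLE_TXT_KEY = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    "0": _utf16z("notes.txt") + b"\x14\x00" + b"\x00" * 18,
    "1": _utf16z("todo.txt") + b"\x14\x00" + b"\x00" * 18,
    "2": _utf16z("report.txt") + b"\x14\x00" + b"\x00" * 18,
}
# Constructed LastWrite time for that subkey.
SAMPLE_LASTWRITE = datetime_to_filetime(
    datetime(2023, 5, 17, 14, 3, 22, tzinfo=timezone.utc)
)

if __name__ == "__main__":
    for pos, name, opened in recent_docs_report(SAMPLE_TXT_KEY, SAMPLE_LASTWRITE):
        when = opened.isoformat() if opened else "unknown (not MRU position 0)"
        print(f"MRU {pos}: {name:12s} last opened: {when}")
```

With real data, `values` would be filled from the subkey's values after loading the hive (Registry Explorer exports these, or a hive-parsing library can read them), and `last_write_ft` from the subkey's LastWrite timestamp; the ordering and name decoding are unchanged.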

Anti-Forensics:

  • Deleting the RecentDocs registry key.
