File and Folder Access Investigation Guide

Complete DFIR Workflow & Cheatsheet

📚 Table of Contents

🎯 Artifact Priority Matrix

Quick Decision Guide: What to Check First?

Investigation Goal

Primary Artifacts

Secondary Artifacts

Timeframe

Recent Document Access

RecentDocs, LNK Files

OpenSaveMRU, Office MRU

5-15 min

Deleted Files

Recycle Bin ($I/$R), Thumbcache

Windows Search, IE History

15-30 min

User File Focus

Recent Folder, Jump Lists

LastVisitedMRU

10-20 min

Office Document Activity

Office File MRU, Trust Records

Reading Locations, OAlerts

15-30 min

Data Exfiltration

RecentDocs, LNK Files

OpenSaveMRU, LastVisitedMRU

30-45 min

Insider Threat

Office MRU, Recent Files

Trust Records, Search Terms

30-60 min

Malicious Documents

Office Trust Records

Office MRU, LNK Files

15-30 min

User Search Behavior

WordWheelQuery, TypedPaths

Recent Files

10-15 min

Network Share Access

LNK Files, IE History

LastVisitedMRU

20-30 min

🔍 Investigation Framework

Phase 1: Quick Triage (First 15 Minutes)

Determine Investigation Scope:

□ What the alert/incident type?
  - Data theft
  - Insider threat
  - Malware execution via document
  - Account compromise
  - Policy violation

□ Who is the user of interest?
□ What is the timeframe?
□ What file types are relevant?
□ Are we looking for deleted files?

Quick Wins - Check These Immediately:

# 1. Recent documents (last 150 files)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"

# 2. Recent folders
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder"

# 3. Run commands
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# 4. Search terms
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"

# 5. Check for macro-enabled documents
reg query "HKCU\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"
reg query "HKCU\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords"

Phase 2: Artifact Collection (Live System)

Critical Files to Collect:

# Create collection directory
New-Item -Path "C:\DFIR_Collection\FileAccess" -ItemType Directory -Force

# User profile path
$User = "username"
$UserProfile = "C:\Users\$User"

# 1. Registry Hives
reg save HKCU "$Env:TEMP\NTUSER.DAT" /y
Copy-Item "$Env:TEMP\NTUSER.DAT" -Destination "C:\DFIR_Collection\FileAccess\"

# Or for offline user
Copy-Item "$UserProfile\NTUSER.DAT" -Destination "C:\DFIR_Collection\FileAccess\"

# 2. LNK Files
Copy-Item "$UserProfile\AppData\Roaming\Microsoft\Windows\Recent\*" -Destination "C:\DFIR_Collection\FileAccess\LNK_Recent\" -Recurse
Copy-Item "$UserProfile\AppData\Roaming\Microsoft\Office\Recent\*" -Destination "C:\DFIR_Collection\FileAccess\LNK_Office\" -Recurse -ErrorAction SilentlyContinue

# 3. Thumbcache
Copy-Item "$UserProfile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db" -Destination "C:\DFIR_Collection\FileAccess\Thumbcache\"

# 4. Windows Search Database
Copy-Item "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb" -Destination "C:\DFIR_Collection\FileAccess\"
Copy-Item "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\*" -Destination "C:\DFIR_Collection\FileAccess\GatherLogs\" -Recurse

# 5. Recycle Bin (for specific user)
# Need to identify user SID first
$UserSID = (Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.Name -eq $User}).SID
Copy-Item "C:\`$Recycle.Bin\$UserSID\*" -Destination "C:\DFIR_Collection\FileAccess\RecycleBin\" -Recurse -ErrorAction SilentlyContinue

# 6. WebCache (IE/Edge history)
Copy-Item "$UserProfile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat" -Destination "C:\DFIR_Collection\FileAccess\"

# 7. Office OAlerts
Copy-Item "C:\Windows\System32\winevt\Logs\OAlerts.evtx" -Destination "C:\DFIR_Collection\FileAccess\" -ErrorAction SilentlyContinue

📋 MRU Artifacts Analysis

1. OpenSaveMRU

Overview:

Purpose: Track files opened/saved via Windows Open/Save dialogs
Location: NTUSER.DAT
Coverage: Office apps, browsers, chat clients, most GUI applications
Retention: Last 20 files per extension

Registry Locations:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Structure:

OpenSavePidlMRU\
├── * (all file types - most recent 20)
├── exe (executables)
├── txt (text files)
├── docx (Word documents)
├── xlsx (Excel files)
├── pdf (PDF files)
└── [any extension]

Key Features:

Each extension tracks last 20 files
* key = most recent files regardless of extension
MRUListEx = ordered list (most recent first)
Stores full path (as PIDL + filename)

Collection & Analysis:

Using Registry Explorer:

1. Load NTUSER.DAT
2. Navigate: Software → Microsoft → Windows → CurrentVersion → Explorer → ComDlg32 → OpenSavePidlMRU
3. Expand subkeys (* and specific extensions)
4. Review MRUListEx for order (first value = most recent)
5. Export to CSV

Manual Registry Query:

# Query OpenSaveMRU
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s

# Query specific extension
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\pdf" /s

Using RegRipper:

# Extract OpenSaveMRU
.\rr.exe -r "C:\Evidence\NTUSER.DAT" -p opensavemru > opensavemru.txt

PowerShell Parsing:

# Get all OpenSaveMRU extensions
$OpenSavePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU"

Get-ChildItem $OpenSavePath | ForEach-Object {
    $Extension = $_.PSChildName
    
    # Get MRUListEx (order of access)
    $MRUList = Get-ItemProperty -Path $_.PSPath -Name "MRUListEx" -ErrorAction SilentlyContinue
    
    [PSCustomObject]@{
        Extension = $Extension
        LastWriteTime = $_.LastWriteTime
        EntryCount = ($_.Property | Where-Object {$_ -notlike "MRU*"}).Count
    }
} | Sort-Object LastWriteTime -Descending | Format-Table

Investigation Tips:

1. Recent File Access by Type:

Check specific extensions relevant to investigation:
- .docx, .xlsx, .pptx = Office documents
- .pdf = PDF files
- .ps1, .bat, .vbs = Scripts
- .exe = Executables
- .zip, .rar = Archives

2. Timeline Construction:

MRUListEx order + Registry LastWriteTime:
- Position 0 in MRUListEx = most recent
- Key LastWriteTime = when most recent file was accessed
- Build timeline of file access per extension

3. Red Flags:

🚩 Suspicious file extensions:
   - .ps1, .bat, .vbs in non-admin user context
   - .exe from Downloads or Temp directories
   
🚩 Sensitive document access:
   - Files with "confidential", "password", "secret" in paths
   
🚩 External drives:
   - Files from E:, F:, etc. (data exfiltration)
   
🚩 Network paths:
   - UNC paths (\\server\share) - lateral movement

2. LastVisitedMRU

Overview:

Purpose: Track applications and last folder they accessed
Forensic Value: Shows which app accessed which folder
Location: NTUSER.DAT

Registry Location:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Key Information:

Application executable name
Last folder path accessed by that application
Order of access (MRUListEx)

Collection & Analysis:

# Query LastVisitedMRU
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /s

Using RegRipper:

.\rr.exe -r "NTUSER.DAT" -p comdlg32 > comdlg32.txt

Investigation Tips:

What to Look For:

1. Unusual applications accessing sensitive folders
   Example: notepad.exe accessing C:\Windows\System32\config

2. Office applications accessing unusual folders
   Example: WINWORD.EXE accessing C:\Users\Public\Downloads

3. Known attack tools
   Example: powershell.exe accessing C:\Temp

4. Hidden or system folders
   Example: cmd.exe accessing C:\$Recycle.Bin

Cross-Reference Strategy:

LastVisitedMRU shows: Application + Folder
         ↓
OpenSaveMRU shows: Specific files in that folder
         ↓
LNK Files show: Exact file opened + timestamps
         ↓
Complete picture of file access

📁 Recent Files Analysis

1. RecentDocs Registry Key

Overview:

Purpose: Track last 150 files/folders opened
Location: NTUSER.DAT per user
Organisation: By file extension + rollup key
Forensic Gold: Survives file deletion!

Registry Location:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Structure:

RecentDocs\
├── [Root - Last 150 files/folders opened]
├── Folder [Last 30 folders]
├── .docx [Last 20 .docx files]
├── .xlsx [Last 20 .xlsx files]
├── .pdf [Last 20 .pdf files]
└── [Any extension - Last 20 files each]

Key Features:

Component

Description

Retention

Timestamp

Root Key

All file types

Last 150

Key LastWriteTime = most recent

Folder Subkey

Folders only

Last 30

Key LastWriteTime

Extension Subkeys

Per file type

Last 20 each

Key LastWriteTime

MRUListEx

Access order

N/A

Ordered list

Collection & Analysis:

Manual Registry Query:

# Query all RecentDocs
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /s

# Query specific extension
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf" /s

# Query folders
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder" /s

Using Registry Explorer:

1. Load NTUSER.DAT
2. Navigate: Software → Microsoft → Windows → CurrentVersion → Explorer → RecentDocs
3. View root key for all files
4. Check "Folder" subkey for folder access
5. Check extension subkeys for specific file types
6. Review MRUListEx for chronological order
7. Export to CSV

Using RegRipper:

# Parse RecentDocs
.\rr.exe -r "NTUSER.DAT" -p recentdocs > recentdocs.txt

PowerShell Parsing:

# Parse RecentDocs with file names
function Parse-RecentDocs {
    param([string]$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs")
    
    Get-ChildItem $RegistryPath | ForEach-Object {
        $Subkey = $_
        $Extension = $Subkey.PSChildName
        
        # Get MRU order
        $MRUList = Get-ItemProperty -Path $Subkey.PSPath -Name "MRUListEx" -ErrorAction SilentlyContinue
        
        # Get all value names (file entries)
        $Values = $Subkey.Property | Where-Object {$_ -notlike "MRU*"}
        
        foreach ($Value in $Values) {
            $Data = Get-ItemProperty -Path $Subkey.PSPath -Name $Value -ErrorAction SilentlyContinue
            
            [PSCustomObject]@{
                Extension = if ($Extension -eq "Folder") {"Folder"} else {$Extension}
                ValueName = $Value
                LastModified = $Subkey.LastWriteTime
                RawData = $Data.$Value
            }
        }
    }
}

Parse-RecentDocs | Export-Csv C:\Analysis\RecentDocs.csv -NoTypeInformation

Investigation Workflows:

1. Recent File Timeline:

Goal: Build chronological list of file access

Steps:
1. Check root RecentDocs key LastWriteTime (most recent file)
2. Parse MRUListEx for order
3. Check each extension subkey LastWriteTime
4. Correlate with LNK files for precise timestamps

2. Deleted File Detection:

RecentDocs persists after file deletion!

Check:
1. File paths in RecentDocs
2. Verify if files still exist on disk
3. If missing → File was deleted
4. Check Recycle Bin for recovery

3. Sensitive Document Access:

# Search for sensitive keywords in file names
.\rr.exe -r "NTUSER.DAT" -p recentdocs | 
    Select-String -Pattern "password|confidential|secret|salary|ssn|credit"

4. External Drive Usage:

Check RecentDocs for paths like:
- E:\, F:\, G:\ (removable drives)
- \\USB_DRIVE\
- Volume serial numbers indicate specific USB device

Red Flags:

🚩 Unusual file types for user role:
   - Financial files accessed by IT admin
   - HR documents by non-HR user
   
🚩 After-hours access:
   - Cross-reference timestamps with logon times
   
🚩 Mass file access:
   - Many files in short timeframe
   - Different file types (reconnaissance)
   
🚩 Deleted files:
   - Files in RecentDocs but not on disk
   - Potential evidence destruction
   
🚩 External drives:
   - Files accessed from E:, F:, etc.
   - Possible data exfiltration

2. Recent Folder (LNK Files Location)

Overview:

Physical Location: C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\Recent
Contains: LNK shortcut files for recently accessed files
Forensic Value: Rich metadata + survives file deletion

What's Stored:

LNK files (Windows shortcuts)
Automatically created on file access
Persists after target file deletion
Contains target file metadata

Note: See detailed LNK Files section below for analysis

🔗 LNK Files Analysis

Overview

What are LNK Files?

Windows shortcut files
Automatically created when user opens file
Rich forensic metadata
Persist after target deletion

Locations:

Primary:
C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\Recent\

Office Specific:
C:\Users\{Username}\AppData\Roaming\Microsoft\Office\Recent\

Others:
- Desktop
- Start Menu
- Taskbar (pinned items)

Key Forensic Information:

Data Point

Description

Source

LNK Creation Time

First time file of that name opened

LNK file metadata

LNK Modified Time

Last time file of that name opened

LNK file metadata

Target Created Time

When target file was created

Embedded in LNK

Target Modified Time

When target was last modified

Embedded in LNK

Target Accessed Time

When target was last accessed

Embedded in LNK

Target Path

Original location of file

Embedded in LNK

Target Size

Size of target file

Embedded in LNK

Volume Info

Drive name, type, serial number

Embedded in LNK

Network Share

UNC path if on network

Embedded in LNK

Machine ID

NetBIOS name of system

Embedded in LNK

Important Behaviors

1. LNK Overwriting (Pre-Windows 10):

Problem: Same filename = overwrite
Example:
  - User opens C:\Temp\report.docx → Creates report.docx.lnk
  - User opens C:\Users\John\Documents\report.docx → Overwrites report.docx.lnk
  
Result: Only latest location preserved

2. LNK with Extension (Windows 10+):

Fix: Extension added to LNK filename
Example:
  - report.docx → report.docx.lnk
  - report.txt → report.txt.lnk
  
Result: Both preserved (different extensions)

3. LNK Persistence:

✅ LNK file remains even after target file is deleted
✅ Timestamps preserved in LNK
✅ Can prove file existed and was accessed
✅ Can recover original path/location

Collection & Analysis

Collection:

# Collect LNK files
$User = "username"
$LNKPath = "C:\Users\$User\AppData\Roaming\Microsoft\Windows\Recent"
Copy-Item "$LNKPath\*" -Destination "C:\Analysis\LNK\" -Recurse

# Office-specific LNK files
$OfficeLNK = "C:\Users\$User\AppData\Roaming\Microsoft\Office\Recent"
Copy-Item "$OfficeLNK\*" -Destination "C:\Analysis\LNK_Office\" -Recurse -ErrorAction SilentlyContinue

Quick Analysis (Command Line):

:: Display LNK modification time (last time file opened)
dir /a filename.xlsx.lnk

:: Display LNK creation time (first time file opened)
dir /tc filename.xlsx.lnk

Using ExifTool:

# Extract all metadata
exiftool report.docx.lnk

# Extract specific fields
exiftool -TargetFileSize -LocalBasePath -VolumeLabel report.docx.lnk

# Batch process all LNK files
exiftool -csv -r C:\Analysis\LNK\ > lnk_metadata.csv

Using LECmd (Link Explorer Command Line):

# Single file analysis
.\LECmd.exe -f "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\report.docx.lnk"

# With CSV output
.\LECmd.exe -f "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\report.docx.lnk" --csv "C:\Analysis" --csvf report_lnk.csv

# Directory of LNK files
.\LECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent" --csv "C:\Analysis" --csvf all_lnk.csv -q

# Include all metadata
.\LECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent" --all --csv "C:\Analysis" --csvf detailed_lnk.csv

LECmd Output Analysis:

Key CSV Columns:
- SourceFile: LNK file path
- SourceCreated: First time file of that name opened
- SourceModified: Last time file opened  
- TargetCreated: Target file creation time
- TargetModified: Target file modification time
- TargetAccessed: Target file access time
- LocalPath: Original path of target
- FileSize: Target file size
- VolumeLabel: Drive name
- VolumeSerialNumber: Drive serial (unique per drive)
- MachineName: NetBIOS name
- NetworkPath: UNC path if on network

Investigation Workflows

1. File Access Timeline:

Reconstruct when user accessed specific file:

Step 1: Find LNK file for target
Step 2: LNK Creation = First access
Step 3: LNK Modified = Last access
Step 4: Compare with target file timestamps

2. Deleted File Recovery:

LNK persists after file deletion!

Evidence available:
✓ Original file path
✓ File size
✓ Access times
✓ Drive it was on (volume serial)
✓ Machine it was accessed from

Actions:
1. Check Recycle Bin for file
2. Check Volume Shadow Copies
3. Check file carving
4. Check network shares (if UNC path)

3. Network Share Access (Lateral Movement):

# Find LNK files with network paths
.\LECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent" --csv "C:\Analysis" --csvf lnk.csv

# Import and filter
$LNKData = Import-Csv C:\Analysis\lnk.csv

# Network shares
$LNKData | Where-Object {
    $_.NetworkPath -ne "" -or $_.LocalPath -match "^\\\\"
} | Select-Object SourceModified, LocalPath, NetworkPath, MachineName

# Admin shares (lateral movement indicator)
$LNKData | Where-Object {
    $_.LocalPath -match "\\\\.*\\[A-Z]\$" -or 
    $_.LocalPath -match "\\\\.*\\ADMIN\$"
}

4. USB Drive Tracking:

# Find files accessed from external drives
$LNKData = Import-Csv C:\Analysis\lnk.csv

# Filter by drive letter (E:, F:, etc.)
$LNKData | Where-Object {
    $_.LocalPath -match "^[E-Z]:\\"
} | Select-Object SourceModified, LocalPath, VolumeLabel, VolumeSerialNumber

# Group by volume serial (track specific USB device)
$LNKData | Where-Object {$_.LocalPath -match "^[E-Z]:\\"} |
    Group-Object VolumeSerialNumber |
    ForEach-Object {
        [PSCustomObject]@{
            VolumeSerial = $_.Name
            VolumeLabel = $_.Group[0].VolumeLabel
            FileCount = $_.Count
            FirstAccess = ($_.Group | Sort-Object SourceCreated | Select-Object -First 1).SourceCreated
            LastAccess = ($_.Group | Sort-Object SourceModified -Descending | Select-Object -First 1).SourceModified
            Files = ($_.Group.LocalPath | Select-Object -Unique)
        }
    }

5. Cross-Machine Activity:

# Find files accessed from different machines
$LNKData | Where-Object {
    $_.MachineName -ne $env:COMPUTERNAME -and $_.MachineName -ne ""
} | Select-Object SourceModified, MachineName, LocalPath, NetworkPath

Red Flags

🚩 Access to sensitive documents:
   - HR files, financial data, credentials
   - Files with "confidential", "password" in name
   
🚩 Network share access:
   - \\SERVER\C$ (admin share)
   - \\WORKSTATION\ADMIN$ 
   - Unusual servers for user's role
   
🚩 USB drive usage:
   - Large files to external drives
   - Multiple different USB devices
   - After-hours USB usage
   
🚩 Deleted file evidence:
   - LNK exists but target missing
   - Sensitive file deletion
   - Mass deletion patterns
   
🚩 Cross-machine access:
   - Files accessed from different machines
   - Machine names don't match user's assigned systems
   
🚩 Unusual file locations:
   - System directories (C:\Windows\System32\)
   - Hidden directories
   - Temp folders

Pro Tips

✅ Timeline Reconstruction: Combine LNK timestamps with file timestamps for complete picture

✅ USB Device Tracking: Volume serial number uniquely identifies USB device

✅ Network Mapping: LNK files show lateral movement paths

✅ Deleted Evidence: LNK survives deletion - crucial for proving file existed

⚠️ Filename Limitation: Pre-Win10 systems overwrite LNK for same filename

⚠️ Hidden Extensions: .lnk extension never shown in Windows Explorer

📄 Office Artifacts Analysis

1. Office File MRU

Overview:

Purpose: Track recent files per Office application
Advantage over RecentDocs: Includes full path + last opened time
Location: NTUSER.DAT per user
Office Versions:
- 16.0 = Office 2016/2019/Microsoft 365
- 15.0 = Office 2013
- 14.0 = Office 2010

Registry Locations:

Standard Office:

NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\File MRU

Examples:
NTUSER.DAT\Software\Microsoft\Office\16.0\Word\File MRU
NTUSER.DAT\Software\Microsoft\Office\16.0\Excel\File MRU
NTUSER.DAT\Software\Microsoft\Office\16.0\PowerPoint\File MRU

Microsoft 365 (Personal Account):

NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\User MRU\LiveId_####\File MRU

Microsoft 365 (Azure AD):

NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\User MRU\AD_####\File MRU

Collection & Analysis:

Manual Query:

# Word MRU
reg query "HKCU\Software\Microsoft\Office\16.0\Word\File MRU" /s

# Excel MRU
reg query "HKCU\Software\Microsoft\Office\16.0\Excel\File MRU" /s

# PowerPoint MRU
reg query "HKCU\Software\Microsoft\Office\16.0\PowerPoint\File MRU" /s

# Check all Office versions
reg query "HKCU\Software\Microsoft\Office" /s /f "File MRU"

Using Registry Explorer:

1. Load NTUSER.DAT
2. Navigate: Software → Microsoft → Office → 16.0 → Word → File MRU
3. Review "Item #" values (Item 1 = most recent)
4. Check User MRU subkeys for M365 accounts
5. Export to CSV

PowerShell Parsing:

# Parse Office MRU for all apps
function Get-OfficeMRU {
    param([string]$OfficeVersion = "16.0")
    
    $Apps = @("Word", "Excel", "PowerPoint", "Access")
    $Results = @()
    
    foreach ($App in $Apps) {
        $MRUPath = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\File MRU"
        
        if (Test-Path $MRUPath) {
            $MRUData = Get-ItemProperty -Path $MRUPath -ErrorAction SilentlyContinue
            
            # Parse Item values
            $MRUData.PSObject.Properties | Where-Object {$_.Name -like "Item *"} | ForEach-Object {
                # Value format: [F00000000][T01D8...][O00000000]*C:\path\to\file.docx
                $Value = $_.Value
                
                if ($Value -match '\*(.*)$') {
                    $FilePath = $Matches[1]
                    
                    $Results += [PSCustomObject]@{
                        Application = $App
                        Position = $_.Name
                        FilePath = $FilePath
                        LastAccessed = (Get-Item $MRUPath).LastWriteTime
                    }
                }
            }
        }
    }
    
    return $Results
}

Get-OfficeMRU | Export-Csv C:\Analysis\Office_MRU.csv -NoTypeInformation

Investigation Workflows:

1. Recent Document Activity:

Goal: Identify what documents user recently opened

Steps:
1. Check File MRU for each Office app
2. Item 1 = most recent (descending order)
3. Extract file paths and names
4. Cross-reference with file existence

2. Sensitive Document Access:

# Search for sensitive file names
Get-OfficeMRU | Where-Object {
    $_.FilePath -match "password|confidential|secret|salary|budget|financial"
}

3. Network Share Document Access:

# Documents accessed from network shares
Get-OfficeMRU | Where-Object {
    $_.FilePath -match "^\\\\"
} | Select-Object Application, FilePath, LastAccessed

4. External Drive Documents:

# Documents on USB drives
Get-OfficeMRU | Where-Object {
    $_.FilePath -match "^[E-Z]:\\"
}

5. Deleted Document Evidence:

# Documents in MRU but not on disk
Get-OfficeMRU | ForEach-Object {
    if (-not (Test-Path $_.FilePath)) {
        [PSCustomObject]@{
            Application = $_.Application
            MissingFile = $_.FilePath
            LastKnownAccess = $_.LastAccessed
            Status = "DELETED or MOVED"
        }
    }
}

2. MS Word Reading Locations

Overview:

Feature: Word 2013+ tracks user's position in document
Forensic Value: Proves document was opened + how long user spent in it
Location: NTUSER.DAT

Registry Location:

NTUSER.DAT\Software\Microsoft\Office\<Version>\Word\Reading Locations

Key Information:

Document path
Last cursor position in document
Last closed time
Duration of reading session (with File MRU data)

Collection & Analysis:

# Query Reading Locations
reg query "HKCU\Software\Microsoft\Office\16.0\Word\Reading Locations" /s

Using Registry Explorer:

1. Load NTUSER.DAT
2. Navigate: Software → Microsoft → Office → 16.0 → Word → Reading Locations
3. Each subkey = document hash
4. Values show: Position, DateTime
5. Export to CSV

Investigation Use:

Proves user actually read/edited document:
✓ Document was opened
✓ User scrolled to specific position
✓ Time document was closed
✓ Duration of session (when combined with File MRU open time)

Example Timeline:
File MRU shows: Document opened at 10:00 AM
Reading Location shows: Document closed at 10:45 AM, position at page 15
Conclusion: User spent 45 minutes reading to page 15

3. Office Trust Records

Overview:

Purpose: Track documents where user enabled macros/editing
Security Significance: Macro-enabled documents = common malware vector
Location: NTUSER.DAT per Office app

Registry Locations:

NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\Security\Trusted Documents\TrustRecords

Examples:
HKCU\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords
HKCU\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords
HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\Trusted Documents\TrustRecords

Key Information:

Document path (local or network)
Time document was trusted
Permissions granted (macros enabled, editing enabled)
Critical: Value ending in FF FF FF 7F = Macros enabled!

Collection & Analysis:

Manual Query:

# Check Word trust records
reg query "HKCU\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords" /s

# Check Excel trust records  
reg query "HKCU\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords" /s

# Check PowerPoint trust records
reg query "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\Trusted Documents\TrustRecords" /s

PowerShell - Find Macro-Enabled Documents:

# Search for documents with macros enabled
function Get-MacroEnabledDocs {
    $OfficeApps = @("Word", "Excel", "PowerPoint")
    $Results = @()
    
    foreach ($App in $OfficeApps) {
        $TrustPath = "HKCU:\Software\Microsoft\Office\16.0\$App\Security\Trusted Documents\TrustRecords"
        
        if (Test-Path $TrustPath) {
            $TrustRecords = Get-ItemProperty -Path $TrustPath -ErrorAction SilentlyContinue
            
            $TrustRecords.PSObject.Properties | Where-Object {$_.Name -notlike "PS*"} | ForEach-Object {
                $ValueName = $_.Name
                $ValueData = $_.Value
                
                # Check last 4 bytes for FF FF FF 7F (macros enabled)
                if ($ValueData.Length -ge 4) {
                    $LastBytes = $ValueData[-4..-1]
                    if ($LastBytes[0] -eq 0xFF -and $LastBytes[1] -eq 0xFF -and 
                        $LastBytes[2] -eq 0xFF -and $LastBytes[3] -eq 0x7F) {
                        
                        # Decode file path from value name
                        $FilePath = [System.Text.Encoding]::Unicode.GetString(
                            [System.Convert]::FromBase64String($ValueName)
                        )
                        
                        $Results += [PSCustomObject]@{
                            Application = $App
                            FilePath = $ValueName  # Base64 encoded path
                            DecodedPath = $FilePath
                            MacrosEnabled = "YES"
                            LastModified = (Get-Item $TrustPath).LastWriteTime
                        }
                    }
                }
            }
        }
    }
    
    return $Results
}

Get-MacroEnabledDocs | Export-Csv C:\Analysis\Macro_Enabled_Docs.csv -NoTypeInformation

Investigation Workflows:

1. Malicious Document Detection:

Goal: Find potentially malicious macro-enabled documents

Steps:
1. Extract all Trust Records
2. Filter for FF FF FF 7F (macros enabled)
3. Decode file paths
4. Check if files still exist
5. Check file locations (suspicious if from Downloads, Temp, Email attachments)
6. Cross-reference with:
   - Antivirus alerts
   - Email attachments
   - Web downloads
   - Process execution (4688) around same time

2. Timeline Correlation:

Trust Record timestamp = When user clicked "Enable Content"
         ↓
Check process execution (4688) shortly after
         ↓
If malicious process started = macro executed malware

3. Document Source Analysis:

# Categorize trusted documents by location
Get-MacroEnabledDocs | ForEach-Object {
    $Location = switch -Regex ($_.DecodedPath) {
        "^\\\\.*" { "Network Share" }
        "Downloads" { "Downloads Folder" }
        "Temp" { "Temp Folder" }
        "AppData" { "AppData" }
        "Users\\.*\\Documents" { "Documents Folder" }
        "Users\\.*\\Desktop" { "Desktop" }
        default { "Other" }
    }
    
    [PSCustomObject]@{
        FilePath = $_.DecodedPath
        Application = $_.Application
        Location = $Location
        Risk = if ($Location -in @("Network Share", "Downloads Folder", "Temp Folder")) {"HIGH"} else {"MEDIUM"}
    }
} | Group-Object Location | Sort-Object Count -Descending

Red Flags:

🚩🚩🚩 CRITICAL - Macro-Enabled Documents:
   - From Downloads folder
   - From email attachments  
   - From Temp directories
   - From network shares (phishing campaigns)
   - With suspicious names (invoice.xls, payment.doc)
   
🚩 Documents trusted during compromise window
🚩 Multiple macro documents trusted in short time
🚩 Macros enabled by non-technical users
🚩 Documents from external sources

Malware Investigation:

If macro-enabled document found:
1. Collect document for analysis
2. Check document hash (VirusTotal)
3. Extract macros (olevba)
4. Check process execution after trust time
5. Check network connections
6. Check file modifications ($J)
7. Check for lateral movement

4. Office OAlerts

Overview:

Purpose: Log Office application alerts/prompts
Location: OAlerts.evtx
Event ID: 300 (all Office apps)
Forensic Value: User interactions with Office

Location:

C:\Windows\System32\winevt\Logs\OAlerts.evtx

Key Information:

Office application name
Alert dialog message
User response
Timestamp

Collection:

# Copy OAlerts log
Copy-Item "C:\Windows\System32\winevt\Logs\OAlerts.evtx" -Destination "C:\Analysis\"

Analysis:

Using EvtxECmd:

# Parse OAlerts
.\EvtxECmd.exe -f "C:\Analysis\OAlerts.evtx" --csv "C:\Analysis" --csvf oalerts.csv

# Filter for Event ID 300
.\EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\OAlerts.evtx" --csv "C:\Analysis" --csvf oalerts.csv --inc 300

PowerShell Query:

# Query OAlerts events
Get-WinEvent -Path "C:\Analysis\OAlerts.evtx" -FilterXPath "*[System[EventID=300]]" |
    ForEach-Object {
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Application = $_.Properties[0].Value
            Message = $_.Message
        }
    } | Export-Csv C:\Analysis\OAlerts_Parsed.csv -NoTypeInformation

Investigation Use:

Examples of what's logged:
- "Do you want to save changes?"
- "Enable editing?"
- "Enable content?"
- "File already exists, overwrite?"

Forensic Value:
✓ Proves user interaction with document
✓ Shows user decisions
✓ Timeline of Office activity
✓ Can correlate with Trust Records

🗑️ Deleted Items Investigation

1. Recycle Bin Analysis

Overview:

Windows 7+: Uses $I and $R files per deleted item
Location: C:$Recycle.Bin{User-SID}\
Forensic Value: Deleted file recovery + deletion timeline

Structure:

C:\$Recycle.Bin\
├── S-1-5-21-XXX-XXX-XXX-1001\  (User SID)
│   ├── $I6A3B9D.docx  (Metadata: original path, size, deletion time)
│   ├── $R6A3B9D.docx  (Content: actual deleted file - can be recovered)
│   ├── $IFDE892.xlsx
│   └── $RFDE892.xlsx
└── S-1-5-21-XXX-XXX-XXX-1002\  (Another user)

File Types:

$I files: Metadata (original filename, path, deletion time, size)
$R files: Actual deleted file content (recoverable)
6-character identifier: Links $I and $R files together

Key Information:

Data Point

Description

Source

Original Filename

Full original name

$I file

Original Path

Complete path before deletion

$I file

File Size

Size of deleted file

$I file

Deletion Time

When file was deleted

$I file

File Content

Actual file data

$R file

Collection & Analysis:

Collection:

# Identify user SID
$Username = "john"
$UserSID = (Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.Name -eq $Username}).SID

# Copy Recycle Bin contents for specific user
Copy-Item "C:\`$Recycle.Bin\$UserSID\*" -Destination "C:\Analysis\RecycleBin\" -Recurse -Force

# Or collect for all users
Copy-Item "C:\`$Recycle.Bin\*" -Destination "C:\Analysis\RecycleBin\" -Recurse -Force

Using RBCmd (Recycle Bin Command Line):

# Parse single $I file
.\RBCmd.exe -f "C:\`$Recycle.Bin\S-1-5-21-XXX\`$I6A3B9D.docx"

# Parse all for specific user
.\RBCmd.exe -d "C:\`$Recycle.Bin\S-1-5-21-XXX\" --csv "C:\Analysis" --csvf recyclebin.csv -q

# Parse entire Recycle Bin
.\RBCmd.exe -d "C:\`$Recycle.Bin\" -q --csv "C:\Analysis" --csvf recyclebin_all.csv

PowerShell Parsing:

# List deleted items
function Get-RecycleBinItems {
    param([string]$UserSID)
    
    $RecyclePath = "C:\`$Recycle.Bin\$UserSID"
    
    Get-ChildItem $RecyclePath -Filter "`$I*" | ForEach-Object {
        $IFile = $_
        $RFile = $IFile.FullName -replace '^\$I', '$R'
        
        [PSCustomObject]@{
            MetadataFile = $IFile.Name
            ContentFile = (Split-Path $RFile -Leaf)
            ContentExists = (Test-Path $RFile)
            DeletedTime = $IFile.LastWriteTime
            Size = $IFile.Length
        }
    }
}

# Get user SID and parse
$SID = (Get-WmiObject Win32_UserAccount | Where-Object {$_.Name -eq "john"}).SID
Get-RecycleBinItems -UserSID $SID | Export-Csv C:\Analysis\DeletedItems.csv -NoTypeInformation

Investigation Workflows:

1. Deleted File Timeline:

Goal: Build timeline of file deletions

Steps:
1. Parse all $I files
2. Extract deletion times
3. Sort chronologically
4. Identify patterns (mass deletions, cleanup activity)

2. Sensitive File Deletion:

# Search for sensitive files in Recycle Bin
.\RBCmd.exe -d "C:\`$Recycle.Bin\" --csv "C:\Analysis"

$Deleted = Import-Csv C:\Analysis\*.csv

$Deleted | Where-Object {
    $_.OriginalPath -match "confidential|password|secret|financial|ssn"
} | Select-Object DeletedTime, OriginalPath, FileSize

3. Mass Deletion Detection:

# Find bulk deletions (possible evidence destruction)
$Deleted = Import-Csv C:\Analysis\recyclebin_all.csv

# Group by time windows
$Deleted | ForEach-Object {
    $_.DeletedTime = [DateTime]$_.DeletedTime
    $_
} | Group-Object {$_.DeletedTime.ToString("yyyy-MM-dd HH")} |
    Where-Object {$_.Count -gt 10} |
    Sort-Object Name |
    ForEach-Object {
        [PSCustomObject]@{
            TimeWindow = $_.Name
            ItemsDeleted = $_.Count
            Files = $_.Group.OriginalPath
        }
    }

4. File Recovery:

# Recover deleted files
$RFiles = Get-ChildItem "C:\`$Recycle.Bin\*\`$R*" -Recurse

foreach ($RFile in $RFiles) {
    # Find corresponding $I file for original name
    $IFile = $RFile.FullName -replace '^\$R', '$I'
    
    if (Test-Path $IFile) {
        # Parse $I to get original filename (would need proper parser)
        # For demo: copy with R filename
        Copy-Item $RFile.FullName -Destination "C:\Recovery\$($RFile.Name)"
    }
}

Red Flags:

🚩 Mass deletions:
   - Many files deleted in short time window
   - All files from specific folder
   - Deletion during/after suspicious activity
   
🚩 Sensitive file deletion:
   - Financial documents
   - HR files
   - Password files
   - Company confidential data
   
🚩 Evidence destruction:
   - Log files deleted
   - Security tool logs deleted
   - Recycle Bin emptied after suspicious activity
   
🚩 Cleanup activity:
   - Attacker tools deleted
   - Temporary files deleted
   - Downloaded malware deleted

Pro Tips:

✅ Recovery Possible: $R files are intact until overwritten

✅ Timeline Evidence: Deletion time preserved in $I files

✅ User Attribution: SID folder identifies who deleted files

⚠️ Bypass: Files deleted via command line with /F switch bypass Recycle Bin

⚠️ Size Limit: Very large files may bypass Recycle Bin

2. Thumbcache Analysis

Overview:

Purpose: Store thumbnail images of pictures, videos, documents
Location: Per-user Explorer folder
Forensic Value: Thumbnails survive file deletion!
Available: Windows Vista+

Location:

C:\Users\{Username}\AppData\Local\Microsoft\Windows\Explorer\

Files:

thumbcache_16.db     (16x16 thumbnails - icons)
thumbcache_32.db     (32x32 thumbnails)
thumbcache_48.db     (48x48 thumbnails)
thumbcache_96.db     (96x96 thumbnails)
thumbcache_256.db    (256x256 thumbnails)
thumbcache_1024.db   (1024x1024 thumbnails)
thumbcache_1280.db   (1280x1280 thumbnails)
thumbcache_1600.db   (1600x1600 thumbnails - HD)
thumbcache_2560.db   (2560x2560 thumbnails - extra large)
thumbcache_sr.db     (Stream thumbnails)
thumbcache_idx.db    (Index file)

Key Information:

Thumbnail image (visual)
Thumbnail Cache ID
File hash
Image can be extracted even if original deleted

Collection:

# Collect thumbcache databases
$User = "username"
Copy-Item "C:\Users\$User\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db" -Destination "C:\Analysis\Thumbcache\"

Analysis:

Using thumbcache_viewer.exe:

1. Run thumbcache_viewer.exe
2. Load thumbcache database (e.g., thumbcache_256.db)
3. View thumbnail images
4. Export thumbnails
5. Note Cache Entry IDs for cross-reference

Using thumbs_viewer.exe:

Similar GUI tool:
1. Load database
2. Browse thumbnails
3. Export images
4. Save metadata

Investigation Workflows:

1. Deleted Image Recovery:

Goal: Recover images of deleted files

Process:
1. Extract thumbnails from thumbcache
2. Visually review images
3. Identify relevant images
4. Cross-reference with Windows Search Database using Cache ID
5. Determine original filename and path

2. Content Verification:

Use cases:
- Verify file contents before deletion
- Identify inappropriate images
- Confirm data exfiltration
- Prove file existence

3. Timeline Construction:

Thumbcache + Windows Search + MFT:
1. Thumbcache shows image existed
2. Cache ID → Windows Search → Filename
3. Filename → MFT → Timestamps
4. Complete timeline of image activity

Cross-Reference Strategy:

thumbcache_256.db → Extract thumbnail → Get Cache ID
         ↓
Windows.edb (Search Database) → Match Cache ID → Get filename, path
         ↓
$MFT → Match filename → Get full timestamps
         ↓
Complete picture: Image + Name + Path + Timestamps

3. Windows Search Database

Overview:

Purpose: Index files for fast searching
Format: ESE database (Extensible Storage Engine)
Location: System-wide (not per-user)
Forensic Value: File metadata + partial content + survives deletion

Location:

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Gather Logs (candidate files for indexing):
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\

Key Information:

File paths
File metadata (size, dates, properties)
Partial file content (indexed text)
Email metadata
Document properties
Over 900 file types indexed

Collection:

# Copy Windows.edb (may be locked - use forensic tools)
# Using Volume Shadow Copy
$VSS = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$Shadow = Get-WmiObject Win32_ShadowCopy | Where-Object {$_.ID -eq $VSS.ShadowID}
$ShadowPath = $Shadow.DevicePath + "\ProgramData\Microsoft\Search\Data\Applications\Windows\"

Copy-Item "$ShadowPath\Windows.edb" -Destination "C:\Analysis\"
$Shadow.Delete()

# Or use RawCopy
RawCopy.exe /FileNamePath:"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb" /OutputPath:"C:\Analysis"

Analysis:

Using ESEDatabaseView (NirSoft):

1. Run ESEDatabaseView
2. Open Windows.edb
3. Browse tables
4. Search for keywords
5. Export results

Using KAPE:

.\kape.exe --target WindowsSearchDatabase --tdest C:\Analysis

Investigation Workflows:

1. Deleted File Search:

Windows Search may contain metadata of deleted files:
- Original path
- File size
- Creation/modification dates
- File properties
- Partial content

2. Keyword Search:

Search database for:
- Sensitive keywords
- Filenames
- Document content
- Email content

3. Email Investigation:

Outlook emails indexed:
- Sender/recipient
- Subject lines
- Body content (partial)
- Attachments

4. Thumbs.db (Legacy - Windows XP)

Overview:

Purpose: Store thumbnails per folder
Available: Windows XP (can appear on modern systems via UNC)
Location: Each folder with images
Forensic Value: Thumbnails + filenames (XP only)

Key Information (XP):

Thumbnail image
Original filename
Last modification time

Modern Systems:

Thumbs.db may be created when viewing folders via UNC paths
Limited metadata compared to XP

Collection:

# Find all Thumbs.db files
Get-ChildItem C:\ -Recurse -Filter "Thumbs.db" -Force -ErrorAction SilentlyContinue |
    Copy-Item -Destination "C:\Analysis\ThumbsDB\" -Force

5. Internet Explorer File Access History

Overview:

Purpose: IE history contains local file access via file:/// protocol
Forensic Value: Tracks file opening even if not opened in browser
Location: WebCache database
Persists: Even on Windows 11 without IE!

Location:

C:\Users\{Username}\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Key Information:

Local file paths
Access times
File:/// protocol entries
Network share (UNC) access

Format:

file:///C:/Users/John/Documents/report.docx
file:///C:/Temp/malware.exe
file:///\\SERVER\Share\confidential.xlsx

Collection:

# Copy WebCache database
$User = "username"
Copy-Item "C:\Users\$User\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat" -Destination "C:\Analysis\"

Analysis:

Using Nirsoft BrowsingHistoryView:

1. Run BrowsingHistoryView
2. Advanced Options → Load history from specific profile
3. Filter for "file:///" entries
4. Export to CSV

Using ESEDatabaseView:

1. Open WebCacheV01.dat
2. Browse Container_# tables
3. Search for "file:///" URLs
4. Export results

Investigation Use:

File access logged even when:
✓ File double-clicked in Explorer
✓ File opened from network share
✓ Not actually opened in browser

Important for:
- File access timeline
- Network share access
- Deleted file evidence (path preserved)

1. WordWheelQuery

Overview:

Purpose: Store Windows Search keywords from File Explorer
Location: NTUSER.DAT per user
Forensic Value: Shows what user searched for

Registry Location:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Key Information:

Search keywords (Unicode)
Temporal order (MRUListEx)
Last search (registry LastWriteTime)

Collection & Analysis:

# Query WordWheelQuery
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery" /s

Using Registry Explorer:

1. Load NTUSER.DAT
2. Navigate: Software → Microsoft → Windows → CurrentVersion → Explorer → WordWheelQuery
3. Review numbered values (MRU order)
4. Last value in MRUListEx = most recent search
5. Export to CSV

Using RegRipper:

.\rr.exe -r "NTUSER.DAT" -p wordwheelquery > wordwheelquery.txt

Investigation Workflows:

1. Keyword Analysis:

What was user searching for?
- Filenames
- Document content
- Sensitive keywords
- Tool names

2. Incident Investigation:

# Search for incident-related keywords
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery" /s |
    Select-String -Pattern "password|confidential|payroll|credential"

Red Flags:

🚩 Suspicious searches:
   - "password", "credential", "confidential"
   - Company secrets
   - Tools (mimikatz, procdump)
   - How to delete evidence
   - Data exfiltration methods
   
🚩 Timeline correlation:
   - Searches during compromise window
   - Searches before file access
   - Searches before data theft

2. TypedPaths

Overview:

Purpose: Track paths typed directly into File Explorer address bar
Location: NTUSER.DAT
Forensic Value: Shows user knowledge of specific locations

Registry Location:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Key Information:

Paths manually typed by user
Order of entry (url1, url2, etc.)
Indicates intentional navigation

Collection & Analysis:

# Query TypedPaths
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /s

Using Registry Explorer:

1. Load NTUSER.DAT
2. Navigate: Software → Microsoft → Windows → CurrentVersion → Explorer → TypedPaths
3. Review url1, url2, url3... values
4. Export to CSV

Investigation Workflows:

1. Hidden Location Detection:

TypedPaths shows user knew specific path:
- Hidden folders
- System directories
- Network shares
- External drives

2. Intentional Access:

Difference between:
- Browsing to folder (not in TypedPaths)
- Typing path directly (in TypedPaths) ← More suspicious

Red Flags:

🚩 Suspicious paths:
   - C:\Windows\System32\config (registry hives)
   - C:\$Recycle.Bin (deleted files)
   - \\SERVER\C$ (admin shares)
   - Hidden directories
   - Temp folders with specific malware paths
   
🚩 External shares:
   - \\WORKSTATION\C$ (lateral movement)
   - \\SERVER\ADMIN$
   
🚩 Knowledge indicator:
   - User shouldn't know these paths
   - Typed complex paths from memory
   - System/hidden folders

📚 Investigation Playbooks

Playbook 1: Data Exfiltration Investigation

Objective: Detect and quantify data theft

Phase 1: Document Access (30 min)

□ Check RecentDocs for recently accessed files
□ Identify file types and sensitivity
□ Check Office MRU for document access
□ Review LNK files for exact access times
□ Cross-reference with user's normal behavior

Phase 2: External Media (30 min)

□ Check LNK files for E:, F:, G: drive letters
□ Extract volume serial numbers (USB device tracking)
□ Check RecentDocs for external drive paths
□ Review Jump Lists for USB file access
□ Correlate with logon/logoff times

Phase 3: Network Shares (30 min)

□ Check LNK files for UNC paths (\\SERVER\)
□ Review LastVisitedMRU for network locations
□ Check IE file history for file:// network access
□ Identify destination servers
□ Correlate with authentication logs

Phase 4: Timeline Construction (45 min)

□ Build timeline using:
  - RecentDocs LastWriteTime
  - LNK file timestamps (creation = first access, modified = last access)
  - Office MRU access times
  - Event logs (4624 logons)
□ Identify exfiltration windows
□ Correlate with USB insertion events

Phase 5: Quantification (30 min)

□ List all accessed documents
□ Check file sizes (from LNK or MFT)
□ Calculate total data volume
□ Identify most sensitive documents
□ Determine exfiltration method (USB, network, email)

Playbook 2: Malicious Document Investigation

Objective: Investigate macro-enabled document compromise

Phase 1: Trust Record Analysis (15 min)

□ Check Office Trust Records for macro-enabled docs
□ Extract documents with FF FF FF 7F signature
□ Note trust timestamps
□ Identify document locations (Downloads? Email?)

Phase 2: Document Source (20 min)

□ Check Office MRU for document open time
□ Review LNK files for document access
□ Check RecentDocs for document path
□ Determine source:
  - Email attachment?
  - Web download?
  - Network share?
  - USB drive?

Phase 3: Execution Timeline (30 min)

□ Trust Record time = When macros enabled
□ Check process execution (Event 4688) after trust time
□ Look for:
  - PowerShell execution
  - cmd.exe spawning
  - Unusual processes
  - Network connections
□ Window: 0-5 minutes after macro enablement

Phase 4: Impact Assessment (45 min)

□ Check if malicious processes executed
□ Review network activity (SRUM)
□ Check file modifications ($J)
□ Look for lateral movement
□ Check for persistence (Run keys, services, tasks)
□ Review Prefetch for malware execution

Phase 5: IOC Extraction (30 min)

□ Document hash (if file still exists)
□ Document metadata
□ Macro code (if available)
□ Process tree
□ Network indicators
□ File modifications

Playbook 3: Insider Threat - Document Access

Objective: Investigate unauthorized document access

Phase 1: Scope Definition (15 min)

□ Identify suspected insider
□ Determine timeframe
□ List sensitive documents/folders
□ Define normal access patterns for user

Phase 2: Recent Activity (30 min)

□ Check RecentDocs for accessed files
□ Review Office MRU (Word, Excel, PowerPoint)
□ Check OpenSaveMRU for document types
□ Analyze Reading Locations (time spent in documents)
□ Review LNK files for detailed timeline

Phase 3: Anomaly Detection (45 min)

□ Compare recent activity vs. baseline:
  - File types accessed
  - Folders accessed
  - Time of day
  - Frequency
  
□ Red flags:
  - Access to files outside normal scope
  - After-hours access
  - Mass document opening
  - Access to HR/Finance/IP documents

Phase 4: Search Behaviour (20 min)

□ Check WordWheelQuery for searches
□ Review TypedPaths for deliberate navigation
□ Correlate searches with file access
□ Look for sensitive keyword searches

Phase 5: Exfiltration Check (45 min)

□ Check for USB device usage (LNK files)
□ Review network share access
□ Check email activity (if available)
□ Review file copying patterns
□ Check Recycle Bin for evidence destruction

Playbook 4: Deleted File Recovery

Objective: Recover and analyze deleted files

Phase 1: Recycle Bin (20 min)

□ Parse Recycle Bin with RBCmd
□ Extract $I files (metadata)
□ Identify $R files (recoverable content)
□ Build deletion timeline
□ Identify sensitive deleted files

Phase 2: Artifact Persistence (30 min)

Deleted files may still appear in:
□ RecentDocs registry
□ LNK files (Recent folder)
□ Office MRU
□ Jump Lists
□ IE file history
□ Windows Search database

Extract:
- Original filenames
- Original paths
- Access times
- File sizes

Phase 3: Visual Evidence (30 min)

□ Extract thumbcache databases
□ Recover thumbnail images
□ Identify deleted images visually
□ Cross-reference Cache IDs with Windows Search
□ Determine original filenames

Phase 4: File System Analysis (60 min)

□ Check $J (UsnJrnl) for deletion records
□ Review $MFT for file records (may still exist)
□ Check $LogFile for recent operations
□ Use file carving tools if necessary
□ Check Volume Shadow Copies

Phase 5: Timeline Construction (30 min)

□ When files were created (MFT, LNK)
□ When files were last accessed (LNK, RecentDocs)
□ When files were deleted (Recycle Bin $I)
□ User who deleted (Recycle Bin SID folder)
□ Context around deletion (Event logs)

🛠️ Tool Reference

Registry Analysis Tools

Registry Explorer (GUI) - Eric Zimmerman

Download: https://ericzimmerman.github.io/
Usage: Load NTUSER.DAT, SOFTWARE, SAM hives
Features: Bookmarks, search, export, live system loading

RegRipper (CLI) - H. Carvey

Download: https://github.com/keydet89/RegRipper3.0
Usage: .\rr.exe -r NTUSER.DAT -p [plugin] > output.txt

Common plugins:
- recentdocs
- opensavemru
- comdlg32
- wordwheelquery
- runmru
- userassist

RECmd (CLI) - Eric Zimmerman

Download: https://ericzimmerman.github.io/
Usage: .\RECmd.exe -f NTUSER.DAT --csv C:\Output

Features: Batch processing, CSV output, live system support

LNK File Analysis Tools

LECmd (CLI) - Eric Zimmerman

Download: https://ericzimmerman.github.io/

Single file:
.\LECmd.exe -f file.lnk --csv C:\Output

Directory:
.\LECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output -q

All metadata:
.\LECmd.exe -d Recent --all --csv C:\Output

ExifTool (CLI)

Download: https://exiftool.org/

Extract metadata:
exiftool file.lnk

Batch CSV:
exiftool -csv -r C:\LNK\ > output.csv

Recycle Bin Tools

RBCmd (CLI) - Eric Zimmerman

Download: https://ericzimmerman.github.io/

Single file:
.\RBCmd.exe -f $I6A3B9D.docx

Directory:
.\RBCmd.exe -d "C:\$Recycle.Bin\S-1-5-21-XXX" --csv C:\Output -q

All users:
.\RBCmd.exe -d "C:\$Recycle.Bin" --csv C:\Output

Rifiuti2 (CLI)

Download: https://github.com/abelcheung/rifiuti2

Usage: rifiuti-vista.exe -x -o output.xml "C:\$Recycle.Bin\S-1-5-21-XXX"

Thumbcache Tools

thumbcache_viewer.exe - Thumbsviewer Project

Download: https://thumbsviewer.github.io/
Usage: GUI - Load database, export thumbnails

thumbs_viewer.exe - Vinetto Project

Usage: Extract and view thumbnails from thumbcache

Event Log Tools

EvtxECmd (CLI) - Eric Zimmerman

Download: https://ericzimmerman.github.io/

Parse OAlerts:
.\EvtxECmd.exe -f OAlerts.evtx --csv C:\Output --inc 300

Database Tools

ESEDatabaseView - NirSoft

Download: https://www.nirsoft.net/utils/ese_database_view.html
Usage: Open Windows.edb, WebCacheV01.dat

DB Browser for SQLite

Download: https://sqlitebrowser.org/
Usage: Open SQLite databases

Collection Tools

KAPE - Kroll Artifact Parser and Extractor

Download: https://www.kroll.com/kape

Collect MRU artifacts:
.\kape.exe --target RecentFileCache,LNKFiles,RegistryHives --tdest C:\Collection

Full file access artifacts:
.\kape.exe --target FileExplorerArtifacts --tdest C:\Collection

FTK Imager

Download: https://www.exterro.com/ftk-imager
Usage: Mount images, collect locked files

📊 Quick Reference Cards

Artifact Comparison Matrix

Artifact

File Path

Deleted Files

Timestamps

User Attribution

File Size

Network Shares

RecentDocs

✅ Yes

✅ Survives

⚠️ Key time

✅ Per user

❌ No

✅ UNC paths

OpenSaveMRU

✅ Yes

✅ Survives

⚠️ Key time

✅ Per user

❌ No

✅ UNC paths

LastVisitedMRU

⚠️ Folder

✅ Survives

⚠️ Key time

✅ Per user

❌ No

✅ UNC paths

LNK Files

✅ Yes

✅ Survives

✅ Multiple

✅ Per user

✅ Yes

✅ Full UNC

Office MRU

✅ Full path

✅ Survives

✅ Last open

✅ Per user

❌ No

✅ UNC paths

Trust Records

✅ Yes

✅ Survives

✅ Trust time

✅ Per user

❌ No

✅ UNC paths

Recycle Bin

✅ Original

✅ Content!

✅ Delete time

✅ SID folder

✅ Yes

❌ No

Thumbcache

⚠️ Via ID

✅ Thumbnails

❌ No

✅ Per user

❌ No

IE History

✅ file:///

✅ Survives

✅ Access

✅ Per user

❌ No

✅ file://

Collection Priority (Live System)

First 5 Minutes:

1. Recycle Bin (evidence destruction risk)
2. RecentDocs registry query (quick overview)
3. Office Trust Records (macro-enabled docs)
4. Running process list
5. Active network connections

Next 15 Minutes:

6. LNK files (Recent folder)
7. NTUSER.DAT (all MRU data)
8. Thumbcache databases
9. Office MRU registry keys
10. WordWheelQuery (searches)

Next 30 Minutes:

11. Windows.edb (Search database)
12. WebCache (IE history)
13. Office OAlerts.evtx
14. Event logs (4688, 4624)
15. $MFT, $J (file system)

Investigation Time Estimates

Task

Estimated Time

Quick triage (RecentDocs, searches)

10-15 min

LNK file analysis (50-100 files)

20-30 min

Office artifact analysis

30-45 min

Recycle Bin analysis

15-30 min

Thumbcache extraction

30-60 min

Complete file access timeline

2-3 hours

Data exfiltration investigation

3-4 hours

Insider threat comprehensive analysis

4-6 hours

🎓 Pro Tips

Cross-Referencing Strategy

Always cross-reference multiple artifacts:

RecentDocs → Shows file was accessed
     ↓
LNK Files → Provides exact timestamps + original path
     ↓
Office MRU → Confirms application used + open time
     ↓
Reading Locations → Proves document was actually read
     ↓
Trust Records → Shows if macros were enabled
     ↓
Event 4688 → Shows processes executed after
     ↓
Complete attack chain

Timeline Construction

Build comprehensive timeline:

1. Logon time (Event 4624)
2. File searched (WordWheelQuery)
3. Folder navigated (TypedPaths)
4. File accessed (LNK creation time)
5. File opened (RecentDocs, Office MRU)
6. Macros enabled (Trust Records)
7. Process executed (Event 4688)
8. File deleted (Recycle Bin)
9. Logoff (Event 4634)

Result: Complete picture of user activity

Common Pitfalls

❌ Only checking RecentDocs (missing LNK details)
❌ Ignoring deleted files (artifacts persist!)
❌ Not checking Office-specific MRU
❌ Missing Trust Records (macro investigation)
❌ Forgetting network share access (IE history)
❌ Not cross-referencing timestamps
❌ Ignoring thumbnail evidence
❌ Missing search terms (intent evidence)

Red Flag Summary

🚩🚩🚩 CRITICAL INDICATORS:

1. Macro-enabled documents from Downloads/Email
2. Mass file deletion in short time window
3. Sensitive files accessed by unauthorised user
4. Files accessed from USB drives
5. Network admin share access (\\C$)
6. Searches for "password", "confidential", "delete"
7. After-hours document access
8. File paths typed manually (TypedPaths)
9. Recycle Bin emptied after suspicious activity
10. Documents accessed then immediately deleted

Use this guide for comprehensive file and folder access investigations. Remember: Artifacts persist after deletion - always check multiple sources!

PreviousProgram Execution Artifacts Investigation Guide NextFile Download and Browser Activity Investigation Guide

Last updated 14 days ago

Complete DFIR Workflow & Cheatsheet

📚 Table of Contents

🎯 Artifact Priority Matrix

Quick Decision Guide: What to Check First?

🔍 Investigation Framework

Phase 1: Quick Triage (First 15 Minutes)

Phase 2: Artifact Collection (Live System)

📋 MRU Artifacts Analysis

1. OpenSaveMRU

2. LastVisitedMRU

📁 Recent Files Analysis

1. RecentDocs Registry Key

2. Recent Folder (LNK Files Location)

🔗 LNK Files Analysis

Overview

Important Behaviors

Collection & Analysis

Investigation Workflows

Red Flags

Pro Tips

📄 Office Artifacts Analysis

1. Office File MRU

2. MS Word Reading Locations

3. Office Trust Records

4. Office OAlerts

🗑️ Deleted Items Investigation

1. Recycle Bin Analysis

2. Thumbcache Analysis

3. Windows Search Database

4. Thumbs.db (Legacy - Windows XP)

5. Internet Explorer File Access History

🔍 Search and Navigation History

1. WordWheelQuery

2. TypedPaths

📚 Investigation Playbooks

Playbook 1: Data Exfiltration Investigation

Playbook 2: Malicious Document Investigation

Playbook 3: Insider Threat - Document Access

Playbook 4: Deleted File Recovery

🛠️ Tool Reference

Registry Analysis Tools

LNK File Analysis Tools

Recycle Bin Tools

Thumbcache Tools

Event Log Tools

Database Tools

Collection Tools

📊 Quick Reference Cards

Artifact Comparison Matrix

Collection Priority (Live System)

Investigation Time Estimates

🎓 Pro Tips

Cross-Referencing Strategy

Timeline Construction

Common Pitfalls

Red Flag Summary