File and Folder Opening
Open/Save Most Recently Used (MRU)
Description: The OpenSave MRU data is stored in a User’s NTUSER.DAT registry hive. It’s in two different locations depending on the version of Windows. They both have the same structure, though, which is sub-keys based on the file extension, such as “docx”, “txt”, or “zip”. This key tracks files opened or saved within a Windows shell dialog box. This big data set includes Microsoft Office applications, web browsers, chat clients, and the most commonly used applications.
Location:
Interpretation:
Each extension sub-key can contain up to 20 values. Their name is a counter (0 to 19), and the value is a binary structure that contains the path (and other data). However, the path is not stored as an easy-to-read string. Instead, it is stored as a “PIDL”, a list of IDs representing entries in a folder. The file name is stored in the value, though in ASCII and UTF-16.
A “MRUListEx” value contains an ordered list of counters (i.e. 0 to 19) representing what order the files were last used. In the below example, you can see that two was the most recent, then 1, and then 0.
The “*” key – This subkey tracks the most recent files of any extension input in an OpenSave dialog
.??? (Three-letter extension) – This subkey stores file info from the OpenSave dialog by specific extension
Recent Files
Description: The Recents Folder artifact contains files and folders that were recently opened or saved. It is closely related to the Windows MRU and JumpList artifacts. The registry key tracks the last files and folders opened. How is a Windows Recents Folder Artifact Useful in DFIR? It is useful to a DFIR investigator because it can show what files the user was recently focused on. In an intrusion case with an account takeover, this list could show what files the attacker was interested in. These could be documents with intellectual property or configuration files for their attack tools.
For an insider threat case, it can show the documents the user was opening. In a general investigation, knowing what documents the user recently opened can reveal what they used the computer for.
It can also list file paths and times for files that have since been deleted or were on a removable drive.
Location:
Interpretation:
RecentDocs – Rollup key tracking the order of the last 150 files or folders opened. MRU list tracks the temporal order in which each file/folder was opened.
.??? – These subkeys store the last 20 files opened by the user of each extension type. MRU list tracks the temporal order in which each file was opened. The most recently used (MRU) item is associated with the last write time of the key, providing one timestamp of file opening for each file extension type.
Folder – This subkey stores the last 30 folders opened by the user. The most recently used (MRU) item in this key is associated with the last write time of the key, providing the time of opening for that folder.
MS Word Reading Locations
Description: Beginning with Word 2013, the user's last known position within a Word document is recorded.
Location:
NTUSER\Software\Microsoft\Office<Version>\Word\Reading Locations Interpretation
Another source tracking recent documents opened
The last closed time is also tracked along with the last position within the file.
The last session duration can be determined with the last opened date in the Office File MRU key.
Last Visited Most Recently Used (MRU)
Description: Tracks applications in use by the user and the directory location for the last file accessed by the application.
Location:
Note: The RecentDocs key is found at:
Other items of interest are related to folders that are accessed by a Windows application using the common Open/Save dialog which is found at:
Or files that are accessed by a Windows application using the common Open File or Save File dialog found at:
Finally, items of interest regarding commands a user runs via the Windows Run utility are found at:
Interpretation: We get two important pieces of information from this key: applications executed by the user and the last place in the file system that those applications interacted with. Interesting and hidden directories are often identified via this registry key. Tools for investigation
Regedit or other registry viewer applications.
Shortcut (LNK) Files
Description: Windows uses the folder C:\Users%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent to store LNK files associated with files a user has recently accessed, typically by double-clicking on it in a Windows Explorer window.
If the file is reopened, it will be overwritten with the latest file access regardless of whether the file exists in a different directory.
In Windows 10 and later, Microsoft started adding the extension of the LNK file and preventing supersecretfile.xlsx from overwriting the LNK file for supersecretfile.txt.
Even so, it’s good to remember that only the latest open is recorded for a given file name. It is also important to note that LNK files persist in the Recent directory despite the file itself having been deleted. When viewing the directory in Windows Explorer, the .lnk extension is never shown, even when “show file extensions” is selected in the folder options.
Shortcut files are automatically created by Windows, tracking files and folders opened by a user.
Location:
Note: these are the primary locations of LNK files. They can also be found in other locations.
Interpretation:
Date/Time file of that name was first opened
Creation Date of Shortcut (LNK) File
Date/Time file of that name was last opened
Last Modification Date of Shortcut (LNK) File
LNK Target File (Internal LNK File Information) Data:
Modified, Access, and Creation times of the target file
Volume Information (Name, Type, Serial Number)
Network Share information
Original Location
Name of System Tools for Investigation
Exiftool :
Parse with Zimmerman Tool (Link Explorer Commandline (LECmd)) Single file:
Directory of files:
Office Recent Files
Description: MS Office programs track their own recent file list to make it easier for users to access previously opened files.
Location:
NTUSER.DAT\Software\Microsoft\Office<Version><AppName>\File MRU
16.0 = Office 2016/2019/M365
15.0 = Office 2013
NTUSER.DAT\Software\Microsoft\Office<Version><AppName>\User MRU\LiveId_####\File MRU
Microsoft 365
NTUSER.DAT\Software\Microsoft\Office<Version><AppName>\User MRU\AD_####\File MRU
Microsoft 365 (Azure Active Directory) Interpretation
Similar to the Recent Files registry key, this tracks the last files opened by each MS Office application
Unlike the Recent Files registry key, full path information is recorded along with the last opened time for each entry
Office Trust Records
Description: Records trust relationships afforded to documents by a user when presented with a security warning. This is stored so the user is only required to grant permission the first time the document is opened.
Location:
Interpretation:
Can identify documents opened by the user and user interaction in trusting the file
Records file path, time the document was trusted, and which permissions were granted
Tools for investigation:
Whenever a user clicks on 'Enable Editing; or 'Enable Content', Microsoft Office will add the path to the document as a Registry value under the program's TrustRecords key. The last four bytes of the trusted document's value data are set to FF FF FF 7F, which means that the user enabled macros in the document, which is a very common vector for a computer to become infected. We can check for potential malicious documents whose macros have been enabled by checking the values under the following keys and then collecting the documents for further forensics.
From the CLI:
Office OAlerts
Description: MS Office programs produce alerts for the user when they attempt actions such as closing a file without saving it first.
Location:
OAlerts.evtx
Interpretation:
All Office applications use Event ID 300
Events include the program name and dialog message, showing some user activity within the application.
Tools for investigation:
EvtxECmd – Windows Event Log Parser
Note: Use in combination with EventLogs2Process Script
Internet Explorer/Edge file
Description: Internet Explorer History databases have long-held information on local and remote file access (via network shares), giving us an excellent means for determining files accessed on the system per user. Information can be present even on Win11+ systems missing the Internet Explorer application. Location The Edge cached files stored in the following directory:
The Edge last active browsing session is stored in the following directory:
Internet Explorer:
Both Edge and IE history records are stored in the same database:
Interpretation:
Entries recorded as: *file:C:/directory/filename.ext
This does not mean the file was opened in a browser
Deleted Items and File Existence
Thumbs.db
Description: Hidden file in the directory where images on the machine exist stored in smaller thumbnail graphics. Thumbs.db catalogues pictures in a folder and stores a copy of the thumbnail even if the pictures were deleted. Location Each folder maintains a separate Thumbs.db file after being viewed in thumbnail view (OS version dependent)
Interpretation:
Thumbnail image of the original picture
Last Modification Time (XP Only)
Original Filename (XP Only)
Most relevant for XP systems, but Thumbs.db files can be created on more modern OS versions in unusual circumstances, such as when folders are viewed via UNC paths.
Windows Search Database
Description: Windows Search indexes more than 900 file types, including email and file metadata, allowing users to search based on keywords. Location
Interpretation:
Database in Extensible Storage Engine format
Gather logs contain a candidate list for files to be indexed over each 24 hours
Extensive file metadata and even partial content can be present
Thumbcache
Description: Thumbnails of pictures, documents, and folders exist in a set of databases called the thumbcache. It is maintained for each user based on the thumbnail sizes viewed (e.g., small, medium, large, and extra large). It can catalogue the previous contents of a folder even upon file deletion. (Available in Windows Vista+)
Location:
Interpretation:
Database files are named similarly to: Thumbcache_256.db
Each database file represents thumbnails stored in different sizes or to fit different user interface components
Thumbnail copies of pictures can be extracted, and the Thumbnail Cache ID can be cross-referenced within the Windows Search Database to identify the filename, path, and additional file metadata.
Tools
Recycle Bin
Description When a user deletes a file, the file is moved into a temporary storage location for deleted files named Recycle Bin. Windows creates two files each time a file is placed in the Recycle Bin $I and $R with a string six-character identifier generated for each file. $R file is a renamed copy of the “deleted” file. While the $I file replaces the usage INFO2 file as the source of accompanying metadata.
Location:
Hidden System Folder
Interpretation:
Each user is assigned a SID sub-folder that can be mapped to a user via the Registry
Win7+: Files preceded by $I###### contain original filename and deletion date/time
Win7+: Files preceded by $R###### contain original deleted file contents Deleted Items and File Existence
Forensic Value
The original file name and path
The deleted file size
The date and time of deletion
Tools:
RBCmd.exe, Rifiuti2, Recbin exe, EnCase, FTK, Autopsy, RecycleDump.py, $ I_Parse.exe
Internet Explorer file
Description: Internet Explorer History databases have long held information on local and remote (via network shares) file access, giving us an excellent means for determining files accessed on the system, per user. Information can be present even on Win11+ systems missing the Internet Explorer application.
Location:
Interpretation:
It does not mean the file was opened in a browser
WordWheelQuery
Description: WordWheelQuery is a registry key that stores keywords searched from the folder search menu bar. Keywords are added in Unicode and listed in the temporal order in an MRU list. It maintains an ordered list of terms in the File Explorer search dialog.
Location:
Investigator Notes: Keywords are added in Unicode and listed in the temporal order in an MRU list User Typed Paths. Users can type a path directly into the File Explorer path bar instead of navigating the folder structure to locate a file. Folders accessed in this manner are recorded in the TypedPaths key.
Location:
Interpretation:
This indicates a user had knowledge of a particular file system location
It can expose hidden and commonly accessed locations, including those present on external drives or network shares
Tools:
Forensic Value:
User Activity
Last folder search conducted (Last Write Time
Keywords searched
Last updated