RecentDocs

Author Name
Joe Garcia


Artifact Name
RecentDocs


Operating System
Windows XP, Vista, Win7


Description
When starting a forensic examination, a great first artifact to check is RecentDocs (the "My Recent Documents" list). By default, Windows displays 15 items in the "My Recent Documents" menu, covering files of any type the user opened through the shell (.doc, .jpg, .pdf and so on). This gives a quick look at which files the subject of your investigation opened recently. For example, in a suspicious-death investigation a law enforcement officer may find that the victim created a suicide note on the computer, and this artifact can help locate it. For corporate investigators, the subject may have been snooping around for your company's "Secret Sauce" (or whatever proprietary data applies), and this artifact may show the document being opened on the subject's computer. Either way it is a lead to corroborate with other evidence obtained during the investigation: the key stores only the file name, not the full path, and a file opened by an application without going through Explorer or the common Open dialogs may not appear here at all.

When opening this artifact in a program such as MiTeC’s Windows Registry Recovery or AccessData’s Registry Viewer, you will see the following:

Screenshot: RecentDocs artifact in Windows Registry Recovery by MiTeC
If you look at the data of the "MRUListEx" value, it lists the numbered values in order, always starting with the document that was opened most recently and working its way back. So in this case, document "08" was opened most recently. Each entry in "MRUListEx" is a four-byte little-endian integer, and the list ends with a terminator of FF FF FF FF. Reading the next four bytes after "08", we can see that "07" was the next most recently opened document in this example. Each numbered value itself holds the file name as a NUL-terminated UTF-16LE string followed by shell item data. The RecentDocs key also contains one subkey per file extension (".doc", ".pdf", "Folder" and so on), each with its own MRUListEx ordering, and the last-write time of a key tells you when the entry at the head of its list was added.
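To show how the ordering is recovered in practice, here is a small parser for the layout just described. This is an added example, not code from the original post or from any of the tools named on this page; the value bytes it works on are constructed to mimic the screenshot (indexes 08, 07, 03 followed by the terminator), and the names `parse_mrulistex`, `parse_entry_name` and `recent_docs_in_order` are this example's own. The same functions can be fed raw value data from any hive parser that hands back the bytes of "MRUListEx" and the numbered values.

```python
"""Recover the RecentDocs order from raw MRUListEx and value data.

Added example (not from the original page). MRUListEx is an array of
little-endian 32-bit indexes, most recent first, terminated by 0xFFFFFFFF.
Each numbered value begins with the file name as a NUL-terminated UTF-16LE
string, followed by shell item data that this example does not decode.
"""
from __future__ import annotations

import struct

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the value indexes in MRUListEx order (most recent first)."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4 bytes")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def parse_entry_name(data: bytes) -> str:
    """Return the file name stored at the start of a numbered RecentDocs value.

    The terminator is searched on 2-byte boundaries so that a 0x00 byte that
    belongs to a character (e.g. 'n' = 6E 00) is not mistaken for the end.
    """
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator found in RecentDocs value")


def recent_docs_in_order(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Walk MRUListEx and return (index, file name) pairs, most recent first.

    `values` maps value names ("MRUListEx", "0", "1", ...) to their raw data,
    the way a hive parser hands them back. An index with no matching value
    (a deleted or missing entry) is reported rather than silently dropped.
    """
    ordered = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is None:
            ordered.append((idx, "<missing value %d>" % idx))
            continue
        ordered.append((idx, parse_entry_name(raw)))
    return ordered


def _entry(name: str) -> bytes:
    """Build a constructed RecentDocs value: UTF-16LE name + NUL + dummy shell item bytes."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x32\x00\x00\x00\x00\x00"


# Constructed sample mirroring the screenshot: 08 most recent, then 07, then 03.
SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<IIII", 8, 7, 3, MRU_TERMINATOR),
    "3": _entry("budget.xls"),
    "7": _entry("note.txt"),
    "8": _entry("secret_sauce.doc"),
}

if __name__ == "__main__":
    for idx, name in recent_docs_in_order(SAMPLE_VALUES):
        print(f"{idx:02d}  {name}")
```

Run against the constructed sample it prints 08 secret_sauce.doc, 07 note.txt, 03 budget.xls. Because the list is walked from MRUListEx rather than from the numbered value names, a gap in the numbering (which happens when an entry is deleted) shows up as a missing index instead of silently shifting the order.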

You can also use everyone's favorite registry parsing tool, RegRipper, to accomplish the same goal (and better, I might add). Its recentdocs plugin displays the RecentDocs entries in order from last opened to first opened, together with the key's last-write time. Again, the list is capped at the default maximum (see the TechNet link under Research Links); documents opened earlier than that are no longer listed here.

Screenshot: RecentDocs displayed in RegRipper


Registry Keys
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (plus one subkey per file extension, e.g. .doc, .pdf, and a Folder subkey)


File Locations
NTUSER.DAT in the user's profile: C:\Documents and Settings\<user>\NTUSER.DAT (XP) or C:\Users\<user>\NTUSER.DAT (Vista, Win7)


Research Links
- Default Max Number of Recent Docs (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc975956.aspx


Forensic Programs of Use
AccessData’s Registry Viewer
Harlan Carvey’s RegRipper
MiTeC’s Windows Registry Recovery


Reposted from http://forensicartifacts.com/2011/02/recentdocs/
