

#Recentapps registry forensics windows
The list of files recently opened directly from Windows Explorer is stored in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. This key correlates to the previous OpenSaveMRU key to provide extra information: each binary registry value under this key contains a recently used program's executable filename and the folder path of a file that the program was used to open or save.

Whenever a new entry is added to the OpenSaveMRU key, a registry value is created or updated in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU.
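A sketch of decoding the LastVisitedMRU values described above, as an added example that is not code from the original page. The value layout (two NUL-terminated UTF-16LE strings ordered by an `MRUList` string), the helper names and the sample data are assumptions; check the layout against the hive you are examining.

```python
# Added example (not from the original page). Assumed layout, which the page
# does not spell out: each LastVisitedMRU value holds two NUL-terminated
# UTF-16LE strings (executable name, then folder path), and an "MRUList"
# string names the values in most-recent-first order.

def split_utf16_strings(data):
    """Split a buffer into NUL-terminated UTF-16LE strings."""
    strings, start = [], 0
    # Step two bytes at a time so a terminator only matches on a code-unit
    # boundary, never across the halves of two adjacent characters.
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b"\x00\x00":
            if off > start:
                strings.append(data[start:off].decode("utf-16-le", "replace"))
            start = off + 2
    # Truncated value: keep the unterminated tail, minus any odd trailing byte.
    tail = data[start:len(data) - (len(data) - start) % 2]
    if tail:
        strings.append(tail.decode("utf-16-le", "replace"))
    return strings

def parse_entry(data):
    """Return the executable and folder from one value, or None if empty."""
    parts = split_utf16_strings(data)
    if not parts:
        return None
    return {"exe": parts[0], "folder": parts[1] if len(parts) > 1 else None}

def ordered_entries(values):
    """Walk MRUList and return parsed entries, most recent first."""
    out = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        entry = parse_entry(raw) if isinstance(raw, bytes) else None
        if entry:
            out.append({"value": name, **entry})
    return out

def _v(exe, folder):
    return (exe + "\0" + folder + "\0").encode("utf-16-le")

# Constructed sample data, not taken from a real hive.
SAMPLE = {
    "MRUList": "bac",
    "a": _v("notepad.exe", r"C:\Users\alice\Documents"),
    "b": _v("firefox.exe", r"C:\Users\alice\Downloads"),
    "c": b"w\x00i\x00n",  # truncated value with no terminator
}

if __name__ == "__main__":
    for e in ordered_entries(SAMPLE):
        print(e)
```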

This key maintains a list of files recently opened or saved via Windows Explorer-style dialog boxes (the Open/Save dialog box). For instance, files (e.g. .txt, .pdf, .htm, .jpg) that were recently opened or saved from within a web browser are maintained. Documents that are opened or saved via Microsoft Office programs are not maintained. MRU is the abbreviation for most-recently-used.

Let's analyze the main keys…

Recently opened Programs/Files/URLs

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Windows registry is an excellent source of evidential data, and knowing the type of information that could possibly exist in the registry, and its location, is critical during the forensic analysis process. Windows registry contains information that is helpful during a forensic analysis.
