What Is a Windows OpenSave MRU Artifact?

The Windows OpenSaveMRU stores references to files that were selected by a user when using a standard Windows dialog to open or save a file. It is in the "Data Accessed" artifact category, which stores what files a user opened. This data exists so that Windows can give a list of previously used file names. This feature makes it easier for users to re-use a name.

How Is a Windows OpenSave MRU Useful in DFIR?

It is useful to a DFIR investigator because it can show what files the user was recently focused on:

- In an intrusion case with an account takeover, this list could show what files the attacker was interested in.
- For an insider threat case, it can show what kinds of documents the user was opening. These could be documents with intellectual property or configuration files for their attack tools.
- In a general investigation, knowing what documents the user recently opened can reveal what they used the computer for.

It can also list file paths and times for files that have since been deleted or were on a removable drive.

The OpenSave MRU data is stored in a user's NTUSER.DAT registry hive. It is in two different locations depending on the version of Windows. Both have the same structure, though: sub-keys based on the file extension, such as "docx", "txt", or "zip". Under each extension-based key, there is a list of file paths. Since Windows Vista, the root key is found at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU.
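As an added example (not code from the original post), the script below walks the extension sub-keys under the Vista-and-later root key on a live Windows host, reads each sub-key's MRUListEx ordering value, and decodes the binary PIDL blobs into paths with the shell32 SHGetPathFromIDListW API. It assumes the current user's loaded hive (HKCU); the Get-OpenSaveMru function name and the $Root variable are this example's own.

```powershell
# Added example: enumerate OpenSavePidlMRU entries per extension, most recent first.
$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU'

# P/Invoke wrapper for the shell API that turns an absolute ITEMIDLIST (PIDL) into a file path.
Add-Type -Namespace Win32 -Name Shell -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern bool SHGetPathFromIDListW(IntPtr pidl, System.Text.StringBuilder pszPath);
'@

function ConvertFrom-Pidl {
    param([byte[]]$Bytes)
    # Copy the registry blob into unmanaged memory so the shell can walk the item list.
    $ptr = [Runtime.InteropServices.Marshal]::AllocHGlobal($Bytes.Length)
    try {
        [Runtime.InteropServices.Marshal]::Copy($Bytes, 0, $ptr, $Bytes.Length)
        $sb = New-Object System.Text.StringBuilder 260   # MAX_PATH buffer
        if ([Win32.Shell]::SHGetPathFromIDListW($ptr, $sb)) { return $sb.ToString() }
        return $null   # not a file-system item (e.g. a shell namespace location) or a malformed blob
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($ptr)
    }
}

function Get-OpenSaveMru {
    param([string]$Path = $Root)
    # Each sub-key is named after a file extension; the '*' sub-key holds the most recent items overall.
    foreach ($key in Get-ChildItem -Path $Path) {
        $order = $key.GetValue('MRUListEx')
        if (-not $order) { continue }
        # MRUListEx is a list of little-endian DWORD value indexes, most recent first, ended by 0xFFFFFFFF.
        $rank = 0
        for ($i = 0; $i + 4 -le $order.Length; $i += 4) {
            $idx = [BitConverter]::ToUInt32($order, $i)
            if ($idx -eq [uint32]::MaxValue) { break }
            $blob = $key.GetValue("$idx")          # values are named "0", "1", ... and hold the PIDLs
            if (-not $blob) { continue }
            [pscustomobject]@{
                Extension = $key.PSChildName
                Rank      = $rank++
                Path      = ConvertFrom-Pidl -Bytes $blob
            }
        }
    }
}

Get-OpenSaveMru | Sort-Object Extension, Rank | Format-Table -AutoSize
```

To examine an offline NTUSER.DAT, load it first (for example `reg load HKU\Suspect C:\evidence\NTUSER.DAT`) and pass `Registry::HKEY_USERS\Suspect\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU` as -Path. Entries whose Path is empty are items the shell could not map to a file-system path and are worth decoding by hand rather than discarding.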