Office Recent Files
Microsoft Office programs maintain a registry-based list of recent files to facilitate user access to previously opened documents. This feature is instrumental for digital forensic analysts when investigating a subject's document access patterns, as it records detailed information about the files accessed by MS Office applications. The registry keys involved vary by Office version and user account type, including specific paths for different Office applications and account configurations.
Key Insights:
Registry Path for Traditional Installations:
NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\File MRU
Versions range from 10.0 (Office XP) to 16.0 (Office 2016/2019/M365), with each version number corresponding to a specific release of MS Office.
Registry Path for Microsoft 365 with LiveID:
NTUSER.DAT\Software\Microsoft\Office\<Version>\UserMRU\LiveID_####\File MRU
This path is used for Microsoft 365 installations associated with a LiveID.
Registry Path for Microsoft 365 with Azure Active Directory (ADAL):
NTUSER.DAT\Software\Microsoft\Office\<Version>\UserMRU\ADAL_####\File MRU
This path caters to Microsoft 365 installations linked to Azure Active Directory.
Deeper Dive
File MRU Registry Key:
This key records the most recently used (MRU) files by each MS Office application, providing full path information along with the last opened timestamp. The File MRU key is critical for understanding user behavior, document access patterns, and potential evidence in digital investigations.
Version-Specific Paths:
The registry paths change with the Office version, indicating the evolution of Office software and its configuration settings. Notably, 16.0 covers Office 2016, 2019, and Microsoft 365 versions, reflecting the transition to a subscription-based model.
UserMRU Key:
The UserMRU key distinguishes between user accounts, particularly for Microsoft 365 users, either through LiveID or Azure AD. This distinction is crucial for investigations involving cloud-based services and enterprise environments.
Analyzing The Artifact
Identify Office Version: Determine the version of Office installed on the system to locate the correct registry path.
Navigate to the Registry Key: Use a registry editor or forensic tool to access the NTUSER.DAT hive and navigate to the respective File MRU path based on the Office version and account type.
Extract Recent File List: Analyze the entries within the File MRU key to identify recently accessed documents. Note the full path and last opened timestamp for each file.
Correlate with User Activity: Cross-reference the recent file list with other artifacts, such as file timestamps and user activity logs, to build a comprehensive picture of user behavior.
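The extraction step above, as an added example that is not part of the original page: it parses the string data of values exported from one File MRU key into a last-opened timeline. It assumes the bracketed "Item N" layout written by recent Office versions, in which the T field is a hex-encoded Windows FILETIME followed by the full path; the function names and the sample values are hypothetical and constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed "Item N" layout (not given on the page): [F..][T<16 hex FILETIME>][O..]*<full path>
ITEM_RE = re.compile(
    r"^\[F[0-9A-Fa-f]+\]\[T(?P<ft>[0-9A-Fa-f]{16})\]\[O[0-9A-Fa-f]+\]\*(?P<path>.+)$"
)

def parse_mru_item(data):
    """Return (last_opened_utc, path), or None if the data is not in the assumed layout."""
    m = ITEM_RE.match(data.strip("\x00 \r\n"))
    if not m:
        return None
    ticks = int(m.group("ft"), 16)  # 100 ns intervals since 1601-01-01 UTC
    try:
        opened = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # FILETIME beyond datetime's range: treat as corrupt
        return None
    return opened, m.group("path")

def build_timeline(values):
    """values: {value name: string data} exported from one File MRU key.
    Returns (rows sorted newest first, names that could not be parsed)."""
    rows, skipped = [], []
    for name, data in values.items():
        parsed = parse_mru_item(data)
        if parsed is None:
            skipped.append(name)  # keep for manual review rather than dropping silently
        else:
            rows.append((parsed[0], name, parsed[1]))
    rows.sort(reverse=True)
    return rows, skipped

# Constructed sample export; names, paths and timestamps are made up for illustration.
SAMPLE = {
    "Max Display": "25",
    "Item 1": r"[F00000000][T01DA3F0012345670][O00000000]*\\fileserver\share\plan.docx",
    "Item 2": r"[F00000000][T01DA47A1B2C3D4E0][O00000000]*C:\Users\analyst\Documents\budget.docx",
    "Item 3": "[F00000000][Tnot-a-timestamp][O00000000]*C:\\tmp\\x.docx",
}

if __name__ == "__main__":
    rows, skipped = build_timeline(SAMPLE)
    for opened, name, path in rows:
        print(opened.isoformat(), name, path)
    print("unparsed:", skipped)
```

Values that do not match the assumed layout are returned in the skipped list so they can be reviewed by hand instead of being lost from the timeline.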
Tools for Analysis
Registry Editors: Tools like RegEdit or Registry Explorer can manually navigate and export the contents of NTUSER.DAT.
Forensic Software: Applications such as AccessData FTK or Magnet Axiom provide advanced capabilities to automatically extract and analyze registry data, including MRU lists.
Custom Scripts: PowerShell scripts or custom tools can automate the extraction and parsing of MRU registry keys, streamlining the analysis process.