Recent Files
The "Recent Files" functionality in Windows is a critical artifact for forensic investigators, as it records the files and folders that have been accessed most recently by a user. This data is used to populate areas such as the "Recent" menus found in some versions of the Start menu, offering quick access back to recently used resources.
Key Insights:
Registry Path:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Within this key, Windows tracks the user's recently accessed files and folders, organizing this information in a way that can be highly informative for digital forensic analysis.
RecentDocs:
The RecentDocs key acts as a rollup, tracking the overall order of the last 150 files or folders opened. It maintains a Most Recently Used (MRU) list that records the temporal order in which each file or folder was accessed.
Extension-Specific Subkeys (.???):
These subkeys are named after the file extensions (e.g., .docx, .xlsx) and store information about the last 20 files opened of each type. Like the RecentDocs key, they also maintain an MRU list, with the last write time of the key indicating the time at which the most recently used item of that file type was opened.
Folder Subkey:
This subkey specifically tracks the last 30 folders opened by the user. The most recently used item within this key has its last write time updated to reflect the time of the most recent folder access.
Deeper Dive
The structure of the RecentDocs key and its subkeys provides a multi-faceted view of user behavior, showing not only the files and folders a user has accessed but also when they were accessed. This can be pivotal in investigations, offering clues about the sequence of user actions and their interaction with specific data.
Analyzing The Artifact
To analyze the "Recent Files" artifact, forensic analysts can follow these steps:
1. Access the NTUSER.DAT file of the user profile in question to locate the RecentDocs key.
2. Review the MRU list in the RecentDocs key for an overview of the last 150 accessed files or folders.
3. Examine the extension-specific subkeys to identify the last 20 files opened for each file type, using the last write time as a timestamp for the most recent access.
4. Investigate the Folder subkey to understand the user's recent folder access patterns, again using the last write time for the most recent access indication.
5. Correlate this information with other forensic artifacts to build a comprehensive timeline of user activity.
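The MRU ordering described in steps 2 and 3 is stored as a binary MRUListEx value (DWORD indices, most recent first, terminated by 0xFFFFFFFF), and each numbered value begins with the file or folder name as a null-terminated UTF-16LE string followed by a shell item. The parser below is an added example, not code from the original page; it assumes the raw value bytes have already been read from the hive with an offline hive parser, and the sample values are constructed here for illustration.

```python
import struct
from typing import Dict, List, Optional


def parse_mrulistex(data: bytes) -> List[int]:
    """Decode MRUListEx: little-endian DWORD indices, most recent first,
    terminated by 0xFFFFFFFF. Stops at the terminator or at end of data."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # iter_unpack needs whole DWORDs
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recentdocs_name(blob: bytes) -> Optional[str]:
    """Return the leading UTF-16LE name of a numbered RecentDocs value.
    The name ends at the first 2-byte null on an even offset; the shell item
    that follows is ignored. Returns None if the blob is truncated."""
    for off in range(0, len(blob) - 1, 2):
        if blob[off:off + 2] == b"\x00\x00":
            return blob[:off].decode("utf-16-le", errors="replace")
    return None


def recentdocs_in_mru_order(values: Dict[str, bytes]) -> List[str]:
    """Given the values of a RecentDocs (sub)key as {value name: bytes},
    return the names most recent first. Indices listed in MRUListEx that
    have no matching numbered value (stale entries) are skipped."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(idx))
        name = parse_recentdocs_name(blob) if blob is not None else None
        if name is not None:
            names.append(name)
    return names


def _entry(name: str) -> bytes:
    # Constructed sample value: UTF-16LE name, terminator, then a dummy shell item
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 16


# Constructed sample key contents (not real hive data): index 2 was opened last
SAMPLE_RECENTDOCS = {
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.txt"),
    "2": _entry("report.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for name in recentdocs_in_mru_order(SAMPLE_RECENTDOCS):
        print(name)
```

The key's last write time, which the text uses as the timestamp of the most recent access, is not inside these values and must be taken from the key record itself.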
Tools for Analysis
Registry Editors: Tools like RegEdit can be used to explore the Windows Registry manually, but for forensic purposes, more specialized tools are preferred.
AccessData Registry Viewer: A tool designed for forensic analysis of the Windows Registry, allowing for easy navigation, search, and analysis of keys like RecentDocs.
NirSoft RegScanner: This utility allows for quick searching and exporting of specific Registry keys, making it useful for locating and analyzing the RecentDocs key and its subkeys.