Last Visited MRU
Last Visited MRU (Most Recently Used) tracks the last accessed file or directory in an application, recording both the application used and the last location accessed within the file system.
Artifacts and Their Purpose:
Tracks Application Usage: Records the applications that have been used.
Records Last Accessed Directories: Notes the last directory that the user interacted with through an application.
Facilitates User Convenience: Enhances the GUI by allowing quick navigation to recently accessed locations.
Aids Forensic Analysis: Provides evidence of user activity and potentially unauthorized access.
Registry Key Locations
Windows XP:
Windows 7 and Newer:
Structure and Data
The data within these keys typically includes binary values that correspond to:
The Executable Name: The application that accessed the file.
The File Path or Object Identifier (PIDL): The PIDL (Pointer to an Item ID List) is used to uniquely identify a folder or item within the shell namespace. This can reference locations not necessarily represented by a file system path.
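The layout described above can be walked with a short parser. This is an added example, not code from the original page: it assumes a LastVisitedPidlMRU-style value holds a NUL-terminated UTF-16LE executable name followed by an item ID list of size-prefixed entries, and the sample bytes and the name example.exe are constructed for illustration.

```python
import struct

def parse_last_visited_value(data: bytes):
    """Split one binary value into (executable name, raw shell item blobs)."""
    # Executable name: UTF-16LE code units up to a 2-byte NUL terminator.
    end = 0
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(data):
        raise ValueError("unterminated executable name")
    exe = data[:end].decode("utf-16-le")

    # Item ID list: repeated [uint16 cb][cb - 2 bytes of item data],
    # where cb counts its own two bytes; a cb of 0 ends the list.
    items, pos = [], end + 2
    while True:
        if pos + 2 > len(data):
            raise ValueError("item ID list truncated before terminator")
        (cb,) = struct.unpack_from("<H", data, pos)
        if cb == 0:
            break
        if cb < 2 or pos + cb > len(data):
            raise ValueError(f"bad item size {cb} at offset {pos}")
        items.append(data[pos + 2:pos + cb])
        pos += cb
    return exe, items

def _item(body: bytes) -> bytes:
    """Build one size-prefixed entry for the constructed sample."""
    return struct.pack("<H", len(body) + 2) + body

# Constructed sample value: the item bodies are placeholders, not real shell items.
SAMPLE = (
    "example.exe".encode("utf-16-le") + b"\x00\x00"
    + _item(b"\x1fCONSTRUCTED-ROOT")
    + _item(b"\x31CONSTRUCTED-DIR")
    + b"\x00\x00"
)

if __name__ == "__main__":
    exe, items = parse_last_visited_value(SAMPLE)
    print(exe, [len(i) for i in items])
```

The parser returns each item as raw bytes; resolving those bytes to a folder name requires a shell item decoder, which is outside this example.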
Forensic Importance
Incident Reconstruction: By examining the Last Visited MRU, an analyst can determine what files were accessed by which application, which is crucial when investigating unauthorized data access or exfiltration.
Identifying Malicious Activity: Discovery of unusual or hidden directories within these keys may suggest stealthy behavior, like the use of a hidden directory to store or execute malicious files.
Timeline Correlation: When combined with timestamps from other forensic artifacts, the Last Visited MRU can help create a timeline of user actions, useful in understanding the scope of an incident.
Example in Incident Response
A digital forensic analyst is investigating a potential breach. By examining the LastVisitedPidlMRU, they discover entries for an encryption tool executed from a USB drive, which was then used to access specific documents within a secure network drive. This information suggests that the documents may have been encrypted prior to exfiltration.
User GUI Experience
For the end-user, the Last Visited MRU impacts the experience by:
Populating Recent Items: In applications, the recent items or places list is populated based on this data, allowing users to quickly return to the last item or location used.
Streamlining File Dialogs: When opening or saving files, the dialog boxes may default to the last visited directory, facilitating ease of use.