
Investigating OpenSaveMRU

30/07/2021 Friday

OpenSaveMRU is a Windows registry key that tracks files that have been accessed by any application through the "Open" or "Save As" Windows shell dialog box. The key name differs between Windows XP and later versions: OpenSaveMRU on Windows XP and 2003, OpenSavePidlMRU on Windows Vista through Windows 10.

Digital Forensics Value of OpenSaveMRU Artifact

The OpenSaveMRU/OpenSavePidlMRU key contains the full path of each file that was accessed by any application through the Open/Save As dialog box. This type of information is critical during the forensic analysis process as it can reveal details regarding downloaded files and the last files accessed by the user.

Location of OpenSaveMRU Artifact

Windows XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Windows 7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Structure of OpenSaveMRU Artifact

There are multiple subkeys within the OpenSaveMRU/OpenSavePidlMRU key. The first subkey is the "*" subkey. This key contains the last 20 files (10 in Windows XP) of any extension that have been accessed through the "Open" or "Save As" dialogs. The rest of the subkeys correspond to different file extensions, and each stores only files with that extension.

Within each subkey, items are named with numbers (or letters in Windows XP) assigned in ascending order according to their creation time. These items store the full path of the file accessed by any application through the "Open" or "Save As" dialog window in binary format (or string format in Windows XP). Each subkey also contains an "MRUListEx" value (or "MRUList" in Windows XP) that lists the order in which the files were opened or saved by any application.

Figure: Windows XP and 2003

Figure: Windows Vista through Windows 10
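
As an added example (not from the original post and not ArtiFast code), the Python below orders one subkey's values by its MRUList/MRUListEx and splits a binary value into its shell items. It assumes the commonly documented layouts: MRUListEx is a run of little-endian 32-bit value names ending in 0xFFFFFFFF with the most recent entry first, and each binary value is an ITEMIDLIST. All function names and sample data are constructed for illustration.

```python
import struct

END_OF_LIST = 0xFFFFFFFF  # documented terminator of an MRUListEx array

def mru_order_ex(mrulistex: bytes) -> list:
    """Vista+: little-endian uint32 value names, most recent first."""
    order = []
    for (index,) in struct.iter_unpack("<I", mrulistex[: len(mrulistex) & ~3]):
        if index == END_OF_LIST:
            break
        order.append(str(index))
    return order

def mru_order_xp(mrulist: str) -> list:
    """XP/2003: one letter per value name, most recent first."""
    return list(mrulist)

def split_pidl(pidl: bytes) -> list:
    """Split an ITEMIDLIST into shell items (uint16 size prefix, size 0 ends it)."""
    items, pos = [], 0
    while pos + 2 <= len(pidl):
        (size,) = struct.unpack_from("<H", pidl, pos)
        if size == 0:
            return items
        if size < 2 or pos + size > len(pidl):
            break
        items.append(pidl[pos + 2 : pos + size])
        pos += size
    raise ValueError("ITEMIDLIST is truncated or has no terminator")

def rank(values: dict, order: list):
    """Return (values in MRU order, names the list references but the subkey lacks)."""
    ranked = [(name, values[name]) for name in order if name in values]
    missing = [name for name in order if name not in values]
    return ranked, missing

def _item(payload: bytes) -> bytes:  # constructed item; real ones hold binary structures
    return struct.pack("<H", len(payload) + 2) + payload

# Constructed sample data, not taken from a real hive: a ".pdf" subkey (Vista+).
SAMPLE_VISTA = {"0": _item(b"folder") + _item(b"report.pdf") + b"\0\0",
                "1": _item(b"folder") + _item(b"invoice.pdf") + b"\0\0"}
SAMPLE_MRULISTEX = struct.pack("<4I", 1, 0, 2, END_OF_LIST)  # "2" has no value
SAMPLE_XP = {"a": r"C:\Docs\a.txt", "b": r"C:\Docs\b.doc", "MRUList": "ba"}  # XP "*"

if __name__ == "__main__":
    ranked, missing = rank(SAMPLE_VISTA, mru_order_ex(SAMPLE_MRULISTEX))
    print([(n, split_pidl(p)) for n, p in ranked], "missing:", missing)
    print(rank(SAMPLE_XP, mru_order_xp(SAMPLE_XP["MRUList"]))[0])
```

An MRU entry that names a value the subkey no longer holds, as "2" does in the sample, is worth checking against the raw hive during review.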

Analyzing OpenSaveMRU Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze the OpenSaveMRU artifact from Windows machines and what kind of digital forensics insight we can gain from it.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select the OpenSaveMRU artifact.

Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Open Save MRU artifact in ArtiFast software.

Open Save MRU Artifact

This artifact contains information related to the files accessed by any application through the "Open" or "Save As" dialog box. The details you can view include: