Windows operating systems record and store a mine of information specific to actions taken by a user account. Among the information tracked is the recent files and folders accessed by the user. Information about the files that were recently opened/saved and the folders that were opened are maintained in the RecentDocs registry key.
In the previous versions of Windows, this data is used to populate the recent items menu of the Start menu. Recent items menu is no longer populated in the Start menu of Windows 10, however, recent files and folders accessed by the user can be found in the “Recent Items” folder in the Users directory.
Being able to retrieve a list of the recent files and folders accessed by the user can be crucial in a forensic examination. RecentDocs MRU artifact can unfold useful information about the suspect’s activities on a device such as accessing unauthorized documents. What makes this artifact more valuable is the fact that the information can be maintained within the RecentDocs key long after the source file or folder has ceased to exist on the system.
Information about the recent files and folders accessed by the user is maintained in the RecentDocs key at
the following location:
RecentDocs key itself contains multiple values as seen in the figure below. These values are assigned
numbers as names and each value contains binary data. The value named “MRUListEx” tracks the order in which
these files/folders were accessed.
This section discusses how to use ArtiFast Windows to analyze RecentDocs MRU artifact from Windows machines
and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select RecentDocs MRU Artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of RecentDocs MRU artifact in ArtiFast.
RecentDocs MRU Artifact
This artifact contains information related to the recent files and folders accessed. The details you can view include: