Dialogue Boxes MRU

Dialog Box MRU in Windows Forensics

Dialog Box MRU (Most Recently Used) artifacts record user interaction with files and folders through the Windows common dialog boxes (Open, Save As, and the file picker a browser shows for an upload). Because the keys live in each user's NTUSER.DAT hive, they tie the activity to a specific account and reveal which files were chosen and which application presented the dialog, making them valuable in forensic investigations.


Key Registry Locations for Dialog Box MRU Artifacts

1. OpenSavePidlMRU

  • Path:

    NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
  • Purpose: Stores the full paths of files recently opened, saved, or selected for upload through a common dialog.

  • Structure: Subkeys named after the file extension (e.g., docx, pdf, xlsx), each holding numbered values (0, 1, 2, ...) whose data is a PIDL (a binary shell item list, not a plain text path) plus an MRUListEx value that records their order.

    • * Subkey: Tracks the most recent files regardless of extension (up to 20 entries on Windows Vista and later; the XP-era OpenSaveMRU key kept 10).

2. LastVisitedPidlMRU

  • Path:

    NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
  • Purpose: Tracks which executables displayed a common dialog and the folder each one last used.

  • Structure: Numbered values, one per executable, each holding the executable name as a UTF-16 string followed by the PIDL of the folder last browsed in that application's dialog. Special folders (Desktop, This PC, Libraries) appear as GUID shell items, which Registry Explorer resolves to names.


Forensic Value of Dialog Box MRU Artifacts

  1. Evidence of File Access Records files chosen in a dialog box, and the entry survives even after the file itself has been deleted, moved, or renamed.

  2. Application Context Names the executable that presented the dialog (e.g., chrome.exe, excel.exe), giving context about how a file was used (a browser's Open dialog usually means an upload or attachment).

  3. Timeline Reconstruction Each key carries one LastWrite timestamp, which dates the entry at the head of MRUListEx; older entries in the same key have no timestamp of their own and must be placed in time from other artifacts (LNK files, Jump Lists, event logs).

  4. User Intent and Activity Shows deliberate user interaction with files, such as uploading sensitive data, saving documents to removable media, or working in specific directories.


Analysis Process

Using Registry Explorer (Eric Zimmerman's Tool)

  1. Load NTUSER.DAT Hive:

    • Extract NTUSER.DAT from the user's profile directory (C:\Users\<username>\NTUSER.DAT). On a live system the file is locked, so collect it with a raw copy tool or from a volume shadow copy, and collect the NTUSER.DAT.LOG1 and .LOG2 transaction logs alongside it.

    • Open it in Registry Explorer; if the hive is reported as dirty, let the tool replay the transaction logs so the newest MRU entries are not missed.

  2. Navigate to Key Locations:

    • Explore both OpenSavePidlMRU and LastVisitedPidlMRU under Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 (on Windows XP the keys are named OpenSaveMRU and LastVisitedMRU and store text paths instead of PIDLs). The bundled ComDlg32 plugins decode the PIDL data into readable paths.

  3. Parse Data:

    • Identify file paths, associated executables, and the LastWrite timestamp of each key.

    • Use the MRUListEx value to determine the sequence of recent file access: it lists value names most recent first, and the key's LastWrite time belongs to the first entry.

Correlating Data:

  • OpenSavePidlMRU: Shows recently accessed files and their full paths, grouped by extension.

  • LastVisitedPidlMRU: Provides the executable that showed the dialog and the folder it last used; match that folder against the file paths in OpenSavePidlMRU to infer which application handled a file, keeping in mind that the entry reflects the last dialog for that executable, not every file it touched.
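The value formats that Registry Explorer decodes can also be parsed by hand, which is useful when scripting triage or checking a tool's output. The Python below is an added example, not code from the original page or from Registry Explorer: it walks MRUListEx, splits a PIDL into shell items, recovers the long file name from the BEEF0004 extension block, and splits a LastVisitedPidlMRU value into executable name and folder. The layouts follow the publicly documented shell item format; the sample value bytes are constructed inside the script (build_pidl) to mirror the page's scenario and do not come from a real hive, and the function names are the example's own.

```python
"""Offline parser for ComDlg32 MRU value data: MRUListEx order, OpenSavePidlMRU PIDLs and
LastVisitedPidlMRU (executable + folder PIDL). Sample bytes at the bottom are constructed."""
from __future__ import annotations

import struct
import uuid

MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")  # CLSID of the "This PC" root item
BEEF0004 = struct.pack("<I", 0xBEEF0004)  # signature of the extension block holding the long name


def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: little-endian DWORD value names, most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def split_pidl(data: bytes) -> list[bytes]:
    """Split an ITEMIDLIST into SHITEMID blobs (2-byte total size, then payload; size 0 ends it)."""
    items, pos = [], 0
    while pos + 2 <= len(data):
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:
            break
        items.append(data[pos:pos + size])
        pos += size
    return items


def _utf16z(b: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string."""
    end = 0
    while end + 1 < len(b) and b[end:end + 2] != b"\x00\x00":
        end += 2
    return b[:end].decode("utf-16-le")


def shell_item_name(item: bytes) -> str:
    """Display name of one shell item: root CLSID (0x1F), volume (0x2x) or file entry (0x3x)."""
    kind = item[2]
    if kind == 0x1F:                         # sort-index byte, then the folder CLSID
        guid = uuid.UUID(bytes_le=item[4:20])
        return "This PC" if guid == MY_COMPUTER else f"{{{guid}}}"
    if kind & 0x70 == 0x20:                  # ASCII drive path at offset 3, e.g. "C:\"
        return item[3:].split(b"\x00", 1)[0].decode("ascii").rstrip("\\")
    if kind & 0x70 == 0x30:                  # flag, size(4), FAT mtime(4), attrs(2), primary (short) name
        short = item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
        pos = item.find(BEEF0004)
        if pos >= 4:                         # long name sits in the BEEF0004 block at a version-dependent offset
            ext = item[pos - 4:]
            ver = struct.unpack_from("<H", ext, 2)[0]
            off = 18 + (18 if ver >= 7 else 0) + 2 + (4 if ver >= 8 else 0) + (4 if ver >= 9 else 0)
            return _utf16z(ext[off:])
        return short
    return f"<0x{kind:02x}>"                 # network and other item types are not decoded here


def pidl_to_path(data: bytes) -> str:
    names = [shell_item_name(i) for i in split_pidl(data)]
    return "\\".join(n for n in names if n != "This PC")


def recent_files(values: dict[str, bytes]) -> list[dict]:
    """Order an OpenSavePidlMRU subkey's values by MRUListEx. Only the head entry is dated:
    the key LastWrite time belongs to the newest addition, older entries carry no time of their own."""
    return [{"value": str(idx), "path": pidl_to_path(values[str(idx)]), "dated_by_key_lastwrite": n == 0}
            for n, idx in enumerate(parse_mrulistex(values["MRUListEx"]))]


def parse_last_visited(data: bytes) -> tuple[str, str]:
    """LastVisitedPidlMRU value: NUL-terminated UTF-16LE executable name, then the folder PIDL."""
    exe = _utf16z(data)
    return exe, pidl_to_path(data[(len(exe) + 1) * 2:])


# --- constructed sample data (hypothetical, not taken from a real hive) -------------------
def _item(kind: int, body: bytes) -> bytes:
    return struct.pack("<H", 3 + len(body)) + bytes([kind]) + body


def _fs_item(name: str, is_dir: bool) -> bytes:
    short = name.encode("ascii") + b"\x00"
    short += b"\x00" * (len(short) % 2)                              # primary name padded to 2 bytes
    ext = struct.pack("<HI", 8, 0xBEEF0004) + bytes(8) + b"\x2e\x00"  # version 8, FAT times, identifier
    ext += bytes(18) + bytes(2) + bytes(4)                            # v>=7 fields, long-name size, v>=8 field
    ext += name.encode("utf-16-le") + b"\x00\x00" + bytes(2)          # long name, offset to first ext block
    ext = struct.pack("<H", len(ext) + 2) + ext
    body = b"\x00" + struct.pack("<IIH", 0, 0, 0x10 if is_dir else 0x20) + short + ext
    return _item(0x31 if is_dir else 0x32, body)


def build_pidl(path: str, is_file: bool) -> bytes:
    drive, *parts = path.split("\\")
    items = [_item(0x1F, b"\x50" + MY_COMPUTER.bytes_le), _item(0x2F, drive.encode() + b"\\" + bytes(19))]
    for n, part in enumerate(parts):
        items.append(_fs_item(part, is_dir=not (is_file and n == len(parts) - 1)))
    return b"".join(items) + b"\x00\x00"


OPENSAVE_STAR = {                                  # the "*" subkey; MRUListEx says value 1 is newest
    "0": build_pidl(r"C:\Users\John\Documents\Finance\Confidential_Report.xlsx", True),
    "1": build_pidl(r"C:\Users\John\Downloads\invoice.pdf", True),
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
}
LASTVISITED_0 = "chrome.exe\0".encode("utf-16-le") + build_pidl(r"C:\Users\John\Documents\Finance", False)

if __name__ == "__main__":
    for entry in recent_files(OPENSAVE_STAR):
        print(entry)
    print(parse_last_visited(LASTVISITED_0))
```

To run this against real evidence, read the value bytes from the hive with a registry library (python-registry, for example) and hand them to recent_files and parse_last_visited. The decoder covers root, volume and file-system shell items, which is what these two keys normally contain; network shares and other item types come back as their type code rather than a name, so treat those as a prompt to look at the full tool output.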


Practical Investigation Example

Case: Suspected Data Exfiltration

  • Incident: An employee is suspected of uploading sensitive financial data to an unauthorized cloud service.

Step 1: Analyze OpenSavePidlMRU

  • File Path: C:\Users\John\Documents\Finance\Confidential_Report.xlsx, found under the xlsx subkey and the * subkey.

  • Timestamp: The key's LastWrite time dates this access only if the entry is first in MRUListEx; otherwise it shows only that the file was selected before the newer entries.

Step 2: Analyze LastVisitedPidlMRU

  • Folder Path: C:\Users\John\Documents\Finance

  • Associated Application: chrome.exe paired with that folder shows a Chrome file dialog (such as the browser's upload picker) was last used there. It indicates but does not by itself prove that the report was uploaded, since the same common dialogs also serve Save As for downloads.

Step 3: Correlate with Network Logs

  • Proxy or firewall logs show an outbound upload (a large POST) to an unapproved cloud service within minutes of the key's LastWrite time, and the Chrome History database can confirm the site visited; together these corroborate the exfiltration.
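The time comparison in Step 3 is the part most often done loosely, because the registry timestamp is a FILETIME in UTC while log sources use their own formats. The following Python is an added example, not code from the original page: it converts the key's LastWrite FILETIME to a UTC datetime and pulls the upload-shaped requests (POST or PUT) within a few minutes of it out of proxy log lines. The log format, hostnames, client address and the FILETIME value are all constructed for the example.

```python
"""Place an OpenSavePidlMRU key's LastWrite time beside proxy log lines (constructed data)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """Registry LastWrite times are FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_proxy_line(line: str) -> dict:
    """Constructed proxy format: ISO-8601 UTC time, client, method, URL, status, bytes sent."""
    ts, client, method, url, status, nbytes = line.split()
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")), "client": client,
            "method": method, "url": url, "status": int(status), "bytes": int(nbytes)}


def uploads_near(lastwrite_ft: int, log_lines: list[str],
                 window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return POST/PUT requests within +/- window of the key LastWrite time, with the offset in seconds."""
    t0 = from_filetime(lastwrite_ft)
    hits = []
    for line in log_lines:
        rec = parse_proxy_line(line)
        if rec["method"] in ("POST", "PUT") and abs(rec["time"] - t0) <= window:
            rec["offset_s"] = (rec["time"] - t0).total_seconds()
            hits.append(rec)
    return hits


KEY_LASTWRITE = 133547259100000000     # hypothetical LastWrite, 2024-03-12 14:05:10 UTC
PROXY_LOG = [                          # constructed log lines, not real traffic
    "2024-03-12T13:20:01Z 10.0.0.25 GET https://intranet.example.local/ 200 512",
    "2024-03-12T14:06:42Z 10.0.0.25 POST https://upload.example.net/api/files 201 4823112",
    "2024-03-12T14:07:03Z 10.0.0.25 GET https://upload.example.net/api/files/9f1c 200 340",
    "2024-03-12T16:45:19Z 10.0.0.25 POST https://mail.example.local/send 200 2100",
]

if __name__ == "__main__":
    print("key LastWrite (UTC):", from_filetime(KEY_LASTWRITE).isoformat())
    for hit in uploads_near(KEY_LASTWRITE, PROXY_LOG):
        print(f"{hit['offset_s']:+.0f}s {hit['method']} {hit['url']} {hit['bytes']} bytes")
```

The window is deliberately a parameter: a dialog selection precedes the actual transfer, so look forward more than backward, and widen it if the proxy's clock is not synchronised with the endpoint's.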


Conclusion

Dialog Box MRU artifacts provide a detailed account of user interactions with files through dialog boxes. They help investigators uncover critical evidence of file access, application usage, and potential data exfiltration. When combined with other forensic artifacts, such as network logs and event logs, they provide a comprehensive view of user activities during an incident.
