Dialogue Boxes MRU

Dialog Box MRU in Windows Forensics

Dialog Box MRU (Most Recently Used) artifacts track user interactions with files and directories through common dialog boxes (e.g., Open, Save, Upload) in Windows. These artifacts reveal which files were accessed and the applications used, making them valuable in forensic investigations.

Key Registry Locations for Dialog Box MRU Artifacts

1. OpenSavePidlMRU

Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Purpose: Stores file paths of recently opened, saved, or uploaded files.
Structure: Subkeys categorized by file extensions (e.g., .docx, .pdf).
- * Subkey: Tracks the 10 most recent files, regardless of extension.

2. LastVisitedPidlMRU

Path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Purpose: Tracks the application and folder paths involved in file access.
Structure: Stores folder paths and the executables used, sometimes represented as GUIDs.

Forensic Value of Dialog Box MRU Artifacts

Evidence of File Access Tracks files accessed through dialog boxes, even if they are deleted.
Application Context Provides the executable responsible for accessing files (e.g., chrome.exe, excel.exe), offering context about how files were used.
Timeline Reconstruction Correlates file access with timestamps, aiding in building a sequence of events.
User Intent and Activity Shows user interaction with files, such as uploading sensitive data, modifying documents, or accessing specific directories.

Analysis Process

Using Registry Explorer (Eric Zimmerman's Tool)

Load NTUSER.DAT Hive:
- Extract the NTUSER.DAT file from the user's profile directory.
- Open it in Registry Explorer.
Navigate to Key Locations:
- Explore both OpenSavePidlMRU and LastVisitedPidlMRU.
Parse Data:
- Identify file paths, associated executables, and timestamps.
- Use the MRUListEx value to determine the sequence of recent file access.

Correlating Data:

OpenSavePidlMRU: Shows recently accessed files and their paths.
LastVisitedPidlMRU: Provides the folder path and the application responsible for accessing the file.

Practical Investigation Example

Case: Suspected Data Exfiltration

Incident: An employee is suspected of uploading sensitive financial data to an unauthorized cloud service.

Step 1: Analyze OpenSavePidlMRU

File Path: C:\Users\John\Documents\Finance\Confidential_Report.xlsx
Timestamp: Indicates the time the file was accessed/uploaded.

Step 2: Analyze LastVisitedPidlMRU

Folder Path: C:\Users\John\Documents\Finance
Associated Application: chrome.exe confirms the file was accessed via a web browser.

Step 3: Correlate with Network Logs

Network logs reveal a connection to an unknown cloud service at the same timestamp.

Conclusion

Dialog Box MRU artifacts provide a detailed account of user interactions with files through dialog boxes. They help investigators uncover critical evidence of file access, application usage, and potential data exfiltration. When combined with other forensic artifacts, such as network logs and event logs, they provide a comprehensive view of user activities during an incident.

PreviousRecent Files NextEvent Log Analysis

Last updated 1 year ago

hashtagDialog Box MRU in Windows Forensics

hashtagKey Registry Locations for Dialog Box MRU Artifacts

hashtag1. OpenSavePidlMRU

hashtag2. LastVisitedPidlMRU

hashtagForensic Value of Dialog Box MRU Artifacts

hashtagAnalysis Process

hashtagPractical Investigation Example

hashtagConclusion