Recent Files

Recent Files in Windows Forensics

The Recent Files artifact in Windows records the files and folders a user opened through the Windows shell: File Explorer, the desktop, and the common Open/Save dialogs used by most applications. It is evidence of opening, not of execution and not of what was done with the content: a document that was only viewed still leaves an entry, which makes the artifact a natural complement to execution artifacts such as Amcache and Shimcache. It lives in two places, the .lnk shortcuts in the user's Recent folder and the RecentDocs key in the user's NTUSER.DAT hive, and each holds different details.


Key Locations of Recent Files Artifacts

1. Shortcut Files (LNK)

  • Location (File Explorer Visible):

    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
    • Windows creates or updates a shortcut (.lnk) here each time a file or folder is opened through the shell. The shortcut is named after the target with the extension replaced by .lnk (Financial_Report_Q3.xlsx becomes Financial_Report_Q3.lnk).
    • Each .lnk embeds the target's full path, its size, the serial number of the volume it lived on, and the target's creation, last-access and last-write timestamps as they were when the shortcut was last written.
    • The .lnk file's own NTFS timestamps matter as well: its creation time is the first time that target was opened, its modification time the most recent time.

2. Registry Entry

  • Location (Registry Path in NTUSER.DAT Hive):

    NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    • Key Structure:

      • RecentDocs: The root key holds one numbered value (0, 1, 2, ...) per recently opened item, plus subkeys per file type (e.g. .docx, .xlsx) and a Folder subkey, each with its own numbered values and MRUListEx. The root keeps a long list; each extension subkey keeps only a short list (roughly ten entries), so the root and a subkey do not always agree.

      • MRUListEx: A list of 4-byte indexes, one per numbered value, terminated by 0xFFFFFFFF. The first index is the most recently opened item. This gives the order of access, not the times.

    • Data Stored:

      • Target Name: The file or folder name only, stored as null-terminated UTF-16LE, followed by the name of the matching .lnk in the Recent folder. The full path is not here; it comes from the .lnk.

      • Timestamp: A value carries no timestamp of its own. The key's LastWrite time is the only one available, and it applies to the item at the head of MRUListEx (the most recent open under that key). Times for older entries come from the corresponding .lnk files.

      • Subkeys for Extensions: Categorize access by file type; the Folder subkey records opened folders.
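As an added example (not code from the original page), the following Python decodes the two structures just described: the MRUListEx index list and a RecentDocs value. The sample values are constructed to match that layout; in a real case they would be read from the hive with a registry library or from a .reg export. The shell item that follows the target name is decoded using the common file-entry layout (size, type, file size, DOS date and time, attributes, then the ANSI name); the Unicode extension block that may follow is not decoded.

```python
"""Decode RecentDocs values and MRUListEx from an NTUSER.DAT hive.

Added example, not code from the original page. SAMPLE_VALUES and
SAMPLE_MRULISTEX are constructed to match the layout described above;
on a real case read them from the hive or a .reg export.
"""
import struct


def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: little-endian DWORDs terminated by 0xFFFFFFFF.

    Each DWORD names a value under the same key ("0", "1", ...); the first
    one is the most recently opened item. Order only, no times.
    """
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recentdocs_value(data: bytes) -> dict:
    """A RecentDocs value: target name (UTF-16LE, null-terminated), then a
    file-entry shell item holding the name of the matching .lnk.

    Note what is absent: no path and no timestamp.
    """
    i = 0
    while i + 1 < len(data) and data[i:i + 2] != b"\x00\x00":
        i += 2
    target = data[:i].decode("utf-16-le")
    item = data[i + 2:]
    lnk_name = None
    # File-entry shell item: size(2) type(1) pad(1) filesize(4) dosdate(2)
    # dostime(2) attrs(2), then the null-terminated ANSI name. The Unicode
    # extension block that may follow is not decoded here.
    if len(item) >= 15 and item[2] in (0x31, 0x32):
        end = item.find(b"\x00", 14)
        lnk_name = item[14:end if end != -1 else len(item)].decode("latin-1")
    return {"target": target, "lnk_name": lnk_name}


def recent_in_mru_order(values: dict[str, bytes], mrulistex: bytes) -> list[str]:
    """Resolve MRUListEx indexes to target names, most recent first."""
    return [parse_recentdocs_value(values[str(i)])["target"]
            for i in parse_mrulistex(mrulistex) if str(i) in values]


def make_value(target: str, lnk_name: str) -> bytes:
    """Build a constructed RecentDocs value for the demo (test data only)."""
    name = lnk_name.encode("latin-1") + b"\x00"
    body = b"\x32\x00" + struct.pack("<IHHH", 0, 0, 0, 0x20) + name
    return target.encode("utf-16-le") + b"\x00\x00" + struct.pack("<H", len(body) + 2) + body


# Constructed sample: three entries under the .xlsx subkey, opened 0, then 2, then 1.
SAMPLE_VALUES = {
    "0": make_value("Budget_2024.xlsx", "Budget_2024.lnk"),
    "1": make_value("Financial_Report_Q3.xlsx", "Financial_Report_Q3.lnk"),
    "2": make_value("Confidential_Project.xlsx", "Confidential_Project.lnk"),
}
SAMPLE_MRULISTEX = struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF)

if __name__ == "__main__":
    for name in recent_in_mru_order(SAMPLE_VALUES, SAMPLE_MRULISTEX):
        print(name)
```

Running it prints the targets most recent first. Nothing in the output is a time: the only time available is the key's LastWrite, and it belongs to the first name printed.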


Data Stored in Recent Files Artifacts

  • File Name: Name of the recently accessed file (present in both the RecentDocs value and the .lnk).

  • File Path: Full location of the file on disk, including the drive and its volume serial number. This is present only in the .lnk; RecentDocs stores the name alone.

  • Timestamps: From the .lnk, the target's creation, last-access and last-write times as of the last open, plus the shortcut's own creation (first open) and modification (most recent open) times. From RecentDocs, only the key's LastWrite time, which applies to the most recent entry. Treat the target's last-access time with care: NTFS last-access updating is disabled by default on most systems, so it is frequently stale.

  • File Type: Categorized under RecentDocs subkeys named for the extension, such as .pdf, .xlsx or .docx, plus a Folder subkey. Running a program by double-clicking it does not normally create an entry; executable activity is the domain of Amcache and Shimcache.
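To show where the path and the timestamps actually live, here is an added example (not part of the original page) that parses the Shell Link header and the LocalBasePath from LinkInfo, following the MS-SHLLINK layout. The .lnk bytes are built by a helper for the demo, with a hypothetical path under C:\Users\jdoe and hypothetical times; a real shortcut from the Recent folder parses the same way. The shortcut's own NTFS timestamps (first and last open) come from the filesystem, not from the file contents, so they are outside this parser.

```python
"""Parse a Shell Link (.lnk) header and LocalBasePath per MS-SHLLINK.

Added example, not the page's own code. SAMPLE_LNK is built by a helper
for the demo (hypothetical path and times); a .lnk taken from the Recent
folder parses the same way.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bit 0
HAS_LINK_INFO = 0x02                    # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit 0
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk(data: bytes) -> dict:
    """Return the target's MAC timestamps, size and local path from a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    result = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),   # often stale: NTFS last-access updates are usually off
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
        "local_base_path": None,
    }
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                   # skip the IDList: 2-byte size + items
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:
        _info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, offset)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = offset + base_off
            result["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
    return result


def build_sample_lnk(path: str, created: datetime, accessed: datetime, modified: datetime, size: int) -> bytes:
    """Constructed minimal .lnk: 76-byte header + LinkInfo (VolumeID + LocalBasePath)."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label  # DRIVE_FIXED, serial, label
    base = path.encode("latin-1") + b"\x00"
    body = volume_id + base + b"\x00"                     # CommonPathSuffix left empty
    link_info = struct.pack("<7I", 28 + len(body), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(base)) + body
    return header + link_info


# Constructed sample standing in for Recent\Financial_Report_Q3.lnk (hypothetical path and times).
SAMPLE_LNK = build_sample_lnk(
    r"C:\Users\jdoe\Documents\Financial_Report_Q3.xlsx",
    created=datetime(2024, 11, 8, 14, 0, tzinfo=timezone.utc),
    accessed=datetime(2024, 11, 10, 21, 15, tzinfo=timezone.utc),
    modified=datetime(2024, 11, 9, 9, 30, tzinfo=timezone.utc),
    size=48213,
)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:16} {value}")
```

The full path is read straight out of LinkInfo; nothing comparable exists in the registry value. All FILETIME values are UTC, so convert to the local zone only at the reporting stage.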


Forensic Value of Recent Files

  1. Evidence of File Access

    • Records files that were opened through the shell or a common Open/Save dialog; a file opened from a command line, or by an application that bypasses those dialogs, may leave no entry.

    • Shows that a file was opened under a given user profile even if nothing was executed; it says nothing about what was read, edited or copied.

    • Each subkey keeps a limited number of entries, so older opens fall off the list; the .lnk in the Recent folder may outlive the registry entry, and vice versa.

  2. Reconstructing User Activity

    • MRUListEx gives the order in which items were opened; the .lnk timestamps supply the times. Together they yield a timeline.

    • Helpful in understanding user intent and the actions leading up to an incident.

  3. Tracking Sensitive Files

    • Detects opening of sensitive or classified documents by a user profile that had no reason to touch them.

    • Correlates with other artifacts such as .lnk files and event logs.


Using Recent Files in Investigations

1. Locating Accessed Files

  • Identify files opened during a specific time window, using the .lnk timestamps (the registry alone gives order, not time).

  • Filter by extension subkey to focus on particular categories:

    • Spreadsheets: .xlsx for financial or project data.

    • Documents: .docx for reports or contracts.

2. Tracking Insider Threats

  • Scenario: Investigating unauthorized access to sensitive project documents.

    • Investigators extract RecentDocs data from the suspect's NTUSER.DAT and the .lnk files from the same profile's Recent folder.

    • They find that a file named Confidential_Project.xlsx was opened during off-hours.

    • They correlate the access time with logon events to establish which account had an interactive session at that moment. An account match places the account, not necessarily the person, at the keyboard, so it should be backed by other evidence.

3. Correlating with Other Artifacts

  • Combine RecentDocs data with:

    • Event Logs (e.g., Security Event ID 4624, a successful logon, with its logon type and time).

    • Amcache or Shimcache for executable tracking.

    • Network Logs for file exfiltration evidence.


Data Leak Investigation

Case: A sensitive financial report was leaked.

Investigation:

  1. Analyze RecentDocs and the Recent folder:

    • Extract the root RecentDocs key and its .xlsx subkey from NTUSER.DAT and load them into a tool such as Registry Explorer.

    • Find an entry for Financial_Report_Q3.xlsx. Take its access time from the matching Financial_Report_Q3.lnk (the shortcut's modification time), or from the key's LastWrite time if the entry is the most recent one: Nov 10, 2024, at 9:15 PM.

  2. Correlate with Event Logs:

    • A Security Event ID 4624 with an interactive logon type shows a logon from the suspect's user account at 9:12 PM, three minutes before the file was opened. Event log timestamps are stored in UTC, so convert both sides to the same zone before comparing.

  3. Conclusion:

    • RecentDocs and the .lnk confirm that the file was opened from the suspect's profile.

    • The event log confirms that the account was logged on at that time, supporting the access element of the case. Proving the leak itself still requires evidence of the file leaving the system, such as network logs.
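The correlation described under "Correlating with Other Artifacts" and in the case above, as an added example that is not from the original page. The 4624 records are constructed in the XML shape Event Viewer exports, and the access list stands in for what .lnk parsing would produce; the user names, logon IDs and times are hypothetical, with the case's 9:15 PM taken as 21:15 UTC. Everything is compared in UTC, and non-interactive logon types (network, service) are excluded so that a backup service account logging on at the same minute is not blamed.

```python
"""Correlate file-open times with Security 4624 logon events.

Added example, not from the original page. The 4624 records are constructed
in the XML shape Event Viewer exports; the access list stands in for what
.lnk/RecentDocs parsing produces. Users, logon IDs and times are hypothetical.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# 2 = console, 7 = unlock, 10 = RDP, 11 = cached credentials. Type 3 (network)
# and 5 (service) logons are excluded: they do not imply someone at the keyboard.
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}


def parse_systemtime(s: str) -> datetime:
    """Windows writes 7 fractional digits and a trailing Z; trim to the 6 Python accepts."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_logons(xml_text: str) -> list[dict]:
    """Pull time, account, logon type and logon ID from every 4624 in the export."""
    logons = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        logons.append({
            "time": parse_systemtime(ev.find("e:System/e:TimeCreated", NS).get("SystemTime")),
            "user": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
            "logon_type": data.get("LogonType"),
            "logon_id": data.get("TargetLogonId"),
        })
    return logons


def correlate(accesses: list[dict], logons: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """For each file open, list interactive logons that began within `window`
    before it. A hit shows which account had a session, not who was in the chair."""
    rows = []
    for acc in accesses:
        for lg in sorted(logons, key=lambda l: l["time"]):
            if lg["logon_type"] in INTERACTIVE_LOGON_TYPES and timedelta(0) <= acc["time"] - lg["time"] <= window:
                rows.append({"file": acc["file"], "opened": acc["time"], "user": lg["user"],
                             "logon": lg["time"], "logon_type": lg["logon_type"], "logon_id": lg["logon_id"]})
    return rows


def sample_event(time: str, user: str, domain: str, logon_type: int, logon_id: str) -> str:
    """Constructed 4624 record (only the fields this script reads)."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">{domain}</Data>'
            f'<Data Name="TargetLogonId">{logon_id}</Data><Data Name="LogonType">{logon_type}</Data>'
            '</EventData></Event>')


SAMPLE_EVENTS_XML = "<Events>" + "".join([
    sample_event("2024-11-09T08:00:11.0000000Z", "jdoe", "CORP", 2, "0x2a1c30"),        # day before, out of window
    sample_event("2024-11-10T21:12:03.1234567Z", "jdoe", "CORP", 2, "0x3e7a91"),        # console logon, 3 min prior
    sample_event("2024-11-10T21:13:00.0000000Z", "svc_backup", "CORP", 5, "0x3e7b10"),  # service logon, excluded
    sample_event("2024-11-10T21:14:30.0000000Z", "asmith", "CORP", 3, "0x3e7c44"),      # network logon, excluded
]) + "</Events>"

# Stand-in for .lnk modification times; the case's 9:15 PM local is taken here as 21:15 UTC.
SAMPLE_ACCESSES = [
    {"file": "Financial_Report_Q3.xlsx", "time": datetime(2024, 11, 10, 21, 15, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_ACCESSES, parse_logons(SAMPLE_EVENTS_XML)):
        print(f"{row['file']} opened {row['opened']:%H:%M} UTC; {row['user']} logon type "
              f"{row['logon_type']} at {row['logon']:%H:%M} UTC (LogonId {row['logon_id']})")
```

The output names one candidate session. The TargetLogonId it carries is the handle to pull on next: process-creation events (4688) and the matching 4634/4647 logoff record bound that session and show what ran inside it.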


Tools for Analyzing Recent Files

  1. Registry Explorer (Eric Zimmerman)

    • GUI viewer that loads NTUSER.DAT directly (including its transaction logs) and decodes RecentDocs values and their MRU order.

    • Displays user activity in a structured format.

  2. RECmd (CLI Tool)

    • Command-line counterpart to Registry Explorer; its batch mode exports RecentDocs and other keys to CSV for timelines.

  3. LECmd (Eric Zimmerman)

    • Parses the .lnk files in the Recent folder, reporting the target path, the target's timestamps, the volume serial number and the shortcut's own timestamps.

  4. Timeline Explorer

    • Loads the CSV output of the tools above and shows file access in a chronological timeline.


Key Points

The Recent Files artifact is a powerful source of evidence in digital forensics, offering insight into which files a user opened. RecentDocs answers what was opened and in what order; the .lnk shortcuts answer where the file lived and when it was opened. Read together, and correlated with logon events and other artifacts, they let investigators reconstruct critical timelines, uncover unauthorized access, and support legal action in cases of data breaches or insider threats.
