Open/Save and Most Recently Used

When a user opens an application like Microsoft Word, they can see a list of the most recently accessed documents. The operating system stores this list in the Windows Registry. The ‘open/save MRU’ (Most Recently Used) registry key keeps a log of files, storing records of recently opened web pages, documents, files, pictures, along with many other files. The last-visited MRU registry key then stores information linking the executable (e.g. Microsoft Word) to the associated list of last visited documents.

In a forensic or incident response investigation, we use artifacts from the MRU to find evidence like:

  • What documents have recently been opened or saved
  • What applications have been used to open/save files
  • The locations from which files were launched (e.g. Notepad.exe was used to launch a file from the C:\Users\John\Desktop folder)

These artifacts help build an understanding of what files may have been accessed and where they were accessed from. This information can help construct a timeline of user activity and indicate what the user's intent may have been.
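The following Python sketch is an added example, not part of the original page. It shows how the executable-to-folder link in the last-visited MRU can be recovered from raw value data. It assumes the layout used on Windows Vista and later under `Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`: an `MRUListEx` value holding little-endian DWORD slot numbers (most recent first, terminated by 0xFFFFFFFF), and numbered values that start with a null-terminated UTF-16LE executable name followed by a folder PIDL, which is left unparsed here. The sample bytes and function names are constructed for illustration.

```python
import struct

# Constructed sample data (not from a real system): value name -> raw bytes,
# shaped like the LastVisitedPidlMRU key. The PIDL bytes are dummy filler.
def _entry(exe: str, pidl: bytes) -> bytes:
    return exe.encode("utf-16-le") + b"\x00\x00" + pidl

SAMPLE_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("WINWORD.EXE", b"\x14\x00PIDL-A"),
    "1": _entry("notepad.exe", b"\x14\x00PIDL-B"),
    "2": _entry("mspaint.exe", b"\x14\x00PIDL-C"),
}

def parse_mrulistex(data: bytes) -> list[int]:
    """Return slot numbers in most-recent-first order."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore a truncated tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:  # terminator
            break
        order.append(idx)
    return order

def split_entry(data: bytes) -> tuple[str, bytes]:
    """Split a value into (executable name, remaining folder PIDL bytes)."""
    # Scan on 2-byte boundaries so the zero high byte of an ASCII
    # character is never mistaken for the UTF-16 terminator.
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le", errors="replace"), data[off + 2:]
    raise ValueError("no UTF-16 terminator found")

def last_visited(key: dict[str, bytes]) -> list[tuple[int, str, int]]:
    """List (slot, executable, pidl_length), most recent first."""
    rows = []
    for idx in parse_mrulistex(key.get("MRUListEx", b"")):
        raw = key.get(str(idx))
        if raw is None:  # slot is listed but its value no longer exists
            continue
        exe, pidl = split_entry(raw)
        rows.append((idx, exe, len(pidl)))
    return rows

if __name__ == "__main__":
    for slot, exe, n in last_visited(SAMPLE_KEY):
        print(f"slot {slot}: {exe} (folder PIDL, {n} bytes)")
```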