When a user opens an application like Microsoft Word they will have the ability to see a list of most recently accessed documents. This list is stored by the operating system in what’s called ‘the Windows Registry’. This stores a log of files under the ‘open/save MRU’ (Most Recently Used) registry key, storing records of recently opened web pages, documents, files, pictures, along with many other files. The last-visited MRU registry key then stores information linking the executable (eg. Microsoft Word) to the associated list of last visited documents.
In a forensic or incident response investigation, we use artifacts from the MRU to find evidence like:
- What documents have recently been open or saved
- What applications have been used to open/save files
- See the locations from where the file is launched (e.g. Notepad.exe was used to launch a file from C:\Users\John\Desktop folder)
These artifacts help build an understanding of what files may have been accessed and where they were accessed from. This information can help construct a timeline of user activity and what their intent may have been.