Recent docs

On February 19, 2011, in analysis, Forensics, by MegaDeus

A good place to examine is RecentDocs, also known as “Recently used documents”.
There are 2 places you can check out for clues.

1>
Navigate to the following:
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent

2>
Examine the RecentDocs key in the NTUSER.DAT registry hive:
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

3>
I used a cool tool called RegRipper. RegRipper is a Windows Registry data extraction and correlation tool. It goes through specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32API. And this is the end result.
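As an added illustration of what a tool like RegRipper has to do with this key (example code written for this post, not RegRipper's own Perl plugin), the following parses the RecentDocs value layout: each numbered value starts with the file name as null-terminated UTF-16LE followed by shell item data, and MRUListEx is a list of little-endian DWORD indexes, most recent first, ending in 0xFFFFFFFF. The sample values are constructed, not taken from a real hive; the same routine applies to the per-extension subkeys under RecentDocs, which share the layout.

```python
import struct

# Constructed sample of a RecentDocs key's values, shaped like what a hive
# parser would hand back. The shell-item trailer is abbreviated to zero bytes.
def encode_name(name: str, trailer: bytes = b"\x00" * 8) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00" + trailer

SAMPLE_VALUES = {
    # indexes 2, 0, 1 -> report.docx was opened most recently
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": encode_name("budget.xlsx"),
    "1": encode_name("notes.txt"),
    "2": encode_name("report.docx"),
}

def parse_mrulistex(data: bytes) -> list[int]:
    """Return the value indexes in MRU order, stopping at the 0xFFFFFFFF terminator."""
    order = []
    for off in range(0, len(data) - 3, 4):  # ignore a truncated trailing DWORD
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def decode_name(value: bytes) -> str:
    """Extract the UTF-16LE file name that precedes the binary shell item data."""
    # Scan only even offsets: a naive search for b"\x00\x00" would match the
    # high byte of an ASCII character plus the low byte of the next one.
    for off in range(0, len(value) - 1, 2):
        if value[off:off + 2] == b"\x00\x00":
            return value[:off].decode("utf-16-le")
    return value.decode("utf-16-le", errors="replace")  # no terminator found

def recent_docs_in_order(values: dict[str, bytes]) -> list[str]:
    """List the document names most-recent-first, as an examiner wants to read them."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(idx))
        if blob is None:
            continue  # dangling index: the numbered value is missing from the key
        names.append(decode_name(blob))
    return names

if __name__ == "__main__":
    for pos, name in enumerate(recent_docs_in_order(SAMPLE_VALUES), 1):
        print(f"{pos}. {name}")
```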


One Response to Recent docs

  1. RegRipper is one of the most used tools in my Windows analysis arsenal… and the biggest motivator I’ve had to learn Perl. There are so many registry keys, and many change between OS versions, so it was nice to find a blog that goes over one – helps me to remember it! Hope to hear more from you!
