URL: https://forensafe.com/blogs/lastvisitedmru.html


INVESTIGATING LASTVISITEDMRU

03/08/2021 TUESDAY


LastVisitedMRU is a Windows registry key that tracks the applications used to
open or save files that are documented in the OpenSaveMRU key. The key also
tracks the location of the last file that was accessed (opened or saved) by that
application. This is how the "Open"/"Save As" Windows shell dialog boxes keep
track of the last directory used by an application when the user is trying to
open or save a file. The key name differs between Windows XP and later Windows
versions (LastVisitedMRU on Windows XP and 2003; LastVisitedPidlMRU on Vista
through Windows 10 systems).



DIGITAL FORENSICS VALUE OF LASTVISITEDMRU ARTIFACTS


The LastVisitedMRU/LastVisitedPidlMRU key tracks the application used to
open/save files stored in OpenSaveMRU as well as the folder location of the last
file that was accessed (opened or saved) by that application. Being able to
track such information can be critical during the digital forensic analysis
process.



LOCATION OF LASTVISITEDMRU ARTIFACTS



Windows XP:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows 7, 8 and 10:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU



STRUCTURE OF LASTVISITEDMRU ARTIFACTS


The key contains multiple values. These values/items are assigned numbers as
names (or letters for Windows XP). The items are numbered in ascending order
according to their creation time, and each item stores the data (the application
executable and full path) in binary format. The LastVisitedMRU/LastVisitedPidlMRU
key also contains an ‘MRUListEx’ value (or ‘MRUList’ for Windows XP), which lists
the order in which the files were accessed.
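
The ordering described above can be reproduced by hand. The following is an added example, not code from Forensafe or ArtiFast; it assumes the commonly documented layout (MRUListEx as little-endian DWORDs ending in 0xFFFFFFFF, value data starting with a NUL-terminated UTF-16LE executable name), and every sample value in it is constructed.

```python
from __future__ import annotations
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: little-endian DWORDs, most recent first, ended by 0xFFFFFFFF."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (n,) = struct.unpack_from("<I", data, off)
        if n == 0xFFFFFFFF:
            break
        order.append(n)
    return order

def split_utf16z(data: bytes) -> tuple[str, bytes]:
    """Split off the leading NUL-terminated UTF-16LE string; return (string, rest)."""
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le", "replace"), data[off + 2:]
    return data[:len(data) - len(data) % 2].decode("utf-16-le", "replace"), b""

def mru_report(values: dict[str, bytes], xp: bool = False) -> list[dict]:
    """Rank the key's values; mru_order 1 is the most recently used entry."""
    if xp:  # XP: MRUList is a string of value-name letters
        names = list(split_utf16z(values["MRUList"])[0])
    else:   # Vista and later: MRUListEx holds numeric value names
        names = [str(n) for n in parse_mrulistex(values["MRUListEx"])]
    rows = []
    for rank, name in enumerate(names, start=1):
        if name not in values:  # order list points at a value that no longer exists
            rows.append({"mru_order": rank, "value_name": name, "exe": None, "folder": None})
            continue
        exe, rest = split_utf16z(values[name])
        # Assumption: XP stores the folder as a second UTF-16LE string;
        # on Vista and later the remainder is a PIDL, which is not decoded here.
        folder = split_utf16z(rest)[0] if xp else None
        rows.append({"mru_order": rank, "value_name": name, "exe": exe, "folder": folder})
    return rows

def u16(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample values (raw value bytes as read from NTUSER.DAT); PIDL is a placeholder.
PIDL = b"\x04\x00\xaa\xbb\x00\x00"
SAMPLE_PIDL = {"MRUListEx": struct.pack("<5I", 1, 0, 3, 2, 0xFFFFFFFF),
               "0": u16("notepad.exe") + PIDL, "1": u16("chrome.exe") + PIDL,
               "2": u16("mspaint.exe") + PIDL}
SAMPLE_XP = {"MRUList": u16("ba"), "a": u16("WINWORD.EXE") + u16("C:\\Docs"),
             "b": u16("mspaint.exe") + u16("C:\\Pics")}

if __name__ == "__main__":
    for row in mru_report(SAMPLE_PIDL) + mru_report(SAMPLE_XP, xp=True):
        print(row)
```

An entry that appears in the order list but has no matching value is reported with an empty executable name, which is worth noting in an examination because it can indicate that a value was deleted.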

LastVisitedMRU key
LastVisitedPidlMRU key




ANALYZING LASTVISITEDMRU ARTIFACTS WITH ARTIFAST WINDOWS


This section discusses how to use ArtiFast Windows to analyze the LastVisitedMRU
artifact from Windows machines and what kind of digital forensics insight we can
gain from the artifact.

After you have created your case and added evidence for investigation, at the
Artifacts Parser Selection Phase, you can select LastVisitedMRU Artifact:








Once the ArtiFast parser plugins finish processing the artifacts for analysis,
they can be reviewed via "Artifact View" or "Timeline View", with indexing,
filtering, and searching capabilities. Below is a detailed description of the
Last Visited MRU artifact in ArtiFast software.


Last Visited MRU Artifact

This artifact contains information related to the executables used to access the
files documented in the OpenSaveMRU key. The details you can view include:


 * File Name - The name of the application that was used to open/save the file.
 * Full Path - The directory location of the file that the application
   accessed through the "Open"/"Save As" dialog.
 * Parent Key Modification Date - The date and time when the MRU registry key
   was last modified.
 * Registry Value Name - The name of the value within the registry key.
 * MRU Order - The order in which the folders were accessed by applications. A
   value of 1 indicates that the file was the most recently accessed.
 * Located At - The full path to the value within the registry key.


