±Forensic Focus Partners
|New Today: 0||Overall: 33492|
|New Yesterday: 5||Visitors: 162|
Forensic Analysis of the Windows RegistryBack to top Back to main Skip to menu
Forensic Analysis of the Windows Registry
The following section highlights some of the important registry keys in Windows XP (Service Pack 2) and how they can be of benefit to help describing suspect activities on the computer.
MRU is the abbreviation for most-recently-used. This key maintains a list of recently opened or saved files via typical Windows Explorer-style common dialog boxes (i.e. Open dialog box and Save dialog box) (Microsoft, 2002). For instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser (including IE and Firefox) are maintained. However, documents that are opened or saved via Microsoft Office programs are not maintained. Subkey * contains the full file path to the 10 most recently opened/saved files. Other subkeys in OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones), which are grouped accordingly to file extension.
This key also maintains list of files recently executed or opened through Windows Explorer. This key corresponds to %USERPROFILE%\Recent (My Recent Documents). The key contains local or network files that are recently opened and only the filename in binary form is stored. It has similar grouping as the previous OpenSaveMRU key, opened files are organized according to file extension under respective subkeys. In addition, the Subkey Folder contains the folder (without drive letter and parent folder) of the recently open files. Subkey NetHood which corresponds to %USERPROFILE%\NetHood , contains only LAN shared folder path (server and folder name) which the file was opened. However, deleting this RentDocs key does not removed the content in both folders %USERPROFILE%\Recent and %USERPROFILE%\NetHood (Honeycutt, 2003, p. 102).