±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 34159
New Yesterday: 0 Visitors: 122

±Latest Articles

RSS Feed Widget

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Webinars

Forensic Analysis of the Windows Registry

Forensic Analysis of the Windows Registry

Page: 8/16


The following section highlights some of the important registry keys in Windows XP (Service Pack 2) and how they can be of benefit to help describing suspect activities on the computer.


MRU is the abbreviation for most-recently-used. This key maintains a list of recently opened or saved files via typical Windows Explorer-style common dialog boxes (i.e. Open dialog box and Save dialog box) (Microsoft, 2002). For instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser (including IE and Firefox) are maintained. However, documents that are opened or saved via Microsoft Office programs are not maintained. Subkey * contains the full file path to the 10 most recently opened/saved files. Other subkeys in OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones), which are grouped accordingly to file extension.


This key correlates to the previous OpenSaveMRU key to provide extra information. Whenever a new entry is added to the previous OpenSaveMRU key, registry value is created or updated in this key. Each binary registry value under this key contains a recently used program executable filename, and the folder path of a file to which the program has been used to open or save it. If a file is saved, the folder path refers to the saved file destination path; if a file is opened, the folder path refers to the file source path. New registry value will only be created to this key, if no existing registry values contain the program executable filename. However, if there is a matching executable filename in the existing values, only the folder path section of the related registry value is updated.


This key also maintains list of files recently executed or opened through Windows Explorer. This key corresponds to %USERPROFILE%\Recent (My Recent Documents). The key contains local or network files that are recently opened and only the filename in binary form is stored. It has similar grouping as the previous OpenSaveMRU key, opened files are organized according to file extension under respective subkeys. In addition, the Subkey Folder contains the folder (without drive letter and parent folder) of the recently open files. Subkey NetHood which corresponds to %USERPROFILE%\NetHood , contains only LAN shared folder path (server and folder name) which the file was opened. However, deleting this RentDocs key does not removed the content in both folders %USERPROFILE%\Recent and %USERPROFILE%\NetHood (Honeycutt, 2003, p. 102).

Previous Page Previous Page (7/16) - Next Page (9/16) Next Page