Solved

recent accessed documents on windows 7 computers

Posted on 2016-08-19
Last Modified: 2016-08-25
Aside from c:\users\username\appdata\roaming\microsoft\windows\recent and c:\users\username\appdata\roaming\microsoft\office\recent,

are there any other folders on a Windows 7 machine that would give clues about files a user has recently accessed? I have read about a "recent places" folder but can't find it on a copy of a user's HDD.
0
Question by:pma111

Accepted Solution

by:
Alexandre Michel earned 250 total points
ID: 41762521
There are many places that keep track of where a user has been.
Each application uses its own method for tracking this.
A lot of it is in the Registry, some are in "INI" files in the clear, some are in encrypted files.

If you use CCleaner, it will remove these tracks. See http://www.piriform.com/ccleaner
If you download CCEnhancer it will delete 100s of other files, logs, history & links. See https://singularlabs.com/software/ccenhancer/

If you want to forensically analyse a computer, then you could start CCleaner, BUT do NOT use this further than just to "Analyse".

In addition, every file that you open could leave hidden traces on your hard drive that could indicate file content. A program like Recuva can find these "crumbs". See https://www.piriform.com/recuva/download

And here is a free utility that can make your life a little easier if your purpose is to do a forensic analysis:

http://www.nirsoft.net/utils/open_save_files_view.html

OpenSaveFilesView is a simple tool that displays the list of files that you previously opened with the standard open/save dialog-box of Windows. For every file in the list, the following information is displayed: Filename, Extension, Order (The order that the files were opened for every file extension), Open Time (Available only for the last opened file of every file type), File Modified/Created Time, File Size, and File Attributes.

Actually, that web site has other utilities that you might find interesting for forensic purposes.
0
 

Assisted Solution

by:btan
btan earned 250 total points
ID: 41762696
Some areas of interest:
- Recently opened files from Windows Explorer
- Items recently run from the "Run" bar
- ComDlg32 recently opened/saved files
- ComDlg32 recently opened/saved folders
- Recent Docs
- Recycle Bin
- Internet Explorer Temp Folder (IE Cache)
- IE Typed URLs
- Recently Opened Office Docs
- Files recently accessed by Windows Media Player

http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

Also on anti-forensic attempts:

RecentDocs
Most of us are familiar with the RecentDocs key within the user hive.  This is one of the classic MRU keys, as the key itself and all of its subkeys contain values, and on Windows 7 systems, one of the values is named MRUListEx, and contains the MRU order of the other keys. The other values beneath each key are numbered, and the data is a binary format that contains the name of the file accessed, as well as the name of an associated shortcut/LNK file.

Each of the subkeys beneath this key are named for various file extensions, and as such, not only provide information about which files the user may have accessed, but also which applications the user may have had installed.

A means for determining the possible use of counter-forensics techniques is to compare the list of value names against the contents of the MRUListEx value; numbers in this value that do not have corresponding value names may indicate attempts to delete individual values.

Tools: RegRipper recentdocs.pl plugin

Drill into the registry for more info, as it is not necessarily only in the 'Recent' folder.

MS Office File/Place MRU Values
Each of the applications within MS Office 2010 maintains an MRU list of not only files accessed, but places from which files have been accessed (in separate keys).  In addition to the paths to the files or folders, respectively, the value string data contain entries that look like, "[T01CD76253F25ECD0]", which is a string representation of a 64-bit FILETIME time stamp.  As such, these keys aren't MRU keys in the more traditional sense of having an MRUList or MRUListEx value.

Tools: RegRipper office2010.pl plugin

Application-specific MRUs
A number of file viewers (Adobe Reader, MS Paint, etc.) maintain their own MRU lists.  Most often when interacting with the application, if you click on File in the menu bar of the app, the drop-down menu will contain (usually toward the bottom) a list of recently accessed files.  Many times, that information can be found in the Registry.

Tools:  RegRipper applets.pl and adoberdr.pl plugins

On Windows 8, the Photos key in the user's USRCLASS.DAT hive is used to track photos opened via the Photos app on the Windows 8 desktop (many thanks to Jason Hale for sharing his research on this topic).

Tools: RegRipper photos.pl plugin

Less likely, but gives a hint of intent to access:

TypedPaths
Similar to the shellbags artifacts, the TypedPaths key in the user's NTUSER.DAT hive maintains a list of folders that the user accessed; however, for this artifact, the paths were typed into the Windows Explorer Address Bar.

Users can also disable this feature, so if you find no values in the TypedPaths key, check for the AutoSuggest value.

Tools: RegRipper typedpaths.pl plugin

http://windowsir.blogspot.sg/2013/07/howto-determine-user-access-to-files.html

Useful tools include:
LastActivityView - displays a log of actions made by the user and events occurred on this computer. @ http://www.nirsoft.net/utils/computer_activity_view.html

RecentFilesView - display the list of all recently opened files, and allows you to delete unwanted filename entries @ http://www.nirsoft.net/utils/recent_files_view.html
0
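The MRUListEx consistency check described in the RecentDocs passage above, as an added example that is not part of either answer and is not RegRipper's code. It assumes the key's values have already been exported into a dict of value name to raw bytes; `SAMPLE` and the helper names are constructed for illustration.

```python
import struct

def parse_mrulistex(data):
    """MRUListEx: little-endian uint32 indexes, most recent first,
    terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) // 4 * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def filename_of(value_data):
    """Each numbered value starts with a NUL-terminated UTF-16LE file name."""
    for off in range(0, len(value_data) - 1, 2):
        if value_data[off:off + 2] == b"\x00\x00":
            return value_data[:off].decode("utf-16-le", errors="replace")
    return value_data.decode("utf-16-le", errors="replace")

def audit_recentdocs(values):
    """Compare the MRUListEx order against the numbered value names."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    present = {int(name) for name in values if name.isdigit()}
    return {
        # file names in most-recent-first order, for values that still exist
        "mru": [filename_of(values[str(i)]) for i in order if i in present],
        # listed in MRUListEx but no such value: possible individual deletion
        "missing": [i for i in order if i not in present],
        # value exists but is not referenced by MRUListEx
        "unlisted": sorted(present - set(order)),
    }

def _entry(name):
    # Constructed value data: file name, NUL, then the shortcut name.
    return (name + "\x00" + name + ".lnk\x00").encode("utf-16-le")

# Constructed sample: value "2" has been removed but MRUListEx still lists it.
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 3, 2, 1, 0, 0xFFFFFFFF),
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.txt"),
    "3": _entry("report.docx"),
}

if __name__ == "__main__":
    print(audit_recentdocs(SAMPLE))
```

A non-empty `missing` list is the indicator the passage describes; it is a lead to corroborate against other artifacts, not proof of deletion on its own.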
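Decoding the "[T01CD76253F25ECD0]" time stamp from the MS Office MRU passage above, as an added example that is not part of either answer. Because these keys carry no MRUListEx, the entries are ordered by the decoded FILETIME; the layout of the sample strings around the `[T...]` field, the value names and the paths are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# "[T" followed by 16 hex digits: a 64-bit FILETIME as a string
T_FIELD = re.compile(r"\[T([0-9A-Fa-f]{16})\]")
# Leading bracketed fields and an optional "*" before the path (assumed layout)
PREFIX = re.compile(r"^(?:\[[^\]]*\])+\*?")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(hex_ticks):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    ticks = int(hex_ticks, 16)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_office_mru(value_data):
    """Return (utc_time, path) for one MRU string, or None if no [T...] field."""
    match = T_FIELD.search(value_data)
    if match is None:
        return None
    return filetime_to_utc(match.group(1)), PREFIX.sub("", value_data)

def order_by_time(values):
    """Most recently accessed first, based on the embedded time stamps."""
    parsed = [p for p in map(parse_office_mru, values.values()) if p]
    return sorted(parsed, reverse=True)

# Constructed sample values; only the first time stamp comes from the page.
SAMPLE = {
    "Item 2": r"[F00000000][T01CD70003F25ECD0]*C:\Users\example\Documents\old.docx",
    "Item 1": r"[F00000000][T01CD76253F25ECD0]*C:\Users\example\Documents\plan.docx",
    "Item 3": "no time stamp here",
}

if __name__ == "__main__":
    for when, path in order_by_time(SAMPLE):
        print(when.isoformat(), path)
```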
