Hello, and welcome back to Windows Registry Forensics, Course 3, the NTUSER.DAT hive, Section 9, Microsoft Office MRU (most recently used). This subkey tracks Microsoft Office recently used documents.

Before we get started, a quick review of what we have covered in Course 3, the NTUSER.DAT hive file. The RecentDocs subkey: these are documents that were recently accessed by a specific user. This also includes recent documents by file extension in separate MRU lists. Typed URLs, Section 2: this tracks URLs typed into the Internet Explorer address bar. This becomes populated when a user types or uses the autocomplete function to type a URL web address into the Internet Explorer address bar. Section 3: this subkey maintains a list of items such as programs, shortcuts, and Control Panel applets that a user has accessed, making these programs accessible to the user from the Start menu. Recent apps, Section 4: these are applications accessed by a specific user. This also will show files, in some cases, that were accessed with the application. The Run and RunOnce subkeys in Section 5: this is user-specific, being in the NTUSER.DAT hive, and this shows user-specific programs that are set to run at startup, with no interaction from the user other than logging into Windows. ComDlg32 in Section 6: this tracks application usage relating to the OpenSave MRU, when a user opens or saves a file using the Windows Explorer Open/Save dialog box. RunMRU in Section 7: these are programs or applications that are launched through the Windows Run box. Typed paths: typed paths is created when a user types a path to a directory, a file or an application into the Windows Explorer. Files can be opened and programs can also be executed from typing the full path along with the executable or the file name, as we demonstrated in Section 8.

In this section, Section 9, we're going to cover Microsoft Office MRU, most recently used.
This will contain an MRU order, a key last access date, a full file path, a filename, and a last access date for each individual file, and this is only for Microsoft Office applications.

Here we see a visual representation of what we would see using one of our tools. We can see that we have more than one version of Office that was installed on this particular computer. We see Office 14.0 and Office 15.0, and beneath there we see the applications: Excel, PowerPoint and Word. The versions are highlighted or outlined in purple, and the applications are outlined in blue. If we expand the Excel subkey, we can see our File MRU. This is going to list the files that are most recently used, and we see a count of 35, and we see a key last write time of 2018-03-17 at a time of 11:00:19. If we look to the right, we see our MRU list order, starting from one and going down. To the right of that, we see some brackets with some numbers, which we're going to talk about very shortly, and we also see the full file path and the file name. We can see that there was a user, we can see the user's name, we can see it was on his desktop, we can see the directory it was in, and we can also see the name of the file, if we're looking at the first one.

Taking a closer look at the order, we can see them outlined. If we move to the right, outlined in pink, that second set of brackets, and that very long number, we see a T followed by hexadecimal values. This is where the time is stored. This is the location of the file time for each of those files.

Next slide: the file time format is Windows 64-bit big-endian. We would read it from left to right. We disregard the T, the T stands for time, and we're reading the hexadecimal values to the right of the T, and we're reading them from left to right.
Using DCode, we can decode these values, and you can see here we've taken the value outlined in green, plugged it into DCode, we use the function of Windows 64-bit hex value big-endian, and we get a date and time. We can see the one at the top would be the most recently used, so theoretically that should match the File MRU key last written timestamp. When we look at that, it does match. We can see that it is March 17th, 2018 at 11:00:19 in UTC, and these times are stored in UTC, and we can see that does match the last written timestamp of the File MRU subkey. We know that was the most recently used one. If we look at the bottom, Number 34, which was our last entry, and we decode that time, we see a much earlier date of April 22nd in the year 2016, at 12:04:28 UTC. Again, the value is decoded as Windows 64-bit hex value big-endian.

This key contains an MRU order, so we can see the order in which these files were accessed, and we can see the program that they were accessed with. We have a key last access date and time. We have a full file path, so you're able to see where in the file system this file was: was it on his desktop, was it in downloads, was it in documents. We can even see the directory that contained the file, which may be important depending on the case we're looking at. We can see the name of the file, which may be very important, especially in intellectual property theft cases. We can see a last access date for each individual file, and this also shows us that the user interacted with the file, and it shows us the application that was used to access that file. This key has a lot of information in it. It is only for Microsoft Office products such as PowerPoint, Excel, Word.
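The decoding walked through above, as an added example that is not part of the original lecture: a Python parser that takes a File MRU value, reads the T field as a big-endian 64-bit FILETIME, and returns the UTC time with the file path. The two sample values are constructed to match the dates quoted in the lecture; the paths, the value names, the F and O fields and the function names are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELD_RE = re.compile(r"\[([A-Za-z])([0-9A-Fa-f]+)\]")

# Constructed sample data (not from a real hive): bracketed fields, '*', then path.
SAMPLE_ITEMS = {
    "Item 1": r"[F00000000][T01D3BDDF23366380][O00000000]*C:\Users\example\Desktop\Project\budget.xlsx",
    "Item 2": r"[F00000000][T01D19C8F1EB6AE00][O00000000]*C:\Users\example\Documents\notes[T1].xlsx",
}

def filetime_hex_to_utc(hex_value):
    """Decode a 64-bit FILETIME written as big-endian hex (read left to right)."""
    if len(hex_value) != 16:
        raise ValueError(f"expected 16 hex digits, got {hex_value!r}")
    ticks = int(hex_value, 16)  # 100-nanosecond intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_file_mru_item(data):
    """Return (last_access_utc, full_path) for one File MRU value string."""
    header, sep, path = data.partition("*")
    if not sep:
        raise ValueError("no '*' separator before the path")
    # Only the header is scanned, so brackets inside a file name are ignored.
    fields = {tag.upper(): value for tag, value in FIELD_RE.findall(header)}
    if "T" not in fields:
        raise ValueError("no [T...] time field in value")
    return filetime_hex_to_utc(fields["T"]), path

def mru_timeline(items):
    """Parse every value and return (name, utc_time, path) rows, newest first."""
    rows = [(name, *parse_file_mru_item(data)) for name, data in items.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    # Key last write time quoted in the lecture; the newest entry should match it.
    key_last_write = datetime(2018, 3, 17, 11, 0, 19, tzinfo=timezone.utc)
    for name, when, path in mru_timeline(SAMPLE_ITEMS):
        note = " (matches key last write)" if when == key_last_write else ""
        print(f"{name}: {when:%Y-%m-%d %H:%M:%S} UTC  {path}{note}")
```
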