Windows
Recent documents
Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Contains the list of all recent documents as one combined list and also the same data sorted by extension. MRUListEx is a list: it holds a number of 4-byte values, each noting the sequence number of a document. It starts from the number of the document that was accessed some time ago (first in the list) and ends with the most recently used one. This key also has a list of recently accessed folders.
⚠️🔎 I only had a short binary data stream under the ViewStream subkey.
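A minimal parser for the MRUListEx layout described above, as an added example that is not part of the original notes. It assumes the RecentDocs values have already been exported from the hive into a dict; the 0xFFFFFFFF terminator and the UTF-16LE name at the start of each numbered value are format details not stated on this page, and the sample data is constructed.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # marks the end of the MRUListEx sequence


def parse_mrulistex(data: bytes) -> list:
    """Return the 4-byte little-endian sequence numbers in stored order."""
    order = []
    for offset in range(0, len(data) - len(data) % 4, 4):
        (index,) = struct.unpack_from("<I", data, offset)
        if index == MRU_TERMINATOR:
            break
        order.append(index)
    return order


def value_name(blob: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE name of a numbered value."""
    for offset in range(0, len(blob) - 1, 2):
        if blob[offset:offset + 2] == b"\x00\x00":
            return blob[:offset].decode("utf-16-le", errors="replace")
    # No terminator found (truncated or carved data): decode what is there.
    return blob[:len(blob) - len(blob) % 2].decode("utf-16-le", errors="replace")


def resolve_recent_docs(values: dict) -> list:
    """Pair each MRUListEx entry with its document name, flagging orphans."""
    resolved = []
    for index in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(index))
        name = value_name(blob) if blob is not None else "<missing value>"
        resolved.append((index, name))
    return resolved


def _blob(name: str) -> bytes:
    # Constructed value data: name, NUL terminator, then placeholder trailing bytes.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00placeholder"


# Constructed sample: entry 7 is listed in MRUListEx but its value is absent.
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 2, 0, 7, 1, MRU_TERMINATOR),
    "0": _blob("report.docx"),
    "1": _blob("holiday.jpg"),
    "2": _blob("budget.xlsx"),
}

if __name__ == "__main__":
    for position, (index, name) in enumerate(resolve_recent_docs(SAMPLE)):
        print(position, index, name)
```

The same functions apply to each extension subkey, which carries its own MRUListEx and numbered values.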
ManagedByApp
Key 🔑: Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\PersistedStorageItemTable\ManagedByApp
Tracks images opened with the Microsoft Photos application. Shows the volume GUID (use other USB-related registry keys to assemble the picture), file path, date and time ⏰. LastUpdateTime shows when the file was … . This date and time is very close to LastInteracted from ShellBags. Go to MountedDevices in the SOFTWARE hive to find the device by the volume GUID, and then to SYSTEM's USBSTR -> PartitionTableCache.
This information is very useful for child abuse cases.
Screen Captures
Xbox, on later versions, is a built-in game centre. However, one of its features is used beyond gaming: screen recordings. Path: C:\Users\%Username%\XboxApp\GameDVR\OnThisPC\Videos\Captures
ThumbCache
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
macOS
Snapshots
Use tmutil to find and list all snapshots.
iOS
User Photos
- /private/var/mobile/Media/DCIM
- /private/var/mobile/Media/PhotoData/Photos.sqlite
- /private/var/mobile/Media/PhotoData/PhotoCloudSharingData/[DSID]