Logo
RSS Feed

🎞 Media Files

Created: 12.10.2020

Windows

Recent documents

Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Contains the list of all recent documents as a bunch and also the same data sorted by extension. MRUListEx is list. It has a number of 4 byte values, each noting the sequence number of a document. It starts from the document’s number that was accessed some time age (first in the list) and ends with the most recently used one. This key also has a list of recently accessed folders.

⚠️🔎 I only had a short binary data stream under the ViewStream subkey.

ManagedByApp

Key 🔑: Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\PersistedStorageItemTable\ManagedByApp.

Tracks images opened with Microsoft application. Shows volume GUID (use other USB-related registry to assemble the picture), file path, data and time ⏰. LastUpdateTime shows when the files was … . This date and time is very close LastInteracted from ShellBags. Go to MountedDevices in SOFTWARE hive to find the device by the volume GUID and the to SYSTEM’s USBSTR -> PartitionTableCache.

This information is very useful for child abuse cases.

Screen Captures

Xbox, on later versions, is a built-in game centre. However, one of the features is used beyond gaming: screen recordings. C:\Users\%Username%\XboxApp\GameDVR\OnThisPC\Videos\Captures.

ThumbCache

ThumbCache: Path: C: \Users\ \*\AppData\ Local\Microsoft\Windows\ Explorer\ thumbcache\_\*.db

macOS

Snapshots

tmutil to find and list all snapshots

iOS

User Photos

  • /private/var/mobile/Media/DCIM
  • /private/var/mobile/Media/PhotoData/Photos.sqlite
  • /private/var/mobile/Media/PhotoData/
  • PhotoCloudSharingData/[DSID]