
Recent Activity

Execution

This is about … .

Recently used files

Windows

LNK

There are several artifacts indicating user activity. One of them is LNK files. To analyse acquired LNK files, use 🛠 LECmd (E. Zimmerman’s) or Link Parser.

Prefetch

Another mechanism is Prefetch. It’s usually located at C:\Windows\Prefetch. Several tools are available for viewing this artifact: Magnet AXIOM 💰, PECmd.

Recent Files

Recent files (LNK): C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent Files\ on Windows 11, C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent on Windows 10 and earlier. Each LNK captures the MAC times of the original file.
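
The MAC times of the original file are stored in the fixed 76-byte ShellLinkHeader at the start of each LNK, as defined in [MS-SHLLINK]. The following is an added example, not part of the original notes and not code from LECmd or Link Parser, that reads them; the function names and the sample header are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader per [MS-SHLLINK] 2.1: 76 bytes, little-endian, no padding.
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
HEADER = struct.Struct("<I16sIIQQQIiIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    if ft == 0:  # zero means the timestamp was not set on the target
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:  # garbage value in a damaged or carved file
        return None


def parse_lnk_header(data):
    """Return the link target's MAC times and size stored in the LNK header."""
    if len(data) < HEADER.size:
        raise ValueError("truncated: shorter than the 76-byte ShellLinkHeader")
    size, clsid, _flags, attrs, ctime, atime, wtime, fsize = HEADER.unpack_from(data)[:8]
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(wtime),
        "target_size": fsize,
        "target_attributes": attrs,
    }


# Constructed sample header (not from a real case): created 2024-01-01 00:00 UTC,
# access time unset, modified one hour later, 1234-byte archive-attribute file.
FT_2024 = 133485408000000000
SAMPLE = HEADER.pack(0x4C, LINK_CLSID, 0, 0x20, FT_2024, 0,
                     FT_2024 + 36_000_000_000, 1234, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for field, value in parse_lnk_header(SAMPLE).items():
        print(f"{field:18} {value}")
```

For an acquired file, pass its first 76 bytes to `parse_lnk_header`; the values returned describe the link target, not the LNK file's own filesystem timestamps.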