Recently used files

Created: 02.06.2023



There are several artifacts indicating user activity. One of them is LNK files. To analyse acquired LNK files use πŸ›  LECmd (E. Zimmerman’s) or Link Parser.


Enother mechanism is Prefetch. It’s usually located at C:\Windows\Prefetch. Several tools are available for viewing this artifact: Magnet AXIOM πŸ’°, PECmd.

Recent Files

Recent files (LNK) - C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent Files\ on Windows 11, C:\Users\veronicazvereva\AppData\Roaming\Microsoft\Windows\Recent Windows 10-. Captures the MAC times of the original file.

Last Accessed (filetime, NTFS timestamps) for a file is updated by FTK.

1.18 original file opened

several mins passed

File association

Key πŸ”‘: Classes. For each extension there is a OpenWith - suggestions, which program can be used. That’s the file association itself. OpenWithProgIDs - user-selected.

Key πŸ”‘: Software\Microsoft\Windows\CurrentVersion\Applets. Something that comes with Windows (built-in).

Recent documents

Key πŸ”‘: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Contains the list of all recent documents as a bunch and also the same data sorted by extension. MRUListEx is list. It has a number of 4 byte values, each noting the sequence number of a document. It starts from the document’s number that was accessed some time age (first in the list) and ends with the most recently used one. This key also has a list of recently accessed folders.

βš οΈπŸ”Ž I only had a short binary data stream under the ViewStream subkey.

Office MRU

Key πŸ”‘: NTUSER.DAT\Software\Microsoft\Office\XX.X.

You might see if there were several versions of Microsoft Office installed. Expanding Word|Excel|PowerPoint etc and looking at the entries, they have a Txxxxxxxx in the middle. That’s time (Win64 big-endian, UTC).

Jump List Data and LNK

Key πŸ”‘: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData.

LnkFilesAndJumpLists: Path: C: (Users\ (*\AppData\Roaming\Microsoft\Windows\ Recent
LnkFilesAndJumpLists: Path: C: Documents and Settings\|*\Recent
LnkFilesAndJumpLists: Path: C: (Documents and Settings| |* Desktop| |*. lnk
LnkFilesAndJumpLists: Path: C:| Users \* Desktop \*.lnk
LnkFilesAndJumpLists: Path: C:\ Users\ \* AppData\Local\ConnectedDevicesPlatform||*||*.db

Shows applications accessed.


Key πŸ”‘ : UsrClass\Local Settings\Software\Microsoft\Windows\Shell\BagMRU . Values: MRUListEx, NodeSlot, Subkeys.

Key πŸ”‘ : UsrClass\Local Settings\Software\Microsoft\Windows\Shell\Bags. Values: Shell, will have folder’s GUID.

volatility.exe -f memory.dmp --profile=Win7SP1x64 shellbags

Created On: when the folder was created/moved/renamed. Last accessed and created are sometimes the same. Last modified is when the preferences were last changed (window resized, view options changed). Mind if it’s utc or gmt. Also, this data might be updated with a little lag. Last key write time is the ShellBag’s timestamp.

⚠️ Shortcuts MAC times are not updated!

⚠️ Fat16 only records date. No time. So the Last accessed time for a fat16 formatted folder will be 00:00:00.000. It’s more usual for a USB removable media.

Created On, Modified On and Last accessed on are all FS timestamps ❗️❗️❗️ However, Registry last write time is its own timestamp and it seems to be updated even when no preferences were changed.

Track Windows folder settings (how the view is set), track zip files, folder access, even if information was deleted. Can also show folders on removable media. This data is a little bit confusing at first, but can be digested in a couple of minutes. One important thing to note is that both keys are interconnected. I’ve used arrows, squares and circles to mark data corresponding to each for better visualization on the picture below. Sometimes, additional info for NTFS filesystem will be available (MFT record number) and file system type as well, not always however.

⚠️ Proves that the user interacted with these folders if they are found in ShellBags but not on the system.

❓ How about when being hacked? A hacker might delete the folder.

Right under BagMRU subkey, there is only one subkey (in this case, in case of shell bags, a folder): 0. MRUListEx contains a list of folders inside this one identified by sequence numbers. In our example there are only three subfolders (and, hence, values in the list) in this folder: 00 00 00 00, just 0 in little-endian (green), 01 00 00 00, just 1 in little-endian (orange) and 02 00 00 00, just 2 in little-endian (purple). Above the MRUListEx there are three values in our case, each corresponding to the subfolder and containing a folder path and name. In the example below the 0 subfolder’s value is expanded and marked with a green circle.

Each of these folders in the list will have a corresponding subkey inside our 0 subkey/folder (marked with arrows on the left).


So, we have a parent folder info, what folders it contains and the paths to them. Now, since ShellBags store folder settings, where are they? Under the second subkey, Bags. But since sequence numbers are used here as well, how do we find the folder we need? Are these sequence number the same as on the picture above? The answer is no. On the picture above numbering restarts from 0 for each folder’s subfolders, so that each folder that has at least one subfolder, will have at least 0 value and a 0 subkey. However, the Bags subkeys numbers folders sequencially. Each subkey representing a folder in a BagMRU subkey we’ve seen above, will have a value NodeSlot. This is a number it’s identified by withing Bags subkey. See the below example for the folder 0.


πŸ›  ShellBagsExplorer (E. Zimmerman) is a tools that helps automating this process which is useful for larger amount of data.


The above is an example of the ShellBagsExplorer for my Windows 10 Parallels VM. Pretty user-friendly representation and lot’s of valuable information. Note the folders on the very top: \\Mac\vm, \\Mac\Home and \\Mac\AllFiles. Someone who is using Paralells Windows 10 on Mac might note this at once, that this is a VM running on a Mac. Also, both \\Mac\Home and \\Mac\AllFiles are no longer available for Windows 10, but they were not deleted from the registry as you may see. That’s because when folders are deleted, they are not deleted from here, at least not soon.


General Properties get information from OS metadata and Statistics tab for word.exe is for embedded metadata. If the timestamps are different is probably from a fatal system error. On reboot file was opened by recovery option which changed the embedded timestamps.

Also, some information can be hidden within embedded metadata. Just imagine, that most of the data for a tiny office document is the meta. πŸ›  One of the tools to view DocScrubber. Office documents also have additional meta that reveals much about the document, for example, who edited it, user name, user initials, org name, comp name, doc location, previous authors, revision logs (Word, Excel), version logs (Word), template file name (Word, PowerPoint), hidden text (Word, Excel), GUIDs. If the file was renamed and then reopened, it’s seen as a new file and editing clocks ⏰ start over.

πŸ§ΉπŸ‘£ There are certains anti-forensics techniques that allow cleansing the file’s metadata.

Do not forget about autosaved docs (asd). Also, sometimes the Track Changes feature was enabled.

Temp file

Some of the programs keep tmp files. Digital Archaeology, page 173 (Kindle, Mining the Temporary Files) has a table of some temp files for different applications on a Windows machine. Some of them will be deleted on OS shutdown, but can also be carved before overwritten anyway.


Alternate data streams, see more here. Are there such streams for other OS? If yes, how to make them and discover them?

To ensure compatability between NTFS and HFS. Allows hiding files.

C:\type C:\mal.exe > C:\readme.txt:naughty.exe
start readme.txt:naughty.exe
C:\mklink innocent.exe readme.txt:naughty.exe

# to run

But dir /r - will display all streams. LNS and Sfind will hunt down such files. Also, when you copy files from and to a FAT partition - all residual files will be deleted.

On Windows machines (NTFS file system) it’s possible to “append” a file to another file in such a way that this files is not visible with standard tools. This notion is called an alternate data stream. There are several problems that arise in this case:

  • The host file’s hash is not changed, because technically it is not a part of this file. To check - fciv.
  • The host file’s size is not changed, again, because technically it is not a part of this file.
  • These files are not visible for the file system and therefore such tools as cmd, PowerShell, Explorer or others won’t see them if don’t know the magic πŸͺ„ word. Even if you run type filewithlitter.txt you won’t see the stream file’s contents, only the original one’s.

How to create an ADS

type litter.txt > host.txt:litterhidden.txt

How to check a directory for an ADS

streams -s <directory>

How to get a file from a stream

You need to know its name to be able to reference it:

notepad host.txt:litterhidden.txt

If you find a program file with an executable attached, it’s almoust always means something malicious is at place. Sometimes, attackers might hide the extension. In this case the file size might be a good reason to dig deeper.

How to delete the stream

streams -s -d <directory>. Quite dangerous since you might delete something good instead. Some system files are stored as streams for legitimate reasons. Why, btw?


Obtain and image or physical evidence to work with. For Android, to see installed apps and recent activity:

  • packages.list
  • packages.xml - to see permissions for all applications in one place. For example, if this application has a SMS or messaging permission, you’ll know to look. Or, for example, I need all applications with chat permissions or access to the camera.
  • com.vending.adnroid
  • usagestats
  • usage history
  • battery stats
  • recent images
  • snapshots

tccb on iOS?

Chromebook - extension preferences file.

Run commercial tools to parse the info. If not, then try to find some specific parser, may be for similar app and try.

Create profiles and you any real data for generation.

Fake data - mockaroo and

  1. take the snapshot of the system state before populating with data
  2. Write a script-plan
  3. take notes
  4. perform actions 1 min apart
  5. scrrencap actions
  6. document them (log with script)
  7. compare with the the baseline “snapshot” from step 1.

Do not make assumptions before testing! For example, a QuizUp game folder contained some usernames and pictures and the assumption would be that this person was in touch with the suspect. However, testing revealed that when you choose to randomly find you a rival from around the globe 🌎, QuizUp automatically adds them to the player’s contacts.

Jessica advices to use appropriate view-managers for specific files, but I would also recommend to check these files in hex as well. There was once a case when I performed vulnerability assessment of a mobile application and I got a SQLite DB, opened it in SQLite Browser DB and couldn’t find the data I was looking for. However grep command showed that this data was in the DB. I opened it in hex and noticed that it might have been damaged because there was an amount of data almoust the same size as the visible one, that was not shown in the viewer. Perhaps that were some deleted rows or the DB was damaged indeed.

Applications of different versions or platforms may have different data structure. For example, iOS QuizUp had a geolocation field, while Android didn’t at that point in time. [1]


β€’ /private/var/mobile/Library/CoreDuet/Knowledge/ knowledgeC.db


  • /private/car/mobile/Library/Application

  • Support/

  • RMAdminStore-Local.sqlite


    β€’ /private/var/mobile/Library/Containers/Data/ Application/[APPGUID]/Library/Splashboard/ Snapshots/


Expand… Something here