DFIR-Notes
Start Menu Run MRUs

The RunMRU registry key records the commands a user has entered into the Start menu's Run dialog, so it is a record of programs, files, and scripts the user launched that way.

Overview:

  • Purpose: Tracks entries typed into the Windows Run dialog (Win + R).

  • Registry Location:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • Structure:

    • Stores commands executed through the Run dialog.

Benefits for DFIR:

  • Command History: Reveals applications, files, or scripts executed by the user, and is useful for analyzing past commands and scripts.

  • Timeline Construction: Establishes what commands were run and their sequence.

  • Application Tracking: Stores a list of applications that have been run via the Start menu's Run dialog, helping to reconstruct user activities.

  • Execution Order: Maintains the order in which the applications were executed, providing insight into user actions and behaviors.

How It Works:

  • The key stores, for each entry:

    • Command: Full path or name of the file or program executed.

    • Order: The sequence in which the entries were used, for correlation with other artifacts.
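The following is an added example and not code from the original page. It reconstructs the Run-dialog history from a RunMRU key that was exported with `reg export`, using the known on-disk layout of the key (not stated above): each command is a REG_SZ value named with a single letter and is stored with a trailing `\1`, and the MRUList value lists those letters from most recent to least recent. The `.reg` text, the user name, the host names and the file path are all constructed sample data, and the helper names are the example's own.

```python
"""Added example (not from the original page): rebuild the Run-dialog history
from a RunMRU key exported with `reg export`.

Assumed facts about the key (known RunMRU layout, not stated on the page):
each command is a REG_SZ value named with a single letter and is stored with
a trailing "\\1"; the MRUList REG_SZ value lists those letters from most
recent to least recent. The .reg text below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample of `reg export "HKCU\...\RunMRU" runmru.reg` (decoded to str).
# Value "d" is deliberately left out of MRUList to exercise the consistency check.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="cmd\\1"
"b"="notepad C:\\Users\\alice\\notes.txt\\1"
"c"="\\\\fileserver01\\finance\\1"
"d"="mstsc /v:jumphost01\\1"
'''

# "name"="value" lines; both sides may contain backslash-escaped characters
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Undo .reg escaping (a backslash escapes the character that follows it)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str, key_path: str) -> Dict[str, str]:
    """Return the REG_SZ name -> value pairs found under key_path in a .reg export."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        match = _VALUE_RE.match(line)
        if match:
            values[_unescape(match.group(1))] = _unescape(match.group(2))
    return values


def strip_terminator(command: str) -> str:
    """Drop the literal "\\1" that Explorer appends to every RunMRU command."""
    return command[:-2] if command.endswith("\\1") else command


def run_history(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (slot, command, note) most recent first, following MRUList.

    Slots that MRUList names but the key lacks, and commands the key holds but
    MRUList does not list, are kept and flagged rather than silently dropped.
    """
    history: List[Tuple[str, str, str]] = []
    listed = values.get("MRUList", "")
    for slot in listed:
        if slot in values:
            history.append((slot, strip_terminator(values[slot]), ""))
        else:
            history.append((slot, "", "named in MRUList but value missing"))
    for slot in sorted(values):
        if slot != "MRUList" and len(slot) == 1 and slot not in listed:
            history.append((slot, strip_terminator(values[slot]), "present but not in MRUList"))
    return history


if __name__ == "__main__":
    for slot, command, note in run_history(parse_reg_export(SAMPLE_REG_EXPORT, RUNMRU_KEY)):
        print(f"{slot}: {command}" + (f"  [{note}]" if note else ""))
```

Entries that MRUList does not account for are worth a second look during an investigation: they can indicate a partially cleared key or a value written by something other than the Run dialog, and the same ordering logic applies to other MRUList-style keys under Explorer.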

Tools:

  • Registry Explorer: Extracts and deciphers Run MRU entries.

  • Autoruns: Checks for anomalous entries in startup commands.

Related MRU artifacts, for example:

MRU Folder Access

The MRU Folder Access artifact category details information concerning folders accessed by a Windows application using the Open / Save file dialog. This functionality is often used by third-party applications, which means that as an examiner you may find evidence of access to folders that were browsed during file open or save operations associated with a variety of programs on the system. Windows Vista and later may include entries that reference a PIDL path, which contains GUID values, instead of relative path strings.

For Windows Vista and later, this data is stored at:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

MRU Opened-Saved Files

The MRU Opened/Saved Files artifact category details information about the last files accessed by an application using the Open File or Save File dialog window. As with the MRU Folder Access artifact category, Windows Vista and later may include entries that reference a PIDL path, which contain GUID values, instead of relative path strings.
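Because the ComDlg32 entries on Vista and later are PIDLs rather than plain path strings, an examiner needs to walk the binary structure to recover the GUIDs it contains. The following is an added example, not code from the original page: it decodes the root (GUID-based) items of a PIDL using the Windows ITEMIDLIST layout (a run of SHITEMID structures, each starting with a 2-byte little-endian size that includes the size field, terminated by a 2-byte zero; root items carry class type 0x1F at offset 2 and a 16-byte CLSID at offset 4), and separates the executable name that precedes the PIDL in LastVisitedPidlMRU values. The This PC CLSID is a well-known value; the placeholder GUID, the sample bytes, the sort index used when building them, and all function names are constructed for this example.

```python
"""Added example (not from the original page): decode the GUID-based root
items in a PIDL such as those stored under the ComDlg32 subkeys
LastVisitedPidlMRU and OpenSavePidlMRU.

Assumed layout (Windows ITEMIDLIST format, not described on the page): a PIDL
is a run of SHITEMID structures, each starting with a 2-byte little-endian
size that includes the size field itself, ended by a 2-byte zero. Root items
carry class type 0x1F at offset 2 and a 16-byte CLSID at offset 4. In
LastVisitedPidlMRU values the PIDL is preceded by the UTF-16LE executable
name and its NUL terminator. All byte strings below are constructed.
"""
import struct
import uuid
from typing import Dict, List, Tuple

# Well-known shell folder CLSID (This PC / My Computer).
KNOWN_ROOTS: Dict[str, str] = {
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "This PC (My Computer)",
}


def walk_pidl(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a PIDL into (class_type, raw_item) pairs, stopping at the zero size."""
    items: List[Tuple[int, bytes]] = []
    offset = 0
    while offset + 2 <= len(blob):
        (size,) = struct.unpack_from("<H", blob, offset)
        if size == 0:
            break                      # terminator reached
        if size < 3 or offset + size > len(blob):
            raise ValueError(f"corrupt or truncated item at offset {offset}")
        item = blob[offset:offset + size]
        items.append((item[2], item))  # class type byte follows the size field
        offset += size
    return items


def root_guids(blob: bytes) -> List[Tuple[str, str]]:
    """Return (GUID, description) for every root (class type 0x1F) item in the PIDL."""
    found: List[Tuple[str, str]] = []
    for class_type, item in walk_pidl(blob):
        if class_type == 0x1F and len(item) >= 20:
            guid = str(uuid.UUID(bytes_le=item[4:20]))   # CLSID is stored little-endian
            found.append((guid, KNOWN_ROOTS.get(guid, "unknown shell folder")))
    return found


def split_last_visited(value: bytes) -> Tuple[str, bytes]:
    """Separate a LastVisitedPidlMRU value into (executable name, PIDL bytes)."""
    for i in range(0, len(value) - 1, 2):           # UTF-16 units are 2 bytes wide
        if value[i:i + 2] == b"\x00\x00":
            return value[:i].decode("utf-16-le"), value[i + 2:]
    raise ValueError("no UTF-16 NUL terminator found")


def make_root_item(guid: str, sort_index: int = 0x50) -> bytes:
    """Constructed helper: build a root SHITEMID so the sample data is self-contained."""
    body = bytes([0x1F, sort_index]) + uuid.UUID(guid).bytes_le
    return struct.pack("<H", len(body) + 2) + body


PLACEHOLDER_GUID = "00000000-1111-2222-3333-444444444444"  # constructed, not a real CLSID

# Constructed sample: a This PC root, a placeholder root, then the terminator.
SAMPLE_PIDL = (
    make_root_item("20d04fe0-3aea-1069-a2d8-08002b30309d")
    + make_root_item(PLACEHOLDER_GUID)
    + b"\x00\x00"
)
# Constructed LastVisitedPidlMRU-style value: exe name, NUL, then the PIDL.
SAMPLE_LAST_VISITED = "notepad.exe".encode("utf-16-le") + b"\x00\x00" + SAMPLE_PIDL


if __name__ == "__main__":
    exe, pidl = split_last_visited(SAMPLE_LAST_VISITED)
    print("executable:", exe)
    for guid, desc in root_guids(pidl):
        print(f"  {{{guid}}}  {desc}")
```

Real PIDLs also contain file-system items (folder and file names with FAT timestamps) after the root items; those need the per-class-type parsing that tools such as Registry Explorer already implement, and the walker above stops with an error rather than guessing when a size field runs past the end of the value.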
