Investigating Paint MRU
27/05/2022 Friday
Windows systems include a number of installed and ready to use applications. Among these applications is the Microsoft Paint utility. The recent files accessed by the user via MS Paint are stored in the Registry within the “Recent File List” subkey beneath the “Paint” key. However, recent files accessed do not appear instantly within the Recent File List subkey, the user has to close the application window for the changes to be committed to the Registry key.
Digital Forensics Value of Paint MRU Artifact
Paint key and all the subkeys beneath it are not populated in the registry until the user launches and uses the application. Thus, this artifact can provide an indication of program execution. Paint MRU artifact can also be an important source of evidentiary information in investigations as it enables the investigator to retrieve a list of the recent files accessed by the user via the application.
Location of Paint MRU Artifact
Information about the recent files accessed by the user via MS Paint is maintained in the following
location:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Structure of Paint MRU Artifact
The values listed beneath the Recent File List key have names such as “File1”, “File 2”, “File 3”, and so
on. This key maintains its values in a manner similar to TypedPaths and TypedURLs keys. There is no MRUList
value to indicate the order in which the values were accessed. However, this information can be inferred
from the names of the values. The first value added to the key is named “File1”. When a new file is
created/accessed, the new value is named “File1” and the previous value becomes “File2”. Therefore, the
value named “File1” will always contain the most recently accessed file.
Analyzing Paint MRU Artifact with ArtiFast Windows
This section discusses how to use ArtiFast Windows to analyze Paint MRU artifact from Windows machines and
what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase,
you can select Paint MRU Artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Paint MRU artifact in ArtiFast Windows.
Paint MRU Artifact
- File Name - Image file name.
- Close Date - Image Close Date
- Other Values - Other recent values.
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com
