Blog >> Recent Items

Investigating Recent Items

11/11/2022 Friday

Recent items are a list of files a user has used or opened recently. These items are displayed as “Recent” in jump lists on the Start menu, File Explorer, and Taskbar. The user can quickly and easily access recently accessed files and opened folders via recent items. This feature works like a caching mechanism in Windows operating system.

Digital Forensics Value of Recent Items

Recent items store user’s activity chronologically in terms of application access, file creation, and modification. Like Jump List artifact, we can collect information about recently accessed application by analyzing recent items. What makes this artifact more valuable is the fact that the information may be maintained on the system after the file, folder or application has ceased to exist on the system.

Location of Recent Items

The following location contains recent items jump list details:
C:\users\[user]\Appdata\Roaming\Microsoft\Windows\Recent Items

Analyzing Recent Items Artifacts with ArtiFast

This section will discuss how to use ArtiFast Windows to extract Recent Items artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Recent Items artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Recent Items artifact in ArtiFast.

Recent Items Artifact

For more information or suggestions please contact: [email protected]