Investigating Recent Items
11/11/2022 Friday
Recent items are a list of files a user has used or opened recently. These items are displayed as “Recent” in jump lists on the Start menu, File Explorer, and Taskbar. The user can quickly and easily access recently accessed files and opened folders via recent items. This feature works like a caching mechanism in Windows operating system.
Digital Forensics Value of Recent Items
Recent items store user’s activity chronologically in terms of application access, file creation, and modification. Like Jump List artifact, we can collect information about recently accessed application by analyzing recent items. What makes this artifact more valuable is the fact that the information may be maintained on the system after the file, folder or application has ceased to exist on the system.
Location of Recent Items
The following location contains recent items jump list details:
C:\users\[user]\Appdata\Roaming\Microsoft\Windows\Recent Items
Analyzing Recent Items Artifacts with ArtiFast
This section will discuss how to use ArtiFast Windows to extract Recent Items artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Recent Items artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Recent Items artifact in ArtiFast.
Recent Items Artifact
- Target File Created Date - The date when the file was created.
- Target Path - Item path details.
- Linked Path - Path to the file accessed
- Target File Size - Recent items file size.
- Volume Serial Number - Volume serial number.
- MAC Address - MAC address.
- Name - Name of the file.
- Target File Last Modified Date - Item last modified date.
- Target File Last Accessed Date - Item last accessed date.
- Show Command - Details of the command.
- Volume Name - Name of the volume where the item resides.
- Drive Type - Drive type for the item.
- Working Directory - Working directory.
- NetBIOS Name - Machine name on the network.
- Created Date - Date when the item was opened.
- Last Modified Date - Last modified date.
- Last Accessed Date - Last accessed date.
- Arguments - Item attributes.
- Environment Variable - Environment variable.
- Target Attributes - Target attributes.
- Relative Path - Relative path.
- Link File Size - Link file size.
- Icon Path - Icon location.
- CNRL Device Name - CNRL device name.
- CNRL Network Name - CNRL network name.
- CNRL Network Type - CNRL network type.
- Hotkey Combination - Hotkey combination.
- Unclassified Data String - Unclassified data string.
For more information or suggestions please contact: ummulkulthum.wambai@forensafe.com
