
Investigating LastVisitedMRU

03/08/2021 Tuesday

LastVisitedMRU is a Windows registry key that tracks the applications used to open or save the files documented in the OpenSaveMRU key. The key also tracks the location of the last file that was accessed (opened or saved) by each application. This is how the "Open"/"Save As" Windows shell dialog boxes keep track of the last directory used by an application when the user is trying to open or save a file. The key name differs between Windows XP and later Windows versions (LastVisitedMRU on Windows XP and 2003; LastVisitedPidlMRU on Vista through Windows 10 systems).

Digital Forensics Value of LastVisitedMRU Artifacts

The LastVisitedMRU/LastVisitedPidlMRU key tracks the application used to open/save files stored in OpenSaveMRU as well as the folder location of the last file that was accessed (opened or saved) by that application. Being able to track such information can be critical during the digital forensic analysis process.

Location of LastVisitedMRU Artifacts

Windows XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows 7, 8 and 10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Structure of LastVisitedMRU Artifacts

The key contains multiple values. These values/items are named with numbers (or letters on Windows XP). The items are numbered in ascending order according to their creation time, and each item stores its data (the application executable and full path) in binary format. The LastVisitedMRU/LastVisitedPidlMRU key also contains an ‘MRUListEx’ value (or ‘MRUList’ on Windows XP), which lists the order in which the files were accessed.

LastVisitedMRU key
LastVisitedPidlMRU key
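The structure described above can be decoded with a short parser. The following is an added example, not code from ArtiFast or from the original post. It assumes the commonly documented layout, which the post does not spell out: MRUListEx is a list of little-endian DWORDs ending in 0xFFFFFFFF, and each value starts with a NUL-terminated UTF-16LE executable name followed by a PIDL (Vista and later) or a UTF-16LE folder string (XP). All function names and sample bytes are constructed for illustration.

```python
import struct

def parse_mrulistex(data):
    """MRUListEx: little-endian DWORD value names, most recent first."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) // 4 * 4]):
        if idx == 0xFFFFFFFF:  # terminator
            break
        order.append(idx)
    return order

def read_utf16z(data, offset=0):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = offset
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le", errors="replace"), end + 2

def parse_entry(data, xp=False):
    """Executable name first, then a folder string (XP) or a PIDL (Vista+)."""
    exe, off = read_utf16z(data)
    if xp:
        return {"exe": exe, "folder": read_utf16z(data, off)[0]}
    return {"exe": exe, "pidl": data[off:]}  # PIDL left raw for a shell-item parser

def ordered_entries(values, xp=False):
    """Return (value name, parsed entry) pairs, most recently used first."""
    if xp:
        order = list(values["MRUList"])  # REG_SZ, assumed already decoded to str
    else:
        order = [str(i) for i in parse_mrulistex(values["MRUListEx"])]
    return [(n, parse_entry(values[n], xp)) for n in order if n in values]

def _u(text):
    return text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample data, not taken from a real hive.
FAKE_PIDL = b"\x04\x00\xaa\xbb\x00\x00"  # placeholder bytes, not a real shell item
SAMPLE_PIDL_KEY = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": _u("notepad.exe") + FAKE_PIDL,
    "1": _u("WINWORD.EXE") + FAKE_PIDL,
}
SAMPLE_XP_KEY = {
    "MRUList": "ba",
    "a": _u("mspaint.exe") + _u(r"C:\Temp\images"),
    "b": _u("notepad.exe") + _u(r"C:\Temp"),
}
```

Calling `ordered_entries(SAMPLE_PIDL_KEY)` returns value "1" (WINWORD.EXE) before value "0" (notepad.exe), which is the access order recorded in MRUListEx rather than the creation order of the values.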

Analyzing LastVisitedMRU Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze the LastVisitedMRU artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select the LastVisitedMRU Artifact:

Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via "Artifact View" or "Timeline View", with indexing, filtering, and searching capabilities. Below is a detailed description of the Last Visited MRU artifact in ArtiFast software.

Last Visited MRU Artifact

This artifact contains information related to the executables used to access the files documented in the OpenSaveMRU key. The details you can view include: