
Investigating Typed Paths

11/10/2021 Monday

TypedPaths is a Windows Registry key that records the last 25 paths typed or inserted into the path bar of File Explorer (previously known as Windows Explorer). The typed paths, however, do not appear instantly within the TypedPaths key. The user has to close the File Explorer window for the typed paths to be committed to the registry key.

If a user has two File Explorer windows open simultaneously, both windows initially start with the same copy of the registry key and display the same previously typed entries. However, the two windows are independent of each other. Thus, if the user types a new path into one of the windows, this path will not appear in the history of the other open window.

What is more interesting about this key is that when the user closes the first window, the TypedPaths key will be updated with the content of this window alone. However, when the user closes the second window, the key will be updated with the content of the second window, overwriting any unique entries from the first window.

Location of Typed Paths Artifact

Full paths typed or inserted in File Explorer are stored at: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Structure of Typed Paths Artifact

In the TypedPaths subkey, the values have names such as “url1”, “url2”, “url3”, and so on. The first value added is named “url1”. When a new value is added, the previous value is renamed “url2” and the new value is named “url1”. Thus, the names of the values keep changing, and the value named “url1” always contains the most recently typed path.
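The value naming described here and the two-window commit behaviour described earlier can be modelled together. The following is an added example, not code from ArtiFast or from the original post: it orders exported TypedPaths values by recency and simulates two windows closing in turn. The `ExplorerWindow` class, the function names and the sample paths are constructed for illustration, and the model ignores how File Explorer treats a path that is typed twice.

```python
import re

MAX_ENTRIES = 25  # the key records the last 25 typed paths

def order_by_recency(values):
    """Return typed paths, most recent first, from a {value_name: data} dict."""
    numbered = []
    for name, data in values.items():
        m = re.fullmatch(r"url(\d+)", name, re.IGNORECASE)
        if m:  # skip anything that is not urlN
            numbered.append((int(m.group(1)), data))
    # Sort on the numeric suffix: a plain string sort puts url10 before url2.
    return [data for _, data in sorted(numbered)]

class ExplorerWindow:
    """Simplified model (assumption) of one window's in-memory history."""
    def __init__(self, key):
        self.key = key
        self.history = order_by_recency(key)  # private copy taken at open

    def type_path(self, path):
        # The newest path takes the url1 slot; older ones shift down.
        self.history = ([path] + self.history)[:MAX_ENTRIES]

    def close(self):
        # Commit: the key is rewritten from this window's copy alone.
        self.key.clear()
        for i, path in enumerate(self.history, start=1):
            self.key[f"url{i}"] = path

def two_window_demo():
    # Constructed sample data standing in for the TypedPaths key.
    key = {"url1": r"C:\Users\Public", "url2": r"C:\Temp"}
    first, second = ExplorerWindow(key), ExplorerWindow(key)
    first.type_path(r"\\fileserver\share")
    second.type_path(r"D:\Backups")
    first.close()
    after_first = order_by_recency(key)
    second.close()   # overwrites the entry unique to the first window
    after_second = order_by_recency(key)
    return after_first, after_second

if __name__ == "__main__":
    for label, state in zip(("after first close", "after second close"),
                            two_window_demo()):
        print(label, state)
```

For analysis, the practical consequence is that a path missing from TypedPaths does not show that it was never typed: it may have been overwritten by a window that closed later.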

Analyzing Typed Paths Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze the Typed Paths artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Typed Paths Artifact:

Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Typed Paths artifact in ArtiFast Windows.

Typed Paths Artifact

This artifact contains the full path typed in File Explorer. The details you can view include:
