Comprehensive Guide to Identifying File and Folder Access in Digital Forensics
- Feb 20, 2024
Updated: Feb 25
When investigating digital forensics cases, confirming which files and folders have been opened or accessed is crucial. Whether tracking user activity or validating forensic evidence, understanding where and how to find artifacts plays a key role in uncovering the truth.
Many articles on my website discuss different execution artifacts.
However, putting them all together in a structured way helps streamline forensic investigations.
This article serves as a reference guide, consolidating various forensic artifacts that indicate file and folder access, along with their advantages, disadvantages, and relevant analysis techniques.
-------------------------------------------------------------------------------------------------
1. Open/Save MRU / Last Visited MRU
Description: The Open/Save MRU (Most Recently Used) and Last Visited MRU registry keys record file paths and directories accessed through common dialog boxes. They are valuable for determining recently accessed files.
Article:
2. Recent Files (RecentDocs)
Description: The RecentDocs registry key stores metadata about recently opened files, categorized by file extensions.
Article:
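As an added example (not code from this article or its companion posts), the Python below reconstructs the access order from a RecentDocs-style key offline. It assumes the documented layout of these keys: MRUListEx is a list of little-endian DWORD value indices, most recent first, terminated by 0xFFFFFFFF, and each numbered RecentDocs value begins with the UTF-16LE, null-terminated file name. The registry values it reads are constructed stand-ins, not an export from a real system. The same MRUListEx ordering logic applies to the Open/Save and Last Visited MRU keys described above.

```python
"""Recover the open order recorded by a RecentDocs-style MRU key.

Added example, not code from the article. Assumed layout (the
documented format of these keys):
  - MRUListEx: little-endian DWORD value indices, most recent first,
    terminated by 0xFFFFFFFF
  - each numbered value: UTF-16LE, null-terminated file name, followed
    by a shell item that names the matching .lnk file
Live source would be HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\
Explorer\\RecentDocs; the bytes below are constructed stand-ins.
"""
import struct

END_MARKER = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> list:
    """Value indices in MRU order, most recently used first."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == END_MARKER:
            break
        order.append(idx)
    return order


def parse_recentdocs_value(data: bytes) -> str:
    """File name at the start of a numbered RecentDocs value.

    UTF-16LE code units are two bytes wide, so the terminator is searched
    at even offsets only. A naive data.find(b"\\x00\\x00") can land on an
    odd offset inside a code unit and truncate names containing a 0x00
    byte (e.g. U+0100).
    """
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator in value")


def mru_order(mrulistex: bytes, values: dict) -> list:
    """Resolve MRUListEx indices to file names, newest first.

    Indices with no matching value (stale entries) are skipped rather
    than raising, so a partially cleaned key still yields what it can.
    """
    names = []
    for idx in parse_mrulistex(mrulistex):
        raw = values.get(str(idx))
        if raw is not None:
            names.append(parse_recentdocs_value(raw))
    return names


def _constructed_value(name: str, lnk_name: str) -> bytes:
    # Real values carry a full SHITEMID after the name; this stand-in keeps
    # only the .lnk name so the prefix handling above is what is exercised.
    return (name.encode("utf-16-le") + b"\x00\x00"
            + lnk_name.encode("utf-16-le") + b"\x00\x00")


# Constructed sample key. "dataĀ.txt" contains U+0100, whose UTF-16LE
# encoding (00 01) would fool an unaligned terminator search.
SAMPLE_VALUES = {
    "0": _constructed_value("budget.xlsx", "budget.lnk"),
    "1": _constructed_value("notes.txt", "notes.lnk"),
    "2": _constructed_value("dataĀ.txt", "dataĀ.lnk"),
}
# Says value 2 was used last, then 0, then 1.
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, END_MARKER)


if __name__ == "__main__":
    for rank, name in enumerate(mru_order(SAMPLE_MRULISTEX, SAMPLE_VALUES)):
        print(f"{rank}: {name}")
```

On a live system the same functions can be fed the output of `winreg.QueryValueEx` for each value under the key; the point of keeping the parsing separate from the registry API is that it then works unchanged on an offline NTUSER.DAT export.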
3. Shortcut (LNK) Files
Description: Windows automatically generates LNK (shortcut) files when users open files and folders. These files contain metadata, including access timestamps and file locations.
Articles:
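The following is an added example, not code from the article: a parser for the fixed 76-byte ShellLinkHeader that every .lnk file starts with, laid out as in the MS-SHLLINK specification. It decodes the link flags, the directory attribute, and the three FILETIME stamps of the target. The header bytes it works on are constructed in the block so it runs without a real shortcut.

```python
"""Parse the fixed 76-byte ShellLinkHeader of a Windows .lnk file.

Added example, not code from the article. Field layout follows the
MS-SHLLINK specification; the header bytes used here are constructed,
no shortcut is read from disk.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIiIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)      # 0x4C == 76
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_ATTRIBUTE_DIRECTORY = 0x10
SW_SHOWNORMAL = 1
LINK_FLAGS = {  # low byte of LinkFlags, per MS-SHLLINK 2.1.1
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}


def filetime_to_datetime(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_lnk_header(data: bytes) -> bool:
    """Cheap signature check: HeaderSize 0x4C followed by the ShellLink CLSID."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data)[0] == HEADER_SIZE
            and data[4:20] == LINK_CLSID)


def parse_lnk_header(data: bytes) -> dict:
    """Decode the header fields that matter for file-access questions.

    The three timestamps are the *target's* creation/access/write times
    as captured when the shortcut was written, not when the .lnk itself
    was touched; the .lnk file's own filesystem timestamps are what
    indicate when the target was first and last opened through the shell.
    """
    if not is_lnk_header(data):
        raise ValueError("not a ShellLinkHeader")
    (_, _, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
    }


def build_lnk_header(created, accessed, modified, file_size, flags=0x81, attrs=0x20) -> bytes:
    """Construct a header for testing (defaults: IsUnicode|HasLinkTargetIDList, FILE_ATTRIBUTE_ARCHIVE)."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), file_size, 0, SW_SHOWNORMAL, 0, 0, 0, 0)


# Constructed sample: a shortcut to a 4 KiB file.
SAMPLE_HEADER = build_lnk_header(
    datetime(2024, 2, 20, 9, 15, 0, tzinfo=timezone.utc),
    datetime(2024, 2, 25, 14, 0, 30, tzinfo=timezone.utc),
    datetime(2024, 2, 21, 16, 45, 0, tzinfo=timezone.utc),
    4096,
)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_HEADER).items():
        print(f"{key:>20}: {value}")
```

The signature check matters when carving: Recent folder contents and unallocated space both yield candidate blobs, and only those that pass `is_lnk_header` are worth handing to a full parser for the LinkTargetIDList and LinkInfo sections that follow the header.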
4. Office Recent Files
Description: Microsoft Office maintains records of recently accessed files within the Windows registry.
Article:
5. ShellBags
Description: ShellBags store information about folder views and access history in Windows Explorer. They can provide insights into directories that were accessed, even if those directories have since been deleted.
Articles:
6. Jump Lists
Description: Jump Lists store metadata about recently accessed files and applications pinned to the Windows taskbar.
Articles:
7. Office Trust Records
Description: Office Trust Records store information about trusted Office documents, often used in investigations related to macro-based malware and suspicious document execution.
Article:
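As an added example (not code from the article), the block below decodes TrustRecords values and lists the documents for which the user enabled macros. The layout it assumes comes from published TrustRecords research rather than from this page: the value name is the document path in a URI-like form, and the 16-byte data holds an 8-byte FILETIME, 4 reserved bytes, and a 4-byte flag that reads 0x7FFFFFFF (bytes FF FF FF 7F) when "Enable Content" was clicked and 0x00000001 when only editing was enabled. Which event the FILETIME marks is not stated on this page, so the code only decodes it. The registry values are constructed samples.

```python
"""Decode Office TrustRecords values (added example, not from the article).

Assumed layout, taken from published TrustRecords research rather than
this page: the value name is the document path in URI-like form
(forward slashes, profile folder abbreviated as %USERPROFILE%) and the
data is 16 bytes: an 8-byte FILETIME, 4 reserved bytes, and a 4-byte
flag that reads 0x7FFFFFFF (bytes FF FF FF 7F) when macros were enabled
via "Enable Content" and 0x00000001 when only editing was enabled.
Live key: HKCU\\Software\\Microsoft\\Office\\<version>\\<App>\\Security\\
Trusted Documents\\TrustRecords. Sample values below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FLAG_MACROS_ENABLED = 0x7FFFFFFF
FLAG_EDITING_ENABLED = 0x00000001
RECORD_FMT = "<QII"  # FILETIME, reserved DWORD, trust flag


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_trust_record(value_name: str, data: bytes) -> dict:
    """Decode one TrustRecords value; unknown flags are reported, not guessed."""
    if len(data) != struct.calcsize(RECORD_FMT):
        raise ValueError(f"unexpected TrustRecords data length {len(data)}")
    ft, _reserved, flag = struct.unpack(RECORD_FMT, data)
    if flag == FLAG_MACROS_ENABLED:
        trust = "macros enabled"
    elif flag == FLAG_EDITING_ENABLED:
        trust = "editing enabled"
    else:
        trust = f"unknown (0x{flag:08X})"
    return {
        "path": value_name,
        "timestamp": filetime_to_datetime(ft),
        "trust": trust,
        "macros_enabled": flag == FLAG_MACROS_ENABLED,
    }


def macro_enabled_documents(values: dict) -> list:
    """Paths of documents the user explicitly enabled macros for.

    This is the first list to pull when a case involves a suspected
    malicious document: it narrows the candidates to files where the
    protection prompt was actively overridden.
    """
    hits = []
    for name, data in values.items():
        record = decode_trust_record(name, data)
        if record["macros_enabled"]:
            hits.append(record["path"])
    return hits


def _constructed_record(ts: datetime, flag: int) -> bytes:
    delta = ts - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack(RECORD_FMT, ft, 0, flag)


# Constructed sample key: one macro-enabled download, one ordinary workbook.
SAMPLE_TRUSTRECORDS = {
    "%USERPROFILE%/Downloads/invoice_feb.docm":
        _constructed_record(datetime(2024, 2, 20, 8, 2, 11, tzinfo=timezone.utc), FLAG_MACROS_ENABLED),
    "%USERPROFILE%/Documents/q4_figures.xlsx":
        _constructed_record(datetime(2024, 1, 9, 13, 30, 0, tzinfo=timezone.utc), FLAG_EDITING_ENABLED),
}

if __name__ == "__main__":
    for name, data in SAMPLE_TRUSTRECORDS.items():
        rec = decode_trust_record(name, data)
        print(f"{rec['timestamp'].isoformat()}  {rec['trust']:16}  {rec['path']}")
```

Because the key is per user and per Office version, a complete triage walks every `<version>\<App>` subtree under the user's Office hive rather than a single path; the decoder itself is the same for each.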
--------------------------------------------------------------------------------------------------
Conclusion
Understanding file and folder access artifacts is essential in forensic investigations. Each artifact provides unique insights, but they also come with limitations. By combining multiple sources of evidence, investigators can build a comprehensive timeline of user activity.
Whether tracking user actions, detecting suspicious activity, or validating forensic findings, these artifacts serve as invaluable tools in digital forensics.
Happy hunting!
-------------------------------------------------Dean--------------------------------------------