RecentDocs
RecentDocs maintains a list of the most recently accessed documents and folders by the user.
Analysis
RecentDocs is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
The following information is available for each RecentDocs entry:
- File Name (full path is not available)
- File Extension
- MRU Position (available per file extension)
The registry key maintains individual sub-keys for each file extension. It does not maintain a wildcard extension sub-key; instead, it stores the wildcard extension as values under the RecentDocs key itself. The parent key and each sub-key maintain up to 150 of the most recent files or folders.
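The following added example (not part of the original page) shows how the MRU position of each entry can be recovered from the values of the RecentDocs key or one of its extension sub-keys. It assumes the commonly documented layout, which the page does not describe: an MRUListEx value holding little-endian 32-bit value names terminated by 0xFFFFFFFF, and numbered values whose data begins with a null-terminated UTF-16LE file name. The function names, the dict input format and the sample data are constructed for illustration.

```python
import struct

def parse_mrulistex(data):
    """Return numbered value names in most-recent-first order."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:  # terminator marks the end of the list
            break
        order.append(idx)
    return order

def parse_entry_name(data):
    """Extract the leading null-terminated UTF-16LE file name from an entry."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")

def recentdocs_mru(values):
    """Return (mru_position, value_name, file_name); position 0 is most recent."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        if raw is None:  # MRUListEx references a value that is not present
            rows.append((pos, str(idx), "<missing value>"))
            continue
        rows.append((pos, str(idx), parse_entry_name(raw)))
    return rows

def make_entry(name):
    # Constructed entry: file name, terminator, then placeholder trailing bytes
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x01\x02\x03\x04"

# Constructed sample standing in for the values of a RecentDocs\.docx sub-key,
# as a dict of value name -> raw data exported by a hive parser (assumption)
SAMPLE_DOCX = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": make_entry("budget.docx"),
    "1": make_entry("notes.docx"),
    "2": make_entry("résumé.docx"),
}

if __name__ == "__main__":
    for pos, value_name, file_name in recentdocs_mru(SAMPLE_DOCX):
        print(f"MRU {pos}: value {value_name} -> {file_name}")
```

Running the parser over both the parent key and an extension sub-key gives two independent orderings for the same file name, since MRU position is tracked per key.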
Investigation Considerations
RecentDocs only maintains the file name and extension; it does not record the full path. It may not be possible to positively associate the file name present in the registry with a file on disk. IOt