Talking with a colleague the other day reminded me of just how nuanced many of the forensic artifacts we rely upon are. Nowhere is this more true than in the Windows Registry. With no specification, and with even Microsoft products not following any consistent data storage methodology, it is about as haphazard and irregular as they come.

As an example, let's look at the OpenSaveMRU and LastVisitedMRU Registry keys. Both have been documented for years and are frequently cited in examinations. That being said, I would bet many examiners have not investigated the keys deeply enough to understand everything they are telling us. Here is a quick rundown on what we can glean from these keys.

In simplest terms, the OpenSaveMRU key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, covering not only web browsers like Internet Explorer and Firefox but also the majority of commonly used applications. What sometimes gets missed is that this key is also responsible for tracking auto-complete terms for that same dialog box.

The key is located at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (OpenSavePidlMRU in Vista/Win7) and contains both values and multiple subkeys. The values stored in the key itself are items that do not have file extensions associated with them. Since most files have extensions, what often ends up here is auto-complete information. Consider an Open/Save dialog box that allows you to choose your file type from a list (e.g. jpg). User input into this dialog will typically be the name of the file without the extension, since the drop-down file type menu takes care of that. Thus what is stored in the key is the auto-complete information for that transaction, and the full filename is not stored. The OpenSaveMRU key can also hold a large number of subkeys.
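The split described above, between extension-less auto-complete entries at the key root and per-file-type subkeys, can be pulled out for a case file with a short triage script. This is an added example, not code from the original post; it assumes a live Windows system and the current user's hive, and the function and parameter names are my own.

```powershell
# Enumerate OpenSaveMRU (XP) and OpenSavePidlMRU (Vista/Win7+) under ComDlg32,
# emitting one object per tracked entry so the result can be filtered or exported.
function Get-OpenSaveMru {
    [CmdletBinding()]
    param(
        # ComDlg32 key of the hive under examination; default is the live current user (HKCU).
        [string]$ComDlg32 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32'
    )
    # MRUList (XP, string) / MRUListEx (Vista+, binary) only record ordering, not entries.
    $ordering = @('MRUList', 'MRUListEx')

    # Helper: turn the values of one registry key into report objects.
    function Read-MruValues([Microsoft.Win32.RegistryKey]$Key, [string]$MruName, [string]$Label) {
        foreach ($valueName in $Key.GetValueNames()) {
            if ($valueName -in $ordering) { continue }
            $data = $Key.GetValue($valueName)
            # OpenSaveMRU stores plain strings; OpenSavePidlMRU stores binary PIDLs,
            # which need a shell item parser to decode, so only their size is reported here.
            if ($data -is [byte[]]) { $data = '{0}-byte PIDL' -f $data.Length }
            [pscustomobject]@{ Key = $MruName; Subkey = $Label; Value = $valueName; Data = $data }
        }
    }

    foreach ($mruName in 'OpenSaveMRU', 'OpenSavePidlMRU') {
        $path = Join-Path $ComDlg32 $mruName
        if (-not (Test-Path $path)) { continue }

        # Key root: entries with no file extension, i.e. mostly dialog auto-complete text.
        Read-MruValues -Key (Get-Item -Path $path) -MruName $mruName -Label '(root)'

        # One subkey per file type selected in the dialog, each with its own MRU list.
        foreach ($sub in Get-ChildItem -Path $path) {
            Read-MruValues -Key $sub -MruName $mruName -Label $sub.PSChildName
        }
    }
}

# Usage: review on screen, or pipe to Export-Csv for the case notes.
Get-OpenSaveMru | Format-Table -AutoSize
```

For an offline NTUSER.DAT, mount it with `reg load HKU\Case <path-to-hive>` and call `Get-OpenSaveMru -ComDlg32 'Registry::HKEY_USERS\Case\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32'`, unloading it afterwards with `reg unload HKU\Case`.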