What Is a 'Windows Recents Folder' Artifact, and How Can It Be Useful in a DFIR Investigation?
The Recents Folder artifact contains files and folders that were recently opened or saved. It is closely related to the RecentDocs and JumpList artifacts, which will be covered in other posts.
This artifact is in the Data Accessed category, which contains items that a user opened or saved.
The Recents Folder is useful to a DFIR investigator because it can show what files the user was recently focused on. In an intrusion case with account takeover, this list could show what files the attacker was interested in. These could be documents with intellectual property or configuration files for their attack tools. For an insider threat case, it can show what kinds of documents the user was opening. In a general investigation, knowing what documents the user recently opened can reveal what they used the computer for.
The folder contains “.lnk” files that point to recent folders and files. Some systems will have a fixed number of entries (149) and others do not. There is a registry key that limits the number.
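As an added example (not code from this post or from Cyber Triage), the following parser reads the two structures of a Recents-folder .lnk file that matter most to an investigator, the ShellLinkHeader and LinkInfo, as laid out in Microsoft's MS-SHLLINK specification: the target path, the target's size and attributes, the volume serial number, and the three FILETIMEs recorded for the target. The sample .lnk, the user name and the file path are constructed for the demo; the builder writes no IDList or StringData, which real files usually carry.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from MS-SHLLINK: Shell Link CLSID, LinkFlags bits, LinkInfoFlags bit.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01, 0x02, 0x01
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def _cstr(data, start):  # NUL-terminated ANSI string at offset `start`
    return data[start:data.index(b"\0", start)].decode("cp1252")

def parse_lnk(data):
    """Target path, size, attributes, volume serial and the target's FILETIMEs (not the .lnk's own)."""
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    off, info = hdr_size, {"target": None, "volume_serial": None}
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        li = off                                   # offsets below are relative to LinkInfo
        _, _, li_flags, vol_off, base_off, _, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # VolumeID = size, drive type, serial number, label offset; path = base + suffix
            info["volume_serial"] = struct.unpack_from("<I", data, li + vol_off + 8)[0]
            info["target"] = _cstr(data, li + base_off) + _cstr(data, li + suffix_off)
    info.update(target_size=fsize, attributes=attrs, created=filetime_to_dt(ctime),
                accessed=filetime_to_dt(atime), modified=filetime_to_dt(wtime))
    return info

def build_lnk(base, suffix, size, when, serial=0x1234ABCD):
    """Constructed sample: minimal header + LinkInfo .lnk, no IDList or StringData."""
    ft = (when - EPOCH_1601) // timedelta(microseconds=1) * 10
    base_b, suffix_b = base.encode("cp1252") + b"\0", suffix.encode("cp1252") + b"\0"
    vol = struct.pack("<4I", 17, 3, serial, 16) + b"\0"      # DRIVE_FIXED, empty label
    vol_off, base_off = 28, 28 + len(vol)                    # 28 = LinkInfoHeaderSize
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<7I", suffix_off + len(suffix_b), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, HAS_LINK_INFO, 0x20,  # ARCHIVE
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + link_info + vol + base_b + suffix_b

def demo():  # constructed Recents entry, not from a real system
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    return parse_lnk(build_lnk(r"C:\Users\alice\Documents\payroll.xlsx", "", 40960, when))
```

Run `parse_lnk(open(path, "rb").read())` on each file in a user's Recent folder to list targets with their recorded timestamps; note that the FILETIMEs describe the target file when the link was written, while the .lnk file's own filesystem timestamps say when the user opened it.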
You can see Recent Folder artifacts in Cyber Triage in the “Data Accessed” section. Cyber Triage will parse the LNK files and also collect the target file that is being
How Does Cyber Triage Score the Windows Recents Folder Artifact?
Cyber Triage will score files as suspicious if they have malware characteristics. For example, an Office document that has a macro that runs when the document is opened would get flagged.
About Cyber Triage
Cyber Triage is an automated Digital Forensics and Incident Response (DFIR) tool that allows cybersecurity professionals like you to quickly answer intrusion questions related to:
Malware
Ransomware
Account Takeover
It uses host-based data, scoring, advanced analytics, and a recommendation engine to ensure your investigations are fast and comprehensive.