FirstFolder
Overview
Evidence: FirstFolder
Description: Enumerate FirstFolder
Category: Registry
Platform: Windows
Short Name: firstfolder
Is Parsed: Yes - MRU data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The FirstFolder MRU (Most Recently Used) list tracks the first folder that was opened when using Windows common file dialogs (Open/Save dialogs). This registry artifact records which folders users or applications initially navigated to when opening or saving files.
This can provide evidence of file operations and folder access patterns associated with specific applications.
Data Collected
| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | 0 |
| Username | User account name | user |
| Path | File name | document.docx |
| Folder | Folder path opened | C:\Users\user\Documents\Confidential |
| MRUPosition | Position in MRU list | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Parses MRUListEx binary data to determine access order
Extracts file names and folder paths from binary structures
Orders entries by MRU position
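The MRUListEx ordering step above, as an added example (not the collector's own code). It assumes the commonly documented MRUListEx layout of little-endian 32-bit value names terminated by 0xFFFFFFFF, and it does not decode the binary value payloads, whose layout this page does not describe. The function names, the HasData field and the sample key are hypothetical.

```python
import struct

MRU_END = 0xFFFFFFFF  # MRUListEx terminator (assumed layout, see lead-in)


def parse_mrulistex(data):
    """Return value names (as integers) in MRU order, most recent first."""
    order = []
    usable = len(data) - len(data) % 4      # ignore a truncated trailing DWORD
    for (index,) in struct.iter_unpack("<I", data[:usable]):
        if index == MRU_END:                # terminator: ignore anything after it
            break
        if index not in order:              # a repeated index keeps its first slot
            order.append(index)
    return order


def order_entries(values):
    """Build rows with the page's Value and MRUPosition fields for one key."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    rows = []
    for position, index in enumerate(order):
        name = str(index)
        # An index with no matching value (partially cleared key) is kept and flagged.
        rows.append({"Value": name, "MRUPosition": position,
                     "HasData": name in values})
    # Values the list does not mention have no known position; report them last.
    listed = {row["Value"] for row in rows}
    for name in sorted(values):
        if name != "MRUListEx" and name not in listed:
            rows.append({"Value": name, "MRUPosition": None, "HasData": True})
    return rows


# Constructed sample: value names and payloads are placeholders, not real hive data.
SAMPLE_KEY = {
    "MRUListEx": struct.pack("<5I", 2, 0, 1, 2, MRU_END) + b"\x07",
    "0": b"<binary entry 0>",
    "2": b"<binary entry 2>",
    "3": b"<binary entry 3>",
}

if __name__ == "__main__":
    for row in order_entries(SAMPLE_KEY):
        print(row)
```

Rows with HasData set to False or MRUPosition set to None point at a key that was partially cleared or edited, which ties in with the limitations listed below.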
Usage
FirstFolder MRU reveals folder access through file dialogs and can indicate file operations. Investigators use this data to identify folders accessed for file operations, track file saving/opening patterns, detect access to hidden or sensitive folders, correlate with application usage, and establish file operation timelines.
Known Limitations
Only tracks folders opened via file dialogs
Limited number of entries retained
Can be cleared by user or privacy tools
May not capture all file dialog operations
Data format is binary and version-specific
Notes
FirstFolder MRU is particularly useful when combined with OpenSavePidlMRU to reconstruct complete file dialog activity and understand what files users were working with.