# FirstFolder

## Overview

**Evidence:** FirstFolder\
**Description:** Enumerate FirstFolder\
**Category:** System\
**Platform:** windows\
**Short Name:** firstfolder\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

The FirstFolder MRU (Most Recently Used) list tracks the first folder that was opened when using Windows common file dialogs (Open/Save dialogs). This registry artifact records which folders users or applications initially navigated to when opening or saving files.

This can provide evidence of file operations and folder access patterns associated with specific applications.

## Data Collected

This collector gathers structured data about FirstFolder MRU entries.

### FirstFolder Data

| Field           | Description                  | Example                                                                 |
| --------------- | ---------------------------- | ----------------------------------------------------------------------- |
| `KeyPath`       | Registry key path            | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder |
| `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00                                                     |
| `Value`         | MRU value name               | 0                                                                       |
| `Username`      | User account name            | user                                                                    |
| `Path`          | File name                    | document.docx                                                           |
| `Folder`        | Folder path opened           | C:\Users\user\Documents\Confidential                                    |
| `MRUPosition`   | Position in MRU list         | 0                                                                       |
| `RegPath`       | Path to registry hive        | Registry/ntuser.dat                                                     |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder`
* Parses MRUListEx binary data to determine access order
* Extracts file names and folder paths from binary structures
* Orders entries by MRU position
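
The parsing and ordering steps above, sketched as an added example (not the collector's own code). `MRUListEx` is a sequence of little-endian DWORDs terminated by `0xFFFFFFFF`; the layout of each numbered value (file name, then folder, as NUL-terminated UTF-16LE strings) is an assumption, and the function names and sample data are hypothetical.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # MRUListEx ends with this DWORD


def parse_mrulistex(data: bytes) -> list:
    """Return value names (as ints) in most-recent-first order."""
    order = []
    # Drop a trailing partial DWORD instead of raising on truncated data.
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == MRU_TERMINATOR:
            break
        if idx not in order:  # repeated index: keep the first occurrence
            order.append(idx)
    return order


def split_utf16_strings(data: bytes) -> list:
    """Assumed layout: consecutive NUL-terminated UTF-16LE strings."""
    text = data[: len(data) - len(data) % 2].decode("utf-16-le", errors="replace")
    return [s for s in text.split("\x00") if s]


def order_entries(values: dict) -> list:
    """Build rows ordered by MRU position from one key's raw values."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        if raw is None:  # referenced by MRUListEx but the value is gone
            continue
        strings = split_utf16_strings(raw)
        rows.append({
            "Value": str(idx),
            "MRUPosition": pos,
            "Path": strings[0] if strings else "",
            "Folder": strings[1] if len(strings) > 1 else "",
        })
    return rows


def _u16(*parts: str) -> bytes:
    return b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in parts)

# Constructed sample values for one FirstFolder key (not real case data).
SAMPLE = {
    "MRUListEx": struct.pack("<4I", 1, 0, 2, MRU_TERMINATOR),
    "0": _u16("report.xlsx", r"C:\Users\user\Desktop"),
    "1": _u16("document.docx", r"C:\Users\user\Documents\Confidential"),
}
```

In the sample, `MRUListEx` references value `2`, which no longer exists; `order_entries` skips it while keeping the positions of the surviving entries.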

## Forensic Value

FirstFolder MRU reveals folder access through file dialogs and can indicate file operations. Investigators use this data to identify folders accessed for file operations, track file saving/opening patterns, detect access to hidden or sensitive folders, correlate with application usage, and establish file operation timelines.
