FirstFolder
Overview
Evidence: FirstFolder
Description: Enumerate FirstFolder
Category: System
Platform: windows
Short Name: firstfolder
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The FirstFolder MRU (Most Recently Used) list tracks the first folder that was opened when using Windows common file dialogs (Open/Save dialogs). This registry artifact records which folders users or applications initially navigated to when opening or saving files.
This can provide evidence of file operations and folder access patterns associated with specific applications.
Data Collected
This collector gathers structured data about FirstFolder MRU entries.
FirstFolder Data
KeyPath: Registry key path. Example: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
LastWriteTime: Registry key last write time. Example: 2023-10-15T14:30:00
Value: MRU value name. Example: 0
Username: User account name. Example: user
Path: File name. Example: document.docx
Folder: Folder path opened. Example: C:\Users\user\Documents\Confidential
MRUPosition: Position in MRU list. Example: 0
RegPath: Path to registry hive. Example: Registry/ntuser.dat
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Parses MRUListEx binary data to determine access order
Extracts file names and folder paths from binary structures
Orders entries by MRU position
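The MRUListEx ordering step above, as an added example that is not the collector's own code. MRUListEx is an array of little-endian DWORD value names, most recent first, ended by 0xFFFFFFFF. The function names, the "Strings" field and the value-data layout (null-terminated UTF-16LE strings) are assumptions made for illustration.

```python
import struct

MRU_END = 0xFFFFFFFF  # DWORD that terminates an MRUListEx array

def parse_mrulistex(data):
    """Return value names (as ints) in MRU order, most recent first."""
    order = []
    for off in range(0, len(data) - 3, 4):      # skips a trailing partial DWORD
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_END:
            break
        if idx not in order:                    # a damaged list may repeat an index
            order.append(idx)
    return order

def decode_strings(raw):
    """ASSUMPTION: value data is a run of null-terminated UTF-16LE strings."""
    text = raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")
    return [s for s in text.split("\x00") if s]

def order_entries(values):
    """Map {value name: raw bytes} from one key to rows sorted by MRU position."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        if raw is not None:                     # listed but since deleted: skip
            rows.append({"Value": str(idx), "MRUPosition": pos,
                         "Strings": decode_strings(raw)})
    listed = {r["Value"] for r in rows} | {"MRUListEx"}
    for name in sorted(set(values) - listed):   # present but unlisted: keep, flag
        rows.append({"Value": name, "MRUPosition": None,
                     "Strings": decode_strings(values[name])})
    return rows

def _u16(*parts):
    return b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in parts)

# Constructed sample, not real evidence: value 1 is most recent, value 2 is unlisted.
SAMPLE = {
    "MRUListEx": struct.pack("<3I", 1, 0, MRU_END),
    "0": _u16("document.docx", r"C:\Users\user\Documents\Confidential"),
    "1": _u16("report.xlsx", r"C:\Users\user\Desktop"),
    "2": _u16("notes.txt", r"C:\Temp"),
}

if __name__ == "__main__":
    for row in order_entries(SAMPLE):
        print(row)
```

Rows with MRUPosition None are values that exist under the key but are not referenced by MRUListEx; they are kept so an analyst can review them instead of being dropped silently.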
Forensic Value
FirstFolder MRU reveals folder access through file dialogs and can indicate file operations. Investigators use this data to identify folders accessed for file operations, track file saving/opening patterns, detect access to hidden or sensitive folders, correlate with application usage, and establish file operation timelines.

