OfficeMRU

Overview

  • Evidence: OfficeMRU

  • Description: Enumerate OfficeMRU

  • Category: Registry

  • Platform: Windows

  • Short Name: officemru

  • Is Parsed: Yes - Office MRU data parsed with timestamps

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Microsoft Office applications maintain Most Recently Used (MRU) lists of documents that users have opened. These lists are stored in the user's registry and include file paths and access timestamps embedded in the registry value data.

Office MRU can reveal which documents users were working with, including documents on network shares, removable drives, and deleted files.

Data Collected

| Field | Description | Example |
| --- | --- | --- |
| Path | Document file path | C:\Users\user\Documents\report.docx |
| OpenedOn | When file was opened | 2023-10-15T14:30:00 |
| Value | Registry value name | Item 1 |
| Username | User account name | user |
| KeyPath | Registry key path | Software\Microsoft\Office\16.0\Word\File MRU |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| RegPath | Path to registry hive | Registry/ntuser.dat |

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for Office MRU keys:

    • Software\Microsoft\Office\*\*\File MRU

    • Software\Microsoft\Office\*\*\Place MRU

    • Software\Microsoft\Office\*\*\User MRU\*\File MRU

    • Software\Microsoft\Office\*\*\User MRU\*\Place MRU

  • Parses value data to extract file paths and timestamps

  • Decodes embedded FILETIME values from registry data

The registry value format: [F00000000][T01D7A5B69601F2E0]*C:\path\to\file.docx
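The value format above can be decoded as sketched here. This is an added example, not the collector's own code: the function names are illustrative, and it assumes the value data has already been read from the hive as a string and that the T token is a 64-bit FILETIME in hex, as the sample suggests. Other bracketed tokens are accepted but not interpreted.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# One bracketed token: a tag letter followed by hex digits, e.g. [T01D7A5B69601F2E0]
TOKEN = re.compile(r"\[([A-Z])([0-9A-Fa-f]+)\]")


def filetime_to_utc(hex_value):
    """Convert a hex FILETIME to an aware UTC datetime, or None if unusable."""
    ticks = int(hex_value, 16)
    if ticks == 0:  # an all-zero timestamp carries no information
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # value outside the range datetime can represent
        return None


def parse_mru_value(data):
    """Split one MRU value into its path and embedded open time."""
    header, sep, path = data.partition("*")
    if not sep or not path:
        raise ValueError("no '*<path>' part in MRU value")
    if TOKEN.sub("", header).strip():
        raise ValueError("unexpected data before '*' in MRU value")
    tokens = dict(TOKEN.findall(header))
    opened = filetime_to_utc(tokens["T"]) if "T" in tokens else None
    return {"Path": path, "OpenedOn": opened, "Flags": tokens.get("F")}


# Constructed sample values: the format string from this page, plus two
# variants (no T token, zero T token) that must not yield a bogus time.
SAMPLES = [
    r"[F00000000][T01D7A5B69601F2E0]*C:\path\to\file.docx",
    r"[F00000000]*\\srv\share\budget.xlsx",
    r"[F00000000][T0000000000000000]*E:\notes.docx",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        row = parse_mru_value(raw)
        when = row["OpenedOn"].isoformat() if row["OpenedOn"] else "unknown"
        print(f"{when}  {row['Path']}")
```

Entries that come back with OpenedOn set to None are still worth keeping in a timeline, since the key's LastWriteTime gives an upper bound for the most recent change to the list.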

Usage

Office MRU provides evidence of document access and user activity with Office files. Investigators use this data to identify recently accessed sensitive documents, track document access on network shares, establish document access timelines, detect access to deleted documents, identify documents of interest, correlate with file system artifacts, and prove user interaction with specific files.

Known Limitations

  • Only tracks Microsoft Office applications

  • Limited number of entries per application

  • Can be cleared through Office privacy settings

  • Timestamp encoding varies by Office version

  • Only captures files opened through Office, not programmatically

Notes

Office MRU can reveal access to files on network shares and removable drives that are no longer connected. The embedded timestamps provide precise file access times.
