OfficeMRU
Overview
Evidence: OfficeMRU
Description: Enumerate OfficeMRU
Category: System
Platform: windows
Short Name: officemru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Microsoft Office applications maintain Most Recently Used (MRU) lists of documents that users have opened. These lists are stored in the user's registry and include file paths and access timestamps embedded in the registry value data.
Office MRU can reveal which documents users were working with, including documents on network shares, removable drives, and deleted files.
Data Collected
This collector gathers structured data about Office MRU entries.
OfficeMRU Data
| Field | Description | Example |
| --- | --- | --- |
| Path | Document file path | C:\Users\user\Documents\report.docx |
| OpenedOn | When file was opened | 2023-10-15T14:30:00 |
| Value | Registry value name | Item 1 |
| Username | User account name | user |
| KeyPath | Registry key path | Software\Microsoft\Office\16.0\Word\File MRU |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
Collects user registry hives (ntuser.dat)
Searches for Office MRU keys:
    Software\Microsoft\Office\*\*\File MRU
    Software\Microsoft\Office\*\*\Place MRU
    Software\Microsoft\Office\*\*\User MRU\*\File MRU
    Software\Microsoft\Office\*\*\User MRU\*\Place MRU
Parses value data to extract file paths and timestamps
Decodes embedded FILETIME values from registry data
The registry value format: [F00000000][T01D7A5B69601F2E0]*C:\path\to\file.docx
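The parsing steps above can be sketched as follows. This is an added example, not the collector's own code: the function names are hypothetical, and it assumes each `*` in a key pattern stands for exactly one key name and that any further bracketed fields before the `*` separator can be ignored.

```python
import re
from datetime import datetime, timedelta, timezone

# Key patterns listed on the page; assumption: each * is exactly one key name.
MRU_KEY_PATTERNS = [
    r"Software\Microsoft\Office\*\*\File MRU",
    r"Software\Microsoft\Office\*\*\Place MRU",
    r"Software\Microsoft\Office\*\*\User MRU\*\File MRU",
    r"Software\Microsoft\Office\*\*\User MRU\*\Place MRU",
]
MRU_KEY_RES = [
    re.compile(re.escape(p).replace(r"\*", r"[^\\]+"), re.IGNORECASE)
    for p in MRU_KEY_PATTERNS
]
# Bracketed metadata fields such as [F00000000] or [T01D7A5B69601F2E0]
FIELD_RE = re.compile(r"\[([A-Z])([0-9A-Fa-f]+)\]")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def is_office_mru_key(key_path):
    """True if a registry key path matches one of the Office MRU patterns."""
    return any(rx.fullmatch(key_path) for rx in MRU_KEY_RES)


def parse_mru_value(data):
    """Return Path/OpenedOn for one MRU value, or None if it is malformed."""
    prefix, sep, path = data.partition("*")
    # Reject values with no path, or with anything but [Xhex] fields before it.
    if not sep or not path or FIELD_RE.sub("", prefix):
        return None
    ticks = int(dict(FIELD_RE.findall(prefix)).get("T", "0"), 16)
    opened = None
    if ticks:  # FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means unset
        try:
            opened = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
        except OverflowError:  # corrupt value beyond the datetime range
            opened = None
    return {"Path": path, "OpenedOn": opened}


if __name__ == "__main__":
    # The format string shown on the page, used here as sample input.
    sample = r"[F00000000][T01D7A5B69601F2E0]*C:\path\to\file.docx"
    print(is_office_mru_key(r"Software\Microsoft\Office\16.0\Word\File MRU"))
    print(parse_mru_value(sample))
```

A zero or out-of-range FILETIME yields `OpenedOn` of `None` rather than a misleading date, so timeline entries built from the result carry only timestamps that were actually decoded.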
Forensic Value
Office MRU provides evidence of document access and user activity with Office files. Investigators use this data to identify recently accessed sensitive documents, track document access on network shares, establish document access timelines, detect access to deleted documents, identify documents of interest, correlate with file system artifacts, and prove user interaction with specific files.

