FirstFolder
Overview
Evidence: FirstFolder
Description: Enumerate FirstFolder
Category: System
Platform: windows
Short Name: firstfolder
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The FirstFolder MRU (Most Recently Used) list tracks the first folder that was opened when using Windows common file dialogs (Open/Save dialogs). This registry artifact records which folders users or applications initially navigated to when opening or saving files.
This can provide evidence of file operations and folder access patterns associated with specific applications.
Data Collected
This collector gathers structured data about FirstFolder entries.
FirstFolder Data
| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | 0 |
| Username | User account name | user |
| Path | File name | document.docx |
| Folder | Folder path opened | C:\Users\user\Documents\Confidential |
| MRUPosition | Position in MRU list | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
- Parses MRUListEx binary data to determine access order
- Extracts file names and folder paths from binary structures
- Orders entries by MRU position
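The parsing and ordering steps above, sketched as an added example (not the collector's own code). It reads MRUListEx as little-endian DWORDs terminated by 0xFFFFFFFF and assumes each FirstFolder value holds two NUL-terminated UTF-16LE strings (name, then folder); the function names and sample bytes are constructed for illustration.

```python
import struct

MRU_END = 0xFFFFFFFF  # DWORD that terminates an MRUListEx array

def parse_mrulistex(data: bytes) -> list[int]:
    """Return value names as integers, most recently used first."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):  # ignore a truncated tail
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_END:
            break
        order.append(idx)
    return order

def split_utf16_strings(blob: bytes) -> list[str]:
    """Split a blob into its NUL-terminated UTF-16LE strings."""
    out, start = [], 0
    for off in range(0, len(blob) - 1, 2):
        if blob[off:off + 2] == b"\x00\x00":
            if off > start:
                out.append(blob[start:off].decode("utf-16-le", errors="replace"))
            start = off + 2
    tail = blob[start:len(blob) - (len(blob) - start) % 2]  # unterminated last string
    if tail:
        out.append(tail.decode("utf-16-le", errors="replace"))
    return out

def order_entries(values: dict[int, bytes], mrulistex: bytes) -> list[dict]:
    """Build rows in MRU order; MRUPosition is the slot in the MRUListEx array."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(mrulistex)):
        if idx not in values:  # listed in MRUListEx but the value is missing
            continue
        parts = split_utf16_strings(values[idx]) + ["", ""]
        rows.append({"MRUPosition": pos, "Value": str(idx),
                     "Path": parts[0], "Folder": parts[1]})
    return rows

# Constructed sample data (assumed layout, not taken from a real hive).
def _u16(*strings: str) -> bytes:
    return b"".join((s + "\x00").encode("utf-16-le") for s in strings)

SAMPLE_VALUES = {
    0: _u16("document.docx", r"C:\Users\user\Documents\Confidential"),
    1: _u16("report.xlsx", r"C:\Temp"),
}
SAMPLE_MRULISTEX = struct.pack("<4I", 1, 7, 0, MRU_END)  # index 7 has no value

if __name__ == "__main__":
    for row in order_entries(SAMPLE_VALUES, SAMPLE_MRULISTEX):
        print(row)
```

A gap in MRUPosition, as with the missing index 7 here, shows that MRUListEx references a value that is no longer present under the key.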
Forensic Value
FirstFolder MRU reveals folder access through file dialogs and can indicate file operations. Investigators use this data to identify folders accessed for file operations, track file saving/opening patterns, detect access to hidden or sensitive folders, correlate with application usage, and establish file operation timelines.