RecentDocs
Overview
Evidence: RecentDocs
Description: Enumerate RecentDocs
Category: System
Platform: windows
Short Name: recentdocs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The RecentDocs registry key tracks files that users have recently opened, organized by file extension. Windows maintains separate MRU lists for each file extension (e.g., .docx, .pdf, .txt) as well as a general list of all recently accessed files.
This artifact preserves evidence of file access even after files are deleted and can reveal which documents and files users were working with.
Data Collected
This collector gathers structured data about RecentDocs entries.
RecentDocs Data
| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | 0 |
| Username | User account name | user |
| Extension | File extension | .docx |
| FileName | File name | confidential-report.docx |
| LNKName | Associated LNK file path | C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\confidential-report.lnk |
| MRUPosition | Position in MRU list (0 = most recent) | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for RecentDocs keys:
  - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (all files)
  - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\* (by extension)
- Parses MRUListEx binary data
- Decodes shell item data using libfwsi
- Extracts file names and LNK file references
- Orders by MRU position (most recent first)
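The parsing steps above, as an added worked example that is not the collector's own code: it decodes an MRUListEx value into MRU order, splits each numbered value into its UTF-16LE file name and the .lnk name carried in the trailing shell item, and emits records most recent first. The shell item decoding is a deliberate minimum (one item type, primary name only) rather than libfwsi, and the sample value bytes are constructed, not taken from a real hive.

```python
import struct
from typing import Dict, List
MRU_END = 0xFFFFFFFF  # MRUListEx terminator

def parse_mrulistex(data: bytes) -> List[int]:
    # Little-endian uint32 value names, most recently used first, 0xFFFFFFFF-terminated.
    order = []
    for off in range(0, len(data) - 3, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == MRU_END:
            break
        order.append(idx)
    return order

def parse_recentdocs_value(data: bytes) -> Dict[str, str]:
    # Layout: NUL-terminated UTF-16LE file name, then a shell item list whose file-entry
    # item (class type 0x3x) holds the .lnk name as an ANSI string at offset 14.
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    file_name = data[:end].decode("utf-16-le", errors="replace")
    items, lnk_name = data[end + 2:], ""
    if len(items) >= 15 and (items[2] & 0x70) == 0x30:
        size = struct.unpack_from("<H", items, 0)[0]
        lnk_name = items[14:size].split(b"\x00", 1)[0].decode("cp1252", errors="replace")
    ext = file_name[file_name.rfind("."):].lower() if "." in file_name else ""
    return {"FileName": file_name, "LNKName": lnk_name, "Extension": ext}

def order_recentdocs(values: Dict[str, bytes]) -> List[Dict[str, str]]:
    # One record per MRU entry, most recent first (MRUPosition 0), as the collector emits.
    rows = []
    for pos, idx in enumerate(parse_mrulistex(values["MRUListEx"])):
        rec = parse_recentdocs_value(values[str(idx)])
        rec.update({"Value": str(idx), "MRUPosition": str(pos)})
        rows.append(rec)
    return rows

# Constructed sample bytes mimicking raw RecentDocs values (not from a real hive).
def _value(file_name: str, lnk_name: str) -> bytes:
    name = lnk_name.encode("ascii") + b"\x00"
    body = struct.pack("<BBIIH", 0x32, 0, 0, 0, 0x20) + name + b"\x00" * (len(name) % 2)
    item = struct.pack("<H", len(body) + 2) + body  # size field counts itself
    return file_name.encode("utf-16-le") + b"\x00\x00" + item + b"\x00\x00"  # list end

SAMPLE = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_END),
    "0": _value("notes.txt", "notes.lnk"),
    "1": _value("budget.xlsx", "budget.lnk"),
    "2": _value("confidential-report.docx", "confidential-report.lnk"),
}
```

Running `order_recentdocs(SAMPLE)` yields the .docx entry first because MRUListEx names value 2 before values 0 and 1; against a real hive the Username, KeyPath and LastWriteTime fields would be taken from the hive and key being parsed.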
Forensic Value
RecentDocs reveals which files users recently accessed and can persist after file deletion. Investigators use this data to identify recently accessed documents, track file access by extension type, detect access to sensitive or classified files, establish document access timelines, prove user interaction with specific files, correlate with LNK files and JumpLists, and identify files of interest that may have been deleted.