The Data Accessed Artifact Category contains artifacts that show which files a user explicitly opened or saved, for example the documents they opened.
The category does not include:
- Programs that the user launched; those are in the Process Artifact Category.
- Files that were indirectly opened, such as configuration files that an application uses. Those are features of a process.
Key Attributes of the Artifacts
A Data Accessed artifact will have attributes such as:
- Path to file that was opened or saved
- Date that the file was last opened or saved
Why Is It Important For DFIR?
Data Accessed Artifacts are useful for DFIR because they answer investigative questions about user intent, even if the user account was taken over by an attacker.
- In an intrusion case with account takeover, these artifacts could show what documents the attacker was interested in, for example if they were opening documents about a certain technology or area of the company.
- For an insider threat case, they can show what kinds of documents the user wanted to steal.
- In a general investigation, where the investigator is trying to profile the computer owner, these artifacts can reveal what documents the owner was recently interested in.
Further, these artifacts sometimes store a path to a file that no longer exists, or a path on a removable drive, such as “D:\”. These can reveal:
- What files were of importance and are now deleted
- What files were on a removable drive and that may have been copied off the system
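A small triage pass over Data Accessed records that surfaces the two cases above, given here as an added example and not code from the original page. The record tuples, the `triage` function, its tag names, and the examiner-supplied set of fixed volumes and list of existing paths are all assumptions made for illustration.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample records: (path, date last opened or saved). Not real case data.
SAMPLE_RECORDS = [
    (r"C:\Users\jdoe\Documents\roadmap.docx", datetime(2024, 3, 1, 9, 15)),
    (r"C:\Users\jdoe\Desktop\design_specs.pdf", datetime(2024, 3, 2, 14, 2)),
    (r"D:\backup\design_specs.pdf", datetime(2024, 3, 2, 14, 5)),
    (r"\\fileserver\eng\pricing.xlsx", datetime(2024, 3, 2, 13, 40)),
]


def triage(records, fixed_volumes, existing_paths):
    """Return (when, tag, path) leads, oldest first.

    fixed_volumes  -- drive letters of the image's fixed disks, e.g. {"C:"}
                      (assumption: supplied by the examiner)
    existing_paths -- paths still present in the image's file system
    """
    existing = {p.lower() for p in existing_paths}
    # File names seen on a fixed volume, used to spot the same name elsewhere.
    local_names = {
        PureWindowsPath(p).name.lower()
        for p, _ in records
        if PureWindowsPath(p).drive.upper() in fixed_volumes
    }
    leads = []
    for path, when in sorted(records, key=lambda r: r[1]):
        p = PureWindowsPath(path)
        drive = p.drive.upper()
        if drive.startswith("\\\\"):
            tag = "network-share"            # UNC path, not a local drive letter
        elif drive not in fixed_volumes:
            # Possibly a removable drive; a matching local name hints at a copy.
            tag = "same-name-off-volume" if p.name.lower() in local_names else "off-volume"
        elif path.lower() not in existing:
            tag = "no-longer-exists"         # referenced by the artifact, gone from disk
        else:
            continue                         # present on a fixed volume: nothing to flag
        leads.append((when, tag, path))
    return leads


if __name__ == "__main__":
    still_present = [r"C:\Users\jdoe\Desktop\design_specs.pdf"]
    for when, tag, path in triage(SAMPLE_RECORDS, {"C:"}, still_present):
        print(when.isoformat(), tag, path)
```

The tags are leads to follow up, not conclusions: a matching file name on another volume suggests a copy but does not prove one.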
Artifacts in this category include:
- ComDlg32 LastVisitedMRU
- ComDlg32 OpenSave MRU
- Explorer RecentDoc Registry
- Jump Lists
- Office MRU
- Shell Bags
- Windows Recent Folder