Welcome to Cyber Triage Resources

Welcome to the first installment of the Cyber Triage Artifact Speedrun series! Today, we're discussing the office MRU Artifact and how it can be useful in your DFIR investigation.The office MRU Artifact keeps track of Windows Office files accessed by a user. It exists because Windows Office applications like Word, Excel or otherwise use this to keep a list of the most recent documents opened and display it to the user.How does it work? Entries are created when a document, such as my document dot Docx, is opened each time it's opened. The last open timestamp within the MRU artifact is updated. Therefore, the most recent files opened by a Microsoft Office application can be found in the office MRU Artifact.We hope you found this quick overview informative and helpful in your DFIR investigation. Stay tuned for more Artifact Speedruns!

New Release notes 3.3.0 is out and it's better than ever! With New “Data Accessed” data type, Importing Logical files, and PDF / Microsoft Office Document malware scanning.

Cyber Triage version 3.2.0 brings requested customer features, Ingest Batching, Streaming over the Network, and KAPE Import.