Welcome to Cyber Triage Resources


Recent Posts



What is a Windows OpenSave MRU Artifact?

What Is a Windows OpenSave MRU Artifact? The Windows OpenSaveMRU...


What is a Microsoft Office Most Recently Used Artifact “MRU”

What is an Office MRU artifact? This artifact stores references...

New Features

Cyber Triage 3.3.0

Cyber Triage version 3.3.0 introduces many new features to make...



What is a “Most Recently Used” Artifact Video

Welcome to the first installment of the Cyber Triage Artifact Speedrun series! Today, we're discussing the Office MRU artifact and how it can be useful in your DFIR investigation.

The Office MRU artifact keeps track of Windows Office files accessed by a user. It exists because Windows Office applications like Word, Excel or otherwise use this to keep a list of the most recent documents opened and display it to the user.

How does it work? Entries are created when a document, such as mydocument.docx, is opened. Each time it's opened, the last open timestamp within the MRU artifact is updated. Therefore, the most recent files opened by a Microsoft Office application can be found in the Office MRU artifact.

We hope you found this quick overview informative and helpful in your DFIR investigation. Stay tuned for more Artifact Speedruns!

New Features

Cyber Triage 3.3.0 Release Updates Video

Release 3.3.0 is out and it's better than ever, with a new “Data Accessed” data type, importing of logical files, and PDF / Microsoft Office document malware scanning.

New Features

Cyber Triage 3.2.0 New Release Video

Cyber Triage version 3.2.0 brings customer-requested features, ingest batching, streaming over the network, and KAPE import.