Aust Dyches • 07/25/2022
Hi, my name is Austin Dyches and I’m the product manager for Cyber triage and welcome to the Cyber Triage Artifact Speedrun series, where we bring you quick overviews on the various artifacts parsed in our tool and how they can help you in your DFIR investigation.
So today we’re talking about the office MRU Artifact, which stands for most recently used and how that artifact can be useful in your investigation.
So let’s get started first, what?
Is it the office Imru artifact keeps track of Windows Office files accessed by a user in the location of that file?
Why does it exist?
Windows Office applications like Word, Excel or otherwise use this to keep a list of the most recent documents opened and display it to the user.
So how does it work?
Entries are created when a documents such as my document dot Docx is opened each time it’s opened.
The last open timestamp within the MRU artifact is updated.
The most recent files opened by a Microsoft Office.
Location will be listed as the first entry, so these entries are not deleted when the associated document is deleted and just FYI, creating a document by right clicking and selecting new document will not create an entry until the document is opened, so different subkeys are used for things like
Office 365 like Live ID and ADL.
We won’t cover those here, but based on testing there does not appear to be limit on how much data is allowed to be stored in the key or for how long.
So we tested up to 1262 entries and had entries from 2010. No issue, So what data is stored?
The office MRU data is stored in a user’s ntuser dat registry hive like this.
And each office application and version has its own list.
For example, here is a path for word 2016. And you can tell which version of Office they are using based on these version numbers.
All right within this key there are several sub keys that are relevant.
The first file MRU files recently open.
We’ll talk about some more place imru folders recently used to open and save, and user MRU which contains files and folders recently used.
When an online Microsoft account was used, we see that with this key, the office 2016 file MRU.
We see that the key is listed as item one, meaning that this key will be at the top of the most recent list, with item 2 etcetera being the next and so forth in the data section we have a few different pieces of information, and we’ll walk through them.
The first section that starts with F000 and so on means that the document was pinned.
The next section in brackets is the date timestamp in HEX, representing a win 32 datetime in Big Indian.
Next is a marker and the last of the full ASCII path and file name.
So what’s the relevance of DFR at a high level?
You can view documents open by a user that might have been malicious a little deeper.
You can see which documents a user opened, the location of the document, the order in which the documents were opened and the last open time.
So where can you see all this?
Inside of triage and cyber triage you can find the office imru contents and the data.
Access section this section shows files that a user opened or saved.
You can look at the source info section to see if the item came from an office MRU key or another artifact and how does cyber triage score it?
Well, Cyber Triage score office MRU files.
If they have malware characteristics, for example, an office document that has a macro that runs when the documents open will get flagged just one of the many ways in which cyber triage can assist you and your DFI investigation.
And that is the Microsoft Office MRU artifact until next time.