Digital forensic investigators are typically hired to uncover what happened on a digital device. Regardless of what the device is (mobile phone, laptop, server, etc), they will do their best to produce a narrative of past system events. This narrative is often nothing more than an explained timeline of the system. To achieve this, investigators use a mesh of computer forensic knowledge beyond just looking at file modification dates and last accessed dates (if enabled). As you can imagine, the creation of the timeline requires the investigator to have an actual idea of when the events took place on the system. For this reason, it is highly beneficial to be able to identify what items a device’s user has recently accessed.
How can I find what items were recently accessed on a system?
Shorthand Answer: There are multiple ways that an investigator can determine if an application was recently launched or if a document was opened. Microsoft’s Windows Operating System offers routes such as reviewing certain registry keys or specific artifact files. Meanwhile, macOS 10.11 and beyond use a collection of Shared File lists to keep track of recently used items. In this post, we will cover numerous possibilities from both operating systems.
A valid question is why someone would have any interest in recently used items on a system. Simply, the more information an investigator can learn about a digital device, the better they can outline a user’s actions. Not only will a list of recent items give them a better understanding of the user, but also of the system itself. Therefore, recent items can be highly valuable for the creation of an investigative timeline. Things we hope to find include:
- Application/file’s name (To tell us what the item is)
- Date/time it was recently accessed (To show us when)
- How many times the application/file has been accessed (Launch count)
- Path to the application/file (To show where it exists)
- Any file that this application/file then recently touched (Helpful for word document and PDF apps)
For our purposes we will not be exploring every possible route to discover recently used items, however we will be reviewing a fairly large chunk of them.
Microsoft’s Windows operating system is well known for holding a very large amount of information that is useful for investigators. A wonderful place to begin our quest for recent items is within the Registry. Think of the registry as a massive collection of settings for the system that can hold vital data.
RecentApps: As the name suggests, this registry key shows the recent applications that the user has launched. Not only that, but the RecentApps key also provides the launch count of the recent application, the path to the application, the last accessed date of the application, and the path to the file that was used with the application’s time of launch. The RecentApps key is found at the following path under the user’s NTUSER.dat file, meaning the items are all specific to that single user.
Hive path: Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Shown in our example above, you can see that this system had recently opened the Notepad application, with 9 logged launch counts. This application has been last accessed on 2018-05-01 at 16:17:23. On the right, you can see a list of filenames and paths to the text files that were recently used with this application. If you are interested in learning more about RecentApps, you can do so here.
RecentDocs: Recent documents and other file types are also reflected within this user-specific registry key. This quickly updated list is fantastic for identifying what documents and files were recently accessed locally on the system, or from a network share, by the user. Here you will find valuable information like the name of the target file, the target file’s .LNK name, what ‘Most Recently Used Position’ this file is in (0 is the most recent item in the MRU list), when the document was opened and when the extension was very last accessed.
Hive path: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
UserAssist: This key displays an updated list of executables the user has recently launched. Along with the name of the program, a run counter is also tracked, along with the time the application was last executed. The following two images show different UserAssist lists on the same computer. The top list shows executions of .LNK files, while the bottom list shows the application launch. Link files are basically just shortcut files that are similar to the ones that you created on your desktop, but created automatically on an application’s first launch. Gathering both lists can be equally as useful.
As you can see above, the programs Chrome, DB Browser for SQLite, and pycharm are present in both lists. However, you may notice that the top list shows the path as “User Pinned/taskbar”. This text means that the application was launched from its pinned icon on the taskbar (the more information about the event the better!). The bottom list then shows the same applications being launched for the same instance, but including its file path. The run counters do vary a little bit, and as you can see the focus time populates for only the bottom list. If you are unaware, the focus time is the amount of time this application was active on the screen. From these few highlighted differences, I feel that reviewing both lists can be beneficial.
Continuing our search for recent items, we must inspect the jumplists Windows artifact.
JumpLists: These provide the ability for a user to quickly access items that an application on your taskbar has recently interacted with. You may have seen jumplists in action if you ever right-clicked an application that was sitting on your taskbar (figure 5).
There are two types of jumplists; AutomaticDestinations and CustomDestinations. AutomaticDestinations are jumplist items that are automatically populated by the application. CustomDestinations are when the user has created their own custom jumplists for an application.
As you can see below, jumplist data can reveal helpful information about not only what recent applications were launched, but about what those recent applications touched. For our example, the first image below shows that Chrome has a jumplist populated on this system. The bottom image (at the upper left) then shows that Chrome has recently interacted with some virtual machine .ISO files.
Apple’s Mac Operating system still has artifact files, but in a slightly different way. The majority of all forensic data will be found within logs, plist files, and SFL (Shared File Lists). Much like in Windows, the Mac operating system has seen updates which has changed how this forensic data can be found. Although there aren’t resoundingly-specific artifacts like jumplists, you will still find plenty of places for recently accessed items.
Recent Items: Starting us off is this Mac artifact from versions 10.10 and prior. Recent Items shows the user’s recently opened applications, files, and servers.
SharedFileList: This artifact directory is present in Mac OS 10.11 and beyond. Within it you will find a helpful collection of specific .SFL files including Recent Documents, Recent Applications, and Servers. Think of .SLF files as a list. Unfortunately, there is no date/time reflection on the items within the .SFL files, but you can see when the Modification date/time for the .SFL files themselves.
Recent Documents: Presents recently accessed documents of various types, along with their path.
Path: /Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl
Recent Applications: Presents recently accessed applications, and the path to the application.
Path: /Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl.
Recent Servers: Presents recently accessed ‘server’ access and network shared drives connections.
Path: /Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentServers.sfl
More information on these files and the data residing in them can be found here!
Spotlight: The spotlight database on Mac OS is a forensic file data gold mine. Unlike the SharedFileList items above, spotlight provides valuable date/time information and use count information about files and applications. Read more about Spotlight and download a tool to parse it here!
There are many ways an investigator can identify which applications and files have been recently accessed by a certain user account. Believe it or not, there are even more forensic artifacts on both operating systems which can help determine similar things. Thankfully, minor redundancy exists within some of these artifacts, allowing for data to still be recovered if others are absent. In the end, it all comes down to the specifics of the case and which item type the investigator is looking for at the time. But it is possible.