What Is A Windows Recents Folder Artifact?
The Recents Folder artifact contains files and folders that were recently opened or saved. It is closely related to the Windows MRU and JumpList artifacts, which will be covered in other posts.
This artifact is in the Data Accessed category, which contains items that a user opened or saved.
Why Does A Windows Recents Folder Artifact Exist?
Microsoft Windows maintains this artifact so that it can show recent files to the user. Different versions of Windows have different ways of showing “recent” files to the user.
In Windows 10, you must browse the actual folder to see the contents. The “Quick Access” list of documents in Windows 10 is populated by a Jump List, not this folder.
In previous versions of Windows, you could see it from the Start Menu.
How Is a Windows Recents Folder Artifact Useful in DFIR?
It is useful to a DFIR investigator because it can show what files the user was recently focused on:
- In an intrusion case with an account takeover, this list could show what files the attacker was interested in. These could be documents with intellectual property or configuration files for their attack tools.
- For an insider threat case, it can show what kinds of documents the user was opening.
- In a general investigation, knowing what documents the user recently opened can reveal what they used the computer for.
It can also list file paths and times for files that have since been deleted or were on a removable drive.
Where Do You Find Windows Recents Folder Artifacts?
These artifacts are in a file system folder. The path depends on the operating system version:
Vista+: %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent
XP: %UserProfile%\Recent
For example, on Windows 10, it could be at c:\users\jdoe\AppData\Roaming\Microsoft\Windows\Recent
Note that if you navigate to this folder on a live Windows system, it will display as “Recent Items” instead of “Recent.” But, if you are looking with a forensics tool or the command prompt, it will be “Recent.”
What Does a Windows Recents Folder Artifact Contain?
The folder contains “.lnk” files that point to recent folders and files. Some systems keep a fixed number of entries (149), and others do not. A registry key limits the number.
The LNK files will contain:
- Path to the file that was opened or saved
- Dates of last activity
- Metadata of the target file, such as size and dates.
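The target metadata listed above sits in the fixed 76-byte header at the start of every LNK file. The following is an added example, not code from this post or from Cyber Triage: it reads that header following Microsoft's published Shell Link binary format, and the function names and the sample header are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Fixed values from the published Shell Link (.LNK) format: header size and class ID.
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
# size, CLSID, flags, attributes, 3 FILETIMEs, file size (rest of header ignored)
HEADER = struct.Struct("<I16sIIQQQI")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def utc_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_lnk_header(data):
    """Return target-file metadata stored in the first 76 bytes of a .lnk file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than a shell link header")
    size, clsid, flags, attrs, created, accessed, written, target_size = \
        HEADER.unpack_from(data)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a shell link file")
    return {
        "target_created": filetime_to_utc(created),
        "target_accessed": filetime_to_utc(accessed),
        "target_modified": filetime_to_utc(written),
        "target_size": target_size,          # low 32 bits of the target's size
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
    }

def build_sample_header():
    """Constructed sample: header for a 20480-byte file, access time unset."""
    created = utc_to_filetime(datetime(2023, 3, 1, 9, 30, tzinfo=timezone.utc))
    written = utc_to_filetime(datetime(2023, 3, 14, 16, 5, tzinfo=timezone.utc))
    fixed = HEADER.pack(HEADER_SIZE, LINK_CLSID.bytes_le, 0, 0x20,
                        created, 0, written, 20480)
    return fixed.ljust(HEADER_SIZE, b"\x00")  # icon index, show command, etc.

if __name__ == "__main__":
    for field, value in parse_lnk_header(build_sample_header()).items():
        print(f"{field}: {value}")
```

To use it on collected evidence, pass the bytes of a file exported from the Recent folder to `parse_lnk_header`. The path to the target is stored in the variable-length structures after the header, which this example does not parse.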
Where Can You See Windows Recents Folder Artifact in Cyber Triage?
You can see Recent Folder artifacts in Cyber Triage in the “Data Accessed” section. Cyber Triage will parse the LNK files and collect the target file being referred to.
The Recent Folder artifacts are merged with other Data Accessed artifacts, but you can see if an artifact came from the Recent Folder in the Source Info section in the bottom right.
How Does Cyber Triage Score Windows Recents Folder Artifact?
Cyber Triage will score files as suspicious if they have malware characteristics. For example, an Office document with a macro that runs when the document is opened would get flagged.
About Cyber Triage
Cyber Triage is automated digital forensics and incident response (DFIR) software that allows cybersecurity professionals like you to quickly answer intrusion questions related to:
- Malware
- Ransomware
- Account Takeover
It uses host-based data, scoring, advanced analytics, and a recommendation engine to ensure your investigations are fast and comprehensive.