NTUSER Trust Records

Posted by: Andrew Case

Office

The TrustRecords key inside Office’s section of the NTUSER hive holds the full path of each document that was downloaded from an untrusted location (e.g. a web browser download) and that the user had to explicitly tell Office to trust. This “trust” prompt is shown when the user wants to edit the document or run macros inside it.

The artifact is interesting because it holds not only the full path as an MRU-style listing, but the data of each name/value pair also records the time at which the document was trusted.

Software\Microsoft\Office\14.0\PowerPoint\Security\Trusted Documents\TrustRecords

The path component after “Office” will differ per version of Office, but the rest of the path is the same.

NTUSER hive

RegExtract – http://www.woanware.co.uk/?page_id=209 – the “OfficeDocuments” plugin will extract this information.
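As an added example (not code from the post or from RegExtract), the script below shows how the values under a TrustRecords key can be turned into a timeline for triage. The key path pattern and the fact that the value name is the document path come from the post; the assumption that the first 8 bytes of each value’s data are a little-endian Windows FILETIME recording when the document was trusted is mine and is labelled as such in the code, as is the constructed sample data. The remaining bytes are preserved as hex rather than interpreted.

```python
import struct
from datetime import datetime, timedelta, timezone

# Key path pattern from the post; only the version ("14.0") and application
# ("PowerPoint") components vary between Office versions and products.
TRUST_RECORDS_KEY = (
    r"Software\Microsoft\Office\{version}\{app}"
    r"\Security\Trusted Documents\TrustRecords"
)

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def trust_records_key(version: str, app: str) -> str:
    """Build the TrustRecords key path for a given Office version/application."""
    return TRUST_RECORDS_KEY.format(version=version, app=app)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_trust_record(value_name: str, value_data: bytes) -> dict:
    """Decode one TrustRecords name/value pair.

    The value name is the trusted document's path (from the post).
    ASSUMPTION: the first 8 bytes of the data are a little-endian FILETIME
    giving the time the document was trusted. Anything after that is kept
    as raw hex so nothing is silently discarded or misinterpreted.
    """
    if len(value_data) < 8:
        raise ValueError("trust record data shorter than 8 bytes: %r" % value_name)
    (ft,) = struct.unpack_from("<Q", value_data, 0)
    return {
        "path": value_name,
        "trusted_at": filetime_to_datetime(ft),
        "extra": value_data[8:].hex(),
    }


def build_timeline(values: dict) -> list:
    """Parse every value under a TrustRecords key and order by trust time."""
    records = [parse_trust_record(name, data) for name, data in values.items()]
    records.sort(key=lambda r: r["trusted_at"])
    return records


# Constructed sample: value names and data as they might be exported from a
# hive. These are NOT real values from any system; the trailing 16 bytes
# are zero filler, since their meaning is not established by the post.
_T1 = datetime(2012, 7, 10, 9, 30, 0, tzinfo=timezone.utc)
_T2 = datetime(2012, 7, 14, 18, 5, 42, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    "%USERPROFILE%/Downloads/quarterly_report.pptx":
        struct.pack("<Q", datetime_to_filetime(_T2)) + b"\x00" * 16,
    "%USERPROFILE%/Downloads/invoice.docm":
        struct.pack("<Q", datetime_to_filetime(_T1)) + b"\x00" * 16,
}


if __name__ == "__main__":
    print("Key:", trust_records_key("14.0", "PowerPoint"))
    for rec in build_timeline(SAMPLE_VALUES):
        print(rec["trusted_at"].isoformat(), rec["path"], "extra=" + rec["extra"])
```

On a real case the `values` dictionary would be filled from the TrustRecords key of the exported NTUSER.DAT (one entry per value, name mapped to raw data) using whatever registry parser is already in the toolkit; the timeline then answers “which downloaded documents did this user explicitly trust, and when”, which pairs naturally with browser download history for the same account.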

One Comment

Harlan Carvey

July 16, 2012

Andrew,

Thanks for posting this information. I wrote up a RegRipper plugin for this information.

One question…do you know what the date/time fields within the binary data correspond to?

Thanks.
