Artifacts

Posts Tagged ‘MRU’


Registry: MUICache


Author Name
Matt

Artifact Name
MUICache

Artifact/Program Version
Windows

Description
According to Nirsoft.net, “each time that you start using a new application, the Windows operating system automatically extracts the application name from the version resource of the exe file, and stores it for later use in a Registry key known as the ‘MuiCache’.”

This key is similar to the UserAssist key in that it records programs that have been run on the system. It is useful when looking for evidence of malware, virtualization, or “evidence cleaning” programs, since an executable that has since been deleted may still have left its name and path here.

Please see the additional description from “Windows Forensic Analysis” in the first Research Link.

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Research Links
- Google Book Preview – Windows Forensic Analysis
- http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html

Forensic Programs of Use
- http://www.nirsoft.net/utils/muicache_view.html
- http://regripper.net

Registry: ACMru – Search Assistant


Author Name
Matt

Artifact Name
ACMru – Search Assistant

Description
This registry key stores search terms that have been typed into the Windows Search dialog box (Windows Start Button –> Search). There may be up to four subkeys:

- 5001: Contains the list of terms used for the Internet Search Assistant
- 5603: Contains the list of terms used for the Windows XP files and folders search
- 5604: Contains the list of terms used in the “word or phrase in a file” search
- 5647: Contains the list of terms used in the “for computers or people” search

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru
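The following PowerShell script is an added example, not code from either post or from the tools listed below. It enumerates the two artifacts described above (the MUICache key from the previous post and the ACMru subkeys from this one) from the live HKCU hive of the logged-on user and writes them to a CSV for triage. The function names and the output file name mru_triage.csv are my own choices; the registry paths and the subkey meanings are the ones given in the posts. One caveat worth knowing when working from exported hives rather than a live system: HKCU\Software\Classes (and therefore the Vista-and-later MuiCache path) is backed by UsrClass.dat, while the ShellNoRoam path and ACMru live in NTUSER.dat.

```powershell
# Added example: collect MUICache and ACMru entries from the current user's
# live registry. Paths are the ones listed in the posts; the ShellNoRoam path
# is the Windows XP-era location, the Classes\Local Settings path is used on
# Vista and later. Whichever paths exist are read; missing ones are skipped.
$muiCachePaths = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
)

function Get-MuiCacheEntries {
    foreach ($path in $muiCachePaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            [PSCustomObject]@{
                Artifact = 'MUICache'
                Source   = $path
                Name     = $p.Name    # usually the executable path (plus a suffix on Vista+)
                Value    = $p.Value   # friendly name taken from the version resource
            }
        }
    }
}

$acmruPath = 'HKCU:\Software\Microsoft\Search Assistant\ACMru'

# Subkey meanings as listed in the ACMru post
$acmruSubkeys = @{
    '5001' = 'Internet Search Assistant'
    '5603' = 'Files and folders search'
    '5604' = 'Word or phrase in a file'
    '5647' = 'For computers or people'
}

function Get-AcmruEntries {
    if (-not (Test-Path -Path $acmruPath)) { return }
    foreach ($sub in Get-ChildItem -Path $acmruPath) {
        $props = Get-ItemProperty -Path $sub.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [PSCustomObject]@{
                Artifact = 'ACMru'
                Source   = $sub.PSChildName
                Search   = $acmruSubkeys[$sub.PSChildName]
                Slot     = $p.Name    # numbered value names, e.g. "000", "001", ...
                Value    = $p.Value   # the search term that was typed
            }
        }
    }
}

# Combine both artifacts, show them on screen and keep a CSV for the case file
$results = @(Get-MuiCacheEntries) + @(Get-AcmruEntries)
$results | Format-Table -AutoSize
$results | Export-Csv -Path .\mru_triage.csv -NoTypeInformation
```

Run it in the context of the user account under investigation, since both keys are per-user; for another user's offline NTUSER.dat or UsrClass.dat, load the hive under HKU first or use one of the offline tools listed in the Forensic Programs of Use section.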

Research Links
http://books.google.com/books?id=5hvSrBGVfIgC&pg=PA235&lpg=PA235&dq=acmru+search+assistant&source=bl&ots=HqAt5n3Tue&sig=Bj7WMCRVmVOyndo9UVyXTs7tmVE&hl=en&ei=Y1ltTMWdOozSngeGtfHsBw&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDcQ6AEwBw#v=onepage&q=acmru%20search%20assistant&f=false

http://www.windowsitpro.com/article/configuration/how-can-i-clear-windows-xp-s-search-companion-cache-of-previous-searches-.aspx

Forensic Programs of Use
RegRipper

Other Info
A good explanation can be read in Windows Forensic Analysis 2e by Harlan Carvey. I highly recommend this book.

Registry: Common MRUs


Author Name
ForensicsWiki

Artifact Name
Common Windows Most Recently Used Locations

Artifact/Program Version
Windows (various versions)

Categories
Registry

Description

Registry Keys

EDITOR’S NOTE (Joe)

The author sent in a submission which included numerous Registry Keys for examiners to look for regarding Windows MRU Locations.  It was essentially a copy & paste from the ForensicsWiki page.  I have left the link to that page below so that if you would like to check out that list you can for further educational purposes.  I felt that it did not fit the format that we are going for here on this site.  Thank you to the author for their submission!

Research Links
http://www.forensicswiki.org/wiki/List_of_Windows_MRU_Locations#Common

Forensic Programs of Use
RegRipper