Microsoft Office 2013 continues to yield very interesting artifacts related to user activity. Harlan recently posted about the "PendingChanges" subkeys in relation to PowerPoint, and I have previously posted about MS Word's "Reading Locations" subkeys as well as the last saved location
metadata in Excel 2013 spreadsheets. The registry, specifically the
NTUSER.DAT hive, has been particularly interesting in terms of the
Office 2013-related information it stores.
In Harlan's earlier post, he identified references to the PowerPoint
presentation he had opened in PowerPoint 2013 in the "File MRU" and
"Place MRU" subkeys of
"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\User
MRU\LiveId_xxx". The "File MRU" and "Place MRU" subkeys appear to track
files and directories recently accessed by the application, with the
"Item 1" value corresponding to the most recently accessed item, "Item
2" the next most recently accessed, etc.
[Figure: Office 2013 Sign in Option]
Interestingly, it appears that a new LiveId_xxx subkey is created each time a new Live ID account is signed in through the Office 2013 interface. Based on my limited testing thus far, the File and Place MRUs of each LiveId_xxx subkey appear to be updated independently from one another (updates depend on which Live ID account is signed in) as well as independently from the File and Place MRUs maintained when a user is not signed into a Live ID account. This means that you could see multiple sets of File and Place MRUs per application, all within a single NTUSER.DAT hive!
[Figure: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel Subkey]
As Harlan mentioned in his previous post, each Item # value in the File
and Place MRU subkeys should contain data similar to
"[F00000000][T01CF2DF40FEB4220][O00000000]*Z:\Files\Presentation1.pptx",
with the value in the second set of brackets being a FILETIME structure
that corresponds to the last time the file or directory was accessed
from the application. This means that not only do we have an
independent File and Place MRU subkey for each Live ID account that
signed in to the system (as well as a File and Place MRU for when the
user is not signed into a Live ID account), but we are also provided
with the last time each item within each MRU list was accessed.
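The Item value layout quoted above can be decoded and merged across several MRU subkeys as follows. This is an added example, not code from the original post; it assumes the Item strings have already been exported from NTUSER.DAT by a registry parser, and the subkey labels and the second sample value are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Layout of an "Item N" value as quoted in the post:
# [F00000000][T<16 hex digits: FILETIME>][O00000000]*<path>
ITEM_RE = re.compile(
    r"^\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\]\[O([0-9A-Fa-f]{8})\]\*(.+)$"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_mru_item(data):
    """Return (last_access_utc, path) for one Item value, or None if malformed."""
    m = ITEM_RE.match(data.strip())
    if m is None:
        return None
    filetime = int(m.group(2), 16)  # 100-nanosecond ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10), m.group(4)


def build_timeline(mru_sets):
    """Merge the Item values of several MRU subkeys, sorted oldest to newest."""
    rows = []
    for subkey, items in mru_sets.items():
        for name, data in items.items():
            parsed = parse_mru_item(data)
            if parsed is not None:  # skip values that do not match the layout
                rows.append((parsed[0], subkey, name, parsed[1]))
    return sorted(rows)


# Constructed sample: one MRU set for a signed-in Live ID, one for no sign-in.
# Only the first Item string is taken from the post; the labels are assumptions.
SAMPLE = {
    r"User MRU\LiveId_xxx\File MRU": {
        "Item 1": r"[F00000000][T01CF2DF40FEB4220][O00000000]*Z:\Files\Presentation1.pptx",
    },
    "File MRU (not signed in)": {
        "Item 1": r"[F00000000][T01CF2E0000000000][O00000000]*C:\Example\Deck.pptx",
        "Item 2": "not an MRU record",
    },
}

if __name__ == "__main__":
    for when, subkey, name, path in build_timeline(SAMPLE):
        print(when.isoformat(), subkey, name, path)
```

Keeping the subkey label on every row preserves which Live ID account (or no account) each access belongs to once the sets are merged into one timeline.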
Regardless of whether a Live ID account was signed in or which Live ID
account was used to access a file, usage history still appears to be
recorded in the familiar RecentDocs subkey as well as the application's
associated jump list. These artifacts can serve to provide a file
access history (regardless of the Live ID account used to access the
file) as well as to help correlate and confirm data located in other
artifacts.
Based on initial testing, the File and Place MRU list per Live ID
account does not appear to be updated properly on Windows 7 running
Office 2013. More research will be necessary to determine the
value and reliability of this artifact under Windows 7. The majority of
my testing as it relates to the File and Place MRUs has been with
Windows 8.1, which appears to be consistent in updating the appropriate
MRU list. I've only tested the addition of Live ID-associated File and
Place MRUs with Word, Excel, and PowerPoint 2013, so the differences in
MRUs as compared to previous versions of Office likely extend beyond
these three applications.
Source:
http://dfstream.blogspot.com/2014/02/office-2013-more-mrus.html