"The Windows registry contains numerous keys that are useful for forensic analysis. One such set of keys is the MRU keys, which contain the names of applications and files that have been recently opened on the system. This information can be quite useful to a forensic investigator, and the fact that MRU keys exist in both user-based registry hives (NTUSER.DAT) and system hives just bolsters the ability to determine which user opened a particular executable or file." Malwarewolf
Registry Analysis (Windows Forensic Analysis) Part 8 - what when how