:py:mod:`dissect.target.plugins.os.windows.regf.mru`
====================================================

.. py:module:: dissect.target.plugins.os.windows.regf.mru


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.mru.MRUPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.regf.mru.parse_mru_key
   dissect.target.plugins.os.windows.regf.mru.parse_mru_ex_key
   dissect.target.plugins.os.windows.regf.mru.parse_office_mru
   dissect.target.plugins.os.windows.regf.mru.parse_office_mru_key


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.mru.UserRegistryRecordDescriptor
   dissect.target.plugins.os.windows.regf.mru.RunMRURecord
   dissect.target.plugins.os.windows.regf.mru.RecentDocsRecord
   dissect.target.plugins.os.windows.regf.mru.OpenSaveMRURecord
   dissect.target.plugins.os.windows.regf.mru.LastVisitedMRURecord
   dissect.target.plugins.os.windows.regf.mru.ACMruRecord
   dissect.target.plugins.os.windows.regf.mru.MapNetworkDriveMRURecord
   dissect.target.plugins.os.windows.regf.mru.TerminalServerMRURecord
   dissect.target.plugins.os.windows.regf.mru.MSOfficeMRURecord


.. py:data:: UserRegistryRecordDescriptor

.. py:data:: RunMRURecord

.. py:data:: RecentDocsRecord

.. py:data:: OpenSaveMRURecord

.. py:data:: LastVisitedMRURecord

.. py:data:: ACMruRecord

.. py:data:: MapNetworkDriveMRURecord

.. py:data:: TerminalServerMRURecord

.. py:data:: MSOfficeMRURecord

.. py:class:: MRUPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Return MRU data stored at various registry keys.

   The Windows registry contains various keys about Most Recently Used (MRU) files.

   .. rubric:: References

   - https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

   .. py:attribute:: __namespace__
      :value: 'mru'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: run()

      Return the RunMRU data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`` registry key contains information
      about the most recent commands that have been performed by the Run application.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: recentdocs()

      Return the RecentDocs data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`` registry key contains
      information about the last 10 documents that the currently logged on user accessed or executed via
      Windows Explorer.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: opensave()

      Return the OpenSaveMRU data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU`` registry key
      contains information about the most recently opened or saved files.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: lastvisited()

      Return the LastVisitedMRU data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`` registry key
      contains information about the executable used by an application to open the files that are documented
      at the OpenSaveMRU registry key. Also each value tracks the directory location for the last file that
      was accessed by that application.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: acmru()

      Return the ACMru (Windows Search) data.

      The following keys are being searched:

      - ``HKCU\Software\Microsoft\Search Assistant\ACMru``: This registry key contains the most recent search
        history from Windows default search.
      - ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery``: This registry key contains
        the most recent search history from Windows Explorer. (Windows >=7)

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

      Known categories:

      - 5001: Internet Search Assistant
      - 5603: Windows XP files and folder search
      - 5604: "Word or phrase in a file" dialog box
      - 5647: "For computers or people" selection in Search Results dialog box

   .. py:method:: networkdrive()

      Return MRU of mapped network drives.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU`` registry key
      contains information about the most recently used mapped network drives.

      .. rubric:: References

      - https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html#keys-with-a-mrulist-value

   .. py:method:: mstsc()

      Return Terminal Server Client MRU data.

   .. py:method:: msoffice()

      Return MS Office MRU keys.


.. py:function:: parse_mru_key(target, key, record)

.. py:function:: parse_mru_ex_key(target, key, record)

.. py:function:: parse_office_mru(target, key, record)

.. py:function:: parse_office_mru_key(target, key, record)
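
The MRU keys listed on this page store their entries as separate values plus one ordering value, either ``MRUList`` or ``MRUListEx``. The following standalone code is an added example, not dissect's own implementation, showing how those two ordering values are conventionally interpreted when triaging a hive by hand. The helper names and all sample values are constructed for illustration.

```python
import struct

MRULISTEX_END = 0xFFFFFFFF  # terminator of an MRUListEx index array


def order_from_mrulist(values):
    """MRUList is a string; each character names a value, newest first."""
    order = values.get("MRUList", "")
    # Skip characters whose value no longer exists in the key.
    return [(name, values[name]) for name in order if name in values]


def order_from_mrulistex(values):
    """MRUListEx is an array of little-endian uint32 value names, newest first."""
    raw = values.get("MRUListEx", b"")
    usable = len(raw) - len(raw) % 4  # ignore a truncated trailing index
    ordered = []
    for (index,) in struct.iter_unpack("<I", raw[:usable]):
        if index == MRULISTEX_END:
            break
        if str(index) in values:
            ordered.append((str(index), values[str(index)]))
    return ordered


def leading_utf16_string(data):
    """Return the NUL-terminated UTF-16LE string at the start of a binary entry."""
    for offset in range(0, len(data) - 1, 2):
        if data[offset:offset + 2] == b"\x00\x00":
            return data[:offset].decode("utf-16-le", errors="replace")
    return data[: len(data) - len(data) % 2].decode("utf-16-le", errors="replace")


# Constructed sample values (hypothetical), shaped like RunMRU and RecentDocs.
# RunMRU entries carry a trailing "\1"; the bytes after each RecentDocs name
# are a stand-in for the data that follows the file name in a real value.
RUN_MRU = {"MRUList": "bca", "a": "cmd\\1", "b": "regedit\\1", "c": "notepad\\1"}
RECENT_DOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRULISTEX_END),
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00\x14\x00",
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00\x14\x00",
    "2": "budget.xlsx".encode("utf-16-le") + b"\x00\x00\x14\x00",
}


def recent_doc_names(values):
    """File names from a RecentDocs-style key, most recently used first."""
    return [leading_utf16_string(data) for _, data in order_from_mrulistex(values)]
```

Only the position in the ordering value says which entry is newest; the value names themselves (``a``, ``b``, ``0``, ``1``) reflect slot assignment, not recency.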