Wednesday, March 19, 2014

EnCase EnScript to parse each NTUSER.DAT for RecentDocs

This EnScript is another "quick hit" to parse out all the recently accessed files recorded in the user's NTUSER.DAT.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

When run, it will parse each NTUSER.DAT and display the results in console, as well as automatically open Excel (Excel is required to be installed on the examiner's machine in order to use this EnScript) and create a worksheet for each user processed:


The EnScript will also create a bookmark for each user. It will put the date the registry key was last modified in the comment section of each file extension for consideration:



Download EnCase v6 here

0 comments:

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles