Dự án diễn đàn ww88ap. Nơi chia sẽ kinh nghiệm ww88. ww88ap
You are not logged in.
Registry Artifacts: Adobe Acrobat Reader .
As you probably already know, the Windows Registry is a treasure trove of forensics artifacts that can come in quite handy during investigations and incident response.
Many applications leave quite the trail, and I’ve decided to start documenting these less common sections in the registry and sharing the information that I find on my blog.
We’ll start with Adobe Acrobat Reader :In addition to recently accessed files showing up under the RecentDocs key, Acrobat Reader itself stores a list of the 5 most recently accessed PDF files in the user’s hive.
The subkeys found in this location are labeled cx (where x is replaced by the numbers 1 through 5), and under each of these subkeys you’ll find a value named tDIText which contains the full path and filename of the recently accessed pdf file.
any existing values found in cx are copied to cx+1 and any values that were in c5 are lost (of course, keep in mind that you may be able to use VSS to recover old hives).
Unfortunately.
you can get the date and time of the most recent file access (for the file information stored in c1) by reviewing the registry key’s last write time.
For all of the other files described in the other subkeys, given no other support ing data, you’ll only be able to state that the pdf file was accessed but will be unable to definitively state when.
If/when I discover any other interesting artifacts left by Adobe Acrobat Reader in the registry, I’ll make sure to update this post with my findings.
Feel free to leave me a comment as well if you have any additional Reader related artifacts that you review as part of your workflow… Comments.
Globz says February 27, 2012 at 10:33 pmYou can also see a list of visited trusted url’s inside TrustManagercDefaultLaunchURLPermsUrl’s will only be added if the user wants Reader to remember this action.
2012 at 8:07 amThanks Globz.
Reply.
Leave a Reply Cancel reply.
Your email address will not be published.
Required fields are marked * CommentName * Email * Website This site uses Akismet to reduce spam.
Learn how your comment data is processed.
Offline