ww88

ww88ap forum project. A place to share ww88 experience. ww88ap


#1 2020-09-14 13:06:19

AngeliaSte
Member
From: Germany, Hebertsfelden
Registered: 2020-09-14
Posts: 1

Registry Artifacts: Adobe Acrobat Reader

As you probably already know, the Windows Registry is a treasure trove of forensics artifacts that can come in quite handy during investigations and incident response.
Many applications leave quite the trail, and I’ve decided to start documenting these less common sections in the registry and sharing the information that I find on my blog.
We’ll start with Adobe Acrobat Reader:

In addition to recently accessed files showing up under the RecentDocs key, Acrobat Reader itself stores a list of the 5 most recently accessed PDF files in the user’s hive.

This information can be found in the subkeys under Software\Adobe\AVGeneral\cRecentFiles

The subkeys found in this location are labeled cx (where x is replaced by the numbers 1 through 5), and under each of these subkeys you’ll find a value named tDIText which contains the full path and filename of the recently accessed pdf file.

Every time a new PDF file is opened in Reader, any existing values found in cx are copied to cx+1 and any values that were in c5 are lost (of course, keep in mind that you may be able to use VSS to recover old hives).

Unfortunately, Reader does not store date/time stamp values in these subkeys; however, you can get the date and time of the most recent file access (for the file information stored in c1) by reviewing the registry key’s last write time.
For all of the other files described in the other subkeys, given no other supporting data, you’ll only be able to state that the pdf file was accessed but will be unable to definitively state when.
If/when I discover any other interesting artifacts left by Adobe Acrobat Reader in the registry, I’ll make sure to update this post with my findings.
Feel free to leave me a comment as well if you have any additional Reader related artifacts that you review as part of your workflow…

Comments.
Globz says February 27, 2012 at 10:33 pm:
You can also see a list of visited trusted URLs inside TrustManager\cDefaultLaunchURLPerms
URLs will only be added if the user wants Reader to remember this action.

Derek Newton says March 11, 2012 at 8:07 am:
Thanks Globz.

Offline
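An added example, not part of the original post: one way to turn the cRecentFiles subkeys into a report that dates only the c1 entry, as the post describes. It assumes a hive parser has already supplied each subkey's name, raw FILETIME last write time, and values; the function names, the not_after_utc field, and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime):
    """Registry last write times are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def recent_files_report(subkeys):
    """subkeys: (name, last_write_filetime, {value_name: data}) per child of cRecentFiles."""
    slots = {}
    for name, last_write, values in subkeys:
        # Only c1..c5 hold recent-file entries; ignore anything else under the key.
        if len(name) == 2 and name[0] == "c" and name[1] in "12345" and "tDIText" in values:
            slots[int(name[1])] = (values["tDIText"], last_write)
    # Only c1's last write time dates an access. Entries in c2..c5 were pushed
    # down by later opens, so c1's time is used as an upper bound for them
    # (an inference from the rotation described in the post).
    newest = filetime_to_utc(slots[1][1]) if 1 in slots else None
    report = []
    for slot in sorted(slots):
        path = slots[slot][0]
        report.append({
            "slot": f"c{slot}",
            "path": path,
            "opened_utc": newest if slot == 1 else None,
            "not_after_utc": newest,
        })
    return report

# Constructed sample data (not from a real system).
SAMPLE_SUBKEYS = [
    ("c2", 129742218000000000, {"tDIText": r"C:\Users\analyst\Desktop\invoice.pdf"}),
    ("c1", 129742218000000000, {"tDIText": r"C:\Users\analyst\Downloads\report.pdf"}),
    ("c3", 129742218000000000, {"tDIText": r"C:\Users\analyst\Documents\manual.pdf"}),
    ("cSettings", 129742218000000000, {}),  # hypothetical unrelated subkey, skipped
]

if __name__ == "__main__":
    for row in recent_files_report(SAMPLE_SUBKEYS):
        when = row["opened_utc"].isoformat() if row["opened_utc"] else "unknown"
        print(row["slot"], row["path"], "opened:", when)
```

If c1 is missing from the input, every entry is reported with no timestamp and no upper bound.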
