Recipe Difficulty: Medium

Python Version: 2.7

Operating System: Linux

Windows stores a plethora of information about user activity, and like other registry hives, the NTUSER.DAT file is a great resource to be relied upon during an investigation. This hive lives within each user's profile and stores information and configurations as they relate to the specific user's on the system.

In this recipe, we cover multiple keys within NTUSER.DAT that throw light on the actions of a user on a system. This includes the prior searches run in Windows Explorer, paths typed into Explorer's navigation bar, and the recently used statements in the Windows run command. These artifacts better illustrate how the user interacted with the system and may give insight into what normal, or abnormal, usage of the system looked like for the user.