As part of the 2014 Volatility Plugin Contest, I created a simple plugin that queries the registry for Office TrustRecords. This post contains details about this registry key. It’s basically used to record Office files that were opened from an untrusted location and manually “trusted” by the user by clicking a prompt to edit the document or enable content. Along with this record of opening the document, the data in the value is the time that the document was opened. This plugin locates the registry key for Word, Excel, Access, and PowerPoint and prints the list of files and their timestamps.

I don’t have a memory sample to provide, but here is some sample output of the plugin.

$ vol.py -f memory.vmem --profile=Win7SP1x86 trustrecords
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\voltest\ntuser.dat
Key path: Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords
Key name: TrustRecords (S)
Last updated: 2014-09-09 03:37:16 UTC+0000

Values:
2014-09-09 03:34:44.081925	%USERPROFILE%/Desktop/Doc1.docm
2014-09-09 03:37:07.689334	%USERPROFILE%/Desktop/newDoc.docm