As part of the 2014 Volatility Plugin Contest, I created a simple plugin that queries the registry for Office TrustRecords. This post contains details about this registry key. It's basically used to record Office files that were opened from an untrusted location and manually "trusted" by the user by clicking the prompt to edit the document or enable content. Along with this record of the document being opened, the data stored in the value is the time that the document was opened. The plugin locates the registry key for Word, Excel, Access, and PowerPoint and prints the list of files and their timestamps.
I don’t have a memory sample to provide, but here is some sample output of the plugin.
$ vol.py -f memory.vmem --profile=Win7SP1x86 trustrecords
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\voltest\ntuser.dat
Key path: Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords
Key name: TrustRecords (S)
Last updated: 2014-09-09 03:37:16 UTC+0000

Values:
2014-09-09 03:34:44.081925   %USERPROFILE%/Desktop/Doc1.docm
2014-09-09 03:37:07.689334   %USERPROFILE%/Desktop/newDoc.docm
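The decoding step behind output like the above, written here as an added example rather than the plugin's own code: each TrustRecords value is named after the document (with %USERPROFILE% standing in for the user's profile directory) and its data begins with a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) recording when the user trusted the file. Treating the leading 8 bytes as that FILETIME is an assumption made by this example; any bytes after them are passed through undecoded. The sample value data is constructed inline so the code runs offline, and the helper names (to_filetime, from_filetime, parse_trust_records, macro_enabled_records) are this example's own.

```python
"""Decode Office TrustRecords values (added example; not the Volatility plugin's code)."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns ticks from 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Extensions that can carry VBA macros; a trust record for one of these means
# the user clicked through the "enable content" prompt (triage aid, not proof of harm).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime to FILETIME ticks using integer math (no float drift)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    """Convert FILETIME ticks back to an aware UTC datetime (microsecond resolution)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_trust_records(values: dict) -> list:
    """Turn {value_name: raw_data} into a list of (timestamp_str, document_name) tuples.

    Assumption: the first 8 bytes of each value's data are a little-endian FILETIME.
    Values shorter than 8 bytes are reported with an empty timestamp instead of crashing.
    """
    records = []
    for name, data in values.items():
        if len(data) < 8:
            records.append(("", name))
            continue
        (ticks,) = struct.unpack("<Q", data[:8])
        stamp = from_filetime(ticks).strftime("%Y-%m-%d %H:%M:%S.%f")
        records.append((stamp, name))
    # Oldest trust decision first, matching the plugin output above.
    return sorted(records, key=lambda r: r[0])


def macro_enabled_records(records: list) -> list:
    """Filter parsed records down to macro-capable document types for triage."""
    return [r for r in records if r[1].lower().endswith(MACRO_EXTENSIONS)]


def build_sample_values() -> dict:
    """Constructed sample data mirroring the two documents in the plugin output above."""
    def value_data(dt):
        # 8-byte FILETIME followed by 16 bytes we leave undecoded (filled with zeros here).
        return struct.pack("<Q", to_filetime(dt)) + b"\x00" * 16

    return {
        "%USERPROFILE%/Desktop/newDoc.docm": value_data(
            datetime(2014, 9, 9, 3, 37, 7, 689334, tzinfo=timezone.utc)),
        "%USERPROFILE%/Desktop/Doc1.docm": value_data(
            datetime(2014, 9, 9, 3, 34, 44, 81925, tzinfo=timezone.utc)),
        "%USERPROFILE%/Desktop/notes.docx": value_data(
            datetime(2014, 9, 8, 22, 1, 0, 0, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    parsed = parse_trust_records(build_sample_values())
    print("Values:")
    for stamp, name in parsed:
        print(f"{stamp}   {name}")
    print("Macro-enabled documents the user chose to trust:")
    for stamp, name in macro_enabled_records(parsed):
        print(f"{stamp}   {name}")
```

When pointed at real value data pulled from a hive (for example via Volatility's registry API or an offline copy of ntuser.dat), the same parse_trust_records call yields the timestamp/path pairs the plugin prints; the macro_enabled_records filter is just a convenient first cut when reviewing which trusted files could have run code.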