Version 11.0.07 of Adobe Reader, released in May 2014, introduced some interesting changes that can impact forensic examination. With previous versions of Reader for Windows, the cRecentFiles subkey found in the Acrobat Reader subkeys of an NTUSER.DAT hive provided an examiner with the five most recent files accessed by Adobe Reader. Information about these files was divided into five subkeys named “c1”, “c2”, “c3”, etc., with each subkey containing a bit of information about the accessed file. Version 11.0.07 of Adobe Reader expanded this capability, tracking much more than just the five most recently accessed files. Additional information is also recorded about each accessed file, as well as a list of the five most recently accessed folders.
The screenshot below shows the new look of the “c#” subkeys that store information about recent files accessed in Adobe Reader version 11.0.07 and above. Note that the full path to these subkeys is found in a user's NTUSER.DAT hive under "\Software\Adobe\Acrobat Reader\<version>\AVGeneral\cRecentFiles\c#".
[Screenshot: Values in a cRecentFiles\c# subkey]
The new values added to the "cRecentFiles\c#" subkeys are “sDate”, “uFileSize”, and
[Screenshot: sDate value data]
The five most recently accessed folders are also tracked by Adobe Reader version 11.0.07 and later in a "cRecentFolders" subkey under "HKCU\Software\Adobe\Acrobat Reader\<version>\AVGeneral". Recently accessed folders are maintained in a similar fashion to the recently accessed files, but the level of detail recorded for each accessed folder is pretty minimal. Each "c#" subkey provides the name and path of the accessed folder via the tDIText (or sDI) value, and the Last Write time of the cRecentFolders subkey can be correlated with the time that the most recent folder was accessed.
[Screenshot: Values in a cRecentFolders\c# subkey]
Perhaps the most significant change from a forensic perspective in Adobe Reader version 11.0.7 and later is the alteration to the number of files tracked in the cRecentFiles subkey. Instead of the five most recent files tracked in previous versions, Adobe Reader 11.0.7 appears to track the 50 most recently accessed files. In version 11.0.9, the maximum number of recently accessed files jumps to 100. After testing the current version of Adobe Reader DC, 100 still appears to be the maximum. This means that you could have up to 100 “c#” subkeys under the cRecentFiles key! After 100 documents have been accessed, the subkeys are reused in a FIFO fashion as seen in previous versions of Adobe Reader (e.g. the contents of subkey c100 are removed and replaced with the contents of c99).
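To pull these entries out of an offline NTUSER.DAT, here is an added example script (not from the original post or from Adobe): it walks every Acrobat Reader <version>\AVGeneral key, lists the cRecentFiles and cRecentFolders "c#" slots in c1 (newest) to cN (oldest) order, and records the Last Write time of cRecentFolders. The hive access assumes the python-registry package; decoding tDIText as UTF-8 bytes is an assumption, and sDate is returned as the raw string rather than parsed.

```python
import re

READER_BASE = r"Software\Adobe\Acrobat Reader"

def _slot(name):
    """Numeric part of a 'c#' subkey name (c1 .. c100); None for anything else."""
    m = re.fullmatch(r"c(\d+)", name, re.IGNORECASE)
    return int(m.group(1)) if m else None

def _text(data):
    """tDIText may be stored as bytes; decode (assumption: UTF-8) and strip NULs."""
    return data.decode("utf-8", "replace").rstrip("\x00") if isinstance(data, bytes) else data

def collect_entries(subkeys):
    """subkeys: iterable of (subkey_name, {value_name: data}) under cRecentFiles or
    cRecentFolders. Returns entries ordered c1 (newest) .. cN (oldest), the FIFO
    order the post describes (c100 is dropped and c99 shifts into it)."""
    out = []
    for name, values in subkeys:
        n = _slot(name)
        if n is None:
            continue                      # ignore anything that is not a c# slot
        out.append({
            "slot": n,
            "path": _text(values.get("tDIText", values.get("sDI"))),
            "sDate": values.get("sDate"),          # raw string, not parsed here
            "uFileSize": values.get("uFileSize"),  # absent for folders / older versions
        })
    return sorted(out, key=lambda e: e["slot"])

def dump_hive(hive_path):
    """Walk each Acrobat Reader <version>\\AVGeneral in an offline NTUSER.DAT.
    Needs python-registry (pip install python-registry); paths are relative to the hive root."""
    from Registry import Registry
    reg = Registry.Registry(hive_path)
    report = {}
    for ver in reg.open(READER_BASE).subkeys():
        rec = {}
        for kind, keyname in (("files", "cRecentFiles"), ("folders", "cRecentFolders")):
            try:
                k = reg.open("\\".join([READER_BASE, ver.name(), "AVGeneral", keyname]))
            except Registry.RegistryKeyNotFoundException:
                continue                  # this version has no such key yet
            rec[kind] = collect_entries(
                (s.name(), {v.name(): v.value() for v in s.values()}) for s in k.subkeys())
            if kind == "folders":
                rec["folders_last_write"] = k.timestamp()  # Last Write ~ latest folder access
        report[ver.name()] = rec
    return report
```

Call `dump_hive(r"C:\case\NTUSER.DAT")` on the active hive and again on each copy recovered from volume shadow copies to build the access history the post describes.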
Examiners should be aware of this additional functionality in Adobe Reader in order to take advantage of the historical information it provides. The cRecentFiles subkey from a user's active NTUSER.DAT hive can provide a nice list of files accessed by Adobe Reader. With later versions storing up to 100 "recently" accessed files, the cRecentFiles subkeys could end up storing files that were not-so-recently accessed as well. Further, when combined with previous versions of the user's NTUSER.DAT hive from volume shadow copies, an examiner may be provided with quite a detailed history of files accessed using Adobe Reader.
[Screenshot: cRecentFiles with 100 subkeys]