Computer Hacking Forensic Investigator (CHFI v10) — Question 172

Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization's DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information?

Answer options

• A. TypedURLs key
• B. MountedDevices key
• C. UserAssist Key
• D. RunMRU key

Correct answer: D

Explanation

The RunMRU key is the correct choice because it specifically stores the most recently used entries from the Run box, which is exactly what Smith is looking for. The TypedURLs key tracks URLs typed in web browsers, the MountedDevices key relates to connected drives, and the UserAssist Key stores information about applications run by the user, none of which contain entries from the Run box.