Andrew Case
Office
The TrustRecord field inside of Office’s NTUSER holds the full path to documents that were downloaded from untrusted places (e.g. a web browser download), and that the user had to explicitly tell Office to trust. This “trust” prompt is shown when the user wants to edit the document or run macros inside of it.
The artifact is interesting because it holds not only the full path in a MRU listing, but the value of the particular name/value is the time it was trusted.
Software\Microsoft\Office\14.0\PowerPoint\Security\Trusted Documents\TrustRecords
The path part after “Office” will differ per-version of Office, but the rest of the path is the same.
NTUSER hive
RegExtract – http://www.woanware.co.uk/?page_id=209 – The “OfficeDocuments” plugin will extract this information
