
Get-ForensicOfficeTrustRecord

Sat Jan 18, 2020 8:51 pm

NAME Get-ForensicOfficeTrustRecord



SYNOPSIS

Gets files that have been explicitly trusted by users of Microsoft Office applications.





SYNTAX

Get-ForensicOfficeTrustRecord [-VolumeName <String>] [<CommonParameters>]



Get-ForensicOfficeTrustRecord -HivePath <String> [<CommonParameters>]





DESCRIPTION

The Get-ForensicOfficeTrustRecord cmdlet parses NTUSER.DAT registry hives to determine what files have been explicitly

trusted by users of Microsoft Office applications.



Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the

Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.





PARAMETERS

-VolumeName [<String>]

Specifies the name of the volume or logical partition.



Enter the volume name in one of the following formats: \\.\C:, C:, or C.



Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-HivePath <String>

Registry hive to parse.



Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,

ErrorAction, ErrorVariable, WarningAction, WarningVariable,

OutBuffer, PipelineVariable, and OutVariable. For more information, see

about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).



INPUTS

None







OUTPUTS

PowerForensics.Artifacts.MicrosoftOffice.TrustRecords







-------------------------- EXAMPLE 1 --------------------------



[ADMIN]: PS C:\>Get-ForensicOfficeTrustRecord



This example shows Get-ForensicOfficeTrustRecord parsing all users' NTUSER.DAT hives.

-------------------------- EXAMPLE 2 --------------------------



[ADMIN]: PS C:\>Get-ForensicOfficeTrustRecord -HivePath C:\Users\tester\NTUSER.DAT



This command uses the HivePath parameter of Get-ForensicOfficeTrustRecord to specify an exported NTUSER.DAT hive

to parse.
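The following is an added example, not part of the PowerForensics help text or code base: a cross-check that reads the same trust records from the live current-user hive and decodes each value. It assumes the record layout described in published forensic research (value name is the document path, the first 8 bytes are a FILETIME, the last 4 bytes are a flag that equals 0x7FFFFFFF when the user clicked "Enable Content"); the function name ConvertFrom-TrustRecordData and the sample record are hypothetical.

```powershell
# Added example, not PowerForensics code. Assumed TrustRecords value layout
# (from published forensic research, not from this help page):
#   value name      = path of the trusted document
#   data[0..7]      = FILETIME of the trust decision (UTC)
#   last 4 bytes    = flag; 0x7FFFFFFF means macros/content were enabled
function ConvertFrom-TrustRecordData {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][byte[]]$Data
    )
    # Need at least the 8-byte timestamp plus the 4-byte trailing flag.
    if ($Data.Length -lt 12) {
        throw "TrustRecord data for '$Path' is too short ($($Data.Length) bytes)"
    }
    $fileTime = [BitConverter]::ToInt64($Data, 0)
    $flag     = [BitConverter]::ToUInt32($Data, $Data.Length - 4)
    [pscustomobject]@{
        Path          = $Path
        TrustTimeUtc  = [DateTime]::FromFileTimeUtc($fileTime)
        Flag          = '0x{0:X8}' -f $flag
        MacrosEnabled = ($flag -eq 0x7FFFFFFF)
    }
}

# Live hive of the current user: locate every TrustRecords key, whatever the
# Office version or application, and decode each binary value under it.
Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'TrustRecords' } |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($data -is [byte[]]) {
                ConvertFrom-TrustRecordData -Path $name -Data $data
            }
        }
    }

# Constructed sample record (not real evidence): 24 bytes, timestamp at offset 0,
# "content enabled" flag in the last 4 bytes.
$sample = [byte[]]::new(24)
$stamp  = [DateTime]::new(2020, 1, 1, 12, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
[BitConverter]::GetBytes($stamp).CopyTo($sample, 0)
[BitConverter]::GetBytes([uint32]0x7FFFFFFF).CopyTo($sample, 20)
ConvertFrom-TrustRecordData -Path '%USERPROFILE%\Documents\sample.docm' -Data $sample
```

Records with MacrosEnabled set to True are the ones worth correlating with mail and download timelines, since they mark documents whose active content the user allowed to run.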



RELATED LINKS