Get-ForensicOfficeTrustRecord
SYNOPSIS
Gets files that have been explicity trusted by users of Microsoft Offfice applications.
SYNTAX
ByVolume
Get-ForensicOfficeTrustRecord [[-VolumeName] <String>]
ByPath
Get-ForensicOfficeTrustRecord -HivePath <String>
DESCRIPTION
The Get-ForensicOfficeFileMru cmdlet parses NTUSER.DAT registry hives to determine what files have been explicitly trusted by users of Microsoft Office applications.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
EXAMPLES
Example 1
[ADMIN]: PS C:\> Get-ForensicOfficeTrustRecord
This example shows Get-ForensicOfficeTrustRecord parsing all user's NTUSER.DAT hives.
Example 2
[ADMIN]: PS C:\> Get-ForensicOfficeTrustRecord -HivePath C:\Users\tester\NTUSER.DAT
This command uses the HivePath parameter of Get-ForensicOfficeTrustRecord to specify an exported NTUSER.DAT hive to parse.
PARAMETERS
-HivePath
Registry hive to parse.
Type: String
Parameter Sets: ByPath
Aliases: Path
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-VolumeName
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \.\C:, C:, or C.
Type: String
Parameter Sets: ByVolume
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False