When investigating a suspicious activity on a computer, you might want to check the CCM_RecentlyUsedApps file. This record contains the last ten executable files run on your computer. If you’re unsure how to use this information, read the following tips to learn how to properly interpret this data. These tips will help you understand the data stored in this file and why it’s important for your investigation.

In addition, CCM_RecentlyUsedApps records can be used to identify deleted files and executable files. These logs are stored in Windows’s Windows Management Instrumentation repository. This enables forensic investigators to gather inventory data from various sources, including system and user logs. Moreover, these records can also help in building a chronological order of events. For more information about the CCM_RecentlyUsedApp metering feature, visit FireEye Labs Advanced Reverse Engineering (FLARE) blog.

Similarly, a forensic examiner may want to review CCM_RecentlyUsedApps records to identify executable files. Using these records can help reconstruct a timeline of events. However, these files should be part of an overall investigation. There are many sources of information on the CCM_RecentlyUsedApp data, so it is important to conduct a comprehensive investigation before making a conclusion.