..
    generated, remove this comment to keep this file

``trusteddocs``
===============

.. code-block:: console

    $ target-query <path/to/target> -f trusteddocs


.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsPlugin``
    * - Output
      - ``records``

**Module documentation**

Plugin to obtain Microsoft Office Trusted Document registry keys.

**Function documentation**

Return Microsoft Office TrustRecords registry keys for all Office applications.

Microsoft uses Trusted Documents to cache whether the user enabled the editing and/or macros for that document.
Therefore, this may reveal if macros have been enabled for a malicious Office document.

Yields records based on the values within the TrustRecords registry keys.
At least contains the following fields:

.. code-block:: text

    application (string): Application name of the Office product that produced the TrustRecords registry key.
    document (path): Path to the document for which a TrustRecords entry is created.
    ts (datetime): The created time of the TrustRecord registry key.
    type (varint): Type of the value within the TrustRecords registry key.
    value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.

References:
    - https://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
    - https://github.com/DissectMalware/OfficeForensicTools/blob/master/trusted_documents.py
    - https://github.com/nmantani/PS-TrustedDocuments