UserAssist Forensic

Recently I have been spending a little more time on EnScript, and I wrote a simple EnScript to parse the UserAssist registry key. There are many good references on UserAssist; notable ones are:

In short, UserAssist keeps track of the applications run by a user and stores that data in the NTUSER.DAT registry hive. Windows then uses the data to display the user's frequently used programs. On Windows XP, Vista, 7 and 8 the UserAssist registry key is located at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\[GUID]\Count\. Using a limited set of registry files and references, the respective OS versions and their UserAssist GUIDs are as follows:

Windows XP

  • {75048700-EF1F-11D0-9888-006097DEACF9}
  • {5E6AB780-7743-11CF-A12B-00AA004AE837}

Windows Vista

  • {75048700-EF1F-11D0-9888-006097DEACF9}
  • {5E6AB780-7743-11CF-A12B-00AA004AE837}

Windows 7

  • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
  • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}

Windows 8

  • {FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}
  • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
  • {F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}
  • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
  • {CAA59E3C-4792-41A5-9909-6A6A8D32490E}
  • {B267E3AD-A825-4A09-82B9-EEC22AA3B847}
  • {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}
  • {9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}

Registry value names are encoded with the ROT13 algorithm. Registry values are stored as binary data. The registry values under discussion are:

  • 16-byte values on Windows XP and Vista,
  • 72-byte values on Windows 7 and 8.
  • Other sizes of registry values exist on the system, but they are not the point of this discussion.
  • A detailed reference is available at http://www.aldeid.com/wiki/Windows-userassist-keys

The parts of each registry value of forensic interest are:

  • the last executed time, an 8-byte FILETIME value,
  • the execution count.

So, using my amateurish programming skills, I wrote a simple EnScript. The EnScript works as follows:

  • Ability to parse the UserAssist registry key on Windows XP, Vista, 7 and 8,
  • Parses all selected registry files (NTUSER.DAT),
  • Dialog box to specify the destination folder,
  • Output file in TSV format; the FileID of the selected file is appended to the output file,
  • Determines the OS version using the buildnumber registry value (NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon) based on the reference http://www.gaijin.at/en/lstwinver.php,
  • Based on the OS version, it parses the registry values under the respective OS's GUIDs,
  • Checks the registry value size (16 or 72 bytes) and parses the value for "last executed time" and "executed count".
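The value decoding the EnScript performs (ROT13 name, then a 16-byte XP/Vista or 72-byte Windows 7/8 layout with the FILETIME and run counter) is shown here as an added Python example; it is not the author's EnScript. The field offsets for the 72-byte layout and the sample value bytes are my own construction for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC; 0 means no timestamp was recorded.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist_value(name, data):
    # Decode one entry under the UserAssist Count subkey: ROT13 name plus binary value.
    entry = {"name": codecs.decode(name, "rot_13"), "size": len(data)}
    if len(data) == 16:
        # Windows XP / Vista layout: session id, run counter, last-run FILETIME.
        # (XP is documented to start the counter at 5; subtract 5 for the true run count.)
        session, count, ft = struct.unpack("<IIQ", data)
        entry["format"] = "XP/Vista"
    elif len(data) == 72:
        # Windows 7 / 8 layout: session id, run counter, focus count, focus time (ms),
        # ten 4-byte floats plus 4 unknown bytes, then the last-run FILETIME at offset 60.
        session, count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        entry["format"] = "7/8"
        entry["focus_count"] = focus_count
        entry["focus_time_ms"] = focus_ms
    else:
        # Other sizes also live under Count (session bookkeeping); report and skip them.
        entry["format"] = "unsupported"
        return entry
    entry.update(session=session, run_count=count, last_executed=filetime_to_datetime(ft))
    return entry

def to_tsv_line(entry, file_id):
    # One TSV row per entry, with the source hive's FileID appended as the parser's output does.
    last = entry.get("last_executed")
    return "\t".join([entry["name"], entry["format"], str(entry.get("run_count", "")),
                      last.isoformat() if last else "", str(file_id)])

# Constructed sample: ROT13 of "UEME_RUNPATH:C:\Windows\system32\calc.exe" and hand-built
# values whose FILETIME is 2013-01-15 12:00:00 UTC (130027248000000000 ticks).
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr"
SAMPLE_FT = 130027248000000000
SAMPLE_XP = struct.pack("<IIQ", 1, 12, SAMPLE_FT)
SAMPLE_WIN7 = (struct.pack("<IIII", 3, 7, 2, 4500) + b"\x00" * 44
               + struct.pack("<Q", SAMPLE_FT) + b"\x00" * 4)

if __name__ == "__main__":
    for raw in (SAMPLE_XP, SAMPLE_WIN7):
        print(to_tsv_line(parse_userassist_value(SAMPLE_NAME, raw), file_id=1))
```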


The EnScript was coded and tested on EnCase version 7.0.7, against a small set of registry files. The EnScript can be downloaded at Link. If you find any bug, please contact me. Thank you!

UserAssist Parser 0.1
