Download userassist
Author: m | 2025-04-23
killconf/UserAssist: UserAssist parser - GitHub
January 10, 2019 | Daily Blog | Forensic Lunch Test Kitchen: UserAssist, Windows 10

Hello Reader, Tonight I changed the course of our testing in a slight detour, ok maybe a hard right, over to Windows 10 because I remembered an artifact that has been bugging me. The UserAssist artifact, which has been a friend of mine since 2002 (I wrote about it in 2004 in the first Hacking Exposed Computer Forensics), seems to have had a change in behavior starting in Windows 8. Suddenly we had values showing up in the UserAssist with a run count of 0 and no last execution time. So to remedy this I decided to start some testing, and here is what we learned:

- Running a Modern app will update the run count and the execution time.
- Running a desktop app will update the run count and the execution time.
- The focus count is still unreliable.
- The focus time is still unreliable.
- Rebooting does not zero out the values in the UserAssist keys.
- Some entries in the UserAssist CEBFF GUID specifically appear to not get updated as other versions of the same program do (Process Hacker in this example).
- Some things don't get updated run counts or execution times; so far Microsoft Edge and Cortana appear to behave that way.

More testing is needed so we can determine what is affecting the expected behavior.

AccessData Supplemental Appendix (9/8/08): Understanding the UserAssist Registry Key

The purpose of this appendix is to explain some of the functionality of the UserAssist key and how it might relate to artifact evidence found in the registry.

The first version of the UserAssist tool would only decode the UserAssist registry keys of the account under which it was running. Download: UserAssist_V2_4_3.zip

UserAssist Keys

The easiest way to determine if a PE file executed is to check the UserAssist registry keys. Every program executed from explorer.exe will generate a UserAssist key.

Download UserAssistView. This utility decrypts and displays the list of all UserAssist entries stored under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist key in the Registry; in the on-disk hive the same key is NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

This EnScript is designed to decode data stored in the HKCU Registry UserAssist sub-key present in Windows XP and later operating systems. This key monitors application usage so as to enable the system to populate each user's start menu with frequently used applications.

The UserAssist key will contain one or more sub-keys, each with a name that is a GUID. Contained within each of those keys is a sub-key called Count; the entries themselves are contained therein.

The name of each UserAssist entry is ROT13 encoded. Beta versions of Windows 7 used the Vigenère cipher but the final release of the operating system reverted to ROT13. Vigenère is not supported by this script.

The entries that are of significance to the examiner are 16 bytes in length for operating systems prior to Windows 7 and 72 bytes in length for Windows 7 and later.

16-byte entries contain run-count and session-count variables, and also a last-executed date/time stamp. The run-count variable is stored as 5 greater than the actual value, so a stored value of 6 would represent an actual run-count of 1. A run-count of 0 is believed to be a special value used to prevent an application being shown in the start menu. The examiner may also encounter negative values but the significance of these is not currently known.

72-byte values were introduced with Windows 7. Not everything is known about these values but reverse engineering indicates the following: the session-count is no longer stored and the run-count is stored as is (it is not incremented by 5); the last-executed date/time stamp is still present. In addition to this, two additional variables are stored: a focus-counter and a focus-timer. The significance of the remaining bytes is unknown.

When an application is executed the run-counter is incremented by one. The system then tracks the time that the
application has the focus. If the application is closed or loses focus then the focus-timer, which appears to be stored in milliseconds, will be incremented by the time tracked by the system. Every time the application is out of focus but then receives the focus, the focus-counter is increased by one and the system starts tracking the focus time again. Note that the focus-counter is not incremented at the time the application is started, only when it has lost the focus and regains it.

Depending on whether anything in the case has been selected or not, the script will process either all or selected files that have the name 'NTUSER.DAT' or else have a name starting with '_REGISTRY_USER_NTUSER' (System Restore files).

Because System Restore NTUSER.DAT Registry backups are stored outside of user folders, identifying each one is accomplished by having the script read file-system permission information and then using that data to interpret the SID that forms part of the backup name. This option can take some time so the examiner can opt to skip this step. Note that translation between SID and account name will only be possible if EnCase has that information: it may not, for instance, work for domain accounts.

The script produces its results in the form of note bookmarks and also a tab-separated-value (TSV) output file. The latter is suitable for opening in Microsoft Excel or another compatible spreadsheet application; the script can do this automatically if required.

Note that the output from the script will show both a run-count and an adjusted run-count. For post-Windows 7 UserAssist entries these values will be the same.

The output from the script refers to two variables named Unknown 1 and Unknown 2. For 72-byte entries these relate to the first four bytes and last four bytes respectively (shown as Little Endian integers in hex). For
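As an added example (my own code, not the EnScript, UserAssistView or the killconf parser mentioned on the page), here is a Python decoder for the two value layouts the description above covers: the ROT13 name, the 16-byte pre-Windows 7 entry with its +5 run-count offset and special 0/negative counts, and the 72-byte Windows 7+ entry with focus-counter, focus-timer and the Unknown 1/Unknown 2 words. The exact offsets inside the 72-byte value (run count at 4, focus counter at 8, focus timer at 12, FILETIME at 60) are my assumption from common parsers, and the sample records are constructed, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Added example, not the EnScript or any other tool named on the page: decode a single
# UserAssist Count value as the text describes (ROT13 name, 16-byte XP layout, 72-byte Win7+).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means no last-executed time."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_userassist(encoded_name, data):
    """Return a dict for one value; field offsets are assumed (commonly documented ones)."""
    entry = {"name": codecs.decode(encoded_name, "rot13")}
    if len(data) == 16:  # pre-Win7: session id, run count stored +5, FILETIME
        session, stored, ft = struct.unpack("<IiQ", data)
        entry.update(session=session, stored_run_count=stored,
                     run_count=stored - 5 if stored >= 5 else stored,  # 0/negative kept raw
                     last_run=filetime_to_datetime(ft))
    elif len(data) == 72:  # Win7+: count stored as-is, focus counter, focus timer (ms)
        unknown1, run, focus, focus_ms = struct.unpack_from("<Iiii", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        (unknown2,) = struct.unpack_from("<I", data, 68)
        entry.update(stored_run_count=run, run_count=run, focus_count=focus,
                     focus_time_ms=focus_ms, last_run=filetime_to_datetime(ft),
                     unknown1=unknown1, unknown2=unknown2)
    else:
        raise ValueError(f"unsupported UserAssist value length {len(data)}")
    return entry

def build_win7_value(run, focus, focus_ms, last_run, unknown1=0, unknown2=0):
    """Constructed 72-byte sample; the 44 bytes from offset 16 to 60 are left zero."""
    head = struct.pack("<Iiii", unknown1, run, focus, focus_ms)
    return head + bytes(44) + struct.pack("<QI", datetime_to_filetime(last_run), unknown2)

# Constructed sample values, not data from a real hive.
XP_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pzq.rkr"
XP_DATA = struct.pack("<IiQ", 0x1234, 6,
                      datetime_to_filetime(datetime(2019, 1, 10, 3, 0, tzinfo=timezone.utc)))
WIN7_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
WIN7_DATA = build_win7_value(3, 2, 45000, datetime(2019, 1, 10, 3, 5, tzinfo=timezone.utc))
```

Call parse_userassist(XP_NAME, XP_DATA) and parse_userassist(WIN7_NAME, WIN7_DATA) to see the decoded names, the raw versus adjusted run-count, and a FILETIME of zero reported as no last-executed time.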