7.2 UserAssist

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

Video Transcription
Hi. Welcome back. We have this cost howto find evidence in windows. In this video, we're going to analyze another important key.
Microsoft Windows Systems implements various Logan and every reporting mechanisms to have a record off how this system is used.
This information is load on numerous here locations on the hard drive to manage operating system, more interactive and user friendly.
This looks concerned. Our foreign signal git toe analysis to exploit
the Exorcist key apart off the window for history was still introduced and we know 24 on continue the celebration before looks, including Windows 10
they use their seize key is a very useful resource in the area of pronunciation analysis to analyze what programs were recently room on their execution history.
The information of 10 from assesses key can also be leveraged in consitutional forensic Thailand officer activities.
The evidence offering programs on a window system can be found in numerous look fights, including profession, case file,
it looks and T F s, U S and Germany creased Ricky's Julie's, among others.
The user seize key is maintained by Microsoft in its users and to you, sir, that that which is a high file at the following five past
So far. Microsoft Windows Corrine Version Explorer, You, Cyrus East
for all Beijing off Windows or or a life computer system at S Casey. You So for Microsoft, we lose Karim Mercial Explorer. You, sir, assist beneath the user. Seize key There at least two keys
which are the same across platforms but maybe more in different patients off windows, so ski 3% globally unique Identify IRS on each identify key contains a sub key called count on their wish. The actual values are stored in a certificated manner.
Some researchers have identified that this values are in cold with the roads to teen a Christian algorithm which is a substitution cipher that replaces a letter with the two teams. Layer after it
in, we know *** be on Bista useless his keys by 90 day that contains information for the applications Launch by a user on Lee Pierre will explore
the most significant change off your sources. Keys in window seven was a new four months off. Binary data
in Windows seven the size off the violet area Waas 72 bites are supposed to 16 bites in windows experience from Vista,
the structure appears to be the same in more recent operations, off windows
in more than Windows, the Exorcist key also keep start off applications on how they were launched.
The 1st 4 buys identify cessation. There appears very across same platform.
The next four bites the starting at offset four represent a counter that increments upon program execution.
This attribute can supplied barker Information on the frequency with applications have been secured in the system.
Oh no, we lose experion this time machine the wrong can't start with the number five US default value.
Therefore, is the counter this place seeks. Then the application has only been wrong one time. If the Exorcist key gets cleared, then the hex counter value will start over at five.
The last eight byte is the time stand in UTC format.
With this information, one can see what program was launched when Iwas launched on how many times it was launched.
The new structure career Really the focus time in milliseconds, then application hot.
These calm provide information off Holland. A program was being a security on the system by a particular user.
The last execution time stamp in five time when the code it can provide a date on time when the application was last time executed.
Okay, who's the quick question for you
for the youth assist key on a Windows Experion star machine? If the recount this place are six, then how many times application has been run?
Do you think is a one time or be two times, or maybe see five times? Or the six times
if you said a you're correct when the Windows experion vista the room cancer starts with the number five after the full value.
Therefore, if the counter this place, a safe application has only being run on time,
we have analyzed the user seize key. There publicly, really was creep
on. Do I tools to pass this key
In the next video, we'll be analyzing some off there
unless useful. Don't forget to check the references on supplementary material. For more information on the air assist key
Up Next
7.3 UserAssist Parcer
8.1 Windows Prefetch
9.1 Registry of the Past
9.2 Restore Point Data
10.1 Recycle Bin