Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hi. Welcome back. We're in this course, How to Find Evidence in Windows. In this video, we're going to analyze another important key.
00:09
Microsoft Windows systems implement various logging and event reporting mechanisms to have a record of how the system is used.
00:17
This information is logged in numerous locations on the hard drive to make the operating system more interactive and user friendly.
00:26
These logs are of interest to forensic analysis. Here we exploit
00:30
the UserAssist key, a part of the Windows registry. It was first introduced in Windows 2000 and continued to be present in later versions, including Windows 10.
00:40
The UserAssist key is a very useful resource in the area of program execution analysis, to analyze what programs were recently run and their execution history.
00:50
The information obtained from the UserAssist key can also be leveraged in traditional forensic timelines of user activities.
00:57
The evidence of running programs on a Windows system can be found in numerous log files, including Prefetch cache files,
01:04
event logs, the NTFS USN journal, and registry keys, among others.
01:12
The UserAssist key is maintained by Microsoft in the user's NTUSER.DAT, which is a hive file, at the following file path:
01:22
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
01:27
for all versions of Windows; or, on a live computer system, at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Beneath the UserAssist key there are at least two keys
01:44
which are the same across platforms, but there may be more in different versions of Windows. These keys represent globally unique identifiers (GUIDs), and each identifier key contains a subkey called Count, under which the actual values are stored in an obfuscated manner.
02:02
Some researchers have identified that these values are encoded with the ROT13 encryption algorithm, which is a substitution cipher that replaces a letter with the thirteenth letter after it.
02:17
In Windows XP and Vista, the UserAssist keys' binary data contains information for the applications launched by a user only via Explorer.
02:29
The most significant change of the UserAssist keys in Windows 7 was a new format of binary data.
02:35
In Windows 7, the size of the value data was 72 bytes, as opposed to 16 bytes in Windows XP and Vista.
02:44
The structure appears to be the same in more recent versions of Windows.
02:50
In modern Windows, the UserAssist key also keeps track of applications and how they were launched.
02:58
The first 4 bytes identify the session. These appear to vary across the same platform.
03:05
The next four bytes, starting at offset four, represent a counter that increments upon program execution.
03:14
This attribute can supply valuable information on the frequency with which applications have been executed on the system.
03:22
On Windows XP and Vista machines, the run count starts with the number five as the default value.
03:30
Therefore, if the counter displays six, then the application has only been run one time. If the UserAssist key gets cleared, then the hex counter value will start over at five.
03:43
The last eight bytes are the timestamp in UTC format.
03:47
With this information, one can see what program was launched, when it was launched, and how many times it was launched.
03:55
The new structure carries, really, the focus time in milliseconds an application had.
04:01
This can provide information on how long a program was being executed on the system by a particular user.
04:09
The last execution timestamp, in FILETIME when decoded, can provide a date and time when the application was last executed.
04:19
Okay, here's a quick question for you.
04:23
For the UserAssist key on a Windows XP-based machine, if the run count displays six, then how many times has the application been run?
04:31
Do you think it is A, one time; or B, two times; or maybe C, five times; or D, six times?
04:41
If you said A, you're correct. In Windows XP and Vista, the run counter starts with the number five as the default value.
04:49
Therefore, if the counter displays a six, the application has only been run one time.
04:58
We have analyzed the UserAssist key. There are publicly available freeware, scripts,
05:02
and GUI tools to parse this key.
05:05
In the next video, we'll be analyzing some of these
05:09
useful tools. Don't forget to check the references and supplementary material for more information on the UserAssist key.

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor