Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hi. Welcome back to the course. In this module, we have explained the UserAssist key, a part of the Microsoft Windows Registry that records information related to programs run by a user on a Windows system.
00:14
As mentioned before, program execution analysis is very important for forensic and malware analysts. The UserAssist key comprises significant information regarding suspicious activity, such as which programs are consistently used, aliens off only style programs, evidence of a file's existence, and so on.
00:35
There are publicly available script and GUI tools to parse the UserAssist key of a live system.
00:42
All of these utilities have the same functionality:
00:45
they decrypt and display the list of all UserAssist entries stored under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist in the registry. The UserAssist key
01:02
contains information about the EXE files and links
01:06
that are opened frequently.
01:07
The tools display a table of programs executed on the Windows machine,
01:15
complete with running count and last execution date and time. Some of them would allow you to save the list of UserAssist entries into different file formats such as text, HTML, XML or CSV, as well as manipulate or delete these entries.
01:37
There are many tools to parse the UserAssist key, such as UserAssistView by NirSoft, which is freeware and doesn't require an installation process or additional DLL files.
01:51
The use is pretty straightforward. The user just has to click on the executable file, and it will display the list of all UserAssist items stored in the registry.
02:01
The user can then select one or more items and save them to a file or delete them.
02:07
The UserAssist utility by Didier Stevens is also easy to use. Just by clicking on the executable file, you will be able to see and manipulate the UserAssist entries. In addition to showing the entries in the local registry, it has the option to load the information from a REG file.
02:29
Magnet Forensics tools will parse the UserAssist registry data and decode the ROT13-encoded data,
02:37
providing examiners with the file name and path, application run count, associated user, and the date and time when the program was last executed.
02:47
Depending on how the program was executed, Magnet Forensics tools will report either the path or a globally unique identifier/path combination for a given entry. The path entries are straightforward and help indicate where a program or link was executed from,
03:07
but the globally unique identifier requires some interpretation.
03:12
These globally unique identifiers represent common paths on the system, such as I use this update. A folder System32 or other locations. They're coming. The March Magna forensics source do know Mark this anti fires for the Examiner?
03:30
Okay, before finishing, here's a quick question for you.
03:35
What is the cipher used to encode key names associated with UserAssist?
03:40
Is it A,
03:42
ROT13, or B, ROT5, or C, ROT47, or D, ROT17?
03:52
If you said A, you're correct.
03:54
ROT13 is a monoalphabetic substitution cipher that replaces a letter with the 13th letter after it.
04:05
In this module, we have analyzed some general restrain for to look for when analyzing the evidence. We studied the UserAssist key structure and importance, as well as some tools to parse it.
04:19
Don't forget to check the references and supplementary material for more information. In the next module, we're going to analyze another of the Windows forensic essentials: the Windows profession,
04:30
the definition, how it is populated, and the variations in the different versions of Windows.

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor