UserAssistant

We’ve been quietly developing digital forensics tools and forensic software to assist in our analysis for almost 10 years, and until recently, all of that source code has been sitting around and collecting dust.  As time permits, we will be dusting it off, adding some updates, and releasing some of it to the public.

Think of it as our way of saying thank you to everyone who has written articles, published research, or contributed software/code to the forensic community.

These utilities are provided “as-is” and are free for both personal and commercial use. As with any software, including ours, you should always independently validate your findings.  Oh, and if you find any of our utilities useful, feel free to drop by @chadgough or @4Discovery on Twitter and say thanks. Bug reports and feature requests are always welcome!

User Assist Analysis

Description

UserAssist keys are method that Microsoft uses to populate a user’s start menu with frequently used applications. They exist on Windows XP, Vista, and 7 and maintain counts of application usage. These values are located in each user’s NTUSER.DAT hive at SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist and are ROT-13 encoded.

Features

• Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes
• Saves to CSV for additional analysis
• Requirements: Microsoft .NET Framework v4.0
• Free for both personal and commercial use

Screenshots

v1.2 (05-24-2013)

• Application now digitally signed
• Application will automatically check for updates
• Application now has global exception handling

References:

• Dider Stevens – UserAssist
• UserAssist Forensics