
This key does monitor application usage, as we've covered. It is a key that is an indication of program usage, and when you look at it, it's very helpful in building your timeline when you're seeing what applications were being used at what time. Today we're going to be talking about UserAssist. We also talked about how that could be used by an intruder if they gained access via the shell and executed URLs through there.
It could also be a cut and paste, but anything typed into that Windows Explorer address bar will be in the TypedURLs subkey. It could be that the whole URL was typed, or it could be an autofill. We also looked at our TypedURLs subkey, and again these are searches that the user types into the Internet Explorer search bar to go to web addresses, and that could be done through the dropdown menu.

And they also have their own MRU lists that we can read and get dates and times. We also saw that RecentDocs has an overall list of recent docs, and then it also has lists of recent docs by extension, by file type. We've covered the RecentDocs subkey and we looked at the MRU lists and how we interpret them. Quick review of what we covered so far in Course 3. The UserAssist is one of those keys that is an indication of program execution, and that can be very important to our forensic examination. We're in the NTUSER.DAT hive, and today we're going to be looking at the UserAssist and program execution.

Hello and welcome back to Windows Registry Forensics, Course 3, Section 3.
