Hello and welcome back to Windows Registry Forensics, Course 3, Section 3. We're in the NTUSER.DAT hive, and today we're going to be looking at UserAssist and program execution. UserAssist is one of those keys that is an indication of program execution, and that can be very important to our forensic examination. A quick review of what we've covered so far in Course 3. We've covered the RecentDocs subkey, and we looked at the MRU lists and how we interpret them. We also saw that RecentDocs has an overall list of recent documents, and then it also has lists of recent documents by extension, by file type, and those also have their own MRU lists that we can read to get dates and times. We also looked at our TypedURLs subkey. These are addresses that the user types into the Internet Explorer address bar to go to web sites, and that could be done through the dropdown menu. It could be that the whole URL was typed, it could be an autofill, or it could be a cut and paste, but anything typed into that Internet Explorer address bar will be in the TypedURLs subkey. We also talked about how that could be used by an intruder if they gained access via the shell and executed URLs through there. Today we're going to be talking about UserAssist. UserAssist is a good key. It is a key that is an indication of program usage, and when you look at it, it's very helpful in building your timeline when you're seeing what applications were being used at what time. This key monitors application usage, as we've covered. The registry values are stored in a way that they are obscured, or obfuscated, using ROT13, and we're going to talk about ROT13 (pronounce it "rot thirteen" or "rote thirteen", however you like) in depth a little bit later. This key is populated each time we launch something from the Start menu, and that is how our frequently used applications list gets populated.
The more we use an application, the more we run an application, that application gets put into our Start menu, so it helps us. It is supposed to be for ease of use, to help the user have a better experience, and that's the purpose of UserAssist. In this section we're going to be using Registry Explorer. We're going to take a look at UserAssist, which is a program we'll download shortly. We're going to use Windows-userassist-values.pdf, which is going to be in your class container. We're going to use DCode and Windows Calculator, and we're going to use the Ivan NTUSER.DAT file, the one we exported earlier and stored somewhere on our computers, hopefully on our desktop or somewhere we can get to easily. Okay, ROT13. All ROT13 really means is that we take the alphabet and substitute each letter with the letter that is 13 places away from it. So A would become N, B would become O, C would become P. This is how you would encode it or decode it, depending on what you were trying to do. If we had this message, ATTACK AT DAWN, and we were going to ROT13 encode it, we would use our little chart up top. We know A becomes N, T becomes G, the next T is another G, A is another N, C becomes P, K becomes X, A becomes N again, T becomes G again, D becomes Q, A becomes N, W becomes J, and N becomes A. That gives us NGGNPX NG QNJA, and that is how we would encode the message. To decode it, you would just reverse the process: look at the encoded letters and find their decoded matches. So that's ROT13, and that's how each of our value names in UserAssist is going to be written; they're going to be encoded using ROT13. Now, to download UserAssist, which we're going to use shortly, go ahead and type Didier Stevens UserAssist into your Google search. The first result that comes up should be Didier Stevens' UserAssist.
We're going to click on that, and that's going to bring us to the page where we can download the tool. If we scroll down, you're going to come to where it says Download UserAssist V2_6_0.zip. Go ahead and click on that and save it. Once you've saved it, you're going to have a zip file. Take the zip file, use 7-Zip, and extract it to wherever you'd like to put it on your computer. Let's go ahead and launch Registry Explorer, so we can talk about this stuff and see it at the same time. Once you've launched Registry Explorer, go to File, Load hive, navigate to where you have your Ivan NTUSER.DAT and load that hive. You can just click Open and it'll load the hive. You might notice that I have another hive in here. You do not have this hive file; it is just a Windows 7 one. I wanted to show you the difference between 7 and 10. We'll take a quick look at the Windows 7 hive first, and we're going to navigate from there to UserAssist. We'll expand the hive, expand Software, expand Microsoft, scroll all the way down, expand Windows, expand CurrentVersion, expand Explorer, and now navigate down to UserAssist and expand UserAssist. You just click right on the arrow and expand it. Notice we have two GUID subkeys here, and I just want to explain to you what these GUID subkeys are. These two keys will be in Windows 10 also, and these are the two keys we are really going to be focused on. This top key here, CEBFF5CD, and you can remember it as your BFF, is the key that's going to show us executable programs that were executed or run. And where the data, the meat and potatoes, is going to be is in this Count subkey.
What we can see here is we have the name of the program, we have the run counter, which is going to tell us how many times the program was executed, and we have something called focus count. What happens with the focus count is this: once the application is launched, every time it goes out of focus and then receives focus again, that is, it's brought back into focus (you minimize it to the taskbar, then unminimize it and you're actively interacting with that application again), the focus count is incremented by one, and the system starts tracking the focus time again. So when it's out of focus the focus time gets paused, and when you bring it back into focus the focus time starts again and the focus count goes up by one. The focus count is not incremented at the time the program is started; only when it has lost focus and then regains it does the focus count increment and the focus time start again. Last executed is the last time the program was executed. Now let's take a look at this GUID subkey, F4E57C4B. Again the data is in the Count subkey, and when we look into the Count subkey we're seeing .lnk entries. These are all programs run from shortcut files, .lnk files. So these are programs that were executed, because we're sticking with program execution, but they were executed through a shortcut, and we can see that here, and we see the same types of values here. The shortcut executions do not seem to track, or at least not track accurately, focus count and focus time. We do have a run counter and we do have a last executed, as you can see, but we do not have a focus count or focus time. So these are programs executed through a shortcut link. Now we're going to go check Windows 10 and see what that subkey looks like. So I'm going to close everything up so we have a nice clean screen; make sure that you focus in this pane.
We're going to use our bookmarks this time to navigate to UserAssist. The subkey is in the same place, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. When we expand it we see we have more than two subkeys; we actually have nine, and you will always have nine. But the two keys we're going to be focused on are, like I said earlier, those first two keys, CEBFF and F4E. Let's start with our executable programs that were not executed through a shortcut. We can see we have quite a few entries here, and we're noticing we have a time: the focus time is broken down into hours, minutes and seconds. This time is actually stored in milliseconds, and we don't really have a milliseconds column, so anything less than a second wouldn't be populated here. And we have our last executed. So we can see that something like the Snipping Tool, which would probably be interesting to me in some of my investigations, has a counter of nine, a focus count of 11, hasn't been up that long, three minutes and 15 seconds, and it has its last executed date. Let's take a look in here: we have Notepad, and we do see cmd executed. Now, you are going to see zeros in here, and most of these zeros are going to be associated with some type of Microsoft product, like Edge. The exact reason for this is unknown at this point, but it could be because Microsoft products like Edge are very much embedded in the Microsoft operating system, and for whatever reason they're not writing properly to this key, because you can see here we have a zero in the run count but we have a focus count and focus time, which is somewhat odd. You can see other entries here that might be interesting to you. Dropbox, if you're doing any type of data exfiltration case, could be interesting to you. We see the installer ran, but we can see here we also have the same issue with Dropbox that we had with the Microsoft product.
So it's not just Microsoft products that are having this issue with the run counter while there's data in the focus count and focus time. We do see TrueCrypt and a password cracker, Ophcrack, so there are some interesting programs here. Now let's take a look, not a quick look, at the ones that were executed using a shortcut file. We're seeing the same type of data here, but notice again we're seeing a run count and a last executed time. You're not seeing anything in focus count or focus time here; it doesn't seem to be being recorded. At this point the answer to why isn't really out there yet; this key is still being explored quite a bit. Now we're going to export these two keys so we can view them with the other tool that we just downloaded. So what we're going to do is, on the GUID key, right click, Export key, to .reg format, recursive, meaning we want the subkeys too. Once you click on that it's just going to ask you where you'd like to save it; go ahead and save it somewhere that you can get to easily. Once you've done that one, go ahead and do the next one, which is F4E57C4B: right click, Export key to .reg format, recursive. Once we've done that, let's bring up UserAssist, the program that we just downloaded. We're going to go to Commands, Load from REG file. We're going to navigate to where we saved those files, and the first file we're going to take a look at is the CEBFF5CD file. I'm going to open that and take a look at some of the stuff in here, see what's going on. Mainly what I am looking to see is whether my tools are giving me the same results, because if they're not, then we have to figure it out for a minute here. I'm going to minimize this. You have filters here you can use too; I want to look for the Snipping Tool.
Well, I have the Snipping Tool here, and that's what it's saying. Here we go, we have the Snipping Tool here, and in front of the Snipping Tool I have a long GUID. You might have noticed these GUIDs in the file path. What do these GUIDs mean? If we bring up our UserAssist values PDF and take a look at this GUID, which starts 1AC14E, I do a Ctrl+F for 1AC1 and I get one match; click on it, and it says it's coming from the Windows directory, System32. What this PDF tells us, based on these GUIDs, is where these files, these applications, are originating from, what path they're being launched through, which can also be very important to your case. This particular one is saying Windows\System32. So out of curiosity, let me look at that program for a minute: if I type snipping again, it does say it is coming from System32, and it's saying it has a run counter of nine and a focus count of 11. So that does match. If we look at this very first entry, we see we have absolutely nothing. If you take a look here, Dropbox installer update, again we have a counter of zero and a focus count of four, which is odd. So let's see what the other program shows us for that particular update. It's showing the same data. So this is the point where we would have to go look in the hex, which we're going to do shortly. Okay, so let's take a look at our other file, the shortcut file, for a second. We're going to Load from REG file, navigate back out, and take a look at the programs that were executed using .lnk shortcut files. Here we see a Google Chrome link and we see two different GUIDs, what appears to be two different file paths. So if I want to know what these GUIDs are again, I'm going to go to my sheet and take a look using Ctrl+F. I'm going to see what this one is, the Google Chrome taskbar link. I'm going to put in 9E3.
I got one match, and it says AppData\Microsoft\Internet Explorer\Quick Launch\User Pinned. So this is user pinned to the taskbar. This application was launched from a user-pinned shortcut on the taskbar. That's quite a lot of information to get about an application; let's see what else we can find out. Okay, so we just did that one, and we know it's a user-pinned application coming from the taskbar. Now let's see what this one is. This one just says Google Chrome.lnk, but we're going to do a Ctrl+F to see where that's coming from; that was really easy, and that is the right one. This is coming from All Users, Microsoft\Windows\Start Menu\Programs, so everybody, all users, have access to this. So there's more than one shortcut to Google Chrome, and it was launched in more than one way. Remember, we're looking at a certain user's NTUSER.DAT file, so that does show interaction with that program. It shows it being launched and it shows us how it's being launched: not just that the user used it and when the date of last execution was, but whether they launched it from their taskbar pin or from a shortcut in the Windows Start Menu Programs. So we're getting a lot of detailed information about user activity with the UserAssist key. And again we can see our values, and this particular program does give us local time and UTC time, which is nice. Let's minimize this for a second and see what it says about Google Chrome.lnk here. This one is saying it's a desktop link, and this one for Google Chrome is saying it's user pinned to the taskbar. We also see Common Programs\Google Chrome.lnk; that's the one coming from the Start Menu. We also see some other interesting programs listed in here, TrueCrypt. We see another desktop shortcut for Google Chrome. We see a Snipping Tool link, and we do see the Command Prompt link is also showing up here.
We see links to Control Panel. And let's take a look at the data structure. So we know all our GUIDs can be resolved if we use our PDF file to resolve them. Also notice that even in Registry Explorer you still have some GUIDs in the file paths. It does try to decipher the GUIDs for you most of the time, but every once in a while you will see a GUID in here too. This BiWeekly entry is not a GUID, though; that's something else. It's how certain things are stored on a weekly basis, some of the browser histories. You also see a Wireshark download here, and some pcaps. So a lot of things that could be very interesting to your case. And everything you see here with these curly brackets, that would be a GUID when you're looking at it in UserAssist, the other program we're using. So everything between the curly brackets is an interpreted GUID, and if you want to see the actual GUID, you would need another tool to do that. I'm going to take a quick look at the structure of these values and how they're interpreted. Every value has a structure. If we're looking at an individual entry, the first 4 bytes will usually be zeros. Not always, but usually. The next four bytes are going to be read little endian, so we would read them that way, and that is the number of executions, and we can see it's seven. We have a focus time here, so let's go ahead and translate our focus time. Let's bring up our Windows Calculator. If we translate that, it would be 0 0 0 3 6 8 2 1, and that is a decimal millisecond value. There are online converters or time converters that will translate your millisecond times to actual seconds. Now let's look at the date and time. We're going to use DCode for this. We're looking at a Windows 64-bit hex value, and with this one you just go ahead and type the bytes in.
And because I typed it in little endian, we're going to need to use big endian to decode that, but that would be the date and time from that particular UserAssist entry, and that is how we would decode it. Now, looking at the second entry, BiWeekly, we're going to look at it in the UserAssist tool, so we're going to Commands, Load from REG file, and then go back out to where you stored your reg file. I'm going to load that first one, CEBFF5CD. We're going to hit Open, and I'm going to look at that. This is the hex view of that entry, and we can see that we have 0E, and we know 0E is 14. So our number of executions should be 14. If we decode our focus time to decimal, we should get 4200. Let's take a look; so far, are we right? Counter 14, focus time 4200. Now translate the date and time back to hex. Clear it out; the date and time is these last eight bytes, well, not the last eight, but they're sandwiched between the zeros and the FFs. We're going to translate that. We're going to need DCode, so bring up DCode, paste that in, and decode it. Let's see if it looks the same. So March 18th 2017, and I'm in UTC right here, 04:50, so that's correct. That value does read what it reads on disk, so we know we can probably trust that value. Another thing we're going to look at right here: as you can see, there is a pattern to the data. Most data is going to have patterns. You can see we have a value here, you can see we have a value here, and we can see where this date and time, except for this line, is all pretty much sandwiched between these zeros. And where we do see all zeros, that means we have no date and time. But you can see a pattern, and you can see the entries that don't seem to follow that pattern. Your tool is pulling this data from set offsets, so if the data doesn't make sense, you're going to come up with an answer that doesn't make sense.
So just be aware of that. We're also going to take a look at the other key we were talking about earlier, where we were seeing the run count and the focus count, just to show you again real quick. In here we look at this link file value in F4E. When we look at our focus count here, we have all zeros. To look at the same thing in the other tool, we'll go to Commands, Load from REG file, navigate down and load the F4E57 file real quick. Again our count and our focus time, I'm sorry, not the focus count but the focus time, matches our counter, and our focus time is in milliseconds. So if we launched this application nine times, we only had it in focus for 9 milliseconds? I don't think so. So I would not trust the focus time on this, or the focus count. But what I would trust here, and we're talking about the programs executed through the link files, is the counter and the last executed date, and the same thing here. We're not seeing anything in focus time because, again, this only goes out to seconds; it's not showing us milliseconds. And you can see all the way down that these number of executions and focus time are matching numbers, so I would think it would be safe to say there's something wrong with that. We do have what look to be good date and time values. That third entry down, which is not showing us any data, has a very strange pattern. You can also see in the data pattern that you're looking at 80 BF; I mean, it has a pattern, a very distinct pattern, and data that doesn't conform to that pattern is probably not being interpreted correctly by your tool, because all your tool is doing is going to these offsets, interpreting this data and putting it into a human readable form for you. So by using two tools to do this, we are validating our tools.
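As an added example (not code from this course, from Registry Explorer or from Didier Stevens' tool), here is a small Python parser that does by hand what the section walks through: it ROT13-decodes a value name, resolves the known-folder GUID the way the PDF lookup does, reads the run count, focus count, focus time and FILETIME at the offsets described above, and flags the two inconsistencies the section found (a zero run count with focus data, and a shortcut entry whose focus time equals its run count). The full subkey GUIDs, the three known-folder GUIDs, the 72-byte Windows 7/8/10 record layout and the sample record are assumptions made for this example, not taken from the page.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# The two UserAssist subkeys the section focuses on. Assumed here with their full
# GUIDs; the text quotes only the CEBFF5CD and F4E57C4B prefixes.
EXE_SUBKEY = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # programs run directly
LNK_SUBKEY = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"  # programs run via .lnk shortcuts

# Known-folder GUIDs the section looks up in the values PDF (Windows KNOWNFOLDERID values).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}": r"%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned",
    "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}": r"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def rot13(text):
    """ROT13 is its own inverse: the same call encodes plain text and decodes value names."""
    return codecs.encode(text, "rot_13")

def decode_value_name(value_name):
    """ROT13-decode a UserAssist value name, then resolve the known-folder GUID prefix."""
    name = rot13(value_name)
    for guid, path in KNOWN_FOLDERS.items():
        name = name.replace(guid, path)
    return name

def filetime_to_utc(filetime):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc, used only to build the constructed sample below."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_userassist_data(data):
    """Parse a 72-byte Windows 7/8/10 Count value at the offsets the section walks through:
    0 session id, 4 run count, 8 focus count, 12 focus time (ms), 60 FILETIME (little endian)."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ record, got %d bytes" % len(data))
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (filetime,) = struct.unpack_from("<Q", data, 60)
    return {"session": session, "run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_executed": filetime_to_utc(filetime) if filetime else None}

def sanity_warnings(subkey, rec):
    """Flag the two inconsistencies shown in the section so the examiner goes to the hex."""
    warnings = []
    if rec["run_count"] == 0 and (rec["focus_count"] or rec["focus_ms"]):
        warnings.append("run count is 0 but focus data is populated; verify in hex")
    if subkey == LNK_SUBKEY and rec["run_count"] and rec["focus_ms"] == rec["run_count"]:
        warnings.append("focus time equals run count (in ms); focus fields untrustworthy for .lnk entries")
    return warnings

def build_record(run_count, focus_count, focus_ms, last_executed):
    """Constructed sample record in the same layout, so the parser can be exercised offline."""
    body = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
    body += b"\x00" * 40 + b"\xff" * 4            # ten unused float slots, then the FF dword
    body += struct.pack("<Q", utc_to_filetime(last_executed)) + b"\x00" * 4
    return body

# Constructed sample: ROT13 of "{1AC14E77-...}\SnippingTool.exe" and the numbers the
# section decodes by hand (14 runs, 4200 ms focus time, last run 2017-03-18 04:50 UTC).
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr"
SAMPLE_DATA = build_record(14, 5, 4200, datetime(2017, 3, 18, 4, 50, tzinfo=timezone.utc))
```

Running `decode_value_name(SAMPLE_NAME)` and `parse_userassist_data(SAMPLE_DATA)` reproduces the values the two tools showed, which is the cross-check the section is after; a record that trips `sanity_warnings` is one to open in the hex view rather than report as-is.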
We're also getting to see, and I'm going to load the other hive, you don't have to follow me through it if you don't want to, the actual millisecond value versus a translated value in hours, minutes and seconds. We're getting to see a tool that is putting it in local and UTC. And you're also able to confirm that what your tool is showing you can be seen in more than one tool, because, going back to the basics, computer forensics is a forensic science, and we need to have something that is reliable and repeatable, something that another examiner could look at in a different tool and confirm our findings, come up with the same answers that we did. So if you're looking at something in your tool and it doesn't seem right, take a look at the hex, and if the hex doesn't look right, it's probably not your tool; your tool is probably just not able to interpret that value, those values are probably being stored differently, and Microsoft is not open source, so we don't always know why some of those values are being stored the way they are.