Windows 7 ntuser dat
FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

SANS posted a quick challenge at CEIC this year. I had some downtime before the conference, so I decided to take part. In short, SANS provided an NTUSER.DAT hive and asked three questions about it. Below is a look at my process for answering these questions and ultimately solving the challenge. It's time to once again refresh our memories with the raw basics.

Given an NTUSER.DAT hive, the questions were as follows:

1. What was the most recent keyword that the user vibranium searched for using Windows Search on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed URL in the vibranium NTUSER.DAT?

Right off the bat, we can see that these questions are pretty standard when it comes to registry analysis.

Question #1: Find the most recent keyword searched using Windows Search.

First, we must understand what the question is asking. "Windows Search" refers to searches run using the following search fields within Windows:

Each entry in the MRUListEx value will be 4 bytes in length, stored in little endian: it is going to be a 32-bit integer with the least significant byte stored at the beginning of the entry. For example, an entry for "7" would be shown as "07 00 00 00".

Question #2: Find the number of times excel.exe was run.

For question #2, we are concerned with program execution. And, as we already know, there is no shortage of artifacts that can be used to determine this (.lnk files, Windows Error Reporting crash logs, Prefetch, AppCompatCache, etc.). However, we are limited to only the NTUSER.DAT hive for this challenge. As such, the artifact we will want to look at will be UserAssist. Remember that unlike Prefetch, UserAssist artifacts will show us run counts per user instead of globally per system. Since we would like to determine how many times excel.exe has been run by a specific user, UserAssist is the perfect candidate. UserAssist artifacts can be found in the following registry key:
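As an added example (not code from the original post), the following Python decodes an MRUListEx ordering exactly as described for question #1 and reads a per-user UserAssist run count for question #2. The sample values are constructed; the WordWheelQuery key name and the Windows 7 UserAssist layout (ROT13-encoded value names, run count as the DWORD at offset 4) are assumptions not stated in the post.

```python
import codecs
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # MRUListEx ends with FF FF FF FF


def parse_mrulistex(data: bytes) -> list[int]:
    """Decode MRUListEx: 4-byte little-endian DWORDs (7 -> 07 00 00 00).

    Returns the value indices in MRU order; the first is the most recent.
    """
    if len(data) % 4:
        raise ValueError("MRUListEx data length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def most_recent_search(values: dict[str, bytes]) -> str:
    """Most recent keyword from a WordWheelQuery-style key (assumed location).

    `values` maps value names to raw data: MRUListEx plus numbered values
    holding NUL-terminated UTF-16LE strings.
    """
    order = parse_mrulistex(values["MRUListEx"])
    if not order:
        raise ValueError("MRUListEx is empty")
    return values[str(order[0])].decode("utf-16-le").rstrip("\x00")


def userassist_run_count(value_name: str, data: bytes) -> tuple[str, int]:
    """Decode one Windows 7 UserAssist Count entry (assumed layout).

    Value names are ROT13-encoded; the run count is the DWORD at offset 4.
    """
    if len(data) < 8:
        raise ValueError("UserAssist data too short")
    program = codecs.decode(value_name, "rot13")
    (count,) = struct.unpack_from("<I", data, 4)
    return program, count


# Constructed sample values (not taken from the challenge hive).
SAMPLE_SEARCH = {
    "MRUListEx": bytes.fromhex("07000000 02000000 00000000 ffffffff"),
    "0": "quarterly".encode("utf-16-le") + b"\x00\x00",
    "2": "vibranium".encode("utf-16-le") + b"\x00\x00",
    "7": "budget".encode("utf-16-le") + b"\x00\x00",
}
SAMPLE_UA_NAME = codecs.encode("C:\\Path\\To\\EXCEL.EXE", "rot13")  # placeholder path
SAMPLE_UA_DATA = struct.pack("<II", 0, 5) + bytes(64)  # session id 0, run count 5

if __name__ == "__main__":
    print(most_recent_search(SAMPLE_SEARCH))                    # budget
    print(userassist_run_count(SAMPLE_UA_NAME, SAMPLE_UA_DATA))  # (..., 5)
```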