Investigating UserAssist
13/05/2022 Friday
Windows systems have a database where the important operating system and application configurations are maintained. This database is called the Windows Registry, it is made up of keys and values analogous to filesystems’ folders and files respectively. UserAssist is a key in a part of the Registry that contains a record of programs frequently executed by a user. Values such as file name, the time of last execution, and the number of times executed can be found within the UserAssist key.
Digital Forensics Value of UserAssist Artifacts
Analysis of program executions is essential to digital forensics and incident response investigations, such as in tracing malware and detecting anti-forensic tools. UserAssist artifact provides valuable information that helps in identifying the presence and execution history of malicious programs on a system even after deletion.
Location of UserAssist Artifacts
UserAssist artifact source file is located at C:\Users\[UserName]\NTUSER.DAT.
Within the NTUSER.DAT hive, the artifact data can be found at the following
location:
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Structure of UserAssist Artifacts
The NTUSER.DAT file is a registry hive file. The registry file format is a binary file like a filesystem with a group of keys, subkeys and values. These files are used by the operating system to store user, system, and application configurations.
Analyzing UserAssist Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to extract UserAssist artifact from Windows machines
and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection
phase, you can select UserAssist artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the UserAssist artifact in ArtiFast software.
UserAssist Artifact
The artifact contains information on frequently used
applications. The details you can view include:
- Class ID - Unique ID representing an application or an applications shortcut link.
- Key Name – Path to the launched application or shortcut link.
- Session – Session identifier.
- Run Count – Number of times the application was launched.
- Focus Count – Number of times the application was brought in focus by the user.
- Total Time – Total time in seconds the application was in focus for.
- Last Execution Date – Date and time the application was last run.
- Located At – Where in the hive the current entry is located.
For more information or suggestions please contact: ummulkulthum.wambai@forensafe.com
