Windows systems have a database in which important operating system and application configuration settings are maintained. This database is called the Windows Registry; it is made up of keys and values, analogous to a filesystem's folders and files respectively. UserAssist is a key in a part of the Registry that records programs frequently executed by a user. Values such as the file name, the time of last execution, and the number of times executed can be found within the UserAssist key.
Analysis of program executions is essential to digital forensics and incident response investigations, for example when tracing malware or detecting anti-forensic tools. The UserAssist artifact provides valuable information that helps identify the presence and execution history of malicious programs on a system, even after the programs themselves have been deleted.
The UserAssist artifact's source file is located at C:\Users\[UserName]\NTUSER.DAT.
Within the NTUSER.DAT hive, the artifact data can be found at the following location:
The NTUSER.DAT file is a registry hive file. The registry file format is a binary format organized like a filesystem, with a group of keys, subkeys and values. These files are used by the operating system to store user, system, and application configurations.
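As an added example, not code from the article or from ArtiFast, the following Python parser recovers the three fields named above (program name, run count, last execution time) from a single UserAssist value. It assumes the Windows 7 and later value layout (ROT13-encoded value name; 72-byte data with the run count at offset 4 and the last-execution FILETIME at offset 60) and builds a constructed sample value rather than reading a live hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 7+ UserAssist value layout (72 bytes of binary data):
#   offset 4  : DWORD   run count
#   offset 60 : FILETIME of last execution (100 ns ticks since 1601-01-01 UTC)
RUN_COUNT_OFFSET = 4
LAST_RUN_OFFSET = 60
VALUE_SIZE = 72
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME to an aware UTC datetime (None if zero)."""
    if ft == 0:
        return None  # a zero timestamp means no last-run time was recorded
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_userassist_value(value_name, value_data):
    """Decode one UserAssist value: ROT13 name plus binary counters."""
    if len(value_data) < LAST_RUN_OFFSET + 8:
        raise ValueError("UserAssist data too short: %d bytes" % len(value_data))
    run_count = struct.unpack_from("<I", value_data, RUN_COUNT_OFFSET)[0]
    last_run = struct.unpack_from("<Q", value_data, LAST_RUN_OFFSET)[0]
    return {
        "program": codecs.decode(value_name, "rot_13"),  # value names are ROT13-obfuscated
        "run_count": run_count,
        "last_executed": filetime_to_datetime(last_run),
    }


def build_sample_value(program, run_count, last_run_utc):
    """Construct a UserAssist-style value for offline testing (sample data, not captured)."""
    td = last_run_utc - EPOCH_1601
    ticks = ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10
    data = bytearray(VALUE_SIZE)
    struct.pack_into("<I", data, RUN_COUNT_OFFSET, run_count)
    struct.pack_into("<Q", data, LAST_RUN_OFFSET, ticks)
    return codecs.encode(program, "rot_13"), bytes(data)


def demo():
    """Parse a constructed sample value and return the decoded fields."""
    when = datetime(2023, 5, 4, 10, 30, tzinfo=timezone.utc)
    name, data = build_sample_value(r"C:\Users\alice\Downloads\installer.exe", 3, when)
    return parse_userassist_value(name, data)


if __name__ == "__main__":
    print(demo())
```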
This section discusses how to use ArtiFast Windows to extract the UserAssist artifact from Windows machines and what kind of digital forensics insight can be gained from it.
After you have created your case and added evidence for the investigation, at the Artifact Parser Selection phase you can select the UserAssist artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the UserAssist artifact in ArtiFast software.
The artifact contains information on frequently used applications. The details you can view include: