Comments on: UserAssist Revisited! http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/ An Information Security Blog by NII Consulting Fri, 16 Dec 2011 01:39:22 +0000 hourly 1 http://wordpress.org/?v=3.3 By: käfer http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/comment-page-1/#comment-20758 käfer Tue, 27 Sep 2011 00:59:41 +0000 http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/#comment-20758 thanks for this great tip! thanks for this great tip!

]]> By: Iain http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/comment-page-1/#comment-58 Iain Wed, 04 Jul 2007 16:51:45 +0000 http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/#comment-58 Thank you, and sorry about the delay in my responding. I check here on most days and the first time that I saw your response was today, 4 July 2007. Since posting my question, I've been investigating myself and have realised that the count starts at 05h (the "zero" reference point) and that accounts for only part of this data. I suspect that the meaning of the remainder of the data will be uncovered in due course. Thank you, and sorry about the delay in my responding. I check here on most days and the first time that I saw your response was today, 4 July 2007.

Since posting my question, I’ve been investigating myself and have realised that the count starts at 05h (the “zero” reference point) and that accounts for only part of this data. I suspect that the meaning of the remainder of the data will be uncovered in due course.

]]> By: Kush Wadhwa http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/comment-page-1/#comment-57 Kush Wadhwa Fri, 01 Jun 2007 13:54:27 +0000 http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/#comment-57 Hey Iain, Thats a very good question. Let me make this point very clear. The first 4 byte refer to DWORD (4 byte or 32 bits). This DWORD is a 32 bit integer that is a counter for the number of times that the program link files or other object has been opened. The very first time a program or link file is recorded it is assigned a counter value of 06h, which is decimal six. From that point forward, it will increment one for each time that particular program, link file or object is opened. The reason for the number starting at 6 is unknown. For your satisfaction you can say "GATES" in bill gates have 5 alphabets. Therefore he gave the increment of 5. LOL!!!. Anyways it hardly matters. I think it is clear to you now.:) Hey Iain,

Thats a very good question. Let me make this point very clear.

The first 4 byte refer to DWORD (4 byte or 32 bits). This DWORD is a 32 bit integer that is a counter for the number of times that the program link files or other object has been opened. The very first time a program or link file is recorded it is assigned a counter value of 06h, which is decimal six. From that point forward, it will increment one for each time that particular program, link file or object is opened. The reason for the number starting at 6 is unknown. For your satisfaction you can say “GATES” in bill gates have 5 alphabets. Therefore he gave the increment of 5. LOL!!!. Anyways it hardly matters. I think it is clear to you now.:)

]]> By: Iain http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/comment-page-1/#comment-56 Iain Mon, 28 May 2007 14:43:11 +0000 http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/#comment-56 Hi Chetan What a fascinating insight into this mystery. I see that there are 16 pieces of data. I've used Decode and the final 8 pieces do, indeed, say when I last had access - but what about the first 8 pieces? On my system, they're predominantly zeros, rather than a wide spread of all hex characters from 0 to F. Do you have any idea what the first 8 refer to and how they can be interpreted? Iain Hi Chetan

What a fascinating insight into this mystery.

I see that there are 16 pieces of data. I’ve used Decode and the final 8 pieces do, indeed, say when I last had access – but what about the first 8 pieces? On my system, they’re predominantly zeros, rather than a wide spread of all hex characters from 0 to F.

Do you have any idea what the first 8 refer to and how they can be interpreted?

Iain

]]> By: Anonymous http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/comment-page-1/#comment-54 Anonymous Wed, 18 Oct 2006 15:13:07 +0000 http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/#comment-54 Hey Shaun, Thanks for pointing that out! I accept my mistake (part lazyness and part ignorance! :) ) Actually the 16 bits of data is the date and time when the object was accessed... Very Important for leads to investigation... Now the important question is : how to convert this to humanly interpretable data? The answer is: 1. You can use the decode program available at http://www.digital-detective.co.uk/freetools/decode.asp 2. You can also use Mitec WRR (Windows Registry Recovery) or WRA (Analyzer) which are both freely available for the same purpose. Hope that helps! Chetan Hey Shaun,
Thanks for pointing that out! I accept my mistake (part lazyness and part ignorance! :) )
Actually the 16 bits of data is the date and time when the object was accessed… Very Important for leads to investigation… Now the important question is : how to convert this to humanly interpretable data?
The answer is:
1. You can use the decode program available at http://www.digital-detective.co.uk/freetools/decode.asp
2. You can also use Mitec WRR (Windows Registry Recovery) or WRA (Analyzer) which are both freely available for the same purpose.
Hope that helps!
Chetan

]]> By: Shaun Harrington http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/comment-page-1/#comment-55 Shaun Harrington Wed, 18 Oct 2006 14:19:43 +0000 http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/#comment-55 You failed to describe the 16 bits of data. Can you give us the details? Thanks! -Shaun You failed to describe the 16 bits of data. Can you give us the details?

Thanks!

-Shaun

]]>