DFSP # 317 - UserAssist

This week it’s back to basics with a Windows artifact for tracking program execution. I’m covering the user assist key which is a mainstay for both live triage and dead box forensics. This artifact is useful for profiling system usage, identifying malware, and general file use and knowledge applications. There are some caveats you need to be aware of and in this episode I’m covering  five different experiments to document the effects that different types of user activity had on the artifact. If you want to better understand this artifact and how to work with it stay tuned.