The registry and Proof of usage
How can we prove that a particular application was used, using Windows Registry analysis?
For instance, a user installed an IM app (like Kazaa), used it, and then uninstalled it. The uninstall left some keys in the registry which could be used to prove that the user did install the application, but how can we push the assumption further and prove that he did indeed use it?
I've tried to look for traces in the following keys, but to no avail.
Any other pointers that may help? (I am interested in the registry only and not the file system.)
Have you tried collecting information about MRU-Run MRU?
I don't know whether it will serve your purpose….
It might be helpful if you could provide more information.
First off, specifically which application was used? Include not only the name, but the version number, as well. This is important, and may make a significant difference.
Second, which operating system (i.e., which version of Windows) are we talking about?
"Windows Forensics and Incident Recovery"
I do not think it is prudent just to isolate the Registry as a possible source of history. As Harlan mentioned, it is essential that you elaborate on which OS you are examining, as a variety of OSes have differing artefacts.
The Application in question is Kazaa v3.0 and the OS is Win2kSp4 (latest patch).
Sachin, can you tell what exactly are the keys you are referring to as MRU-RUN MRU?
Kazaa uses dbb files to maintain records of what has been available for sharing via the program. It does not necessarily mean that the user was sharing; it is merely the repository for files that could have been available.
If you are using forensic software, select all the case, sort by file extension and ascertain if you have files similar or equal to 1024.dbb or 2048.dbb. If you find the files, you will need some software like Kazalyser to correctly output the information.
If you do not find the files, try searching across the UC for ' My Shared Folder' and make sure you do this in Unicode also. If this fails, try doing a text search for '1331' without quotes, which is the Record Signature.
Thanks everyone for their feedback.
For your info, I managed to gather the evidential material of usage by just looking at the registry. The mystery key was HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
The trick is that all entries in this key are ROT13 encrypted; that's why doing a search on the keyword kazaa wouldn't return anything useful.
Have you been able to determine what conditions cause an entry to be made beneath either UserAssist key?
If you look in the registry files for the specific user, you should see Kazaa details in there (under Software, if I remember right) in clear language. This will tell you a massive amount of data, including the settings for downloads and uploads etc., the default shared folder and any others shared by the user and, if you are lucky to have the right version of Kazaa, the last twenty search terms used by the user. It will also give you the username used, e-mail address given, etc. It won't tell you what you want, i.e. yes, it was used, but if he has changed his download and upload settings from the default and there are search terms, it is a good pointer that it was.
Hope this helps a little bit.
The keys mentioned in the post piqued my interest as I hadn't visited them before and wasn't aware of what they contained.
For those in the same boat here is an interesting link.
Does anyone know if each entry is timestamped, in effect letting an examiner know when the file, URL, link, etc. was accessed, and is there a utility that can decode the keys and export them into a file to make viewing easier?
While examining the keys I essentially decoded them one at a time, which obviously isn't practical.
Bottom of the site has a tool that seems to do what I mentioned above….I'll try @ home.
When I was getting WRA developed, one of the key areas that required attention was the ability to decrypt the User Assist Keys. Although WRA was sold to Paraben in May, I still have the free version available.
The links to WRA and WRA Guidance in 'Downloads' are not active. If anyone wants a copy of WRA or WRA Guidance, send an email to
Indeed, WRA was the tool I've used to decrypt the UserAssist key. The least I can say about it is "superb".
The version I got is one of the oldest freeware versions. Would you please send me the latest freeware you have? Send it to [email protected]
Wow, this is pretty funny…I posted a link to a Perl script here not long ago that does exactly what you're asking, including "decrypting" the UserAssist keys.
The Perl script is run against the raw Registry file (in this case, NTUSER.DAT), and can be run on Linux, Windows, or even a Mac G5. The script can be "compiled" with Perl2Exe (I've done it) or PAR.
I still find it interesting how there's more of a reliance in this forum on closed source and commercial tools than there is on open source freeware, particularly those that (a) require a tiny bit more work than simply downloading an executable and (b) actually help you understand what's going on "under the hood".
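For readers who want to see what is "under the hood" of the UserAssist decoding discussed in this thread, here is an added example. It is not part of any post and is not the Perl script or WRA mentioned above. It decodes ROT13 value names and searches them for a keyword, and it assumes the 16-byte Windows 2000/XP value layout (session ID, run counter, last-run FILETIME). The function names and the sample values are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_name(value_name):
    """ROT13 rotates only A-Z/a-z; digits, ':' and backslashes pass through."""
    return codecs.decode(value_name, "rot_13")

def parse_data(data):
    """Assumed layout: <session id:4><run counter:4><last-run FILETIME:8>."""
    if len(data) != 16:
        return None  # other layouts are not handled here
    session, count, filetime = struct.unpack("<IIQ", data)
    last_run = None
    if filetime:  # FILETIME counts 100 ns ticks since 1601-01-01 UTC
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"session": session, "count": count, "last_run": last_run}

def find_entries(values, keyword):
    """Return (cleartext name, parsed data) for names containing keyword."""
    hits = []
    for name, data in values.items():
        clear = decode_name(name)
        if keyword.lower() in clear.lower():
            hits.append((clear, parse_data(data)))
    return hits

# Constructed sample: value names as they would appear under UserAssist\...\Count,
# with a FILETIME corresponding to 2005-01-01 00:00:00 UTC.
_FT = (1104537600 + 11644473600) * 10**7
SAMPLE = {
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Xnmnn\xnmnn.rkr": struct.pack("<IIQ", 1, 8, _FT),
    r"HRZR_EHACNGU:P:\JVAAG\abgrcnq.rkr": struct.pack("<IIQ", 1, 6, 0),
}

if __name__ == "__main__":
    for clear, info in find_entries(SAMPLE, "kazaa"):
        print(clear, info["count"], info["last_run"])
```

A plain-text search for "kazaa" over the raw value names finds nothing, while the same search over the decoded names returns the entry along with its counter and timestamp.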