Didier Stevens

Tuesday 11 August 2009

Update: UserAssist Tool Version 2.4.3

Filed under: Forensics,My Software,Update — Didier Stevens @ 16:07

I had an interesting discussion with Hans Heins concerning the timestamp displayed by my UserAssist tool.

The first version of the UserAssist tool would only decode the UserAssist registry keys of the account under which it was running. And thus it made sense to display the timestamp in local time format, even if the entry is stored in UTC.

I added a warning about the time zones when I added registry file import functions, but this was confusing.

This new version of the UserAssist tool adds an extra column, with the timestamp in UTC:

20090811-175725

And I’ll be posting a new version to support the new UserAssist registry key format of Windows 7 and Windows 2008 R2.

Download:

UserAssist_V2_4_3.zip (https)

MD5: A5244C7F83E0DE70600E27F5D3B8AD7D

SHA256: 7E2D107BE84FBBF7E79F1BD11703401A374B5138B2F77E4FF8AFE1A3E749CCDA

8 Comments »

  1. Didier,

    Does this mean that the “encryption” is NOT, in fact, going to fall back to ROT-13, the way previously discussed?

    Comment by H. Carvey — Thursday 13 August 2009 @ 11:08

  2. I’d love to know when a version comes out that supports Win 7. 🙂 I’m thinking of doing a video, or at least a text article that links to it.

    Comment by Irongeek — Thursday 13 August 2009 @ 14:10

  3. Yes, it’s back to ROT-13 in the RTM I saw, but the binary data has changed.

    Comment by Didier Stevens — Thursday 13 August 2009 @ 21:14

  4. @Irongeek

    that woulkd be cool, will keep you posted

    Comment by Didier Stevens — Thursday 13 August 2009 @ 21:15

  5. I am very interested to why it does not work currently with windows 7? what windows 7 have/n’t that makes it not work with it in a forensic point of view?

    Comment by Hemn Baker — Thursday 15 October 2009 @ 22:05

  6. It’s simple. The registry key has changed and the binary data format has changed in Windows 7 (and Windows Server 2008 R2).
    What’s more, after I reversed the format of an early version of Windows 7 beta, Steve Riley from Microsoft told me that this format would change in next releases.
    That’s why I only started last month with the analysis of the new format. I’ve a working beta version of my tool.

    Comment by Didier Stevens — Friday 16 October 2009 @ 11:00

  7. Have you checked your tool’s results with RegRipper’s userassist.pl plugin? When I run them both, your tool lists more items than RegRipper’s. Do you know why?

    Comment by Anonymous — Monday 16 December 2013 @ 19:41

  8. @Anonymous Please provide more details.

    Comment by Didier Stevens — Monday 16 December 2013 @ 19:54


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.