by Chetan Gupta, NII Consulting
Windows XP has a built-in feature – UserAssist, that acts as a monitoring tool and greatly aids in the forensic investigation of Windows operating systems. UserAssist records user access of specific objects on the system, such as executables, Control Panel applets, shortcut files, etc. This is stored in the registry under the following key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
ExplorerUserAssist
This key contains two subkeys which closely resemble GUIDs (Globally unique identifiers). Each subkey contains another subkey called ‘count’. The count subkey contains the entries that contain the access records for various objects. However, these entries are ‘encrypted’ using an encryption algorithm known as ‘ROT-13’. The full path to the two keys is:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
ExplorerUserAssist
{5E6AB780-7743-11CF-A12B-00AA004AE837}Count
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
ExplorerUserAssist
{75048700-EF1F-11D0-9888-006097DEACF9}Count
Encryption using ROT13
According to Wikipedia, ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple Caesar cipher used for obscuring text by replacing each letter with the letter thirteen places down the alphabet. A becomes N, B becomes O, and so on up to M, which becomes Z, then the sequence reverses: N becomes A, O becomes B and so on to Z, which becomes M.
Decrypting Rot-13 encrypted entries
An online ROT13 decryption program is available at http://www.degraeve.com/rot13.php. You can also save the page and use the decryption feature offline.
How to decrypt the UserAssist entries?
- Open Regedit and then navigate to:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
ExplorerUserAssist - Right click on ‘count’ subkey and export the contents to a .reg file
- Open the .reg file with an editor such as notepad and copy the contents
- Paste the contents in decryption program as mentioned above and you are done!
If there is a key that indicates a ‘tracks eraser’ program such as evidence eliminator was run, it definitely puts the user under suspicion as to why he wanted to erase the trails of his activity on the machine. A typical decrypted output would look something like this:
"UEME_RUNPATH:C:\WINDOWS\system32\NOTEPAD.EXE"=urk:83,00,00,00,n2,02,00,00, 10,qo,77,02,rr,84,p6,01
"UEME_RUNPATH:C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE"=urk:80,00,00,00,9p,00,00, 00,60,q8,sr,48,30,82,p6,01
"UEME_RUNPIDL"=urk:83,00,00,00,10,08,00,00,80,62,44,9p,pp,84,p6,01
"UEME_RUNPIDL:::{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0}"=urk:80,00,00,00,9p,00, 00,00,r0,s2,04,49,30,82,p6,01
"UEME_RUNPATH:C:\WINDOWS\System32\cmd.exe"=urk:83,00,00,00,n2,00,00,00,50, n9,61,40,9n,84,p6,01
"UEME_UISCUT"=urk:83,00,00,00,p3,00,00,00,70,on,56,31,s1,84,p6,01
"UEME_RUNPATH:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=urk:83,00,00,00,1s,01, 00,00,70,on,56,31,s1,84,p6,01
"UEME_UIQCUT"=urk:83,00,00,00,pp,07,00,00,70,r9,69,30,s1,84,p6,01
"UEME_RUNPATH:WinTasks.lnk"=urk:02,00,00,00,07,00,00,00,q0,o0,ns,30,r3,02,p6, 01
"UEME_RUNPIDL:%csidl2%\Evidence Eliminator"=urk:04,00,00,00,07,00,00,00,r0,os, sp,2p,n5,0s,p6,01
"UEME_RUNPATH:C:\WINDOWS\system32\shell32.dll"=urk:82,00,00,00,47,00,00,00, 00,p0,26,q9,p1,83,p6,01
"UEME_RUNPATH:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"=urk:83, 00,00,00,30,00,00,00,90,03,45,60,7n,84,p6,01
As we can see that there is an entry which suggests that the user did run evidence eliminator on his system, he definitely owes an explanation to the investigator!
