Book Image

Learn Computer Forensics – 2nd edition - Second Edition

By : William Oettinger
Book Image

Learn Computer Forensics – 2nd edition - Second Edition

By: William Oettinger

Overview of this book

Computer Forensics, being a broad topic, involves a variety of skills which will involve seizing electronic evidence, acquiring data from electronic evidence, data analysis, and finally developing a forensic report. This book will help you to build up the skills you need to work in a highly technical environment. This book's ideal goal is to get you up and running with forensics tools and techniques to successfully investigate crime and corporate misconduct. You will discover ways to collect personal information about an individual from online sources. You will also learn how criminal investigations are performed online while preserving data such as e-mails, images, and videos that may be important to a case. You will further explore networking and understand Network Topologies, IP Addressing, and Network Devices. Finally, you will how to write a proper forensic report, the most exciting portion of the forensic exam process. By the end of this book, you will have developed a clear understanding of how to acquire, analyze, and present digital evidence, like a proficient computer forensics investigator.
Table of Contents (17 chapters)
15
Other Books You May Enjoy
16
Index

Exploring program execution

Program execution artifacts indicate programs or applications that were run on the system. The user could cause the execution, or an autostart/run event managed by the system. Some categories overlap with the file knowledge category we discussed earlier in the chapter. I am not going to re-examine those specific artifacts in this section. Just be aware that the artifacts from recent apps, JumpLists, an MRU, and prefetch files will also contain information about program/application activity.

Determining UserAssist

UserAssist is a registry key in the user’s NTUSER.DAT file and can be found at the following path:

NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist

The key tracks the GUI-based applications that were launched in the system. The system encodes the data in the key with ROT 13 encoding. RegRipper will decode the data automatically. The following represents the output you will see from RegRipper:

...