Other Program Execution Artefacts
Other program execution aretfacts of interest
There are several locations on a computer with Windows 10 installed that contain aretafcts indicating a previous process execution. An example of of one of these locations is detailed below:
UserAssit
This aretfact is a registry key that relates to the execution of GUI programs launched via the Desktop. The key location is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
An example of this registry key is detailed below:
Note the 2 Count GUIDs highlighted above. These GUIDs relate to:
- CEBFF5CD Executable File Executed
- F4E57C4B Shortcut File Executed
It can be seen that the content of the keys do not appear to make any sense. This is because the characters are ROT13 encoded. This encoding is a simple caesar substitution cipher. Let’s use Cyber Chef to decode the first highlighted entry ‘abgrcnq.rkr’:
It can be seen that that each character will be rotated 13 times (to the left). The file ‘abgrcnq.rkr’ is then decoded to ‘notepad.exe’.
How cool is Cyber Chef?
Additional information…
Remember any data that is encoded can still be processed by a computer providing the encoding scheme is known. Encrypted data however, cannot be processed without a key.
The following are examples of publicly available encoding schemes in use today:
• HTML Encoding
• URL Encoding
• Unicode Encoding
• Base64 Encoding
• Hex Encoding
Introduction to Digital Forensics: Malware Analysis and Investigations
Introduction to Digital Forensics: Malware Analysis and Investigations
Reach your personal and professional goals
Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.
Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.
