The registry and Proof of usage


keydet89
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 08, 05 23:24

youcefb9,

Have you been able to determine what conditions cause an entry to be made beneath either UserAssist key?  
 
  

mark777
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 09, 05 08:34

If you look in the registry files for the specific user you should see Kazaa details in there (under Software, if I remember right) in clear language. This will tell you a massive amount of data, including the settings for downloads and uploads etc., the default shared folder and any others shared by the user, and, if you are lucky to have the right version of Kazaa, the last twenty search terms used by the user. It will also give you the username used, e-mail address given, etc. Won't tell you what you want, i.e. yes it was used, but if he has changed his download and upload settings from the default and there are search terms, it is a good pointer that it was.

Hope this helps a little bit.
_________________
Mark 
 
  

andy1500mac
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 09, 05 19:03

Hi all,

The keys mentioned in the post piqued my interest as I hadn't
visited them before and wasn't aware of what they contained.

For those in the same boat here is an interesting link.
www.utdallas.edu/~jere...r_spy.html

Does anyone know if each entry is timestamped, in effect letting an examiner know when the file, URL, link, etc. was accessed, and is there a utility that can decode the keys and export them into a file to make viewing easier?

While examining the keys I essentially decoded them one at a time, which obviously isn't practical.

Andrew-  
 
  

andy1500mac
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 09, 05 19:24

Bottom of the site has a tool that seems to do what I mentioned above... I'll try @ home.

Andrew-  
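Added example, not part of any post in this thread and not code from WRA or the linked site: a batch decoder for exported UserAssist values that writes CSV. It assumes the commonly documented XP-era format (ROT13-encoded value names, 16-byte data holding a session ID, a run counter and a FILETIME); the sample values and all function names are constructed for illustration.

```python
import codecs, csv, io, struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ["name", "session", "counter", "last_run_utc"]

def filetime_to_iso(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means never set."""
    if ft == 0:
        return ""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()

def decode_entry(name, data):
    """Decode one UserAssist value: ROT13 name plus (assumed) 16-byte data."""
    row = {"name": codecs.decode(name, "rot_13"),
           "session": "", "counter": "", "last_run_utc": ""}
    if len(data) == 16:  # assumption: XP-era layout <session, counter, FILETIME>
        session, counter, ft = struct.unpack("<IIQ", data)
        row.update(session=session, counter=counter,
                   last_run_utc=filetime_to_iso(ft))
    return row

def to_csv(values):
    """Decode (name, data) pairs and return them as CSV text for review."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for name, data in values:
        writer.writerow(decode_entry(name, data))
    return out.getvalue()

# Constructed sample values (not taken from a real hive).
_ticks = ((datetime(2005, 11, 8, 23, 24, tzinfo=timezone.utc) - EPOCH_1601)
          // timedelta(microseconds=1) * 10)
SAMPLE = [
    (r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Xnmnn\xnmnn.rkr",
     struct.pack("<IIQ", 3, 7, _ticks)),
    ("HRZR_PGYFRFFVBA", b"\x00" * 8),  # odd length: name decoded, data skipped
]

if __name__ == "__main__":
    print(to_csv(SAMPLE), end="")
```

Values whose data is not 16 bytes are still listed with their decoded name, so an examiner can see them and check the raw bytes by hand.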
 
  

ASH368
Member
 

Re: The registry and Proof of usage

Post Posted: Nov 10, 05 04:03

When I was getting WRA developed, one of the key areas that required attention was the ability to decrypt the User Assist Keys. Although WRA was sold to Paraben in May, I still have the free version available.

The links to WRA and WRA Guidance in 'Downloads' are not active. If anyone wants a copy of WRA or WRA Guidance, send an email to:

ash368 @ btinternet.com  
 
  

youcefb9
Member
 

Re: The registry and Proof of usage

Post Posted: Nov 10, 05 21:57

Hi Ash368,
Indeed, WRA was the tool I've used to decrypt the UserAssist key. The least I can say about it is "superb".

The version I got is one of the oldest freeware versions. Would you please send me the latest freeware you have? Send it to: youcefb9 @ hotmail.com  
 
  

mark777
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 11, 05 06:22

Ash368

Would appreciate a copy if you could. Tried emailing you but Outlook says it does not recognise the e-mail address you give.

My e-mail is mark777 @ mail2mark.com

Many Thanks
_________________
Mark 
 
