Data and Context
I receive questions from time to time regarding various bits of information, some of which is presented in my book. I recently received some questions regarding differences in run counts for applications derived from Prefetch files and UserAssist key entries, the latter being displayed via RegRipper.
What needs to be kept in mind when looking at data as it is being presented by any extraction technique or utility is the context with respect to how the data is created or modified.
For example, application Prefetch files are created by default for XP and Vista systems and are not user specific. However, UserAssist key/subkey entries are found in the NTUSER.DAT files and are user-specific.
Also, UserAssist key entries are most often created through a user's interaction with the shell; entries can be created or modified by double-clicking a shortcut on the Desktop or in Windows Explorer, by clicking through the Start menu, Programs, etc. However, application Prefetch files can also be created or modified by double-clicking a shortcut to a file on the Desktop.
I know that this is only one example, but the key here is to understand that even when two sources appear to carry the same information about applications being launched, the analyst needs to understand the nature of the event or events that create or modify each artifact on a Windows system. Otherwise, you're going to face apparent contradictions where, in truth, there aren't any.
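To show the reconciliation described above in code, here is an added example (not from the book or from RegRipper) that parses constructed XP-format UserAssist Count values for two users, sums the per-user run counts, and compares them against a system-wide Prefetch run count, explaining the gap rather than reporting a contradiction. It assumes the XP value layout (4-byte session id, 4-byte run count stored with an offset of 5, 8-byte FILETIME); the sample values and user names are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# XP UserAssist value layout assumed here: 4-byte session id,
# 4-byte run count (stored with an offset of 5), 8-byte FILETIME of last run.
_XP_FMT = "<IIQ"
_COUNT_OFFSET = 5
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_userassist_value(name, data):
    """Decode one UserAssist Count value: ROT13 name plus binary run data."""
    session, stored_count, filetime = struct.unpack(_XP_FMT, data)
    last_run = _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    path = codecs.decode(name, "rot13")
    return path, max(stored_count - _COUNT_OFFSET, 0), last_run

def reconcile(prefetch_counts, userassist_by_user):
    """Compare the system-wide Prefetch run count of each executable with the
    sum of per-user UserAssist counts and annotate why the numbers differ."""
    report = {}
    per_user = {}
    for user, values in userassist_by_user.items():
        for name, data in values:
            path, count, _ = parse_userassist_value(name, data)
            exe = path.rsplit("\\", 1)[-1].upper()  # UserAssist keeps the full path
            per_user.setdefault(exe, {})[user] = count
    for exe, pf_count in prefetch_counts.items():
        ua = per_user.get(exe, {})
        ua_total = sum(ua.values())
        if ua_total == pf_count:
            note = "consistent"
        elif ua_total < pf_count:
            note = f"{pf_count - ua_total} launch(es) not recorded via the shell"
        else:
            note = "UserAssist exceeds Prefetch: check whether the .pf file was re-created"
        report[exe] = {"prefetch": pf_count, "userassist_total": ua_total, "per_user": ua, "note": note}
    return report

def _ua(path, runs):
    """Build a constructed XP-format UserAssist entry (name ROT13-encoded) for the sample."""
    ft = 128000000000000000  # constructed FILETIME, falls in 2006
    return codecs.encode(path, "rot13"), struct.pack(_XP_FMT, 1, runs + _COUNT_OFFSET, ft)

SAMPLE_PREFETCH = {"CALC.EXE": 7, "NOTEPAD.EXE": 2}  # constructed .pf run counts
SAMPLE_USERASSIST = {  # constructed per-user NTUSER.DAT UserAssist entries
    "alice": [_ua("UEME_RUNPATH:C:\\WINDOWS\\system32\\calc.exe", 3), _ua("UEME_RUNPATH:C:\\WINDOWS\\notepad.exe", 2)],
    "bob": [_ua("UEME_RUNPATH:C:\\WINDOWS\\system32\\calc.exe", 2)],
}
```

Running `reconcile(SAMPLE_PREFETCH, SAMPLE_USERASSIST)` reports CALC.EXE with seven Prefetch runs but only five shell launches across both users, which is exactly the kind of gap the text attributes to launches that never went through the shell.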