Parse MemProcFS UserAssist Files
This script parses UserAssist Registry values made available by the MemProcFS memory analysis tool.
These values can be brought into EnCase as single files or as part of a Logical Evidence File.
In doing so, it is recommended to process the UserAssist sub-tree only; otherwise MemProcFS may hang whilst trying to parse every possible memory artifact so it can be made available to EnCase.
The script will only parse those values that are 16 or 72 bytes in length. These values must be contained in a parent folder called Count and have a GUID-named grandparent folder that has the following sub-string in its path:
For more information about UserAssist and the values they contain, please consult the help-text that is packaged with the User Assist Registry Value Decoder script.
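The filter and decoding described above, sketched in Python as an added example; it is not the EnScript itself or any part of its source. Assumptions: the byte offsets follow the commonly documented UserAssist layouts (not given on this page), value names are ROT13-encoded, the path sub-string check is left out because the page does not give the sub-string, and `parse_userassist` and the `SAMPLE_*` names are hypothetical.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Assumption: the GUID folder name may or may not carry braces.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means no timestamp."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_userassist(path, data):
    """Return decoded fields for a qualifying value file, else None."""
    p = PureWindowsPath(path)  # accepts both / and \ separators
    if p.parent.name != "Count" or not GUID_RE.match(p.parent.parent.name):
        return None
    if len(data) == 72:    # Windows 7 and later
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (last_run,) = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:  # Windows XP era: session id, counter (starts at 5), FILETIME
        _session, raw, last_run = struct.unpack("<IIQ", data)
        run_count, focus_count, focus_ms = max(raw - 5, 0), None, None
    else:
        return None        # any other size is skipped
    return {"name": codecs.decode(p.name, "rot_13"), "run_count": run_count,
            "focus_count": focus_count, "focus_ms": focus_ms,
            "last_run": filetime_to_utc(last_run)}

# Constructed sample data (not taken from a real memory image).
SAMPLE_FT = 133485408000000000  # 2024-01-01 00:00:00 UTC
SAMPLE_DIR = "export/{00000000-0000-0000-0000-000000000000}/Count/"
SAMPLE_NAME = codecs.encode("Microsoft.Windows.Explorer", "rot_13")
SAMPLE_72 = struct.pack("<IIII", 0, 7, 3, 45000) + bytes(44) + struct.pack("<QI", SAMPLE_FT, 0)
SAMPLE_16 = struct.pack("<IIQ", 1, 9, SAMPLE_FT)

if __name__ == "__main__":
    for blob in (SAMPLE_72, SAMPLE_16, b"\x00" * 8):
        print(parse_userassist(SAMPLE_DIR + SAMPLE_NAME, blob))
```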
This script was developed for use in EnCase training.