NTUSER.DAT

Windows, User Activity, Disk Image

Location

C:\Users\<username>\NTUSER.DAT

Description

Per-user registry hive containing user-specific settings including recently opened files (RecentDocs), typed URLs, Run/RunOnce persistence keys, UserAssist encoded program execution records, and shell bags.

Forensic Value

UserAssist entries (ROT13-encoded) record every GUI program a user launched with execution count and last-run timestamp, providing evidence of interactive attacker tool usage. Run/RunOnce keys reveal per-user persistence mechanisms. RecentDocs and typed paths reconstruct the files and directories the user accessed.
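
Added example, not part of the original entry: decoding a ROT13 UserAssist value name and reading the execution count and last-run timestamp from its data. It assumes the 72-byte value layout commonly documented for Windows 7 and later (run count at offset 4, last-run FILETIME at offset 60); the function names and the sample name and data are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 72  # assumed Windows 7+ UserAssist value data length (not from the page)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name):
    """ROT13 rotates only A-Z/a-z; digits, braces and backslashes pass through."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_utc(filetime):
    """Convert 100 ns ticks since 1601-01-01 to an aware datetime; 0 means no timestamp."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_entry(value_name, value_data):
    """Return a dict for one UserAssist value, or None if the data is not 72 bytes."""
    if len(value_data) != ENTRY_SIZE:
        return None  # other record layouts are skipped rather than misparsed
    # Assumed layout: run count, focus count, focus time (ms) start at offset 4.
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_run,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run_utc": filetime_to_utc(last_run),
    }


# Constructed sample: name and data are built here, not taken from a real hive.
SAMPLE_NAME = codecs.encode(r"C:\Tools\example.exe", "rot_13")
SAMPLE_DATA = bytearray(ENTRY_SIZE)
struct.pack_into("<III", SAMPLE_DATA, 4, 3, 5, 42000)
struct.pack_into("<Q", SAMPLE_DATA, 60, 133_485_408_000_000_000)  # 2024-01-01 UTC

if __name__ == "__main__":
    print(SAMPLE_NAME, "->", parse_entry(SAMPLE_NAME, bytes(SAMPLE_DATA)))
```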

Tools Required

KAPE, RegRipper, Registry Explorer (Eric Zimmerman), ShellBags Explorer