Computer Forensics, Malware Analysis & Digital Investigations: EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

Wednesday, March 19, 2014

EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal server client for each user.

The EnScript checks the Software\Microsoft\Terminal Server Client\Default for each NTUSER.DAT and displays/bookmarks any values.

*The link below has been updated to an EnScript that can be run in either v6 & v7.

Download EnCase v6 & v7 here

3 comments:

jason pickens Wednesday, 19 March, 2014: is the enscript compatible with v7?
Lance Mueller Wednesday, 19 March, 2014: This comment has been removed by the author.
Lance Mueller Wednesday, 19 March, 2014: I have updated the EnScript and it can now be run in either v6 or v7. The link above is now pointing to the new version.

EnScript v6 Tutorial IV

Wednesday, March 19, 2014

EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

3 comments:

Post a Comment

Search This Blog

Blog Archive

Label Cloud

Contact

Subscribe via email

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles