Wednesday, March 19, 2014

EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal server client for each user.

The EnScript checks the Software\Microsoft\Terminal Server Client\Default for each NTUSER.DAT and displays/bookmarks any values.



*The link below has been updated to an EnScript that can be run in either v6 & v7.

Download EnCase v6 & v7 here

3 comments:

jason pickens Wednesday, 19 March, 2014  

is the enscript compatible with v7?

Lance Mueller Wednesday, 19 March, 2014  
This comment has been removed by the author.
Lance Mueller Wednesday, 19 March, 2014  

I have updated the EnScript and it can now be run in either v6 or v7. The link above is now pointing to the new version.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles