Friday, January 10, 2014

Easy Documentation


Does your documentation look like this?
Step 1: (‎1/‎10/‎2014 12:49:40 PM) User left click on "Start (list item)" in "Start"


It is important to document problems precisely and record error messages exactly as they appear so that technical support can help troubleshoot system errors. Recording the precise steps a user took to reproduce the exact error is even more useful when the client is not technical at all. This is especially important if we need to troubleshoot technical problems remotely.


The word I’ve mentioned above was “reproduce”. It is very important in forensics to reproduce the exact steps an investigator performs on a live system in order to create repeatable and verifiable steps for volatile or sparse data acquisition. We can provide handwritten documentation or record steps on the system itself. We can use third-party tools for this purpose, but Windows includes a very useful utility that not many people talk about even though it’s been available since Windows 7.
It is nice to know that this utility is already available, so we do not have to take it with us or install it on the suspect drive. It is less than 600KB in size and does a great job of recording precise steps using official Microsoft terminology, with timestamps included. It creates screenshots and automatically highlights the focus area. It produces a flat report in MHTML format that can also be viewed as a slide show. When the report is saved, it is automatically stored as a compressed ZIP archive to save space.
One of the drawbacks I can see is that it does not record the actual characters typed in the Command Line Interface (CLI). I guess it was not meant to be a keylogger, just a Graphical User Interface (GUI) action recorder. For any typed keywords or commands, the user can add a comment to the specific step if they find it necessary to make it clear. This can be a useful feature as well, since no password will be recorded by mistake and shared with unintended parties.
You can start the Steps Recorder from the Run dialogue or directly from C:\Windows\System32. The executable is called psr.exe. Give it a try and see if you can utilize its capabilities in your environment. I would be curious if anyone is using this tool already or if you can see its benefits in some cases.
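
Besides the Run dialogue, psr.exe can be driven from its command-line switches, which lets the recording be started, stopped and hashed in one repeatable sequence. The script below is an added example, not part of the original post; the case folder and file names are constructed placeholders, and it assumes PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example: scripted Steps Recorder session with a hash of the saved report.
# $CaseDir is a constructed placeholder; point it at the examiner's own media.
$CaseDir = 'E:\case-0000\psr'
$Stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$Report  = Join-Path $CaseDir "steps_$Stamp.zip"
$Psr     = Join-Path $env:SystemRoot 'System32\psr.exe'

New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# /start requires /output (the ZIP to write).
# /sc 1 captures screenshots, /maxsc keeps up to 100 of the most recent ones,
# /gui 0 hides the recorder window so it does not appear in the screenshots.
& $Psr /start /output $Report /sc 1 /maxsc 100 /gui 0

Read-Host 'Recording. Perform the acquisition steps, then press Enter to stop' | Out-Null

# /stop signals the running recorder to finish and write the report.
& $Psr /stop

# The ZIP is written after /stop returns, so wait for it to appear.
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path $Report) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 500
}
if (-not (Test-Path $Report)) { throw "Steps Recorder did not produce $Report" }
Start-Sleep -Seconds 2   # give psr.exe time to finish writing the archive

# Record a SHA-256 of the report so later copies can be verified against it.
$hash = Get-FileHash -Path $Report -Algorithm SHA256
'{0}  {1}  {2}' -f $Stamp, $hash.Hash, $Report |
    Add-Content -Path (Join-Path $CaseDir 'hashes.txt')
```

Typed commands are still not captured, so anything entered at a prompt during the session has to be noted separately.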