Using shellbag information to reconstruct user activities

Zhu, Yuandong; Gladyshev, Pavel; James, Joshua I.

doi:10.1016/j.diin.2009.06.009

Cited by 12 publications

(9 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For specific situations and contexts, automated event reconstruction can however be performed. For example, Zhu et al [8] present the idea of reconstructing user activities based on ShellBag information stored in the Windows Registry. Commonly, this information is used by the operating system to store user preferences, such as window sizes and positions.…”

Section: B Related Workmentioning

confidence: 99%

Forensic Application-Fingerprinting Based on File System Metadata

Kalber

Dewald

Freiling

2013

2013 Seventh International Conference on IT Security Incident Management and IT Forensics

View full text Add to dashboard Cite

While much work has been invested in tools for aquisition and extraction of digital evidence, there are only few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the set of files accessed by those actions overlap.

show abstract

Section: B Related Workmentioning

confidence: 99%

Forensic Application-Fingerprinting Based on File System Metadata

Kalber

Dewald

Freiling

2013

2013 Seventh International Conference on IT Security Incident Management and IT Forensics

View full text Add to dashboard Cite

show abstract

“…To accurately infer information from given facts an investigator must understand the underlying relation between the observed facts and the inferred conclusion. For example Zhu [11] states, "To infer events from the Registry it requires an investigator to understand the relationship between Registry information and occurred activities". This means that when a user does an action that affects data stored in the Windows Registry, the investigator can only begin to infer what the user action was once the investigator understands not only how but also why that particular piece of data has been modified in the registry.…”

Section: Automatic Detection Of User Eventsmentioning

confidence: 99%

Signature Based Detection of User Events for Post-mortem Forensic Analysis

James

Gladyshev

Zhu

2011

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Self Cite

View full text Add to dashboard Cite

Abstract. This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence, are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.

show abstract

“…As described in [8], the registry value associated with this folder includes the timestamp when the ShellBag information was first updated in the registry. Therefore, three events can be inferred: In this example, more than one event is inferred from a single registry record.…”

Section: Inferred Eventsmentioning

confidence: 99%

“…Zhu, et al [8] have proposed several rules that use ShellBag information to determine if a folder was accessed. Specifically, the information under the BagMRU registry key (located at HKCU\Software\Microsoft\ Windows\ShellNoRoam\BagMRU) and the Bags key (located at HKCU\ Software\Microsoft\Windows\ShellNoRoam\Bags) can be used to determine if the folder was accessed during a particular period.…”

Section: Checking Inferred Eventsmentioning

confidence: 99%

A Consistency Study of the Windows Registry

Zhu

James

Gladyshev

2010

Advances in Digital Forensics VI

Self Cite

View full text Add to dashboard Cite

This paper proposes a novel method for checking the consistency of forensic registry artifacts by gathering event information from the artifacts and analyzing the event sequences based on the associated timestamps. The method helps detect the use of counter-forensic techniques without focusing on one particular counter-forensic tool at a time. Several consistency checking models are presented to verify events derived from registry artifacts. Examples of these models are used to demonstrate how evidence of alteration may be detected.

show abstract

Using shellbag information to reconstruct user activities

Cited by 12 publications

References 2 publications

Forensic Application-Fingerprinting Based on File System Metadata

Forensic Application-Fingerprinting Based on File System Metadata

Signature Based Detection of User Events for Post-mortem Forensic Analysis

A Consistency Study of the Windows Registry

Contact Info

Product

Resources

About