Authors:
Bhupendra Singh
and
Upasna Singh
Affiliation:
Defence Institute of Advanced Technology (DU), India
Keyword(s):
UserAssist, Windows Registry Forensics, User Activity Analysis, Program Execution Analysis, Malware Analysis.
Related
Ontology
Subjects/Areas/Topics:
Data and Application Security and Privacy
;
Digital Forensics
;
Information and Systems Security
;
Privacy
Abstract:
The construction of user activity timeline related to digital incident being investigated is part of most of the
forensic investigations. Sometimes, it is desirable to know the programs executed on a system, and more
importantly, when and from where these programs were launched. Program execution analysis is very meaningful
effort both for forensic and malware analysts. The UserAssist key, a part of Microsoft Windows registry,
records the information related to programs run by a user on a Windows system. This paper seeks thorough
investigation of UserAssist key, as a resource for program execution analysis. In this paper, the binary structure
of UserAssist key in modern Windows (Windows 7/8/10) is presented and compared with that in older
versions of Windows (e.g., Windows XP). Several experiments were carried out to record the behavior of
UserAssist key when programs were executed from various sources, such as USB device, Windows store and
shared network. These artifacts we
re found to persist even after the applications have been uninstalled/deleted
from the system. In the area of program execution analysis, the paper highlights the forensic capability of
UserAssist key and compares it with that from similar sources, such as IconCache.db, SRUDB.dat, Prefetch,
Amcache.hve and Shortcut (.lnk) files, in order to summarize what information can and cannot be determined
from these sources.
(More)