Authors: Bhupendra Singh and Upasna Singh

Affiliation: Defence Institute of Advanced Technology (DU), India

ISBN: 978-989-758-259-2

Keyword(s): UserAssist, Windows Registry Forensics, User Activity Analysis, Program Execution Analysis, Malware Analysis.

Related Ontology Subjects/Areas/Topics: Data and Application Security and Privacy ; Digital Forensics ; Information and Systems Security ; Privacy

Abstract: The construction of a user activity timeline related to the digital incident being investigated is part of most forensic investigations. Sometimes, it is desirable to know the programs executed on a system, and more importantly, when and from where these programs were launched. Program execution analysis is a very meaningful effort for both forensic and malware analysts. The UserAssist key, a part of the Microsoft Windows registry, records information related to programs run by a user on a Windows system. This paper seeks a thorough investigation of the UserAssist key as a resource for program execution analysis. In this paper, the binary structure of the UserAssist key in modern Windows (Windows 7/8/10) is presented and compared with that in older versions of Windows (e.g., Windows XP). Several experiments were carried out to record the behavior of the UserAssist key when programs were executed from various sources, such as a USB device, the Windows Store and a shared network. These artifacts were found to persist even after the applications have been uninstalled/deleted from the system. In the area of program execution analysis, the paper highlights the forensic capability of the UserAssist key and compares it with that of similar sources, such as IconCache.db, SRUDB.dat, Prefetch, Amcache.hve and Shortcut (.lnk) files, in order to summarize what information can and cannot be determined from these sources.

CC BY-NC-ND 4.0

Paper citation in several formats:
Singh, B. and Singh, U. (2017). Program Execution Analysis using UserAssist Key in Modern Windows. In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications - Volume 6: SECRYPT, (ICETE 2017), ISBN 978-989-758-259-2, pages 420-429. DOI: 10.5220/0006416704200429

@conference{secrypt17,
author={Bhupendra Singh and Upasna Singh},
title={Program Execution Analysis using UserAssist Key in Modern Windows},
booktitle={Proceedings of the 14th International Joint Conference on e-Business and Telecommunications - Volume 6: SECRYPT, (ICETE 2017)},
year={2017},
pages={420-429},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006416704200429},
isbn={978-989-758-259-2},
}

TY - CONF

JO - Proceedings of the 14th International Joint Conference on e-Business and Telecommunications - Volume 6: SECRYPT, (ICETE 2017)
TI - Program Execution Analysis using UserAssist Key in Modern Windows
SN - 978-989-758-259-2
AU - Singh, B.
AU - Singh, U.
PY - 2017
SP - 420
EP - 429
DO - 10.5220/0006416704200429
