Extraction and Categorisation of User Activity from Windows Restore Points
<p class="JDFSLParagraph">The extraction of the user activity is one of the main goals in the analysis of digital evidence. In this paper we present a methodology for extracting this activity by comparing multiple Restore Points found in the Windows XP operating system. The registry...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Association of Digital Forensics, Security and Law
2008-12-01
|
| Series: | Journal of Digital Forensics, Security and Law |
| Online Access: | http://ojs.jdfsl.org/index.php/jdfsl/article/view/170 |
| _version_ | 1818513069838434304 |
|---|---|
| author | Damir Kahvedzic Tahar Kechadi |
| author_facet | Damir Kahvedzic Tahar Kechadi |
| author_sort | Damir Kahvedzic |
| collection | DOAJ |
| description | <p class="JDFSLParagraph">The extraction of the user activity is one of the main goals in the analysis of digital evidence. In this paper we present a methodology for extracting this activity by comparing multiple Restore Points found in the Windows XP operating system. The registry copies represent a snapshot of the state of the system at a certain point in time. Differences between them can reveal user activity from one instant to another. The algorithms for comparing the hives and interpreting the results are of high complexity. We develop an approach that takes into account the nature of the investigation and the characteristics of the hives to reduce the complexity of the comparison and result interpretation processes. The approach concentrates on hives that present higher activity and highlights only those differences that are relevant to the investigation. The approach is implemented as a software tool that is able to compare any set of offline hives and categorise the results according to the user needs. The categorisation of the results, in terms of activity will help the investigator in interpreting the results. In this paper we present a general concept of result categorisation to prove its efficiency on Windows XP, but these can be adapted to any Windows versions including the latest versions. Â </p> |
| first_indexed | 2024-12-10T23:55:54Z |
| format | Article |
| id | doaj.art-29e08fba647b44c7bbeed79c016c31d2 |
| institution | Directory Open Access Journal |
| issn | 1558-7215 1558-7223 |
| language | English |
| last_indexed | 2024-12-10T23:55:54Z |
| publishDate | 2008-12-01 |
| publisher | Association of Digital Forensics, Security and Law |
| record_format | Article |
| series | Journal of Digital Forensics, Security and Law |
| spelling | doaj.art-29e08fba647b44c7bbeed79c016c31d22022-12-22T01:28:35ZengAssociation of Digital Forensics, Security and LawJournal of Digital Forensics, Security and Law1558-72151558-72232008-12-0134234293Extraction and Categorisation of User Activity from Windows Restore PointsDamir Kahvedzic0Tahar Kechadi1University College Dublin, IrelandUniversity College Dublin, Ireland<p class="JDFSLParagraph">The extraction of the user activity is one of the main goals in the analysis of digital evidence. In this paper we present a methodology for extracting this activity by comparing multiple Restore Points found in the Windows XP operating system. The registry copies represent a snapshot of the state of the system at a certain point in time. Differences between them can reveal user activity from one instant to another. The algorithms for comparing the hives and interpreting the results are of high complexity. We develop an approach that takes into account the nature of the investigation and the characteristics of the hives to reduce the complexity of the comparison and result interpretation processes. The approach concentrates on hives that present higher activity and highlights only those differences that are relevant to the investigation. The approach is implemented as a software tool that is able to compare any set of offline hives and categorise the results according to the user needs. The categorisation of the results, in terms of activity will help the investigator in interpreting the results. In this paper we present a general concept of result categorisation to prove its efficiency on Windows XP, but these can be adapted to any Windows versions including the latest versions. Â </p>http://ojs.jdfsl.org/index.php/jdfsl/article/view/170 |
| spellingShingle | Damir Kahvedzic Tahar Kechadi Extraction and Categorisation of User Activity from Windows Restore Points Journal of Digital Forensics, Security and Law |
| title | Extraction and Categorisation of User Activity from Windows Restore Points |
| title_full | Extraction and Categorisation of User Activity from Windows Restore Points |
| title_fullStr | Extraction and Categorisation of User Activity from Windows Restore Points |
| title_full_unstemmed | Extraction and Categorisation of User Activity from Windows Restore Points |
| title_short | Extraction and Categorisation of User Activity from Windows Restore Points |
| title_sort | extraction and categorisation of user activity from windows restore points |
| url | http://ojs.jdfsl.org/index.php/jdfsl/article/view/170 |
| work_keys_str_mv | AT damirkahvedzic extractionandcategorisationofuseractivityfromwindowsrestorepoints AT taharkechadi extractionandcategorisationofuseractivityfromwindowsrestorepoints |