Extraction of User Activity through Comparison of Windows Restore Points

Authors

Damir Kahvedžić, University College Dublin
Tahar Kechadi, University College Dublin

Document Type

Conference Proceeding

Publisher

School of Computer and Information Science, Edith Cowan University, Perth, Western Australia

Abstract

The extraction of past user activity is one of the main goals in the analysis of digital evidence. In this paper we present a methodology for extracting this activity by comparing multiple Restore Points found in the Windows XP operating system. We concentrate on comparing the copies of the registry hives found within these points. The registry copies represent a snapshot in time of the state of the system. Differences between them can reveal user activity from one instant to another. This approach is implemented and presented as a tool that is able to compare any set of offline hive files and present the results to the user. Investigative techniques are presented to use the software as efficiently as possible. The techniques range from general analysis, in which areas of high user activity are pinpointed, to specific techniques, where user activity relating to specific files and file types is found.

Comments

6th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, December 3rd 2008.

DOI

10.4225/75/57b2703b40cbc