Program Execution Analysis using UserAssist Key in Modern Windows

Bhupendra Singh, Upasna Singh

Abstract

Constructing a timeline of user activity around the digital incident under investigation is part of most forensic investigations. It is often desirable to know which programs were executed on a system and, more importantly, when and from where they were launched. Program execution analysis is therefore a meaningful effort for both forensic and malware analysts. The UserAssist key, part of the Microsoft Windows registry, records information about the programs run by a user on a Windows system. This paper presents a thorough investigation of the UserAssist key as a resource for program execution analysis. The binary structure of the UserAssist key in modern Windows (Windows 7/8/10) is presented and compared with that in older versions of Windows (e.g., Windows XP). Several experiments were carried out to record the behaviour of the UserAssist key when programs were executed from various sources, such as a USB device, the Windows Store and a network share. These artifacts were found to persist even after the applications had been uninstalled or deleted from the system. In the area of program execution analysis, the paper highlights the forensic capability of the UserAssist key and compares it with similar sources, such as IconCache.db, SRUDB.dat, Prefetch, Amcache.hve and Shortcut (.lnk) files, in order to summarize what information can and cannot be determined from each.
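The abstract describes the UserAssist key as a per-user record of program executions whose binary value format changed between Windows XP and Windows 7+. The following parser is an added example written for this page; it is not code from the paper or its authors. It decodes the ROT13-obfuscated value names and unpacks both value layouts. The field offsets it uses (XP: 16 bytes with a 4-byte session ID, 4-byte run counter initialised to 5 and an 8-byte FILETIME; Windows 7+: 72 bytes with session ID, run count, focus count and focus time in the first 16 bytes and the last-run FILETIME at offset 60) follow the layout documented by public UserAssist tools, not the paper's own tables, and the sample value name and byte blobs are constructed here for illustration. The optional `read_live_userassist()` helper walks the live HKCU hive and only works on Windows.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Per-user UserAssist root in the HKCU hive; each GUID subkey holds a "Count" key
# whose value names are ROT13-encoded program paths.
USERASSIST_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"

# FILETIME values are 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME to an aware UTC datetime (None if never set)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(value_name):
    """UserAssist value names are ROT13-encoded program or shortcut paths."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(value_name, data):
    """Parse one UserAssist value into a dict; supports the XP and Windows 7+ layouts."""
    name = decode_name(value_name)
    if len(data) == 16:
        # Windows XP layout (assumed, per public documentation): session ID, run counter
        # (Windows XP initialised this counter to 5, so subtract 5), last-run FILETIME.
        session, raw_count, ft = struct.unpack("<IIQ", data)
        return {
            "name": name, "format": "xp", "session": session,
            "run_count": raw_count - 5, "focus_count": None, "focus_time_ms": None,
            "last_run": filetime_to_datetime(ft),
        }
    if len(data) == 72:
        # Windows 7+ layout (assumed, per public documentation): session ID, run count,
        # focus count, focus time in ms at offsets 0..15; last-run FILETIME at offset 60.
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {
            "name": name, "format": "win7+", "session": session,
            "run_count": run_count, "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_run": filetime_to_datetime(ft),
        }
    raise ValueError("unrecognised UserAssist value length %d" % len(data))


def read_live_userassist():
    """Enumerate every GUID\\Count subkey of the current user's UserAssist key (Windows only)."""
    import winreg  # imported lazily so the parser itself is usable on any platform
    results = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USERASSIST_PATH) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                count = winreg.OpenKey(root, guid + r"\Count")
            except OSError:
                continue
            with count:
                j = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(count, j)
                    except OSError:
                        break
                    j += 1
                    if isinstance(data, bytes):
                        try:
                            results.append(parse_userassist_value(name, data))
                        except ValueError:
                            pass  # unknown layout; skip rather than misreport
    return results


# Constructed sample data (not taken from any real system): calc.exe run 3 times,
# focused twice for 5 s in total, last run on 2017-03-15 12:00:00 UTC.
SAMPLE_NAME = r"P:\Jvaqbjf\Flfgrz32\pnyp.rkr"          # ROT13 of C:\Windows\System32\calc.exe
SAMPLE_LAST_RUN = datetime(2017, 3, 15, 12, 0, tzinfo=timezone.utc)
_SAMPLE_FT = datetime_to_filetime(SAMPLE_LAST_RUN)
SAMPLE_WIN7_DATA = (struct.pack("<IIII", 0, 3, 2, 5000) + b"\x00" * 44
                    + struct.pack("<Q", _SAMPLE_FT) + b"\x00" * 4)
SAMPLE_XP_DATA = struct.pack("<IIQ", 0, 8, _SAMPLE_FT)   # raw counter 8 -> 3 runs

if __name__ == "__main__":
    for blob in (SAMPLE_WIN7_DATA, SAMPLE_XP_DATA):
        print(parse_userassist_value(SAMPLE_NAME, blob))
```

On a live system, `read_live_userassist()` returns the same dicts for every recorded program, which can be sorted by `last_run` to build the execution timeline the abstract refers to; a zero FILETIME is reported as `last_run = None`, which is how entries that were counted but never timestamped should be read rather than as an execution at 1601-01-01.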


Paper Citation


in Harvard Style

Singh B. and Singh U. (2017). Program Execution Analysis using UserAssist Key in Modern Windows. In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications - Volume 6: SECRYPT, (ICETE 2017) ISBN 978-989-758-259-2, pages 420-429. DOI: 10.5220/0006416704200429


in Bibtex Style

@conference{secrypt17,
author={Bhupendra Singh and Upasna Singh},
title={Program Execution Analysis using UserAssist Key in Modern Windows},
booktitle={Proceedings of the 14th International Joint Conference on e-Business and Telecommunications - Volume 6: SECRYPT, (ICETE 2017)},
year={2017},
pages={420-429},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006416704200429},
isbn={978-989-758-259-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 14th International Joint Conference on e-Business and Telecommunications - Volume 6: SECRYPT, (ICETE 2017)
TI - Program Execution Analysis using UserAssist Key in Modern Windows
SN - 978-989-758-259-2
AU - Singh B.
AU - Singh U.
PY - 2017
SP - 420
EP - 429
DO - 10.5220/0006416704200429