Abstract
Built into Microsoft Windows is the ability for the operating system to track user window viewing preferences specific to Windows Explorer. This information, which is called “ShellBag” information, is stored in several locations within the Windows Registry in the Windows Operating System. This paper introduces a novel method to examine ShellBag information within Registry snapshots to reconstruct user activities. It compares different states of ShellBag information within consecutive Registry snapshots in order to detect ShellBag-related user actions. Nine detection rules are proposed on the basis of analyzing the causality between user actions and updated ShellBag information. This approach can be used to prove that certain interactions between the user and system must have, or must not have happened during a certain time period.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
