Article code: 457979
Journal code: 696088
Publication year: 2009
English article: 9-page PDF
Full-text version: Free download
English title of the ISI article
Using shellbag information to reconstruct user activities
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Built into Microsoft Windows is the ability for the operating system to track user window viewing preferences specific to Windows Explorer. This information, which is called “ShellBag” information, is stored in several locations within the Windows Registry in the Windows Operating System. This paper introduces a novel method to examine ShellBag information within Registry snapshots to reconstruct user activities. It compares different states of ShellBag information within consecutive Registry snapshots in order to detect ShellBag-related user actions. Nine detection rules are proposed on the basis of analyzing the causality between user actions and updated ShellBag information. This approach can be used to prove that certain interactions between the user and system must have, or must not have happened during a certain time period.

Publisher
Database: Elsevier - ScienceDirect
Journal: Digital Investigation - Volume 6, Supplement, September 2009, Pages S69–S77