SeeShells: An Optimized Solution for Utilizing Shellbags in a Digital Forensic Investigation

SeeShells: An Optimized Solution for Utilizing Shellbags in a Digital Forensic Investigation

연구 분야: Analysis

학회: 2022 IEEE International Conference on Cyber Security and Resilience (CSR)

The Windows registry is a treasure trove for digital forensics investigators. Shellbags, an important element in registry, can assist investigators with detailed timeline evidence. Several existing applications provide access to Shellbags, but they lack a complete and effective interface for searching and reporting event timelines. In this paper, we develop an optimized and configurable application called "SeeShells" to query Shellbags to build history of criteria-based events and efficiently display them in a rich user interface to facilitate forensic investigation. Our application provides analysis capabilities to flag suspicious events in an easy-to-view frequency map with corresponding event labels. Our frequency map, also known as a heat map, will show density plots in a range of colors to identify the intensity of activities satisfying a query. In addition, our application can export parsed timeline event information into various commonly used file formats to compliment an investigator’s digital forensic report.