Automating the generation of user activity timelines on Microsoft Vista and Windows 7 operating systems

Stephen O'Shaughnessy, Anthony Keane

    Research output: Contribution to journal › Article › peer-review

    Abstract

    For many computer forensics investigations, the discovery of the complete activity history of users is an essential part of the process; however, due to the complexity and variety of current modern personal computer operating systems, the availability of useful tools is limited. This limitation is based on the tool's ability to retrieve the relevant data and present it to the investigator in a user-friendly format. The current software tools that claim to extract user activity information put the onus on the investigator to construct the timeline from the data, which can introduce errors and is time-consuming. This paper discusses the development and evaluation of a new tool, the User Activity Tracker (UAT), which automates the visual presentation of the timeline process by retrieving and consolidating user activity data into a single source and producing, as accurately as possible, the timeline of user activity on that computer. The UAT tool was tested against a modern commercial forensic tool and the results of this preliminary testing showed that the UAT tool was faster and required less manual intervention to produce a greater level of detail of the user's activity than the commercial tool.

    Original language: English
    Pages (from-to): 35-47
    Number of pages: 13
    Journal: International Journal of Ambient Computing and Intelligence
    Volume: 4
    Issue number: 2
    Publication status: Published - Apr 2012

    Keywords

    • Computer forensics
    • Data retrieval
    • Forensic timelines
    • User Activity Tracker (UAT)
    • User activity
