Update Thresholds of More Accurate Time Stamp for Event Reconstruction
Related papers
Automated inference of past action instances in digital investigations
International Journal of Information Security, 2014
As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.
Formalising event time bounding in digital investigations
2005
A timestamp is a clock reading attached to a unit of data. Timestamps are widely used in computing and seem to offer an easy way to determine the time of events in digital investigations. Unfortunately, the ability of users to change clock settings reduces the evidential weight of timestamps. Alternative methods of estimating times of events are often needed to corroborate timestamps. One such method is to "sandwich" the unknown time of an event between known times of causally connected events. For example, if event A caused event B and event B caused event C, then the time of B must be between the times of A and C. This type of reasoning is sometimes called "event time bounding." This paper defines event time bounding as a mathematical problem and presents an algorithm for solving it.
Adding real time into state machine analysis of digital evidence
This report describes an extension of the finite state machine theory of digital event reconstruction. The proposed extension adds the known times of witness observations as formal objects in the theory and uses them to compute temporal bounds of events, whose time is not known.
An empirical study of automatic event reconstruction systems
2006
Reconstructing the sequence of computer events that led to a particular event is an essential part of the digital investigation process. The ability to quantify the accuracy of automatic event reconstruction systems is an essential step in standardizing the digital investigation process, thereby making it resilient to tactics such as the Trojan horse defense. In this paper, we present findings from an empirical study to measure and compare the accuracy and effectiveness of a suite of such event reconstruction techniques. We quantify (as applicable) the rates of false positives and false negatives, and scalability in terms of both computational burden and memory usage. Some of our findings are quite surprising in the sense of not matching a priori expectations, and whereas other findings qualitatively match the a priori expectations, they were never before quantitatively put to the test to determine the boundaries of their applicability. For example, our results show that automatic event reconstruction systems proposed in the literature have very high false-positive rates (up to 96%).
Correct and Efficient Timestamping of Temporal Data
1997
A framework for post-event timeline reconstruction using neural networks
Digital Investigation, 2007
Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.
Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance
Event reconstruction is one of the most important steps in digital forensic investigations. It allows investigators to have a clear view of the events that have occurred over time. Event reconstruction is a complex task which requires exploration of a large number of events due to the pervasiveness of new technologies nowadays. Any evidence produced at the end of the investigative process must also meet the requirements of the courts, such as reproducibility, verifiability, validation, etc. After defining the most important concepts of event reconstruction, a survey of the challenges of this field and the solutions proposed so far is given in this chapter.
An Index-Based Method for Timestamped Event Sequence Matching
Lecture Notes in Computer Science, 2005
This paper addresses the problem of timestamped event sequence matching, a new type of sequence matching that retrieves the occurrences of interesting patterns from a timestamped event sequence. Timestamped event sequence matching is useful for discovering temporal causal relationships among timestamped events. In this paper, we first point out the shortcomings of prior approaches to this problem and then propose a novel method that employs an R*-tree to overcome them. To build an R*-tree, it places a time window at every position of a timestamped event sequence and represents each window as an n-dimensional rectangle by considering the first and last occurrence times of each event type. Here, n is the total number of disparate event types that may occur in a target application. When n is large, we apply a grouping technique to reduce the dimensionality of an R*-tree. To retrieve the occurrences of a query pattern from a timestamped event sequence, the proposed method first identifies a small number of candidates by searching an R*-tree and then picks out true answers from them. We prove its robustness formally, and also show its effectiveness via extensive experiments.
Automatic Timeline Construction and Analysis for Computer Forensics Purposes
2014 IEEE Joint Intelligence and Security Informatics Conference, 2014
To determine the circumstances of an incident, investigators need to reconstruct events that occurred in the past. The large amount of data spread across the crime scene makes this task very tedious and complex. In particular, the analysis of the reconstructed timeline, due to the huge quantity of events that occurred on a digital system, is almost impossible and leads to cognitive overload. Therefore, it becomes more and more necessary to develop automatic tools to help or even replace investigators in some parts of the investigation. This paper introduces a multi-layered architecture designed to assist the investigative team in the extraction of information left at the crime scene, the construction of the timeline representing the incident, and the interpretation of the latter.