An empirical study of automatic event reconstruction systems

Event Reconstruction

Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance

Event reconstruction is one of the most important steps in digital forensic investigations. It gives investigators a clear view of the events that have occurred over time. It is a complex task that requires exploring a large number of events, a consequence of the pervasiveness of new technologies. Any evidence produced at the end of the investigative process must also meet the requirements of the courts, such as reproducibility, verifiability and validation. After defining the most important concepts of event reconstruction, this chapter surveys the challenges of the field and the solutions proposed so far.

Event-based computer profiling for the forensic reconstruction of computer activity

2007

In cases where an investigator has no prior knowledge of a computer system to be investigated, the significant investment of time and resources required to undertake a detailed computer forensic examination may deter investigators, given it is not known whether it will yield any relevant evidence. This problem is particularly acute in cases involving acceptable usage monitoring or intelligence operations, where an investigator has no particular expectations about the digital evidence which might be found on a collection ...

Event Reconstruction Study Using Windows Restore Point and Reverse Engineering Concepts

Zenodo (CERN European Organization for Nuclear Research), 2022

In the internet era almost all smart devices are related to each other according to their uniqueness and usage pattern. A wide range of applications has been created with multiple features, making them easy targets for exploitation [1]. Exploits are usually malware posing as genuine and productive applications. This malware enters the system and causes serious losses of information and hardware as well as other monetary losses. It is a well-known fact that information-stealing malware and spyware steal personal information, making it available on social media or seeding further attacks in the future [2]. Several studies in recent years in the area of malware analysis have emphasised the alarming increase of malware threats across a variety of platforms even in the presence of anti-malware checks. In this article we focus on event reconstruction using different malware analysis techniques and tools. Our focus is mainly on reconstructing a known attack with practical emphasis and thereby proposing mitigation solutions.

An event-based digital forensic investigation framework

2004

In this paper, we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model, each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events.

Automated inference of past action instances in digital investigations

International Journal of Information Security, 2014

As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also growing in many organizations. To ensure timely investigation of requests, this work proposes signature-based methods for automated action instance approximation, which automatically reconstruct past user activities within a compromised or suspect system. It specifically explores how multiple instances of a user action may be detected with signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, a subset of which may be altered when an action occurs. A novel action-trace update time threshold is proposed that allows objects to be categorized by their update patterns over time. By integrating time into event reconstruction, the most recent action instance as well as a limited number of past instances may be differentiated and their times approximated. After the formal theory of signature-based event reconstruction is defined, a case study evaluates the practicality of the proposed method.
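As an added illustration of the signature-based approach described above (example code written for this page, not the paper's own implementation), the script below approximates instances of one hypothetical action from the per-object modification times that survive in a disk image. The object paths, the timestamps, the "every"/"first" update-pattern tags and the threshold value are all constructed assumptions; the paper's formal object categories and threshold definition are not reproduced, only the idea that objects updated on every instance date the most recent one, while objects written once keep a trace of an earlier one.

```python
# Added example: signature-based approximation of action instances from mtimes.
# All paths, timestamps and update-pattern tags below are constructed for this page.

# Constructed evidence: latest modification time (epoch seconds) of each object
# recovered from a disk image. A post-mortem image keeps only the latest mtime.
OBSERVED_MTIMES = {
    "/home/u/.cache/app/index.db":      1_700_000_600,
    "/home/u/.config/app/recent.xml":   1_700_000_605,
    "/var/log/app.log":                 1_700_000_610,
    "/home/u/.config/app/settings.ini": 1_699_000_000,
    "/home/u/Documents/notes.txt":      1_650_000_000,  # not part of any signature
}

# Hypothetical signature for the action "launch app": the objects it alters, tagged
# by update pattern. "every": rewritten on each instance, so its mtime tracks the
# most recent instance. "first": written on the first instance only, so its mtime
# survives as a trace of an earlier instance.
LAUNCH_SIGNATURE = {
    "/home/u/.cache/app/index.db":      "every",
    "/home/u/.config/app/recent.xml":   "every",
    "/var/log/app.log":                 "every",
    "/home/u/.config/app/settings.ini": "first",
}


def approximate_instances(observed, signature, threshold):
    """Approximate instances of the action described by `signature`.

    `threshold` is the update-time threshold in seconds: the "every" objects of a
    single instance are expected to be updated within this many seconds of each
    other. Returns a dict with a status and the approximated instance times.
    """
    every = sorted(observed[obj] for obj, tag in signature.items()
                   if tag == "every" and obj in observed)
    missing = [obj for obj in signature if obj not in observed]
    if not every:
        return {"status": "no_trace", "missing": missing}

    # All "every" objects must agree within the threshold; if they do not, one of
    # them was probably touched by some other action and the match is unsafe.
    if every[-1] - every[0] > threshold:
        return {"status": "inconclusive", "spread": every[-1] - every[0],
                "missing": missing}
    latest_window = (every[0], every[-1])

    # A "first"-pattern object older than the latest window (by more than the
    # threshold) can only come from an earlier instance of the same action.
    earlier = sorted(observed[obj] for obj, tag in signature.items()
                     if tag == "first" and obj in observed
                     and observed[obj] < latest_window[0] - threshold)
    return {
        "status": "matched",
        "latest_window": latest_window,
        "earlier_instance_times": earlier,
        # Only a lower bound: instances between the first and the latest leave no trace.
        "instances_lower_bound": 1 + (1 if earlier else 0),
        "missing": missing,
    }


if __name__ == "__main__":
    print(approximate_instances(OBSERVED_MTIMES, LAUNCH_SIGNATURE, threshold=60))
```

The inconclusive branch is the part worth keeping in a real tool: when one "every" object disagrees with the rest by more than the threshold, the signature match should be reported as unsafe rather than silently dated by the majority, because a single shared object (a log file, say) is exactly what another action is most likely to have touched.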

Forensic live response and event reconstruction methods in Linux systems

2009

In this paper we describe forensic live analysis and event reconstruction methods for digital crime investigation. This information is forensically interesting because it helps to determine the origin of events by gathering data for analysis and applying event reconstruction methods for evidential purposes in a court of law. Our investigation focuses on Linux systems. We note the effectiveness of existing automated event reconstruction systems and present an experimental study of forensic live response and event reconstruction in digital crime investigation.

Automatic Timeline Construction and Analysis for Computer Forensics Purposes

2014 IEEE Joint Intelligence and Security Informatics Conference, 2014

To determine the circumstances of an incident, investigators need to reconstruct events that occurred in the past. The large amount of data spread across the crime scene makes this task tedious and complex. In particular, analysing the reconstructed timeline is almost impossible because of the huge number of events that occurred on the digital system, and it leads to cognitive overload. It therefore becomes increasingly necessary to develop automatic tools that help, or even replace, investigators in some parts of the investigation. This paper introduces a multi-layered architecture designed to assist the investigative team in extracting the information left at the crime scene, constructing the timeline that represents the incident, and interpreting it.

A framework for post-event timeline reconstruction using neural networks

Digital Investigation, 2007

Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

Towards Proactive Computer-System Forensics

2004

This paper examines principles and approaches for proactive computer-system forensics: the design, construction and configuration of systems to make them most amenable to future digital forensic analyses. The primary goals of proactive computer-system forensics are system structuring and augmentation for automated data discovery, lead formation and efficient data preservation. This paper proposes:

Finite state machine approach to digital event reconstruction

Digital Investigation, 2004

This paper presents a rigorous method for reconstructing events in digital systems. It is based on the idea that, once the system is described as a finite state machine, its state space can be explored to determine all possible scenarios of the incident. To formalize evidence, the evidential statement notation is introduced: it represents the facts conveyed by the evidence as a series of witness stories that restrict the possible computations of the finite state machine. To automate event reconstruction, a generic event reconstruction algorithm is proposed that computes the set of all possible explanations of a given evidential statement with respect to a given finite state machine.
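As an added example, not code from the paper, the script below renders the approach above on a toy system: a single file with an audit log, modelled as a finite state machine. A witness story is written, following the paper's notion, as a sequence of observations (property, minimum length, optional extra length) that must cover a computation segment by segment; the generic reconstruction algorithm enumerates bounded computations and keeps those consistent with every story in the evidential statement. The state model, the events, the step bound and the two evidence stories are constructed for this example.

```python
# Added example: a toy finite state machine and the generic event reconstruction
# algorithm over it. The file/log model, events and evidence are constructed here.
INF = float("inf")

# State = (file, log). file in {"none", "orig", "edited"}; log in {"clean", "edit_logged"}.
INITIAL = ("none", "clean")


def transitions(state):
    """Yield (event, next_state) for every event enabled in `state`."""
    file, log = state
    if file == "none":
        yield "create", ("orig", log)
    else:
        yield "edit", ("edited", "edit_logged")   # editing also writes an audit entry
        yield "delete", ("none", log)
    if log == "edit_logged":
        yield "wipe_log", (file, "clean")


def computations(initial, max_steps):
    """Enumerate every computation of at most `max_steps` events as (states, events)."""
    stack = [([initial], [])]
    while stack:
        states, events = stack.pop()
        yield states, events
        if len(events) < max_steps:
            for event, nxt in transitions(states[-1]):
                stack.append((states + [nxt], events + [event]))


def story_matches(story, states):
    """A story is a list of observations (predicate, min_len, opt_len).

    It matches a computation when the state sequence splits into consecutive
    segments, one per observation in order, where segment i has between min_len
    and min_len + opt_len states and every state in it satisfies predicate i.
    """
    def match(i, pos):
        if i == len(story):
            return pos == len(states)
        pred, lo, opt = story[i]
        length = 0
        while (pos + length < len(states) and length < lo + opt
               and pred(states[pos + length])):
            length += 1
            if length >= lo and match(i + 1, pos + length):
                return True
        return lo == 0 and match(i + 1, pos)   # empty segment when min_len == 0
    return match(0, 0)


def reconstruct(initial, evidential_statement, max_steps):
    """Generic reconstruction: all bounded computations consistent with every story."""
    return [events for states, events in computations(initial, max_steps)
            if all(story_matches(story, states) for story in evidential_statement)]


# Constructed evidence.
def anything(state):
    return True

def final_state_on_image(state):
    # What the disk image shows: file absent, audit log holds an edit entry.
    return state == ("none", "edit_logged")

def file_with_original_content(state):
    return state[0] == "orig"

# Story 1: an unknown prefix, then the image's final state as the last state.
IMAGE_STORY = [(anything, 0, INF), (final_state_on_image, 1, 0)]
# Story 2: a witness saw the file with its original content at some point.
WITNESS_STORY = [(anything, 0, INF), (file_with_original_content, 1, INF), (anything, 0, INF)]
# A contradicting story: the file was never in the edited state.
NEVER_EDITED_STORY = [(lambda s: s[0] != "edited", 1, INF)]

EVIDENCE = [IMAGE_STORY, WITNESS_STORY]

if __name__ == "__main__":
    for events in reconstruct(INITIAL, EVIDENCE, max_steps=4):
        print(" -> ".join(events))
    print("with the never-edited story:",
          reconstruct(INITIAL, EVIDENCE + [NEVER_EDITED_STORY], 4))
```

With a bound of four events the two stories admit exactly two explanations, create, edit, delete and create, edit, edit, delete; adding the contradicting story empties the set, which is how the method exposes evidence that cannot all be true of the modelled system. The bound on computation length is the example's own simplification: real state spaces need the paper's more careful exploration, and a state model that is wrong or incomplete silently removes explanations.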