Title: Automated inference of past action instances in digital investigations

Abstract: As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also growing in many organizations. To ensure timely handling of investigation requests, this work proposes signature-based methods for automated action-instance approximation that reconstruct past user activities within a compromised or suspect system. It specifically explores how multiple instances of a user action may be detected with signature-based methods during a postmortem digital forensic analysis. A system is formally defined as a set of objects, a subset of which may be altered when an action occurs. A novel action-trace update time threshold is proposed that allows objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent instance of an action, as well as a limited number of past instances, can be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.
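The abstract's core idea, as an added toy illustration that is not the paper's code or its formal model: the system is a set of objects, an action's signature is the subset of objects the action updates, and an update-time threshold is used both to check that the signature's objects agree on one most-recent instance and to separate earlier instances preserved in objects that keep a history. The object names, the threshold value, the "overwrite" versus "append" categories, and the sample timestamps are all constructed assumptions for this example and are not taken from the paper.

```python
"""Toy signature-based action-instance inference (illustration only; not the paper's method)."""

THRESHOLD = 5.0  # seconds; an assumed action-trace update time threshold, chosen for the example

# Constructed sample data: object name -> observed update timestamps (epoch seconds).
# Objects with one timestamp behave as "overwrite" traces (only the latest update survives);
# objects with several timestamps behave as "append" traces (each update leaves a record).
SAMPLE_OBJECTS = {
    "prefetch/APP.EXE-1234.pf": [1000.0],
    "registry/UserAssist/APP": [1002.5],
    "registry/RecentDocs": [1001.0],
    "eventlog/AppStart": [500.0, 502.0, 1001.5],
    "eventlog/AppExit": [560.0, 1050.0],   # not part of the signature below
    "file/unrelated.txt": [300.0],
}

# Assumed signature for the hypothetical action "launch APP": the objects it is expected to update.
SIGNATURE = {
    "prefetch/APP.EXE-1234.pf",
    "registry/UserAssist/APP",
    "registry/RecentDocs",
    "eventlog/AppStart",
}


def categorize(objects, signature):
    """Split the signature's objects by update pattern: 'overwrite' (one retained time) vs 'append'."""
    overwrite, append = {}, {}
    for name in signature:
        times = sorted(objects.get(name, []))
        if not times:
            continue  # object absent from the image: no trace to reason about
        (append if len(times) > 1 else overwrite)[name] = times
    return overwrite, append


def cluster(times, threshold):
    """Single-linkage grouping: timestamps within `threshold` of their predecessor share an instance."""
    clusters = []
    for t in sorted(times):
        if clusters and t - clusters[-1][-1] <= threshold:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return clusters


def infer_instances(objects, signature, threshold=THRESHOLD):
    """Return (most_recent_interval, past_intervals) for an action, or (None, []) if no consistent instance.

    The most recent instance is approximated only if every signature object's latest update
    falls inside one threshold-wide window; otherwise some other action has since touched an
    object and the signature cannot be trusted for the latest instance.
    """
    overwrite, append = categorize(objects, signature)
    latest = [ts[-1] for ts in list(overwrite.values()) + list(append.values())]
    if not latest or max(latest) - min(latest) > threshold:
        return None, []
    most_recent = (min(latest), max(latest))
    # Earlier updates survive only in append-type objects; anything clearly before the
    # most recent window is grouped into past instance approximations.
    history = [t for ts in append.values() for t in ts if t < most_recent[0] - threshold]
    past = [(c[0], c[-1]) for c in cluster(history, threshold)]
    return most_recent, past


if __name__ == "__main__":
    recent, past = infer_instances(SAMPLE_OBJECTS, SIGNATURE)
    print("most recent instance window:", recent)
    print("past instance windows:", past)
```

The `None` result is the caveat a practitioner should keep in mind: when one signature object's latest timestamp lies outside the window, a different action has updated it since, and the most recent instance cannot be approximated from that signature alone. Widening the threshold or dropping the object from the signature changes the inference and needs to be justified against the case data rather than done to force a match.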
Year: 2014
DOI: 10.1007/s10207-014-0249-6
Venue: International Journal of Information Security
Keywords: Automatic event reconstruction, Digital forensic investigations, Automated inference, Signature analysis, Action-trace update pattern detection
Field: Data mining, Digital forensics, Theory, Computer security, Computer science, Inference, Theoretical computer science, Digital evidence, Suspect, Event reconstruction
DocType: Journal
Volume: 14
Issue: 3
ISSN: 1615-5270
Citations: 5
PageRank: 0.66
References: 12
Authors: 2
Name / Order / Citations / PageRank
Joshua I. James / 1 / 242.60 (citations and PageRank run together in the source)
Pavel Gladyshev / 2 / 19424.85 (citations and PageRank run together in the source)