Top

International Journal of Information Security

Published in:

01-06-2015 | Regular contribution

Automated inference of past action instances in digital investigations

Authors: Joshua I. James, Pavel Gladyshev

Published in: International Journal of Information Security | Issue 3/2015

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

As the amount of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a postmortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory if signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.

previous article Analysis of two authorization protocols using Colored Petri Nets

next article A new algorithm for low-deterministic security

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

For more information on Regular Expressions, see http://www.bsd.org/regexintro.html.

The open source tool implementing the proposed theory can be found at http://github.com/hvva/IoAF.

Palmer, G.: DFRWS technical report: a road map for digital forensic research . In: Digital forensic research workshop, p 42. Utica, New York. Retrieved from http://www.dfrws.org/2001/dfrws-rm-final.pdf (2001)

Casey, E.: Digital forensics: coming of age. Digit. Investig. 6(1–2), 1–2 (2009)CrossRef

Garfinkel, S.L.: Digital forensics research: the next 10 years. Digit. Investig. 7(Supplement 1), S64–S73 (2010)CrossRef

Gogolin, G.: The digital crime tsunami. Digit. Investig. 7(1–2), 3–8 (2010)CrossRef

Casey, E., Ferraro, M., Nguyen, L.: Investigation delayed is justice denied: proposals for expediting forensic examinations of digital evidence*. J. Forensic Sci. 54(6), 1353–1364 (2009)CrossRef

Raasch, J.: Child porn prosecutions delayed by backlog of cases . In: Eastern iowa news. Retrieved from http://www.easterniowanewsnow.com/2010/07/12/child-porn-prosecutions-delayed-by-backlog-of-cases/ (2010)

BBC: Police ’need more e-crime skills’ . Retrieved from http://news.bbc.co.uk/2/hi/technology/3725305.stm (2004)

InfoSecurity: digital forensics in a smarter and quicker way? Retrieved from http://www.infosecurity-magazine.com/view/2473/digital-forensics-in-a-smarter-and-quicker-way (2009)

Kohtz, D.: Dealing with the digital evidence backlog In: Digital forensics magazine. Retrieved from http://digitalforensicsmagazine.com/index.php?option=com_content&view=article&id=576&Itemid=72 (2011)

10.

Gladyshev, P., Patel, A.: Finite state machine approach to digital event reconstruction. Digit. Investig. 1(2), 130–149 (2004)CrossRef

11.

Carrier, B.D., Spafford, E.H.: A hypothesis-based approach to digital forensic investigations. CERIAS, PhD (2006)

12.

Arasteh, A.R., Debbabi, M., Sakha, A., Saleh, M.: Analyzing multiple logs for forensic evidence. Digit. Investig. 4, 82–91 (2007)CrossRef

13.

James, J., Gladyshev, P., Abdullah, M.T., Zhu, Y.: Analysis of evidence using formal event reconstruction. Digit. Forensics Cyber Crime 31, 85–98 (2010)CrossRef

14.

Marrington, A., Mohay, G., Morarji, H., Clark, A.: A Model for Computer Profiling. pp. 635–640. IEEE (2010)

15.

Khan, M.N.A., Wakeman, I.: Machine Learning for Post-Event Timeline Reconstruction, pp. 112–121 (2006)

16.

Khan, M.N.A., Chatwin, C.R., Young, R.C.D.: A framework for post-event timeline reconstruction using neural networks. Digit. Investig. 4(3–4), 146–157 (2007)CrossRef

17.

James, J.: Survey of evidence and forensic tool usage in digital investigations (2010). In: Digital forensic investigation research laboratory in corporation with INTERPOL working party on IT crime. Dublin. Retrieved from http://digitalfire.ucd.ie/?p=858 (2010)

18.

Menzies, P.: Counterfactual theories of causation . Stanford University. Retrieved from http://stanford.library.usyd.edu.au/entries/causation-counterfactual/ (2008)

19.

James, J.I., Gladyshev, P., Zhu, Y.: Signature based detection of user events for post-mortem forensic analysis. In: Baggili I. (ed.) Digital Forensics and Cyber Crime, vol 53, pp. 96–109 (2011). doi:10.1007/978-3-642-19513-6_8

20.

Carney, M., Rogers, M.: The Trojan made me do it: a first step in statistical based computer forensics event reconstruction. Int. J. Digit. Evid. 2(4), 1–11 (2004)

21.

Kwan, M., Chow, K.P., Law, F., Lai, P.: Reasoning about evidence using Bayesian networks. In: Ray I., Shenoi S. (eds.) Advances in Digital Forensics IV, vol 285, pp. 275–289 (2008). doi:10.1007/978-0-387-84927-0 _ 22

22.

James, J.I.: Internet Explorer and Firefox User Activity Dataset . In: Digital forensic investigation research laboratory (DigitalFIRE). Retrieved from http://digitalfire.ucd.ie/?page_id=855 (2013)

Title: Automated inference of past action instances in digital investigations
Authors: Joshua I. James
Pavel Gladyshev
Publication date: 01-06-2015
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 3/2015
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-014-0249-6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2015

A new algorithm for low-deterministic security

Analysis of two authorization protocols using Colored Petri Nets

GPU-assisted malware

Detection and analysis of eavesdropping in anonymous communication networks

Premium Partner