Abstract
The provenance of a file is a record of its origin and of the events that have acted on it. Tools exist that maintain file provenance, but they must be installed on the computer of interest before the provenance-generating events occur and must remain in place while those events happen. The automated tool described in this chapter instead reconstructs the provenance of a file after the fact from a variety of artifacts. It identifies relevant temporal and user correlations between the artifacts and presents them to an investigator. Results from six use cases demonstrate that these correlations are reliable and valuable in digital forensic investigations.
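The abstract says the tool links artifacts by temporal and user correlation. The following is an added illustration of that idea, not the chapter's tool: a small correlator that takes already-extracted artifact records (constructed here, not real evidence) and links them to a target file by two rules, a shared file name and proximity in time to the file's own file-system timestamps under the same user account. The artifact types, field names, the 5-minute default window and both rules are assumptions chosen for the example; the chapter does not specify them.

```python
"""Correlating file-provenance artifacts by name, time and user.

Added illustration, not the chapter's tool. Artifact records, field
names, the 5-minute default window and the two correlation rules are
assumptions chosen for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Artifact:
    source: str      # artifact type the record was extracted from
    event: str       # what the record says happened
    when: datetime   # timestamp, normalised to UTC
    user: str        # account the artifact is attributed to
    path: str        # file path or URL the record refers to


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def basename(path: str) -> str:
    """Last component of a Windows path or URL, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()


# Constructed sample records (not real evidence). Times are UTC.
SAMPLE_ARTIFACTS = [
    Artifact("browser_history", "download", _utc("2017-03-01 10:02:10"), "alice",
             "https://example.invalid/files/report.xlsx"),
    Artifact("filesystem", "created", _utc("2017-03-01 10:02:12"), "alice",
             r"C:\Users\alice\Downloads\report.xlsx"),
    Artifact("browser_history", "download", _utc("2017-03-01 10:03:00"), "bob",
             "https://example.invalid/files/other.pdf"),
    Artifact("registry_recentdocs", "opened", _utc("2017-03-01 10:05:00"), "alice",
             r"C:\Users\alice\Downloads\report.xlsx"),
    Artifact("filesystem", "modified", _utc("2017-03-01 10:40:00"), "alice",
             r"C:\Users\alice\Documents\report_final.xlsx"),
    Artifact("filesystem", "created", _utc("2017-03-01 10:42:00"), "alice",
             r"E:\report.xlsx"),
]


@dataclass
class Correlation:
    artifact: Artifact
    reasons: list


def anchors_for(artifacts, target_path):
    """File-system records for the exact target path: the timestamps that
    every other artifact is measured against."""
    return [a for a in artifacts
            if a.source == "filesystem" and a.path.lower() == target_path.lower()]


def correlate(artifacts, target_path, window_minutes=5):
    """Return artifacts related to target_path, each with the rule(s) that linked it.

    Rule 1 (name): the record names the same file, wherever it lives.
    Rule 2 (time + user): the record falls within the window of a file-system
    timestamp of the target AND is attributed to the same account. A record
    by a different user inside the window is deliberately not correlated.
    """
    window = timedelta(minutes=window_minutes)
    target_name = basename(target_path)
    anchors = anchors_for(artifacts, target_path)
    found = {}
    for art in artifacts:
        if art in anchors:
            continue
        reasons = []
        if basename(art.path) == target_name:
            reasons.append("same file name as target")
        for anc in anchors:
            delta = abs(art.when - anc.when)
            if delta <= window and art.user == anc.user:
                reasons.append(f"{delta} from filesystem '{anc.event}' of target, same user {anc.user}")
        if reasons:
            found[art] = reasons
    return [Correlation(a, found[a]) for a in sorted(found, key=lambda a: a.when)]


def timeline(artifacts, target_path, window_minutes=5):
    """Anchors plus correlated records in time order, as investigator-readable lines."""
    rows = anchors_for(artifacts, target_path) + [
        c.artifact for c in correlate(artifacts, target_path, window_minutes)]
    return [f"{a.when:%Y-%m-%dT%H:%M:%SZ} {a.source:<20} {a.event:<9} {a.user:<6} {a.path}"
            for a in sorted(rows, key=lambda a: a.when)]


if __name__ == "__main__":
    TARGET = r"C:\Users\alice\Downloads\report.xlsx"
    for line in timeline(SAMPLE_ARTIFACTS, TARGET):
        print(line)
    for c in correlate(SAMPLE_ARTIFACTS, TARGET):
        print(c.artifact.source, c.artifact.event, "<-", "; ".join(c.reasons))
```

With the constructed records the browser download and the RecentDocs entry are linked by both rules, the copy on `E:` only by name, and bob's download is rejected despite landing inside the window because the user does not match. Widening the window to 60 minutes also pulls in the `report_final.xlsx` modification as a same-user temporal neighbour, which is the kind of candidate an investigator then confirms or discards by hand; the window is a tuning knob, not a proof of causation.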
© 2017 IFIP International Federation for Information Processing
Cite this paper
Good, R., Peterson, G. (2017). Automated Collection and Correlation of File Provenance Information. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIII. DigitalForensics 2017. IFIP Advances in Information and Communication Technology, vol 511. Springer, Cham. https://doi.org/10.1007/978-3-319-67208-3_15
DOI: https://doi.org/10.1007/978-3-319-67208-3_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67207-6
Online ISBN: 978-3-319-67208-3