Abstract
As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also growing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a postmortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.
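As an added illustration (not the paper's own code, nor the IoAF tool it references) of how an update-time threshold separates the most recent instance of an action from limited past instances, the block below assumes a hypothetical "launch browser" action whose trace objects, timestamps and threshold value are all constructed; objects that keep only their latest modification time are distinguished from objects that retain earlier update times.

```python
from statistics import median

# Constructed sample data for a hypothetical "launch browser" action signature.
# Each trace object lists the update timestamps (epoch seconds) recoverable from it.
# "last_only": the object keeps only its latest modification time.
# "history": the object retains timestamps of earlier updates (e.g. an append-only log).
TRACES = {
    "prefs.js":        {"kind": "last_only", "times": [1000.0]},
    "places.sqlite":   {"kind": "last_only", "times": [1001.5]},
    "sessionstore.js": {"kind": "last_only", "times": [1003.0]},
    "history.log":     {"kind": "history",   "times": [700.0, 850.0, 1002.0]},
}

# Action-trace update time threshold (assumed value): updates of trace objects that
# fall within this many seconds of each other are attributed to one action instance.
THRESHOLD = 5.0

def cluster_updates(traces, threshold):
    """Sort every recovered update and group updates closer than `threshold` apart."""
    events = sorted((t, name) for name, obj in traces.items() for t in obj["times"])
    clusters = []
    for t, name in events:
        if clusters and t - clusters[-1]["end"] <= threshold:
            clusters[-1]["end"] = t
            clusters[-1]["members"].append((t, name))
        else:
            clusters.append({"start": t, "end": t, "members": [(t, name)]})
    return clusters

def approximate_instances(traces, threshold):
    """Approximate action instances: the latest cluster is the most recent instance only
    if every last-only object was updated in it (complete signature); earlier clusters
    can only be supported by history-retaining objects, so they are limited past instances."""
    clusters = cluster_updates(traces, threshold)
    last_only = {n for n, o in traces.items() if o["kind"] == "last_only"}
    instances = []
    for i, c in enumerate(clusters):
        names = {n for _, n in c["members"]}
        is_latest = i == len(clusters) - 1
        if is_latest and last_only <= names:
            kind = "most_recent"
        elif is_latest:
            kind = "partial"  # signature incomplete: trace objects were updated independently
        else:
            kind = "past"
        instances.append({"time": median(t for t, _ in c["members"]),
                          "kind": kind, "objects": sorted(names)})
    return instances
```

With the constructed data, the two early entries of the history-retaining log yield two past instances, while the cluster at 1000 to 1003 seconds contains every last-only object and is reported as the most recent instance with its time approximated by the cluster median.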
Notes
For more information on Regular Expressions, see http://www.bsd.org/regexintro.html.
The open source tool implementing the proposed theory can be found at http://github.com/hvva/IoAF.
Cite this article
James, J.I., Gladyshev, P. Automated inference of past action instances in digital investigations. Int. J. Inf. Secur. 14, 249–261 (2015). https://doi.org/10.1007/s10207-014-0249-6