Digital Forensics Event Graph Reconstruction

  • Daniel J. Schelkoph
  • Gilbert L. Peterson
  • James S. Okolica
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)

Abstract

Ontological data representation and data normalization can provide a structured way to correlate digital artifacts and reduce the amount of data a forensics investigator needs to process in order to understand the sequence of events that occurred on a system. However, ontology processing suffers from large disk consumption and high computational cost. This paper presents Property Graph Event Reconstruction (PGER), a data normalization and event correlation system that uses a native graph database to store event data. This storage method leverages zero-index (index-free) traversals between connected nodes. PGER reduces the processing time of event correlation grammars by up to a factor of 9.9 over a system that uses a relational-database-based approach.

Keywords

Graph database, Digital forensics, Property graph, Ontology, Event reconstruction

Notes

Acknowledgments

The views expressed in this document are those of the author and do not reflect the official policy or position of the United States Air Force, the United States Department of Defense or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Daniel J. Schelkoph, Gilbert L. Peterson, James S. Okolica: Air Force Institute of Technology (AFIT), Wright-Patterson AFB, USA