Abstract
User activity reconstruction is a technique used in digital forensic investigation. Using this technique, digital forensic investigators extract a list of user activities from the digital artifacts confiscated at a crime scene. From that list, explicit knowledge about the crime, such as motive, method, time, and place, can be deduced. Until now, activity reconstruction has been conducted by manual analysis. This means that the domain of the reconstructed activities is limited to the personal knowledge of the investigators, so the result exhibits low accuracy due to human error, and the process requires an excessive amount of time. To solve these problems, this paper proposes SigDiff, a digital forensic framework for automated user activity reconstruction. The framework uses a signature-based approach and comprises an activity signature generation module, a signature database, a digital artifact collection module, and an activity reconstruction module. Using SigDiff, user activity reconstruction can be performed accurately, with a high retrieval rate, and in a reduced time span.
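To make the signature-based pipeline concrete, the following added example (not code from the paper or from SigDiff) sketches a minimal signature database and a reconstruction module that matches each signature against collected artifacts within a time window. The artifact records, the two signatures, and the pattern syntax are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Artifact:
    ts: datetime    # creation/modification time recovered from the artifact
    source: str     # collector that produced it: "registry", "eventlog", "filesystem"
    value: str      # registry key path, file path or log line
# Signature database (constructed): activity -> (patterns that must all be present, window for
# co-occurrence). The first pattern is the trigger; the rest must follow within the window.
SIGNATURES = {
    "usb_storage_connected": (
        [("registry", r"\\USBSTOR\\Disk&Ven_"),
         ("eventlog", r"setupapi.*install.*completed")], timedelta(minutes=2)),
    "document_opened_from_usb": (
        [("filesystem", r"\\Recent\\.*\.lnk$"),
         ("filesystem", r"\\Prefetch\\WINWORD\.EXE-")], timedelta(minutes=5)),
}
def _match(artifact, pattern):
    source, regex = pattern
    return artifact.source == source and re.search(regex, artifact.value) is not None
def reconstruct(artifacts, signatures=SIGNATURES):
    """Return time-ordered (activity, timestamp) pairs for every fully matched signature."""
    timeline = sorted(artifacts, key=lambda a: a.ts)
    hits = []
    for activity, (patterns, window) in signatures.items():
        used = set()    # an artifact backs at most one occurrence of an activity, so repeats are counted
        for anchor in timeline:
            if anchor in used or not _match(anchor, patterns[0]):
                continue
            candidates = [a for a in timeline if a not in used and anchor.ts <= a.ts <= anchor.ts + window]
            matched = [anchor]
            for pattern in patterns[1:]:
                found = next((a for a in candidates if a not in matched and _match(a, pattern)), None)
                if found is None:
                    break           # partial evidence only: the activity is not reported
                matched.append(found)
            if len(matched) == len(patterns):
                used.update(matched)
                hits.append((activity, anchor.ts))
    return sorted(hits, key=lambda h: h[1])
T0 = datetime(2013, 5, 1, 9, 0, 0)
SAMPLE = [  # constructed artifacts, not taken from any real case
    Artifact(T0, "registry", r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler"),
    Artifact(T0 + timedelta(seconds=40), "eventlog", "setupapi: Device install (Hardware initiated) completed"),
    Artifact(T0 + timedelta(minutes=3), "filesystem", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\plan.docx.lnk"),
    Artifact(T0 + timedelta(minutes=3, seconds=20), "filesystem", r"C:\Windows\Prefetch\WINWORD.EXE-1A2B3C4D.pf"),
    # a second USBSTOR key with no setupapi entry in its window: incomplete signature, not reported
    Artifact(T0 + timedelta(hours=2), "registry", r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer"),
]
```

Calling `reconstruct(SAMPLE)` yields the USB connection at 09:00 and the document access at 09:03; the lone USBSTOR key two hours later is left out because its signature is incomplete, which is the kind of decision an analyst otherwise makes by hand.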
© 2013 Springer-Verlag Berlin Heidelberg
Kang, J., Lee, S., Lee, H. (2013). A Digital Forensic Framework for Automated User Activity Reconstruction. In: Deng, R.H., Feng, T. (eds) Information Security Practice and Experience. ISPEC 2013. Lecture Notes in Computer Science, vol 7863. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38033-4_19
DOI: https://doi.org/10.1007/978-3-642-38033-4_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38032-7
Online ISBN: 978-3-642-38033-4