An automated timeline reconstruction approach for digital forensic investigations

Hargreaves, Christopher; Patterson, Jonathan

doi:10.1016/j.diin.2012.05.006

Cited by 98 publications

(60 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For example, Carrier [11] provides guidelines about the types of hypotheses that should be formulated and the analysis to be performed to verify those hypotheses during a digital investigation. Others [1,8,27,47] have focused on providing a unified representation of heterogeneous log events to automate event reconstruction. Similar to us, all these approaches distinguish between primitive events having a direct mapping to raw log events and complex level events, which can be determined by the occurrence of primitive ones.…”

Section: Related Workmentioning

confidence: 99%

On evidence preservation requirements for forensic-ready systems

Alrajeh

Pasquale

Nuseibeh

2017

Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

View full text Add to dashboard Cite

Forensic readiness denotes the capability of a system to support digital forensic investigations of potential, known incidents by preserving in advance data that could serve as evidence explaining how an incident occurred. Given the increasing rate at which (potentially criminal) incidents occur, designing software systems that are forensic-ready can facilitate and reduce the costs of digital forensic investigations. However, to date, little or no attention has been given to how forensic-ready software systems can be designed systematically. In this paper we propose to explicitly represent evidence preservation requirements prescribing preservation of the minimal amount of data that would be relevant to a future digital investigation. We formalise evidence preservation requirements and propose an approach for synthesising specifications for systems to meet these requirements. We present our prototype implementationbased on a satisfiability solver and a logic-based learner-which we use to evaluate our approach, applying it to two digital forensic corpora. Our evaluation suggests that our approach preserves relevant data that could support hypotheses of potential incidents. Moreover, it enables significant reduction in the volume of data that would need to be examined during an investigation.

show abstract

Section: Related Workmentioning

confidence: 99%

On evidence preservation requirements for forensic-ready systems

Alrajeh

Pasquale

Nuseibeh

2017

Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

View full text Add to dashboard Cite

show abstract

“…In (Hargreaves & Patterson, 2012), a system able to automatically reconstruct high-level events using large amount of low-level events extracted by log2timeline or Zeitline is proposed. The authors highlight that the amount of data and the number of events make the visualisation and the analysis of a timeline difficult, especially with the super-timeline approach.…”

Section: Automated Timeline Reconstruction Approachmentioning

confidence: 99%

“…• Processes to reduce the amount of data that investigators have to read by filtering data or summarize the timeline as proposed in (Abbott, Bell, Clark, De Vel, & Mohay, 2006) and (Hargreaves & Patterson, 2012).…”

Section: Future Research Directionsmentioning

confidence: 99%

Event Reconstruction

Chabot

Bertaux

Kechadi

et al. 2015

Advances in Digital Crime, Forensics, and Cyber Terrorism

View full text Add to dashboard Cite

Publication informationCruz-Cunha, M.M. and Portela, I.M. (eds. ABSTRACTEvent reconstruction is one of the most important step in digital forensic investigations. It allows investigators to have a clear view of the events that have occurred over time. Event reconstruction is a complex task which requires exploration of a large amount of events due to the pervasiveness of new technologies nowadays. Any evidence produced at the end of the investigative process must also meet the requirements of the courts, such as reproducibility, verifiability, validation, etc. After defining the most important concepts of event reconstruction, a survey of the challenges of this field and solutions proposed so far is given in this chapter.

show abstract

“…In [6], the authors carry out the event reconstruction by searching sequences of events satisfying the constraints imposed by the evidence in a finite state machine representing the behaviour of the system subject of the investigation. In [5], a system based on patterns is used to produce high-level events from a timeline containing low-level events. However, none of the approaches discussed offers a complete solution to assist investigators in the interpretation and analysis of chronologies.…”

Section: Event Reconstruction Approachesmentioning

confidence: 99%

“…The use of an ontology provides several advantages that will be described in Section III. Regarding the analysis of timeline, existing approaches offer features to correlate events [4] or assist the investigators during the interpretation of the timeline by producing high-level events from low-level events extracted from raw data [5]. The FORE approach introduces a system to identify correlations between events by connecting them with links of cause and effect.…”

Section: Event Reconstruction Approachesmentioning

confidence: 99%