Forensic Application-Fingerprinting Based on File System Metadata

Kalber, Sven; Dewald, Andreas; Freiling, Felix C.

doi:10.1109/imf.2013.20

Cited by 13 publications

(21 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Event reconstruction, which allows a digital investigator to understand the timeline of a crime, is one of the paramount steps of the digital investigation process [13]. This complex task requires exploration of a large number of events due to the innovation in technology frequently, a heterogeneous, huge quantity of data, and manually-performed event reconstruction process, which is inefficient and expensive [14]. Bang et al [15] discussed how the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system.…”

Section: Literature Reviewmentioning

confidence: 99%

An Abstraction Based Approach for Reconstruction of TimeLine in Digital Forensics

Bhandari

Jusas

2020

Symmetry

View full text Add to dashboard Cite

Acquiring a clear perspective of events and artefacts that occur over time is a challenging objective to accomplish in digital forensics. Reconstruction of the timeline of events and artefacts, which enables digital investigators to understand the timeline of digital crime and interpret the conclusion in the form of digital evidence, is one of the most paramount and challenging tasks in digital forensics. This challenging task requires the analysis of immense amounts of events because of the explosive growth of the internet, interconnected devices, and innovative technology nowadays. Various approaches have been developed during the last decade, but most of them are not able to handle huge volumes of data, explore evidence, and enhance the understandability of timelines in a competent way to assist the investigator. For this purpose, we introduce a methodology backed by an abstraction concept and forensic tools that can support investigators during the reconstruction, understanding of the timeline of events and artefacts, and interpretation of evidence by tracing the activities performed by users of the typical computer system. The Java programming language is used to implement the proposed methodology, which is object-oriented and follows the symmetry definition in software. Generally, symmetry in software can be viewed as an invariant change that aims to preserve a specific property of the system, namely its structure, behaviour, regularity, similarity, familiarity and uniformity. Similarly, the abstraction-based methodology also permits us to follow the properties of symmetry. For instance, a uniform structure is stipulated for all the sources at the particular level of abstraction, such as the number of fields to be considered to provide the abstract level of timeline. The primary purpose of this approach is to assist with the analysis of the timeline in an optimum way. This paper illustrates the approach and then focuses on conceptual aspects of the methodology. The performed experiment shows that the proposed approach enhanced the analysis of the timeline.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

An Abstraction Based Approach for Reconstruction of TimeLine in Digital Forensics

Bhandari

Jusas

2020

Symmetry

View full text Add to dashboard Cite

show abstract

“…Prior works focus on the detection of specific trace update patterns derive signatures either by using snapshot analysis (Kang et al, 2013;Kalber et al, 2013) comparing the updates to data sources between to different snapshots of the same system, or using real-time trace update detection (James et al, 2011). This work proposes an advancement to the real-time trace update detection.…”

Section: Signature Creationmentioning

confidence: 99%

“…A non-probabilistic model was later proposed by James, Gladyshev et al (James, Gladyshev, & Zhu, 2011) that used real-time system analysis to create signatures of user actions based on created observable traces. Similar methods implementing snapshot-based signature derivation have also been proposed for automatic event reconstruction purposes (Kang, Lee, & Lee, 2013;Kalber, Dewald, & Freiling, 2013). Event reconstruction, however, focuses more on the reconstruction of events in time, where this work is concerned only with the detection of traces that may indicate anti-forensic techniques were used on a suspect system.…”

Section: Introductionmentioning

confidence: 99%

Anti-Forensic Trace Detection in Digital Forensic Triage Investigations

Park¹,

Park²,

Kim³

et al. 2017

JDFSL

View full text Add to dashboard Cite

Anti-forensics, whether intentionally to disrupt investigations or simply an effort to make a computer system run better, is becoming of increasing concern to digital investigators. This work attempts to assess the problem of anti-forensics techniques commonly deployed in South Korea. Based on identified challenges, a method of signature-based anti-forensic trace detection is proposed for triage purposes that will assist investigators in quickly making decisions about the suspect digital devices before conducting a full investigation. Finally, a prototype anti-forensic trace detection system is given to demonstrate the practicality of the proposed method.

show abstract

“…Examining millions of pieces of raw data to extract high-level information is a time-consuming and exhausting work. Thus, some automatic methods are required to generate high-level information from raw and low-level data [2][3][4].…”

Section: Introductionmentioning

confidence: 99%