Automated Inference of Past Action Instances in Digital Investigations
This work addresses the need for timely digital forensic analysis in organizations dealing with growing amounts of digital evidence, though it appears incremental as it builds on existing signature-based methods.
The paper tackles the problem of increasing case backlogs in digital investigations by proposing a signature-based method to automatically reconstruct past user activities in compromised systems, enabling differentiation and time approximation of recent and limited past action instances through a novel action-trace update time threshold.
As the amount of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory if signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.