Abstract
This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence, are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Gladyshev, P., Patel, A.: Formalising Event Time Bounding in Digital Investigations. International Journal of Digital Evidence 4 (2005)
Haggerty, J., Taylor, M.: FORSIGS: Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints. In: IFIP International Federation for Information Processing, vol. 232, pp. 1–12 (2007)
James, J.: Survey of Evidence and Forensic Tool Usage in Digital Investigations (July 23, 2010), The UCD Centre for Cybercrime Investigation, http://cci.ucd.ie/content/survey-evidence-and-forensic-tool-usage-digital-investigations (July 26, 2010)
Kahvedzic, D., Kechadi, T.: Extraction of user activity through comparison of windows restore points. In: 6th Australian Digital Forensics Conference (2008)
Kim, D.H., In, D.H.: Cyber Criminal Activity Analysis Models using Markov Chain for Digital Forensics. In: ISA, pp. 193–198 (2008)
McAfee. Complete Security: The Case for Combined Behavioral and Signature-Based Protection. Whitepaper. Santa Carla: McAfee Inc. (2005)
Mukkamala, S., Sung, A.H.: Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques. International Journal of Digital Evidence 1.4 (2003)
Ogaw̆a, A., Yamazaki, Y., Ueno, K., Cheng, K., Iriki, A.: Neural Correlates of Species-typical Illogical Cognitive Bias in Human Inference. Journal of Cognitive Neuroscience, Massachusetts Institute of Technology (2009), doi:10.1162/jocn.2009.21330
Personage, H.: The Meaning of (L)inkfiles (I)n (F)orensic (E)xaminations (November 2009). Computer Forensics Miscellany, http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf (Febuary 2, 2010)
Roiter, N.: When signature based antivirus isn’t enough (May 3, 2007), http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1253602,00.html (Febuary 2, 2010)
Russinovich, M.: Inside the Registry (Feburary 3, 2010), http://technet.microsoft.com/enus/library/cc750583.aspx
Scarfone, K., Mell, P.: Guide to Intrusion Detection and Prevention Systems (IDPS) SP800-94. Special Publication. NIST: National Institute of Science and Technology. National Institute of Science and Technology, Gaithersburg (2007)
Sy, B.K.: Signature-Based Approach for Intrusion Detection. Machine Learning and Data Mining in Pattern Recognition, 526–536 (August 8, 2005)
Willassen, S.Y.: Timestamp evidence correlation by model based clock hypothesis testing. In: Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop, ICST, Brussels, Belgium, pp. 1–6 (2008)
Zhu, Y., James, J., Gladyshev, P.: A comparative methodology for the reconstruction of digital events using Windows Restore Points. Digital Investigation (2009a), doi:10.1016/j.diin.2009.02.004
Zhu, Y., James, J., Gladyshev, P.: Consistency Study of the Windows Registry. In: Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics (2010)
Zhu, Y., Gladyshev, P., James, J.: Using ShellBag Information to Reconstruct User Activities. Digital Investigation 6, 69–77 (2009c), doi:10.1016/j.diin.2009.06.009
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
James, J.I., Gladyshev, P., Zhu, Y. (2011). Signature Based Detection of User Events for Post-mortem Forensic Analysis. In: Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19513-6_8
Download citation
DOI: https://doi.org/10.1007/978-3-642-19513-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19512-9
Online ISBN: 978-3-642-19513-6
eBook Packages: Computer ScienceComputer Science (R0)