An ontology-based approach for the reconstruction and analysis of digital incidents timelines

Due to the democratisation of new technologies, computer forensics investigators have to deal with volumes of data that are becoming increasingly large and heterogeneous. Indeed, on a single machine, hundreds of events occur every minute, produced and logged by the operating system and various applications. The identification of evidence, and more generally the reconstruction of past events, is therefore a tedious and time-consuming task for investigators. Our work aims to reconstruct and analyse automatically the events related to a digital incident, while respecting legal requirements. To tackle these three main problems (volume, heterogeneity and legal requirements), we identify seven criteria that an efficient reconstruction tool must meet. This paper introduces an approach based on a three-layered ontology, called ORD2I, to represent any digital event. ORD2I is associated with a set of operators to analyse the resulting timeline and to ensure the reproducibility of the investigation.
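The abstract names two of the difficulties a reconstruction tool has to handle: sources that log the same activity in different formats, and the need for an analysis that another investigator can reproduce. The following is an added illustration of those two points, not the paper's ORD2I ontology or its operators: the common event schema, the two log formats (a syslog-style line and a CSV-style record), the interval operator and every sample line are constructed for this example.

```python
"""Merge heterogeneous log sources into one ordered, reproducible timeline.

Added illustration of the problem described in the abstract (heterogeneous
sources, reproducibility of the analysis). It is not the ORD2I ontology or
the paper's operators: the event schema, both log formats and every sample
line below are constructed for this example.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample input: a syslog-style source and a CSV-style source
# describing the same host over the same few seconds.
SYSLOG_LINES = [
    "2023-03-01T10:00:05Z host1 sshd[812]: Accepted publickey for alice from 10.0.0.5",
    "2023-03-01T10:00:09Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
]
CSV_LINES = [  # epoch,host,program,user,action,object
    "1677664803,host1,browser,alice,visited,https://intranet.example/report",
    "1677664807,host1,filesystem,alice,created,/home/alice/report.pdf",
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def _event(ts, host, agent, action, obj, source, raw):
    """Common event schema (assumed here, not the paper's): every source is
    mapped onto the same fields, and provenance keeps the source name plus a
    digest of the raw line so a finding can be traced back to its origin."""
    return {
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
        "host": host,
        "agent": agent,
        "action": action,
        "object": obj,
        "provenance": {
            "source": source,
            "raw_sha256": hashlib.sha256(raw.encode()).hexdigest()[:16],
        },
    }


def parse_syslog(line, source="syslog"):
    """Syslog-style line: ISO timestamp, host, program[pid]: message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable {source} line: {line!r}")
    ts_text, host, program, message = m.groups()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return _event(ts, host, program, "logged", message, source, line)


def parse_csv(line, source="csv"):
    """CSV-style record: epoch seconds, host, program, user, action, object."""
    epoch, host, program, user, action, obj = line.split(",", 5)
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return _event(ts, host, f"{program}/{user}", action, obj, source, line)


def build_timeline(syslog_lines=SYSLOG_LINES, csv_lines=CSV_LINES):
    """Normalise all sources and order them. The sort key is total
    (timestamp, source, raw digest), so the same evidence always yields the
    same timeline whatever order the sources were ingested in."""
    events = [parse_syslog(l) for l in syslog_lines] + [parse_csv(l) for l in csv_lines]
    return sorted(events, key=lambda e: (e["timestamp"],
                                         e["provenance"]["source"],
                                         e["provenance"]["raw_sha256"]))


def within(timeline, start_iso, end_iso):
    """Interval operator: events with start <= timestamp < end."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [e for e in timeline
            if start <= datetime.fromisoformat(e["timestamp"]) < end]


def timeline_digest(timeline):
    """Digest of the canonical JSON form. Equal digests mean two runs
    reconstructed the same timeline, which is the reproducibility check."""
    canonical = json.dumps(timeline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e["timestamp"], e["host"], e["agent"], e["action"], e["object"])
    print("digest:", timeline_digest(tl))
```

Two design points carry over to any such tool: each normalised event keeps a provenance record pointing back at the raw source line, so the chain from finding to evidence stays intact, and the timeline is ordered by a total key and digested in canonical form, so a second investigator re-running the reconstruction on the same sources can verify they obtained the identical result.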
