A framework for post-event timeline reconstruction using neural networks

Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

[1]  Paul Helman,et al.  Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse , 1993, IEEE Trans. Software Eng..

[2]  Brian D. Carrier,et al.  Defining event reconstruction of digital crime scenes. , 2004, Journal of forensic sciences.

[3]  Wu-chi Feng,et al.  Forensix: a robust, high-performance reconstruction system , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[4]  Daniel J. Ragsdale,et al.  A hybrid approach to the profile creation and intrusion detection , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[5]  David W. J. Stringer-Calvert,et al.  Digital Evidence , 2002, Commun. ACM.

[6]  Eugene H. Spafford,et al.  Automated Digital Evidence Target Definition Using Outlier Analysis and Existing Evidence , 2005, DFRWS.

[7]  Brian D. Carrier,et al.  Open Source Digital Forensics Tools The Legal Argument 1 , 2003 .

[8]  S. Hyakin,et al.  Neural Networks: A Comprehensive Foundation , 1994 .

[9]  Nello Cristianini,et al.  Classification using String Kernels , 2000 .

[10]  Brian D. Carrier Defining Digital Forensic Examination and Analysis Tool Using Abstraction Layers , 2003, Int. J. Digit. EVid..

[11]  Eoghan Casey Error, Uncertainty and Loss in Digital Evidence , 2002, Int. J. Digit. EVid..

[12]  G. Kane Parallel Distributed Processing: Explorations in the Microstructure of Cognition, vol 1: Foundations, vol 2: Psychological and Biological Models , 1994 .

[13]  R. Allen,et al.  A Period of Time , 1992 .

[14]  Karen A. Forcht,et al.  LEGAL METHODS OF USING COMPUTER FORENSICS TECHNIQUES FOR COMPUTER CRIME ANALYSIS AND INVESTIGATION , 2004 .

[15]  Florian P. Buchholz,et al.  Design and Implementation of Zeitline: a Forensic Timeline Editor , 2005, DFRWS.

[16]  M.H. Hassoun,et al.  Fundamentals of Artificial Neural Networks , 1996, Proceedings of the IEEE.

[17]  Atif Ahmad,et al.  FIRESTORM: Exploring the Need for a Forensic Tool for Pattern Correlation in Windows NT Audit Logs , 2002 .

[18]  Mikhail J. Atallah,et al.  An empirical study of automatic event reconstruction systems , 2006, Digit. Investig..

[19]  William W. Cohen Fast Effective Rule Induction , 1995, ICML.

[20]  William Frawley,et al.  Knowledge Discovery in Databases , 1991 .

[21]  Philip K. Chan,et al.  A Machine Learning Approach to Anomaly Detection , 2003 .

[22]  James L. McClelland,et al.  Parallel Distributed Processing: Explorations in the Microstructure of Cognition : Psychological and Biological Models , 1986 .

[23]  Samuel T. King,et al.  Backtracking intrusions , 2003, SOSP '03.

[24]  Risto Miikkulainen,et al.  Intrusion Detection with Neural Networks , 1997, NIPS.

[25]  Jeffrey L. Elman,et al.  Finding Structure in Time , 1990, Cogn. Sci..

[26]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[27]  Salvatore J. Stolfo,et al.  A comparative evaluation of two algorithms for Windows Registry Anomaly Detection , 2005, J. Comput. Secur..

[28]  James L. McClelland,et al.  Parallel distributed processing: explorations in the microstructure of cognition, vol. 1: foundations , 1986 .

[29]  Heekuck Oh,et al.  Neural Networks for Pattern Recognition , 1993, Adv. Comput..