Time Line Analysis in Digital Forensics

Time lines are an essential part of forensic analysis. Reconstructing the event sequence around an incident of interest is vital to virtually any resolution, regardless of the venue. A private enterprise may be concerned about prevention and thus focus on identifying an attack path and vulnerabilities. In contrast, law enforcement would be concerned with identifying a suspect and preserving evidence for potential prosecution. In both cases, however, an accurate and credible time line is necessary. Without knowing the order in which events occurred, an enterprise could have trouble identifying how unauthorized access was gained. Without an accurate chronology, law enforcement couldn't map suspects' actions to the offense. Investigation of a digital event is no exception. The digital environment, however, does present unique challenges.
