Event Reconstruction: A State of the Art

Event reconstruction is one of the most important steps in a digital forensic investigation: it gives investigators a clear view of the events that occurred on a system over a period of time. It is a complex task, because the pervasiveness of modern devices and services means an investigator must explore a very large number of events drawn from many heterogeneous sources. Any evidence produced at the end of the investigative process must also meet the requirements of the courts, such as reproducibility, verifiability and validation. After defining the key concepts of event reconstruction, we survey the challenges of this field and the solutions proposed so far.
