Digital Forensics Event Graph Reconstruction

  • Daniel J. Schelkoph
  • Gilbert L. Peterson
  • James S. Okolica
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)


Ontological data representation and data normalization can provide a structured way to correlate digital artifacts and reduce the amount of data that a forensics investigator needs to process in order to understand the sequence of events that happened on a system. However, ontology processing suffers from large disk consumption and a high computational cost. This paper presents Property Graph Event Reconstruction (PGER), a data normalization and event correlation system that utilizes a native graph database to store event data. This storage method leverages zero-index (index-free) traversals. PGER reduces the processing time of event correlation grammars by a factor of up to 9.9 over a system that uses a relational-database-based approach.
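The abstract describes three steps: normalizing heterogeneous artifacts into a common event schema, storing them as a property graph whose nodes hold their own adjacency (so a correlation rule follows pointers rather than hitting an index), and running correlation grammars that lift low-level events into higher-level ones. The following toy is an added example written for this page, not PGER's code or any Neo4j API; the events, the `ProcessWroteFile` rule, the 10-second window and all names are constructed assumptions. It also includes a flat nested-loop join producing the same result, to make the contrast with the relational approach concrete.

```python
# Added illustration (not from the paper): a minimal property graph with
# index-free adjacency, a normalization step, and one correlation rule.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(eq=False)
class Node:
    label: str
    props: dict
    # relationship type -> adjacent nodes, stored on the node itself
    out: dict = field(default_factory=lambda: defaultdict(list))
    inc: dict = field(default_factory=lambda: defaultdict(list))


class PropertyGraph:
    """Labelled property graph; edges live on the nodes (index-free adjacency)."""

    def __init__(self):
        self.nodes = []

    def add_node(self, label, **props):
        node = Node(label, props)
        self.nodes.append(node)
        return node

    def add_edge(self, src, rel, dst):
        src.out[rel].append(dst)
        dst.inc[rel].append(src)


# Constructed sample artifacts from two sources, already mapped to one schema.
# Timestamps are seconds; pids, images and paths are invented.
RAW_EVENTS = [
    {"ts": 100, "src": "evtx", "type": "ProcessCreate", "pid": 4242, "image": "setup.exe"},
    {"ts": 103, "src": "mft", "type": "FileCreate", "pid": 4242, "path": "C:/Users/alice/AppData/run.dll"},
    {"ts": 104, "src": "evtx", "type": "ProcessCreate", "pid": 5151, "image": "notepad.exe"},
    {"ts": 130, "src": "mft", "type": "FileCreate", "pid": 4242, "path": "C:/Users/alice/late.tmp"},
    {"ts": 106, "src": "mft", "type": "FileCreate", "pid": 5151, "path": "C:/Users/alice/notes.txt"},
]


def normalize(raw_events):
    """Normalization: one Event node per artifact, one Process node per pid,
    Event-[:BY]->Process edges, and a time-ordered NEXT chain between events."""
    g = PropertyGraph()
    procs = {}  # pid -> Process node; the only lookup, done once at ingest
    prev = None
    for ev in sorted(raw_events, key=lambda e: e["ts"]):
        node = g.add_node("Event", **ev)
        proc = procs.get(ev["pid"])
        if proc is None:
            proc = procs[ev["pid"]] = g.add_node("Process", pid=ev["pid"])
        g.add_edge(node, "BY", proc)
        if prev is not None:
            g.add_edge(prev, "NEXT", node)
        prev = node
    return g


def correlate(graph, window=10):
    """Correlation rule (hypothetical grammar): ProcessCreate followed by a
    FileCreate from the same process within `window` seconds yields a
    higher-level ProcessWroteFile event. The rule walks Process.inc['BY']
    directly; no table scan or index lookup is needed per event."""
    found = []
    for proc in graph.nodes:
        if proc.label != "Process":
            continue
        events = sorted(proc.inc["BY"], key=lambda n: n.props["ts"])
        for i, ev in enumerate(events):
            if ev.props["type"] != "ProcessCreate":
                continue
            for later in events[i + 1:]:
                if later.props["ts"] - ev.props["ts"] > window:
                    break  # events are time-ordered, so stop at the window edge
                if later.props["type"] == "FileCreate":
                    found.append({"kind": "ProcessWroteFile", "pid": proc.props["pid"],
                                  "image": ev.props["image"], "path": later.props["path"],
                                  "ts": later.props["ts"]})
    return sorted(found, key=lambda f: f["ts"])


def correlate_relational(raw_events, window=10):
    """The same rule as a nested-loop join over flat rows, for comparison."""
    found = []
    for a in raw_events:
        if a["type"] != "ProcessCreate":
            continue
        for b in raw_events:
            if (b["type"] == "FileCreate" and b["pid"] == a["pid"]
                    and 0 <= b["ts"] - a["ts"] <= window):
                found.append({"kind": "ProcessWroteFile", "pid": a["pid"], "image": a["image"],
                              "path": b["path"], "ts": b["ts"]})
    return sorted(found, key=lambda f: f["ts"])


if __name__ == "__main__":
    for hit in correlate(normalize(RAW_EVENTS)):
        print(hit)
```

On this input both functions report two `ProcessWroteFile` events (pid 4242 at t=103 and pid 5151 at t=106); the write at t=130 falls outside the window. The graph version touches only the events reachable from each Process node, which is the property the abstract credits for PGER's speed-up; the join version must compare every ProcessCreate row against every FileCreate row or rely on an index on `pid`.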


Keywords: Graph database, Digital forensics, Property graph, Ontology, Event reconstruction



The views expressed in this document are those of the author and do not reflect the official policy or position of the United States Air Force, the United States Department of Defense or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States.



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Daniel J. Schelkoph, Air Force Institute of Technology (AFIT), Wright-Patterson AFB, USA
  • Gilbert L. Peterson, Air Force Institute of Technology (AFIT), Wright-Patterson AFB, USA
  • James S. Okolica, Air Force Institute of Technology (AFIT), Wright-Patterson AFB, USA
