Abstract
Ontological data representation and data normalization provide a structured way to correlate digital artifacts and reduce the amount of data a forensic investigator must process in order to understand the sequence of events that occurred on a system. However, ontology processing suffers from large disk consumption and high computational cost. This paper presents Property Graph Event Reconstruction (PGER), a data normalization and event correlation system that stores event data in a native graph database. This storage model allows traversals that require zero index lookups. PGER reduces the processing time of event correlation grammars by up to a factor of 9.9 over a system that uses a relational-database-based approach.
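As an added illustration (not PGER's code and not from the paper), here is the pipeline the abstract describes, run on constructed records: records from three sources are normalized into one event shape, stored as a property graph whose nodes hold direct pointers to their neighbours so traversal needs no index lookup, and a toy correlation rule is evaluated by walking those pointers. The record field names, relationship names and the software_install rule are assumptions made for this example.

```python
from collections import defaultdict
class Node:  # property-graph node: label, properties, and direct pointers to neighbours
    def __init__(self, label, props):
        self.label, self.props, self.out = label, props, defaultdict(list)
    def link(self, rel, other):
        self.out[rel].append(other)  # pointer kept on the node itself: traversal needs no index lookup
# source -> (timestamp field, normalized action, object field); every record names the acting process in "Image"
SCHEMA = {"evtx": ("TimeCreated", "process_create", "Image"),
          "file": ("ts", "file_write", "TargetFilename"),
          "registry": ("ts", "reg_set", "TargetObject")}
def normalize(rec):  # map a source-specific record to the common {ts, actor, action, object} shape
    ts_field, action, obj_field = SCHEMA[rec["source"]]
    return {"ts": rec[ts_field], "actor": rec["Image"], "action": action, "object": rec[obj_field]}
def build_graph(events):  # Process -DID-> Event; each process's events are chained by NEXT in time order
    procs, last = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        node = Node("Event", ev)
        proc = procs.setdefault(ev["actor"], Node("Process", {"name": ev["actor"]}))
        proc.link("DID", node)
        if ev["actor"] in last:
            last[ev["actor"]].link("NEXT", node)
        last[ev["actor"]] = node
    return procs
RULES = {"software_install": ["process_create", "file_write", "reg_set"]}  # toy correlation grammar (assumed)

def correlate(procs, rules=RULES):  # walk NEXT pointers from each event; a full match becomes a HighLevel node
    found = []
    for proc in procs.values():
        for start in proc.out["DID"]:
            for name, pattern in rules.items():
                cur, parts = start, []
                for action in pattern:
                    if cur is None or cur.props["action"] != action:
                        parts = None
                        break
                    parts.append(cur)
                    cur = cur.out["NEXT"][0] if cur.out["NEXT"] else None
                if parts:
                    hl = Node("HighLevel", {"type": name, "actor": proc.props["name"], "ts": parts[0].props["ts"]})
                    for p in parts:
                        hl.link("CONSISTS_OF", p)
                    found.append(hl)
    return found

RAW = [  # constructed sample records from three sources
    {"source": "evtx", "TimeCreated": "2018-03-01T10:00:00", "Image": r"C:\Temp\setup.exe"},
    {"source": "file", "ts": "2018-03-01T10:00:05", "Image": r"C:\Temp\setup.exe", "TargetFilename": r"C:\Program Files\App\app.exe"},
    {"source": "registry", "ts": "2018-03-01T10:00:09", "Image": r"C:\Temp\setup.exe", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App"},
    {"source": "evtx", "TimeCreated": "2018-03-01T10:01:00", "Image": r"C:\Windows\notepad.exe"},
]
```

Running `correlate(build_graph([normalize(r) for r in RAW]))` yields one HighLevel node for setup.exe linked to its three constituent events, while notepad.exe's lone process_create matches nothing.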
Acknowledgments
The views expressed in this document are those of the author and do not reflect the official policy or position of the United States Air Force, the United States Department of Defense or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States.
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Schelkoph, D.J., Peterson, G.L., Okolica, J.S. (2019). Digital Forensics Event Graph Reconstruction. In: Breitinger, F., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 259. Springer, Cham. https://doi.org/10.1007/978-3-030-05487-8_10
DOI: https://doi.org/10.1007/978-3-030-05487-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05486-1
Online ISBN: 978-3-030-05487-8