Abstract
In a forensic investigation, computer profiling is used to capture evidence and to examine the events surrounding a crime. A rapid increase over the last few years in the volume of data needing examination has created an urgent need for the automation of profiling. In this paper, we present an efficient, automated event-profiling approach to the forensic investigation of a computer system and its activity over a fixed time period. While research in this area has adopted a number of methods, we extend and adapt the work of Marrington et al., which is based on a simple relational model. Our work differs from theirs in a number of ways: our object set (files, applications, etc.) can be enlarged or diminished repeatedly during the analysis; the transitive relation between objects is used sparingly in our work, as it tends to increase the set of objects requiring investigative attention; and our objective is to reduce the volume of data to be analyzed rather than to extend it. We present a substantial case study to illuminate the theory presented here. The case study also illustrates how a simple visual representation of the analysis could be used to assist a forensic team.
References
Abraham, T., de Vel, O.: Investigative Profiling with Computer Forensic Log Data and Association Rules. In: Proceedings of the 2002 IEEE International Conference on Data Mining, pp. 11–18 (2002)
Agrawal, R., Imielinski, T., Swami, A.: Mining Association Rules between Sets of Items in Large Databases. In: Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data, pp. 207–216 (1993)
Carrier, B.: File System Forensic Analysis. Upper Saddle River, Addison-Wesley (2005)
Garfinkel, S.L.: Forensic Feature Extraction and Cross-Drive Analysis. Digital Investigation 3, 71–81 (2006)
Gladyshev, P., Patel, A.: Finite State Machine Approach to Digital Event Reconstruction. Digital Investigation 1, 130–149 (2004)
Herstein, I.N.: Topics in Algebra, 2nd edn. Wiley, New York (1975)
Hwang, H.-U., Kim, M.-S., Noh, B.-N.: Expert System Using Fuzzy Petri Nets in Computer Forensics. In: Szczuka, M.S., Howard, D., Ślȩzak, D., Kim, H.-k., Kim, T.-h., Ko, I.-s., Lee, G., Sloot, P.M.A. (eds.) ICHIT 2006. LNCS (LNAI), vol. 4413, pp. 312–322. Springer, Heidelberg (2007)
Kwan, M., Chow, K.-P., Law, F., Lai, P.: Reasoning about Evidence Using Bayesian Networks. In: Proceedings of IFIP International Federation for Information Processing. Advances in Digital Forensics IV, vol. 285, pp. 275–289. Springer, Heidelberg (2008)
Liu, Z., Wang, N., Zhang, H.: Inference Model of Digital Evidence based on cFSA. In: Proceedings IEEE International Conference on Multimedia Information Networking and Security, pp. 494–497 (2009)
Marrington, A., Mohay, G., Morarji, H., Clark, A.: Computer Profiling to Assist Computer Forensic Investigations. In: Proceedings of RNSA Recent Advances in Security Technology, pp. 287–301 (2006)
Marrington, A., Mohay, G., Morarji, H., Clark, A.: Event-based Computer Profiling for the Forensic Reconstruction of Computer Activity. In: Proceedings of AusCERT 2007, pp. 71–87 (2007)
Marrington, A.: Computer Profiling for Forensic Purposes. PhD thesis, QUT, Australia (2009)
Tian, R., Batten, L., Versteeg, S.: Function Length as a Tool for Malware Classification. In: Proceedings of 3rd International Conference on Malware 2008, pp. 79–86. IEEE Computer Society, Los Alamitos (2008)
Welsh, D.J.A.: Matroid Theory. Academic Press, London (1976)
Wolf, J., Bansal, N., Hildrum, K., Parekh, S., Rajan, D., Wagle, R., Wu, K.-L., Fleischer, L.K.: SODA: An Optimizing Scheduler for Large-Scale Stream-Based Distributed Computer Systems. In: Issarny, V., Schantz, R. (eds.) Middleware 2008. LNCS, vol. 5346, pp. 306–325. Springer, Heidelberg (2008)
Yu, S., Zhou, W., Doss, R.: Information Theory Based Detection against Network Behavior Mimicking DDoS Attacks. IEEE Communication Letters 12(4), 319–321 (2008)
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Batten, L.M., Pan, L. (2011). Using Relationship-Building in Event Profiling for Digital Forensic Investigations. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_4
DOI: https://doi.org/10.1007/978-3-642-23602-0_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23601-3
Online ISBN: 978-3-642-23602-0