Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers

Research Article

Signature Based Detection of User Events for Post-mortem Forensic Analysis

  • @INPROCEEDINGS{10.1007/978-3-642-19513-6_8,
        author={Joshua James and Pavel Gladyshev and Yuandong Zhu},
        title={Signature Based Detection of User Events for Post-mortem Forensic Analysis},
        proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={5},
        keywords={Digital Forensics Event Reconstruction Signature Detection User Actions User Events Investigator inference},
        doi={10.1007/978-3-642-19513-6_8}
    }
    
  • Joshua James
    Pavel Gladyshev
    Yuandong Zhu
    Year: 2012
    Signature Based Detection of User Events for Post-mortem Forensic Analysis
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-19513-6_8
Joshua James1,*, Pavel Gladyshev1,*, Yuandong Zhu1,*
  • 1: University College Dublin
*Contact email: Joshua.James@UCD.ie, Pavel.Gladyshev@UCD.ie, Yuandong.Zhu@UCD.ie

Abstract

This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.

Keywords
Digital Forensics, Event Reconstruction, Signature Detection, User Actions, User Events, Investigator inference
Published
2012-05-28
http://dx.doi.org/10.1007/978-3-642-19513-6_8
Copyright © 2010–2025 ICST