
Research Article
Efficient Fingerprint Matching for Forensic Event Reconstruction
@INPROCEEDINGS{10.1007/978-3-030-68734-2_6,
  author={Tobias Latzo},
  title={Efficient Fingerprint Matching for Forensic Event Reconstruction},
  proceedings={Digital Forensics and Cyber Crime. 11th EAI International Conference, ICDF2C 2020, Boston, MA, USA, October 15-16, 2020, Proceedings},
  proceedings_a={ICDF2C},
  year={2021},
  month={2},
  keywords={Forensic event reconstruction, Linux logs, System call tracing, SIEM},
  doi={10.1007/978-3-030-68734-2_6}
}
- Tobias Latzo
Year: 2021
ICDF2C
Springer
DOI: 10.1007/978-3-030-68734-2_6
Abstract
Forensic investigations usually rely on log files to reconstruct previous events on computing systems. Using standard log files as well as traces of system calls, we analyze which traces are left by different events on a GNU/Linux server that runs common services such as an SSH server, WordPress, Nextcloud and Docker containers. From these traces we derive characteristic fingerprints of the events, which can later be matched against other log files to detect them. We develop a matching algorithm and examine the parameters that influence its performance, both in terms of event detectability and detection time. We also examine the effect of using different subsets of system calls to improve matching efficiency.