Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers

Research Article

An Architecture for the Forensic Analysis of Windows System Artifacts

  • @INPROCEEDINGS{10.1007/978-3-642-19513-6_10,
        author={Noor Hashim and Iain Sutherland},
        title={An Architecture for the Forensic Analysis of Windows System Artifacts},
        proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={5},
        keywords={Forensics, Visualisation, Open platform},
        doi={10.1007/978-3-642-19513-6_10}
    }
  • Noor Hashim, Iain Sutherland. An Architecture for the Forensic Analysis of Windows System Artifacts. ICDF2C, Springer, 2012. DOI: 10.1007/978-3-642-19513-6_10
Noor Hashim1,*, Iain Sutherland1,*
  • 1: University of Glamorgan
*Contact email: nhashim@glam.ac.uk, isutherl@glam.ac.uk

Abstract

We propose an architecture that enables a forensic investigator to analyse and visualise a range of system-generated artifacts with both known and unknown data structures. The architecture is intended to facilitate the extraction and analysis of operating system artifacts while remaining extensible, flexible and reusable. The examples selected for this paper are the Windows Event Logs and the Swap File. Event logs can reveal evidence regarding logons, authentication, accounts and privileged use, and can address questions such as which user accounts were being used and which machines were accessed. The Swap File may contain fragments of data, remnants or entire documents, e-mail messages or the results of internet browsing, all of which may reveal past user activity. Issues relating to understanding and visualising artifact data structures are discussed and possible solutions are explored. We outline a proposed solution consisting of three parts: an extraction component responsible for extracting data and preparing it for visualisation, a storage subsystem consisting of a database that holds all of the extracted data, and the interface, an integrated set of visualisation tools.
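The three-part split described in the abstract (pluggable extractors, a database as the shared store, and query-driven views on top) is easy to sketch in code. The following Python example is added here to illustrate that split; it is not the authors' implementation and the paper's own extractor and database design are not on this page. It assumes a simplified, constructed line format for event-log records (`time|event_id|user|host`) rather than the real EVT/EVTX binary structure, and treats the swap file as an unknown-structure artifact from which printable strings and e-mail addresses are carved. Event IDs 4624, 4625 and 4634 are the standard Windows Security log logon/failed-logon/logoff IDs; every other value (usernames, hostnames, byte sequences) is constructed sample data.

```python
"""Toy extraction -> storage -> interface pipeline for Windows artifacts (added example)."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Artifact:
    """Normalised record that every extractor emits into the shared store."""
    source: str     # which extractor produced it
    kind: str       # e.g. "logon", "email_fragment"
    timestamp: str  # ISO-8601 text; empty when the artifact carries no time field
    user: str
    host: str
    detail: str


class Extractor:
    """Plug-in interface: each artifact type gets its own subclass."""
    name = "base"

    def extract(self, data: bytes) -> Iterable[Artifact]:
        raise NotImplementedError


class EventLogExtractor(Extractor):
    """Known structure. Assumed simplified record format: 'time|event_id|user|host' per line."""
    name = "eventlog"
    # Real Security log event IDs for successful logon, failed logon and logoff.
    LOGON_IDS = {"4624": "logon", "4625": "logon_failed", "4634": "logoff"}

    def extract(self, data: bytes) -> Iterable[Artifact]:
        for line in data.decode("utf-8", "replace").splitlines():
            parts = line.split("|")
            if len(parts) != 4:          # malformed record: skip rather than abort the run
                continue
            ts, event_id, user, host = parts
            kind = self.LOGON_IDS.get(event_id)
            if kind is None:             # not an event we model here
                continue
            yield Artifact(self.name, kind, ts, user, host, f"event_id={event_id}")


class SwapCarver(Extractor):
    """Unknown structure. Carves printable runs and flags those containing an e-mail address."""
    name = "swap"
    STRING = re.compile(rb"[\x20-\x7e]{8,}")
    EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

    def extract(self, data: bytes) -> Iterable[Artifact]:
        for match in self.STRING.finditer(data):
            raw = match.group()
            kind = "email_fragment" if self.EMAIL.search(raw) else "string_fragment"
            yield Artifact(self.name, kind, "", "", "", raw.decode("ascii"))


class ArtifactStore:
    """Storage subsystem: one SQLite table shared by all extractors, queried by the interface."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS artifacts "
            "(source TEXT, kind TEXT, ts TEXT, user TEXT, host TEXT, detail TEXT)"
        )

    def load(self, extractor: Extractor, data: bytes) -> int:
        rows = [(a.source, a.kind, a.timestamp, a.user, a.host, a.detail)
                for a in extractor.extract(data)]
        self.db.executemany("INSERT INTO artifacts VALUES (?,?,?,?,?,?)", rows)
        self.db.commit()
        return len(rows)

    # Interface-side queries: "which accounts were used on which machines?"
    def logons_by_user(self) -> List[Tuple[str, str, int]]:
        return self.db.execute(
            "SELECT user, host, COUNT(*) FROM artifacts WHERE kind='logon' "
            "GROUP BY user, host ORDER BY user, host"
        ).fetchall()

    def fragments(self, kind: str) -> List[str]:
        return [r[0] for r in self.db.execute(
            "SELECT detail FROM artifacts WHERE kind=? ORDER BY detail", (kind,))]


# Constructed sample inputs (not real log or swap data).
SAMPLE_EVENTLOG = b"""2010-10-04T08:01:00|4624|alice|WS01
2010-10-04T08:05:12|4625|bob|WS01
2010-10-04T09:30:00|4624|alice|SRV02
2010-10-04T17:45:09|4634|alice|WS01
malformed line
"""
SAMPLE_SWAP = (b"\x00\x00\x01\x02Meeting notes draft v3\x00\xff\x00"
               b"hello world mail from alice@example.test re: budget\x00\x13\x00ab\x00")


def build_store() -> Tuple[ArtifactStore, Dict[str, int]]:
    """Run every registered extractor over its input and return the store plus record counts."""
    store = ArtifactStore()
    counts = {ex.name: store.load(ex, data)
              for ex, data in ((EventLogExtractor(), SAMPLE_EVENTLOG), (SwapCarver(), SAMPLE_SWAP))}
    return store, counts


if __name__ == "__main__":
    store, counts = build_store()
    print("records per source:", counts)
    print("logons by user/host:", store.logons_by_user())
    print("e-mail fragments:", store.fragments("email_fragment"))
```

Adding a new artifact type means writing one more `Extractor` subclass; the store and the queries do not change, which is the extensibility the abstract argues for. Separating the carver for unknown-structure data from the parser for known-structure data also keeps a malformed or unexpected record in one source from disturbing the others.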