Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers

Research Article

Signature Based Detection of User Events for Post-mortem Forensic Analysis

Download
572 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-19513-6_8,
        author={Joshua James and Pavel Gladyshev and Yuandong Zhu},
        title={Signature Based Detection of User Events for Post-mortem Forensic Analysis},
        proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={5},
        keywords={Digital Forensics Event Reconstruction Signature Detection User Actions User Events Investigator inference},
        doi={10.1007/978-3-642-19513-6_8}
    }
    
  • Joshua James
    Pavel Gladyshev
    Yuandong Zhu
    Year: 2012
    Signature Based Detection of User Events for Post-mortem Forensic Analysis
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-19513-6_8
Joshua James1,*, Pavel Gladyshev1,*, Yuandong Zhu1,*
  • 1: University College Dublin
*Contact email: Joshua.James@UCD.ie, Pavel.Gladyshev@UCD.ie, Yuandong.Zhu@UCD.ie

Abstract

This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence, are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.