An automated timeline reconstruction approach for digital forensic investigations
| dc.contributor.author | Hargreaves, C. J. | - |
| dc.contributor.author | Patterson, J. | - |
| dc.date.accessioned | 2014-01-23T05:02:43Z | |
| dc.date.available | 2014-01-23T05:02:43Z | |
| dc.date.issued | 2012-08-06T00:00:00Z | - |
| dc.description.abstract | Existing work on digital forensics timeline generation focuses on extracting times from a disk image into a timeline. Such an approach can produce several million ‘low-level’ events (e.g. a file modification or a Registry key update) for a single disk. This paper proposes a technique that can automatically reconstruct high-level events (e.g. connection of a USB stick) from this set of low-level events. The paper describes a framework that extracts low- level events to a SQLite backing store which is automatically analysed for patterns. The provenance of any high- level events is also preserved, meaning that from a high-level event it is possible to determine the low-level events that caused its inference, and from those, the raw data that caused the low-level event to be initially created can also be viewed. The paper also shows how such high-level events can be visualised using existing tools. | en_UK |
| dc.identifier.issn | 1742-2876 | - |
| dc.identifier.uri | http://dx.doi.org/10.1016/j.diin.2012.05.006 | - |
| dc.identifier.uri | http://dspace.lib.cranfield.ac.uk/handle/1826/8103 | |
| dc.language.iso | en_UK | - |
| dc.publisher | Elsevier Science B. V., Amsterdam | en_UK |
| dc.title | An automated timeline reconstruction approach for digital forensic investigations | en_UK |
| dc.type | Article | - |