Method of Event Reconstruction in Digital Investigation and its Visualization

A reconstruction of the sequence of events that leads to a suspicious incident is an important phase in a digital forensics investigation. Event reconstruction answers the question of the existence of a digital object within a computer at any particular time, either triggered by an event or as an effect of an event. Various event reconstruction techniques are used to represent the sequence of events that caused the presence of the digital objects. The reconstruction of events in digital investigations is fairly complicated. Unaided reasoning is usually insufficient to comprehensively analyze the sequence of events in order to identify the suspect, apprehend the guilty and defend the innocent. Most present techniques lack thoroughness, relevancy and user friendliness. The development of a sound technique that could reduce the possibility of reasoning errors and hence increase the effectiveness of the analysis is crucial. This research defines a new method of event reconstruction that combines the capability to handle infinite sets of incident scenarios, determine the relevancy of witness statements, and visualize all possible incident scenarios. This study proposes a new method for representing the functionality of the system under investigation as well as the evidential statements. Some previous works only represent the functionality of the system under investigation as a Finite State Machine (FSM). In the proposed method, the functionality of the system under investigation is represented as an FSM, whereas a witness statement is represented as a regular expression. An algorithm is developed to derive a Deterministic Finite Automaton (DFA) that accepts the computations of the FSM representing the functionality of the system under investigation. Similarly, the regular expression is transformed into another DFA using standard algorithms. Finally, the two DFAs are intersected to produce another DFA, known as the Diagram of Digital Event Reconstruction and Analysis (DDERA). With both the functionality of the system under investigation and the evidential statement represented as DFAs, event reconstruction is reduced to the problem of automata intersection. The proposed method of event reconstruction has the ability to represent infinite sets of incident scenarios; therefore, it is capable of handling problematic event transition graphs with loops. Moreover, it allows relevancy checking among the given statements themselves as well as against the representation of the functionality of the system under investigation. Visualizing all possible incident scenarios graphically facilitates efficient insight into the digital evidence. Above all, the whole research formalizes and automates digital forensic analysis, opening a new horizon.

Bibliographic Details
Main Author: Abdullah, Mohd. Taufik
Format: Thesis
Language: English
Published: 2011
Subjects: Visualization; Forensic computer scientists; Image reconstruction
Online Access: http://psasir.upm.edu.my/id/eprint/19635/1/FSKTM_2011_2.pdf
Institution: Universiti Putra Malaysia
Collection: PSAS Institutional Repository
Granting Department: Faculty of Computer Science and Information Technology
Qualification: Doctor of Philosophy (PhD.), Doctorate
Record: http://psasir.upm.edu.my/id/eprint/19635/