Automated inference of past action instances in digital investigations

James, Joshua; Gladyshev, Pavel
June 2015
International Journal of Information Security;Jun2015, Vol. 14 Issue 3, p249
Academic Journal
As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a postmortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.


Related Articles

  • Finjan Prevents Zero-Day Exploit.  // Database & Network Journal;Aug2009, Vol. 39 Issue 4, p26 

    The article reports on the discovery of zero-day exploit by Finjan Software Inc. It notes that the zero-day vulnerability (CVE-2009-1862) in Adobe Acrobat Reader and Flash player are exploited by cybercriminals. The exploit, which was detected by the Malicious Code Research Center of Finjan,...

  • Detection and analysis of eavesdropping in anonymous communication networks. Chakravarty, Sambuddho; Portokalidis, Georgios; Polychronakis, Michalis; Keromytis, Angelos // International Journal of Information Security;Jun2015, Vol. 14 Issue 3, p205 

    Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, when the relayed traffic reaches the boundaries of the network, toward its destination, the original user traffic is inevitably...

  • Explosion of Connected Devices Exposes Holes in IT Security.  // Appliance Design;Aug2014, Vol. 62 Issue 8, p6 

    The article offers information on BlueCat Threat Protection for DNS/DHCP Server, a solution developed to combat threats of malware, botnets and other information security attacks.

  • A Survey of Different Approaches to Detect Wormhole attack. Saluja, Baltej Kaur; Gupta, A. K. // International Journal of Computer Science & Information Technolo;2014, Vol. 5 Issue 3, p4369 

    Mobile ad-hoc networks (MANETs) are collections of wireless mobile computers (or nodes) having no pre-existing infrastructure or centralized management and which are connected by wireless links automatically. Securing Mobile Ad hoc Networks is essential for network communications. Success of mobile...

  • Managing Cyber Risks in an Interconnected World.  // PC Quest;Nov2014, p20 

    The article discusses the findings in the survey "State of the Information Security Survey-India 2015," conducted by the research firm PwC. Topics include the initiation of the 'Bitterbug' malware by an Islamabad based group, the severity of the Heartbleed virus categorized by the Computer...

  • Combating the Evolving Malware Threat. Moynihan, John // Risk Management (00355593);Oct2014, Vol. 61 Issue 8, p26 

    The article reports on the evolution and management of malware threats. Topics discussed include the meaning of customized malware, the Trojan.POSRAM attack variant, and the implementation of information security policy. Also mentioned is information on the importance of cybereducation in...

  • Malicious Nodes Identification for Complex Network Based on Local Views. VERNIZE, GRAZIELLE; PIRES GUEDES, ANDRÉ LUIZ; PESSOA ALBINI, LUIZ CARLOS // Computer Journal;Oct2015, Vol. 58 Issue 10, p2476 

    Several social, biological and information systems can be described through complex network models. All complex networks display common structural features, such as the small-world and scale-free properties. However, the presence of selfish and/or malicious nodes can damage the network...

  • Using Security Logs to Identify and Manage User Behaviour to Enhance Information Security. Hunt, Rose; Hill, Stephen // Proceedings of the European Conference on e-Learning;2015, p111 

    This paper describes a study which seeks to evaluate the relationship between user behaviour, including the use of social technologies within the workplace, and the prevalence of malware infections routinely detected on devices. The study's initial focus is the extent to which security breaches...

  • Failure Detection in Network Forensics for Volatile Data Acquisition. Nassif, Lilian Noronha // Proceedings of the International Conference on Cyber Warfare & S;2014, p342 

    Acts committed in cyber attacks are often difficult to identify because attackers remove incriminating traces. Digital forensics provides evidence of illegal actions in the digital world. One of its branches, network forensics, can record the entire communication flow between the attacker and...

