This paper presents a rigorous method for reconstructing events in digital systems. It is based on the idea that once the system is described as a finite state machine, its state space can be explored to determine all possible scenarios of the incident. To formalize evidence, the evidential statement notation is introduced. It represents the facts conveyed by the evidence as a series of witness stories that restrict the possible computations of the finite state machine. To automate event reconstruction, a generic event reconstruction algorithm is proposed. It computes the set of all possible explanations for a given evidential statement with respect to a given finite state machine.
Abstract. This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis, and the inferences an investigator normally makes when given digital evidence, are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied to three popular Windows-based programs as a proof of concept.
This paper expands upon the finite state machine approach for the formal analysis of digital evidence. The proposed method may be used to support the feasibility of a given statement by testing it against a relevant system model. To achieve this, a novel method for modeling the system and evidential statements is given. The method is then examined in a case study example.

Comment: 10 pages, 11 figures, Presented at the 1st International Conference on Digital Forensics & Cyber Crim
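As an added example (not code from either of the finite state machine papers summarised above), the following toy implementation shows the core idea: enumerate the machine's computations, then keep only those that every witness story of the evidential statement can explain. The printer-queue model, the two stories and all function names are constructed here for illustration.

```python
"""Toy FSM event reconstruction. A computation is a sequence of (state, event)
steps. An observation (predicate, lo, hi) says the predicate holds on a segment
of lo..hi consecutive steps; a witness story partitions a computation into such
segments in order; an evidential statement is a set of stories that must all
hold on the same computation. Model and stories are constructed, not real."""
from itertools import product

ORDER = ["empty", "one", "two"]          # a print queue holding 0, 1 or 2 jobs
EVENTS = ["add", "take"]

def step(state, event):
    """Transition function; None means the event is impossible in that state."""
    i = ORDER.index(state)
    if event == "add" and i < 2:
        return ORDER[i + 1]
    if event == "take" and i > 0:
        return ORDER[i - 1]
    return None

def computations(length):
    """Every run of exactly `length` steps the model can perform."""
    runs = []
    for start, events in product(ORDER, product(EVENTS, repeat=length)):
        run, s = [], start
        for e in events:
            nxt = step(s, e)
            if nxt is None:
                break
            run.append((s, e))
            s = nxt
        else:                            # no break: every step was possible
            runs.append(tuple(run))
    return runs

def explains(story, run, pos=0):
    """True if run[pos:] splits into segments matching the story's observations."""
    if not story:
        return pos == len(run)
    pred, lo, hi = story[0]
    for n in range(lo, min(hi, len(run) - pos) + 1):
        seg = run[pos:pos + n]
        if all(pred(s, e) for s, e in seg) and explains(story[1:], run, pos + n):
            return True
    return False

def reconstruct(statement, length):
    """All computations of `length` steps consistent with every witness story."""
    return [r for r in computations(length) if all(explains(st, r) for st in statement)]

ANY = lambda s, e: True
LOG_STORY = [(lambda s, e: s == "empty", 1, 3), (ANY, 0, 3)]                  # log: queue began empty
WITNESS_STORY = [(ANY, 0, 3), (lambda s, e: s == "two", 1, 3), (ANY, 0, 3)]   # witness: saw two jobs queued
```

With the log alone two three-step computations remain; adding the witness story narrows the explanation set to a single computation, and a story the model cannot realise (three consecutive takes) yields no explanation at all.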
As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.