An ontology-based approach for the reconstruction and analysis of digital incidents timelines

Chabot, Yoan; Bertaux, Aurélie; Nicolle, Christophe; Kechadi, Tahar

doi:10.1016/j.diin.2015.07.005

Cited by 43 publications

(23 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In the paper [14], the authors stated that digital forensics investigators face a challenge such as the high volume of data, which are becoming continuously vast and diverse because of the growth of new technologies. Therefore, the interpretation of digital evidence and the reconstruction of events is a complicated and time-consuming task for the investigator.…”

Section: Literature Reviewmentioning

confidence: 99%

An Ontology Based on the Timeline of Log2timeline and Psort Using Abstraction Approach in Digital Forensics

Bhandari

Jusas

2020

Symmetry

View full text Add to dashboard Cite

Digital forensics practitioners encounter numerous new terminologies during time-intensive digital investigation processes because of the explosive growth of the web, an immense amount of data, and rapid changes in technology. In such a scenario, the time needed to find and interpret the cause of the potential digital incident can be affected by the complexity involved in understanding the meaning of newly encountered terminologies. Although various approaches have been designed to assist digital practitioners in understanding the newly encountered terminologies during the investigation of the accident, none of them is capable of supporting investigators to interpret new terminologies. Our work focuses on reconstructing and analyzing the timeline of events and artifacts backed by the abstraction concept to help practitioners in reasoning about the perceived meaning of different digital forensics terminologies that are encountered during the investigation. This paper introduces an ontological approach based on the abstraction concept to reconstruct the timeline provided by command-based digital forensic tools, i.e., Log2timeline and Psort in the L2TCSV format, and assist in resolving the meaning of new encountered concepts. The performed experiments show that the novel methodology is capable of enhancing the timeline and assisting practitioners in determining the significance of encountered terminologies or concepts.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

An Ontology Based on the Timeline of Log2timeline and Psort Using Abstraction Approach in Digital Forensics

Bhandari

Jusas

2020

Symmetry

View full text Add to dashboard Cite

show abstract

“…A fundamental aspect of cyber-investigations is the extraction and analysis of traces, where the definition of a trace is any observable modification, including an absence of expected data, caused by an event in a digital crime scene (Casey, 2013). In the context of cyber-investigations, traces are used to address questions, which are generally described what, where, when, who, how and why.…”

Section: Case Overviewmentioning

confidence: 99%

The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form

Casey

Barnum

Griffith³

et al. 2018

Law, Governance and Technology Series

View full text Add to dashboard Cite

Motivation This paper describes the evolution of a community-developed, standardized specification language for representing and exchanging information in the broadest possible range of cyber-investigation domains, including digital forensic science, incident response, and counter terrorism. This initiative was originally called the Digital Forensic Analysis eXpression (DFAX), which has evolved into the Cyber-investigation Analysis Standard Expression (CASE). These standardization efforts include development of the Unified Cyber Ontology (UCO) to provide the scaffolding necessary to satisfy the requirements of a wide range of use cases in multiple specializations. A primary motivation for this community driven initiative is interoperability-to enable the exchange of cyber-investigation information between tools, organizations, and countries. The CASE specification language and UCO ontology are a rational progression from the foundational work on Digital Forensic Analysis eXpression (DFAX), which focused on digital forensic information and provenance context (Casey, Back, Barnum, 2015). "When investigating a single incident, being able to combine the results from multiple tools that are used to extract information from the digital evidence supports forensic reconstruction, including timeline creation and link analysis. In addition, being able to automate the comparison of similar results from multiple tools facilitates dual-tool verification. When crime spans borders, sharing of information between investigative agencies is crucial for a successful resolution. A fundamental requirement in digital forensics is to maintain information about evidence provenance as it is exchanged and processed, to help establish authenticity and trustworthiness. Furthermore, without a standardized approach to representing and sharing digital forensic information, investigators in different jurisdictions may never know that they are investigating crimes committed by the same criminal."

show abstract

“…Las propuestas de (Rueda-rueda, Rico-bautista, & Guerrero, 2018) y de (Di Ioro et al, 2017) se tuvieron en cuenta para definir el método más adecuado para el análisis forense de correos electrónicos. Los criterios de calidad para que las herramientas forenses permitan la reconstrucción de la prueba digital, bajo cánones de reproducibilidad, integridad y credibilidad propuestos por (Chabot, Bertaux, Nicolle, & Kechadi, 2015) y los criterios de evaluación de herramientas propuestos por (David, Parra, Rico-bautista, Medina-cárdenas, & Sanchez-ortiz, 2018) resultaron de interés para aplicar a la herramienta de soporte aquí presentada. El trabajo (Chhabra & Bajwa, 2012) que revisa integralmente el tema del análisis forense de correos electrónicos, se tomó como estructura formal para la descripción ordenada del objeto de estudio, mientras que los trabajos (Devendran, Shahriar, & Clincy, 2015) y (Youn, 2014) permitieron ajustar la ontología al modelo requerido para representar la trazabilidad y las preguntas de competencia.…”

Section: Introductionunclassified

OntoFoCE: Herramienta para el Análisis Forense de Correos Electrónicos

Notario

Gallo

Vegetti

et al. 2019

RISTI

View full text Add to dashboard Cite

Resumen: Este trabajo tiene como objetivo presentar una herramienta para el análisis forense de correos electrónicos a partir de la cabecera de los mismos y la utiliza para instanciar una ontología definida para responder a los puntos de pericia solicitados sobre el correo electrónico. La herramienta consta de cuatro componentes que permiten la obtención de las cabeceras de los correos a peritar, la instanciación de la ontología con los datos obtenidos de las cabeceras y la obtención de respuestas a los puntos de pericia a partir de las preguntas de competencia definidas para la ontología. Se describe cada componente y se ejemplifica el uso de la herramienta mediante un caso de estudio sobre análisis forense de un correo electrónico. Palabras-clave:Ontología; cabecera de correo; forensia digital. Abstract:The purpose of this work is to present a tool for the forensic analysis of emails from their headers. The tool is used to generate a defined ontology, in order to respond to the points of expertise requested about the email. It consists of four components which allow us to obtain the headers of the mails to be analyzed, to generate the ontology with the data acquired from those headers, and to give an answer to the points of expertise produced by the competency questions defined for the ontology. Each component is described and the use of the tool is exemplified through a case study on forensic analysis of an email.

show abstract

An ontology-based approach for the reconstruction and analysis of digital incidents timelines

Cited by 43 publications

References 14 publications

An Ontology Based on the Timeline of Log2timeline and Psort Using Abstraction Approach in Digital Forensics

An Ontology Based on the Timeline of Log2timeline and Psort Using Abstraction Approach in Digital Forensics

The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form

OntoFoCE: Herramienta para el Análisis Forense de Correos Electrónicos

Contact Info

Product

Resources

About