Automatic Timeline Construction and Analysis for Computer Forensics Purposes

Chabot, Yoan; Bertaux, Aurélie; Nicolle, Christophe; Kechadi, Tahar

doi:10.1109/jisic.2014.54

Cited by 11 publications

(7 citation statements)

References 4 publications

(6 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The use of predefined rules does not provide flexibility because previously unseen messages may be recorded in log files. For an automatic process, there are several methods for generating a forensic timeline [8], [9] but not for finding events of interest in a timeline.…”

Section: Instance the Investigator Can Analyzementioning

confidence: 99%

“…Then, there are several queries for examining important events, namely, application activity, browsing history, access to recent documents, and executed programs [19]. A forensic timeline is also needed after events are modeled with semantic-based correlation [3] or ontology-based techniques [9] to investigate the association between events and their timeline.…”

Section: A Forensic Timeline Analysismentioning

confidence: 99%

See 1 more Smart Citation

Sentiment Analysis in a Forensic Timeline With Deep Learning

2020

View full text Add to dashboard Cite

A forensic investigator creates a timeline from a forensic disk image after an occurrence of a security incident. This procedure aims to acquire the time for all events identified from the investigated artifacts. An investigator usually looks for events of interest by manually searching the timeline. One of the sources from which to build a timeline is log files, and these events are often found in log messages. In this paper, we propose a sentiment analysis technique to automatically extract events of interest from log messages in the forensic timeline. We use a deep learning technique with a context and content attention model to identify aspect terms and the corresponding sentiments in the forensic timeline. Terms with negative sentiments indicate events of interest and are highlighted in the timeline. Therefore, the investigator can quickly examine the events and other activities recorded within the surrounding time frame. Experimental results on four public forensic case studies show that the proposed method achieves 98.43% and 99.64% for the F1 score and accuracy, respectively.

show abstract

Section: Instance the Investigator Can Analyzementioning

confidence: 99%

Section: A Forensic Timeline Analysismentioning

confidence: 99%

Sentiment Analysis in a Forensic Timeline With Deep Learning

2020

View full text Add to dashboard Cite

show abstract

“…Timeline reconstruction is of interest to both cyber and traditional crime investigations. This interest is reflected in the wide variety of work done for creating timelines [28], [35], [36], [41], making better tools for editing and visualization [24], [47], and correlating sources together to infer semantics in a timeline [29], [39], [54]. However, all these methods are dependent on various logs and database files that are formatted independently by applications making their timeline recovery highly application-specific.…”

Section: Related Workmentioning

confidence: 99%

"Tipped Off by Your Memory Allocator": Device-Wide User Activity Sequencing from Android Memory Images"

Bhatia

Saltaformaggio

Yang

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

An essential forensic capability is to infer the sequence of actions performed by a suspect in the commission of a crime. Unfortunately, for cyber investigations, user activity timeline reconstruction remains an open research challenge, currently requiring manual identification of datable artifacts/logs and heuristic-based temporal inference. In this paper, we propose a memory forensics capability to address this challenge. We present Timeliner, a forensics technique capable of automatically inferring the timeline of user actions on an Android device across all apps, from a single memory image acquired from the device. Timeliner is inspired by the observation that Android app Activity launches leave behind key self-identifying data structures. More importantly, this collection of data structures can be temporally ordered, owing to the predictable manner in which they were allocated and distributed in memory. Based on these observations, Timeliner is designed to (1) identify and recover these residual data structures, (2) infer the user-induced transitions between their corresponding Activities, and (3) reconstruct the devicewide, cross-app Activity timeline. Timeliner is designed to leverage the memory image of Android's centralized ActivityManager service. Hence, it is able to sequence Activity launches across all apps -even those which have terminated. Our evaluation shows that Timeliner can reveal substantial evidence (up to an hour) across a variety of apps on different Android platforms.

show abstract

“…Yoan, Bertaux, e Tahar apresentam uma proposta baseada em semântica, implementada por meio de ontologias, para lidar com o problema da análise de logs de um sistema. A proposta consiste em fornecer ao analista uma visão de conhecimento dos eventos do sistema com um nível de agrupamento e abstração maior do que os dados brutos [9]. O presente trabalho lida com o problema da grande quantidade de logs com uma abordagem diferente da usada nos dois últimos trabalhos citados.…”

Section: Trabalhos Relacionadosunclassified

Uma Proposta de Abordagem para Análise Forense de Sistemas Invadidos por Ransomware

Filho¹

2018

Proceedings of the Tenth International Conference on Forensic Computer Science and Cyber Law

View full text Add to dashboard Cite

A perícia em casos de invasão de sistemas representa um desafio ao especialista, principalmente pela diversidade de tecnologias envolvidas e a grande quantidade de dados que precisa ser analisada. O objetivo do trabalho é apresentar uma abordagem desse problema realizada em um caso real de sistema invadido vítima de ransomware. O trabalho descreve o cenário do sistema invadido, os processos usados para obtenção dos dados, a necessidade de informações adicionais para análise dos dados obtidos e como a abordagem utilizada pôde contribuir para as conclusões da perícia. Ao final, são discutidas potenciais aplicações da abordagem em casos semelhantes e trabalhos futuros.

show abstract

Automatic Timeline Construction and Analysis for Computer Forensics Purposes

Cited by 11 publications

References 4 publications

Sentiment Analysis in a Forensic Timeline With Deep Learning

Sentiment Analysis in a Forensic Timeline With Deep Learning

"Tipped Off by Your Memory Allocator": Device-Wide User Activity Sequencing from Android Memory Images"

Uma Proposta de Abordagem para Análise Forense de Sistemas Invadidos por Ransomware

Contact Info

Product

Resources

About