Signature Based Detection of User Events for Post-mortem Forensic Analysis

James, Joshua I.; Gladyshev, Pavel; Zhu, Yuandong

doi:10.1007/978-3-642-19513-6_8

Cited by 11 publications

(22 citation statements)

References 10 publications

(10 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Without naming it, James et al [12] adapt the concept of a fingerprint that is known from other areas of computer security. Fingerprints arise from side channels that transport typical information that may be useful to an attacker.…”

Section: B Related Workmentioning

confidence: 99%

“…He has shown that it is possible to tell if and when a folder was last copied even if the event took place weeks or even months prior to the investigation. James et al [12] generate timestamp signatures for identifying user activities in post mortem digital investigations. They focus on generating "signatures" for the startup process of different applications and created those signatures for the following three applications: Microsoft Internet Explorer, Mozilla Firefox and Microsoft MSN Messenger.…”

Section: B Related Workmentioning

confidence: 99%

“…Generally, our goal is to 1) make use of such fingerprints in event reconstruction, i.e., to prove the presence or absence of known fingerprints on an analyzed system, and 2) to generate a database of such fingerprints automatically using a novel fingerprint generation system. Like James et al [12], we only use NTFS MAC timestamps for fingerprint generation, although our approach can be extended to any file system metadata that is available in the specific file system. Using only timestamp information already enables us to generate fingerprints for detecting not only the start of specific applications, but also different actions that can be performed with the same application.…”

Section: Introducing Application Fingerprintsmentioning

confidence: 98%

See 1 more Smart Citation

Forensic Application-Fingerprinting Based on File System Metadata

Kalber

Dewald

Freiling

2013

2013 Seventh International Conference on IT Security Incident Management and IT Forensics

View full text Add to dashboard Cite

While much work has been invested in tools for aquisition and extraction of digital evidence, there are only few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the set of files accessed by those actions overlap.

show abstract

“…For each tested action, the results of each instance of the action were analyzed to determine trace category association [13] . This process consisted of comparing the trace time with the known execution time.…”

Section: Experimentationmentioning

confidence: 99%

Update Thresholds of More Accurate Time Stamp for Event Reconstruction

James¹,

Jang²

2017

JIIBC

View full text Add to dashboard Cite

Many systems rely on reliable timestamps to determine the time of a particular action or event. This is especially true in digital investigations where investigators are attempting to determine when a suspect actually committed an action. The challenge, however, is that objects are not updated at the exact moment that an event occurs, but within some time-span after the actual event. In this work we define a simple model of digital systems with objects that have associated timestamps. The model is used to predict object update patterns for objects with associated timestamps, and make predictions about these update time-spans. Through empirical studies of digital systems, we show that timestamp update patterns are not instantaneous. We then provide a method for calculating the distribution of timestamp updates on a particular system to determine more accurate action instance times.

show abstract

“…Mohamad et al used markers and data structures for JPEG header detection [11]. James et al used signature-based analysis methods to reconstruct user event [12]. The aforementioned methods are invariably deployed at the application level.…”

Section: Internet Packet Flowmentioning

confidence: 99%

Digital evidence collection for web image access

Hsieh

Liu

2012

Security Comm. Networks

View full text Add to dashboard Cite

As the volume of multimedia data exchanged over the Internet continues to grow, the problem of preventing the unauthorized duplication of copyright-protected images or the dissemination of undesirable material such as pornographic pictures has become increasingly important. The majority of the images circulated over the Internet are coded in the JPEG format. Thus, the present study proposes a novel digital feature retrieval scheme designed to detect unlawful dissemination of preselected JPEG images. In the proposed approach, the packet-level features of the target JPEG image are collected in advance and are stored in a feature database. Thereafter, the features of all the packets passing through a nominated router are compared on-the-fly with those in the feature database in order to detect any transmissions of the target images. The experimental results show that the proposed packet-level forensic scheme is far more efficient than existing applicationlevel schemes. As a result, the proposed scheme provides a viable solution for the background monitoring of JPEG streams over large-scale network environments such as the Internet in order to detect unlawful transmissions and to compile digital evidence of such transmissions for possible future legal proceedings.

show abstract

Signature Based Detection of User Events for Post-mortem Forensic Analysis

Cited by 11 publications

References 10 publications

Forensic Application-Fingerprinting Based on File System Metadata

Update Thresholds of More Accurate Time Stamp for Event Reconstruction

Digital evidence collection for web image access

Contact Info

Product

Resources

About