Automated Inference of Past Action Instances in Digital Investigations
Joshua I. James, Pavel Gladyshev

TL;DR
This paper introduces a signature-based method for automatically reconstructing past user actions in digital investigations, aiming to reduce case backlogs by accurately approximating multiple action instances over time.
Contribution
It proposes a novel formal framework and a new action-trace update time threshold to improve detection of multiple action instances in digital forensic analysis.
Findings
Effective detection of multiple action instances demonstrated
Time-based categorization improves reconstruction accuracy
Case study validates practical applicability
Abstract
As the amount of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent…
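The model sketched in the abstract, as an added illustration rather than the paper's own code: the objects an action alters are listed in a signature, each tagged with an assumed update pattern ("core" for objects updated on every instance of the action, "supporting" for objects updated only on some), and a time threshold groups last-update timestamps into approximate action instances. The signature, object names, threshold value and timestamps below are all constructed.

```python
from dataclasses import dataclass

# Added example, not the paper's code. Assumed simplified model: a signature
# lists the objects an action alters, tagged "core" when the object is updated
# on every instance and "supporting" when it is updated only on some instances.
THRESHOLD = 60  # seconds: updates closer than this count as one action instance

@dataclass(frozen=True)
class SignatureObject:
    name: str
    kind: str  # "core" or "supporting"

def cluster_times(times, threshold):
    """Group timestamps so that neighbours within threshold share a cluster."""
    clusters = []
    for t in sorted(times):
        if clusters and t - clusters[-1][-1] <= threshold:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return clusters

def infer_instances(signature, last_update, threshold=THRESHOLD):
    """Approximate action instances from per-object last-update times.
    last_update maps object name -> most recent modification time (the only
    timestamp a post-mortem image usually keeps). Returns (instance_times
    newest-first, consistent); consistent is False when core traces disagree."""
    core_names = [o.name for o in signature if o.kind == "core"]
    if any(n not in last_update for n in core_names):
        return [], False  # a core trace is missing: signature not matched
    core = [last_update[n] for n in core_names]
    if len(cluster_times(core, threshold)) != 1:
        return [], False  # core traces disagree: not one action instance
    latest = max(core)
    # supporting objects last updated before the latest instance imply older ones
    older = [last_update[o.name] for o in signature
             if o.kind == "supporting" and o.name in last_update
             and last_update[o.name] < latest - threshold]
    instances = [max(c) for c in cluster_times(older, threshold)]
    return sorted(instances + [latest], reverse=True), True

# Constructed signature and last-modified times (seconds from an arbitrary epoch)
APP_SIGNATURE = [SignatureObject("history.db", "core"),
                 SignatureObject("session.bin", "core"),
                 SignatureObject("first_run_marker", "supporting"),
                 SignatureObject("cache/index", "supporting")]
LAST_UPDATE = {"history.db": 10_000, "session.bin": 10_020,
               "first_run_marker": 1_000, "cache/index": 5_500}
```

With the constructed data the core objects agree on one recent instance, and the two supporting objects whose timestamps fall outside the threshold each indicate an earlier instance, giving a lower bound of three instances.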
