Signature Based Detection of User Events for Post-mortem Forensic Analysis

  title={Signature Based Detection of User Events for Post-mortem Forensic Analysis},
  author={J. James and P. Gladyshev and Yuandong Zhu},
  • J. James, P. Gladyshev, Yuandong Zhu
  • Published in ICDF2C 2010
  • Computer Science
  • This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence, are examined. It is then demonstrated that this natural process of inferring high-level events… CONTINUE READING
    14 Citations

    Figures, Tables, and Topics from this paper

    Anti-Forensic Trace Detection in Digital Forensic Triage Investigations
    • 8
    • PDF
    Automated inference of past action instances in digital investigations
    • 17
    • PDF
    Forensic Application-Fingerprinting Based on File System Metadata
    • 14
    The Phases Based Approach for Regeneration of Timeline in Digital Forensics
    • S. Bhandari, V. Jusas
    • Computer Science
    • 2020 International Conference on INnovations in Intelligent SysTems and Applications (INISTA)
    • 2020
    Automated Digital Forensic Triage: Rapid Detection of Anti-Forensic Tools
    Challenges with Automation in Digital Forensic Investigations
    • 35
    • PDF
    A survey on digital evidence collection and analysis
    • 14


    Cyber Criminal Activity Analysis Models using Markov Chain for Digital Forensics
    • Do Do Kim, H.P. In
    • Computer Science
    • 2008 International Conference on Information Security and Assurance (isa 2008)
    • 2008
    • 4
    Signature-Based Approach for Intrusion Detection
    • B. Sy
    • Computer Science
    • MLDM
    • 2005
    • 13
    • PDF
    A Consistency Study of the Windows Registry
    • 5
    • PDF
    Formalising Event Time Bounding in Digital Investigations
    • 48
    • PDF
    Timestamp evidence correlation by model based clock hypothesis testing
    • 28
    Guide to Intrusion Detection and Prevention Systems (IDPS)
    • 1,152
    • PDF
    Extraction and Categorisation of User Activity from Windows Restore Points
    • 9
    • PDF