UPM Institutional Repository

Method of Event Reconstruction in Digital Investigation and its Visualization


Citation

Abdullah, Mohd. Taufik (2011) Method of Event Reconstruction in Digital Investigation and its Visualization. PhD thesis, Universiti Putra Malaysia.

Abstract

A reconstruction of sequences of events that leads to a suspicious incident is an important phase in digital forensics investigation. Event reconstruction answers the question concerning the existence of digital object within computer at any particular time either triggered by an event or an effect of an event. Various event reconstruction techniques are used for representing the sequence of event that caused presence of the digital objects. The reconstruction of events in digital investigations is fairly complicated. Unaided reasoning is usually insufficient to comprehensively analyze the sequence of events to identify suspect, apprehend the guilty and defend the innocent. Most present techniques lacks of thoroughness, relevancy, and user friendliness. A development of a sound technique which could reduce the possibility of reasoning errors and hence increases the effectiveness of the analysis is crucial. This research defines a new method of event reconstruction which associates the capability to handle infinite set of incident scenarios, determine the relevancy of witness statements, and visualize all possibilities of incident scenarios. This study proposed a new method for representing the functionality of system under investigation as well as evidential statements. Some previous works only represent the functionality of the system under investigation as Finite State Machine (FSM). In the proposed method, the functionality of the system under investigation is represented as FSM whereby witness statement is represented as regular expression. An algorithm is developed to derive a Deterministic Finite Automaton (DFA) that accepts computations of FSM that represent the functionality of system under investigation. Similarly, the regular expression is transformed into another DFA using standard algorithms. Finally, the two DFAs are intersected to produce another DFA known as Diagram of Digital Event Reconstruction and Analysis (DDERA). Having both the functionality of system under investigation and evidential statement represented as DFAs, the event reconstruction is reduced to the problem of automata intersection. The proposed method of event reconstruction in this research has an ability to represent infinite sets of incident scenarios. Therefore, it is capable of handling problematic even transition graphs with loops. Moreover, it allows relevancy checking among given statements themselves as well as against the representation of the functionality of system under investigation. Visualization of all possible scenarios of incident in graphical manner facilitates efficient insight gaining into digital evidence. Above all, the whole research formalizes and automates digital forensic analysis into a new horizon.


Download File

[img]
Preview
PDF
FSKTM_2011_2.pdf

Download (707kB) | Preview

Additional Metadata

Item Type: Thesis (PhD)
Subject: Visualization
Subject: Forensic computer scientists
Subject: Image reconstruction
Call Number: FSKTM 2011 2
Chairman Supervisor: Associate Professor Ramlan Mahmod, PhD
Divisions: Faculty of Computer Science and Information Technology
Depositing User: Ms. Nida Hidayati Ghazali
Date Deposited: 12 Jun 2014 03:20
Last Modified: 12 Jun 2014 06:29
URI: http://psasir.upm.edu.my/id/eprint/19635
Statistic Details: View Download Statistic

Actions (login required)

View Item View Item