A framework for post-event timeline reconstruction using neural networks

Authors:
M. N. A. Khan;C. R. Chatwin;R. C. D. Young
Affiliations:
Industrial Informatics and Manufacturing Systems, Department of Engineering and Design,University of Sussex, Falmer, Brighton, East Sussex BN1 9QT, UK;Industrial Informatics and Manufacturing Systems, Department of Engineering and Design,University of Sussex, Falmer, Brighton, East Sussex BN1 9QT, UK;Industrial Informatics and Manufacturing Systems, Department of Engineering and Design,University of Sussex, Falmer, Brighton, East Sussex BN1 9QT, UK
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2007

Citing 9
Cited 2

Intrusion detection with neural networks

NIPS '97 Proceedings of the 1997 conference on Advances in neural information processing systems 10
Neural Networks: A Comprehensive Foundation

Neural Networks: A Comprehensive Foundation
Fundamentals of Artificial Neural Networks

Fundamentals of Artificial Neural Networks
Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse

IEEE Transactions on Software Engineering
Text classification using string kernels

The Journal of Machine Learning Research
Backtracking intrusions

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Forensix: A Robust, High-Performance Reconstruction System

ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
A comparative evaluation of two algorithms for Windows Registry Anomaly Detection

Journal of Computer Security
An empirical study of automatic event reconstruction systems

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Network forensics based on fuzzy logic and expert system

Computer Communications
Machine learning in computer forensics (and the lessons learned from machine learning in computer security)

Proceedings of the 4th ACM workshop on Security and artificial intelligence

Quantified Score

Hi-index	0.00

Visualization

Abstract

Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.