Article thumbnail
Location of Repository

Event-based computer profiling for the forensic reconstruction of computer activity

By Andrew D. Marrington, George M. Mohay, Andrew J. Clark and Hasmukh L. Morarji

Abstract

In cases where an investigator has no prior knowledge of a computer system to be investigated, the significant investment of time and resources required to undertake a detailed computer forensic examination may deter investigators, given it is not known whether it will yield any relevant evidence. This problem is particularly acute in cases involving acceptable usage monitoring or intelligence operations, where an investigator has no particular expectations about the digital evidence which might be found on a collection of computer systems, or no prior knowledge of their usage. Computer profiling is a process by which a computer system is automatically examined, without direction, to determine whether the computer system is of interest to a human investigator. This paper proposes a new technique for automated computer forensic investigations which provides a computer profile with historical timelining of user and application activity. A prototype software implementation of the technique is described and experimental results are provided and discussed which demonstrate the feasibility and value of incorporating activity traces into a computer profile

Topics: 080499 Data Format not elsewhere classified
Publisher: University of Queensland
Year: 2007
OAI identifier: oai:eprints.qut.edu.au:15579

Suggested articles


To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.