Recent advances in computer internetworking and continued increases in Internet usage have been accompanied by a continued increase in the incidence of computer-related crime. At the same time, the number of sources of potential evidence in any particular computer forensic investigation has grown considerably, as evidence of the occurrence of relevant events can potentially be drawn not only from multiple computers, networks, and electronic systems but also from disparate personal, organizational, and governmental contexts. Potentially, this leads to significant improvements in forensic outcomes, but it is accompanied by an increase in both the complexity and scale of event information. In order for forensic investigators to effectively investigate this mass of data, semantically strong representational models and automated methods of correlating such event data are becoming a necessity. The contribution of the work described in this paper is the automated detection of a computer forensic scenario, based upon facts automatically derived from digital event logs. We present an expert-systems-based approach that has the ability to manage the scalability and semantic issues arising in such inter-domain forensics, using an extensible, semantic domain model specified using the Web Ontology Language (OWL). We have developed a prototype system, Forensics of Rich Events (FORE), which supports investigation of heterogeneous event data using a novel form of manipulation of hypothetical knowledge, while supporting the application of standard rule- and signature-based event correlation techniques. We demonstrate proof of concept of our approach by applying the prototype we have developed to a test case scenario that demonstrates the flexibility of the approach in a single-domain context.

Key Words: A.I., Search Algorithms, Information Security.