Supporting Process Mining with Recovered Residual Data

Abstract

Understanding how workflows are actually carried out within an organisation can provide a crucial contribution to business process improvement. This paper presents a concept for reconstructing a business process by using file residuals on a hard-drive and without the need for existing event logs. Thereby, methods from the area of process mining are enriched with approaches from digital forensics investigations in a Digital Trace Miner. First, a framework that extracts traces originating from business process execution based on residual data is developed in order to link them to the processes. The traces from the extraction are used in a life-cycle to keep related data up-to-date. This approach has been implemented and evaluated by a prototype. The evaluation shows that this approach enables useful insights regarding the tasks performed on a suspect computer by associating recovered files by using file-carving mechanisms