3 research outputs found

    Dealing with temporal inconsistency in automated computer forensic profiling

    Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.

    A model for computer profiling

    This paper discusses the use of models in automatic computer forensic analysis, and proposes and elaborates on a novel model for use in computer profiling, the computer profiling object model. The computer profiling object model is an information model which models a computer as objects with various attributes and inter-relationships. These together provide the information necessary for a human investigator or an automated reasoning engine to make judgements as to the probable usage and evidentiary value of a computer system. The computer profiling object model can be implemented so as to support automated analysis to provide an investigator with the information needed to decide whether manual analysis is required.

    Event-based computer profiling for the forensic reconstruction of computer activity

    No full text
    In cases where an investigator has no prior knowledge of a computer system to be investigated, the significant investment of time and resources required to undertake a detailed computer forensic examination may deter investigators, given it is not known whether it will yield any relevant evidence. This problem is particularly acute in cases involving acceptable usage monitoring or intelligence operations, where an investigator has no particular expectations about the digital evidence which might be found on a collection of computer systems, or no prior knowledge of their usage. Computer profiling is a process by which a computer system is automatically examined, without direction, to determine whether the computer system is of interest to a human investigator. This paper proposes a new technique for automated computer forensic investigations which provides a computer profile with historical timelining of user and application activity. A prototype software implementation of the technique is described and experimental results are provided and discussed which demonstrate the feasibility and value of incorporating activity traces into a computer profile.