Article

Automated recognition of event scenarios for digital forensics

Authors:

George MohayAuthors Info & Claims

SAC '06: Proceedings of the 2006 ACM symposium on Applied computing

Pages 293 - 300

https://doi.org/10.1145/1141277.1141346

Published: 23 April 2006 Publication History

Get Access

Abstract

The authors have previously developed the ECF (Event Correlation for Forensics) framework for scenario matching in the forensic investigation of activity manifested in digital transactional logs. ECF incorporated a suite of log parsers to reduce event records from heterogeneous logs to a canonical form for lodging in an SQL database. This paper presents work since then, the Auto-ECF system, which represents significant advances on ECF. The paper reports on the development and implementation of the new event abstraction and scenario specification methodology and on the development of the Auto-ECF system which builds on that to achieve the automated recognition of event scenarios. The paper also reports on the evaluation of Auto-ECF using three scenarios including one from the well known DARPA test data.

References

[1]

Chen Kevin, Andrew Clark, Olivier De Vel and George Mohay "ECF - Event Correlation for Forensics" In Proceedings of 1st Australian Computer, Network & Information Forensics Conference Perth, Western Australia, 2003.

Google Scholar

[2]

NetForensics, "NetForensics," http://www.netforensics.com/, 2003.

Google Scholar

[3]

GuardedNet, "GuardedNet neuSECURE," http://www.guarded.net/, 2003.

Google Scholar

[4]

e-Security Inc., "e-Security Management System," http://www.esecurityinc.com/, 2003.

Google Scholar

[5]

GFI Software USA, "LANguard Security Event Log Monitor," http://www.gfisoftware.de/, 2003.

Google Scholar

[6]

Sawmill, "Flowerfire," www.sawmill.net, 2003.

Google Scholar

[7]

TNT Software, "ELM Log Manager," https://www.tnttechnology.com/, 2003.

Google Scholar

[8]

I3P - Institute for Information Infrastructure Protection, "National Information Infrastructure Protection Research and Development Agenda Initiative Report, Information Infrastructure Protection: Survey of Products, Tools and Services," http://www.thei3p.org, 9 Sept 2002.

Google Scholar

[9]

Haines Joshua, Dorene Kewley Ryder, Laura Tinnel, Stephen Taylor, "Validation of Sensor Alert Correlators," IEEE Security & Privacy, vol. 1, 2003.

Digital Library

Google Scholar

[10]

Bishop M. "A Standard Audit Trail Format" In Proceedings of 18th National Information Systems Security Conference, 1995. pp. 136--145.

Google Scholar

[11]

CERIAS, "Audit Trails Format Group," http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-format.php: Purdue University, 2003.

Google Scholar

[12]

CERIAS Audit Trail Reduction Group, http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.php: Purdue University, 2003.

Google Scholar

Cited By

View all

Chabot YBertaux ANicolle CKechadi T(2018)An ontology-based approach for the reconstruction and analysis of digital incidents timelinesDigital Investigation: The International Journal of Digital Forensics & Incident Response10.1016/j.diin.2015.07.00515:C(83-100)Online publication date: 20-Dec-2018
https://dl.acm.org/doi/10.1016/j.diin.2015.07.005
Alrajeh DPasquale LNuseibeh BBodden ESchäfer WDeursen AZisman A(2017)On evidence preservation requirements for forensic-ready systemsProceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering10.1145/3106237.3106308(559-569)Online publication date: 21-Aug-2017
https://dl.acm.org/doi/10.1145/3106237.3106308
Chabot YBertaux AKechadi TNicolle C(2015)Event ReconstructionHandbook of Research on Digital Crime, Cyberspace Security, and Information Assurance10.4018/978-1-4666-6324-4.ch015(231-245)Online publication date: 2015
https://doi.org/10.4018/978-1-4666-6324-4.ch015
Show More Cited By

Index Terms

Automated recognition of event scenarios for digital forensics
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Context-oriented programming with EventJava
COP '09: Proceedings of the 1st ACM International Workshop on Context-Oriented Programming

Recent research on Distributed Event-based Systems (DEBS) has focussed on event correlation, which is the task of processing events to identify meaningful patterns of events in the event cloud. In DEBS, software components communicate by generating, ...
Automated Windows event log forensics

This paper proposes methods to automate recovery and analysis of Windows NT5 (XP and 2003) event logs for computer forensics. Requirements are formulated and methods are evaluated with respect to motivation and process models. A new, freely available ...
Towards event ordering in digital forensics
MM&Sec '10: Proceedings of the 12th ACM workshop on Multimedia and security

In criminal investigation and criminal justice, investigators are usually faced with several reports, which contain a set of events of interest. Often, it is important to be able to order these events so that relevant queries can be posed on this ...

Comments

Information & Contributors

Information

Published In

SAC '06: Proceedings of the 2006 ACM symposium on Applied computing

April 2006

1967 pages

ISBN:1595931082

DOI:10.1145/1141277

Conference Chair:
Hisham M. Haddad
Kennesaw State University, Kennesaw, Georgia

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 April 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SAC06

Sponsor:

SIGAPP

SAC06: The 2006 ACM Symposium on Applied Computing

April 23 - 27, 2006

Dijon, France

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25

Sponsor:
sigapp

The 40th ACM/SIGAPP Symposium on Applied Computing

March 31 - April 4, 2025

Catania , Italy

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
926
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)1

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Chabot YBertaux ANicolle CKechadi T(2018)An ontology-based approach for the reconstruction and analysis of digital incidents timelinesDigital Investigation: The International Journal of Digital Forensics & Incident Response10.1016/j.diin.2015.07.00515:C(83-100)Online publication date: 20-Dec-2018
https://dl.acm.org/doi/10.1016/j.diin.2015.07.005
Alrajeh DPasquale LNuseibeh BBodden ESchäfer WDeursen AZisman A(2017)On evidence preservation requirements for forensic-ready systemsProceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering10.1145/3106237.3106308(559-569)Online publication date: 21-Aug-2017
https://dl.acm.org/doi/10.1145/3106237.3106308
Chabot YBertaux AKechadi TNicolle C(2015)Event ReconstructionHandbook of Research on Digital Crime, Cyberspace Security, and Information Assurance10.4018/978-1-4666-6324-4.ch015(231-245)Online publication date: 2015
https://doi.org/10.4018/978-1-4666-6324-4.ch015
Gidwani TArgano MYan WIssa F(2013)A Comprehensive Survey of Event AnalyticsEmerging Digital Forensics Applications for Crime Detection, Prevention, and Security10.4018/978-1-4666-4006-1.ch012(166-180)Online publication date: 2013
https://doi.org/10.4018/978-1-4666-4006-1.ch012
Al Awawdeh SBaggili IMarrington AIqbal F(2013)CAT Record (computer activity timeline record): A unified agent based approach for real time computer forensic evidence collection2013 8th International Workshop on Systematic Approaches to Digital Forensics Engineering (SADFE)10.1109/SADFE.2013.6911539(1-8)Online publication date: Nov-2013
https://doi.org/10.1109/SADFE.2013.6911539
Gidwani TArgano MYan WIssa F(2012)A Comprehensive Survey of Event AnalyticsInternational Journal of Digital Crime and Forensics10.4018/jdcf.20120701034:3(33-46)Online publication date: 1-Jul-2012
https://doi.org/10.4018/jdcf.2012070103
Chu HYang SPark J(2012)A partially reconstructed previous Gmail session by live digital evidences investigation through volatile data acquisitionSecurity and Communication Networks10.1002/sec.5115:10(1193-1198)Online publication date: 26-Apr-2012
https://doi.org/10.1002/sec.511
Corney MMohay GClark A(2011)Detection of anomalies from user profiles generated from system logsProceedings of the Ninth Australasian Information Security Conference - Volume 11610.5555/2460416.2460421(23-32)Online publication date: 17-Jan-2011
https://dl.acm.org/doi/10.5555/2460416.2460421
Årnes AHaas PVigna GKemmerer R(2006)Using a virtual security testbed for digital forensic reconstructionJournal in Computer Virology10.1007/s11416-006-0033-x2:4(275-289)Online publication date: 21-Dec-2006
https://doi.org/10.1007/s11416-006-0033-x

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Context-oriented programming with EventJava

Automated Windows event log forensics

Towards event ordering in digital forensics

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations