TraceGen: User activity emulation for digital forensic test image generation

Digital forensic test images are commonly used across a variety of digital use cases including education and training, tool testing validation, proficiency testing, malware analysis, research development. Using real evidence for these purposes is often not viable or permissible, especially when factoring in the ethical some legal considerations working with individuals' personal data. Furthermore, using data it usually known what actions were performed when, i.e., was ‘ground truth’. The creation synthetic typically involves an arduous, time-consuming process manually performing list actions, following ‘story’ to generate artefacts subsequently imaged disk. Besides manual effort time needed executing relevant scenario, there little room build realistic volume non-pertinent wear-and-tear ‘background noise’ on suspect device, meaning resulting disk inherently limited certain extent simplistic. This work presents TraceGen framework, automated system focused emulation user create comprehensive auditable reproducible manner. framework consists series contained within scripts that executed both externally internally target virtual machine. These existing automation APIs emulate user's behaviour Windows artefacts. can be quickly scripted together form complex stories image. In addition development evaluation also terms ability produce background at scale, realism compared their human-generated counterparts.