A framework for post-event timeline reconstruction using neural networks

Digital forensic analysis Neural networks a b s t r a c t Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations , capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence. Digital forensics, also called computer forensics or cyber forensics, has emerged as a new field of study over the last decade due to the rise in the highly technical nature of computer crimes. Digital forensics aims to find and explain the cause for an event or set of events occurred on a computer. This field is very diverse as digital evidence is required in a wide range of computer-related crimes and a range of methods and techniques within the disciplines of engineering and computer science have been studied and implemented. The incidences of computer-related crimes are increasing rapidly mainly due to widespread usage of the Internet and electronic transformation of businesses and personal communications. In addition, the advent of pervasive electronic devices being compatible with the computing machines has made the forensic investigations more complex; consequently , digital forensic investigators have to analyse increasingly larger volumes of data of varying diversity. Larger and more diverse data sets often result in the use of additional resources and greater costs required to complete effective digital forensic investigations. In such scenarios, an efficacious event reconstruction process may be of additional value during digital forensic investigations. During a …