Analysis of Forensic Super Timelines
Abstract
As the use and adoption of networked electronic devices grows, their use in conjunction with crimes also increases. Extracting the probative evidence from these devices requires experienced digital forensics examiners. These examiners use several specialized tools that interpret the raw binary data present in digital media. Once the evidentiary artifacts are collected, one of the examiner's goals is to assemble a narrative that describes when events occurred, based on the time associated with each artifact. Unfortunately, generating and evaluating these narrative super timelines is a manual and labor-intensive process. This research focuses on aiding the examiner in that evaluation through the generation of several queries that extract and connect the temporal artifacts and produce concise timelines. Extracting and analyzing these concise timelines allows the examiner to decrease the number of artifacts to search through from hundreds of thousands to only a hundred or less. Additionally, queries that correlate various artifacts allow the examiner to confirm or deny attribution of the user's actions. Application of the presented queries to a fictitious event demonstrates their ability to reduce the number of artifacts and facilitate the understanding of the activities surrounding the incident.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 14, 2012
- Accession Number: ADA562672
Entities
People
- Stephen J. Esposito
Organizations
- Air Force Institute of Technology