Activity analysis is an increasingly common task in complex investigative digital forensics examinations. This analysis relies on extracting data from a system and projecting backwards to identify and explain events that took place in the past. There have historically been two approaches: either examiners look at each log individually, or all individual records are extracted from all available sources and combined into a massive database for analysis. Either method ignores potentially relevant information about the context of the individual records as well as the characteristics of their sources. It is also challenging to identify if any records were once present but are now missing due to either intentional obfuscation or simply routine system operation and interactions.
This work presents a taxonomy for describing time-activity data (TAD) and the characteristics of TAD sources, and describes an inferential analysis strategy based on those source characteristics. This enables examiners to identify and describe the characteristics of different sources and how they may strengthen or complicate activity analysis conclusions. This work also presents a state-based approach to activity analysis: a model of how system state changes over time in response to user actions, which provides a method for analyzing TAD records from successive disk images. This method was then applied to a series of linked images from the same system in the M57-Patents dataset to analyze the degradation of TAD record data over time. The data was analyzed to determine whether the degradation varies by record source or type and to look for variation across three separate systems.
Committee: Gheorghe Tecuci; Daniel Carr; Duminda Wijesekera; Robert Osgood; Deborah Goodings; Kenneth S. Ball
School: George Mason University
School Location: United States -- Virginia
Source: DAI-A 82/3(E), Dissertation Abstracts International
Subjects: Information Technology; Computer science; Criminology
Keywords: Activity analysis; Activity cascade; Data degradation; Digital forensics; System activity model; Time activity data