Dissertation/Thesis Abstract

Analysis of Time Activity Data Characteristics and Data Degradation in Digital Forensics
by Smallman, Andrew C., Ph.D., George Mason University, 2020, 150; 28088941
Abstract (Summary)

Activity analysis is an increasingly common task in complex investigative digital forensics examinations. This analysis relies on extracting data from a system and projecting backwards to identify and explain events that took place in the past. There have historically been two approaches: either examiners look at each log individually, or all individual records are extracted from all available sources and combined into a massive database for analysis. Either method ignores potentially relevant information about the context of the individual records as well as the characteristics of their sources. It is also challenging to identify if any records were once present but are now missing due to either intentional obfuscation or simply routine system operation and interactions.

This work presents a taxonomy for describing time-activity data (TAD) and TAD source characteristics and describes an inferential analysis strategy based on the characteristics of TAD sources. This enables examiners to identify and describe the characteristics for different sources and how they may enhance or complicate activity analysis conclusions. This work also presents a state-based approach to activity analysis. This model for system state changes over time in response to user actions provides a method for the analysis of TAD records from successive disk images. This method was then applied to a series of images from the M57-Patents dataset to analyze the degradation of TAD record data over time from a series of linked images from the same system. The data was analyzed to see if the degradation varies by record source or type and to look for variation across three separate systems.

Indexing (document details)
Advisor: Jones, James
Commitee: Tecuci, Gheorghe, Carr, Daniel, Wijesekera, Duminda, Osgood, Robert, Goodings, Deborah, Ball, Kenneth S.
School: George Mason University
Department: Computer Forensics
School Location: United States -- Virginia
Source: DAI-A 82/3(E), Dissertation Abstracts International
Source Type: DISSERTATION
Subjects: Information Technology, Computer science, Criminology
Keywords: Activity analysis, Activity cascade, Data degradation, Digital forensics, System activity model, Time activity data
Publication Number: 28088941
ISBN: 9798672192420
Copyright © 2020 ProQuest LLC. All rights reserved. Terms and Conditions Privacy Policy Cookie Policy
ProQuest