Book Chapter

Digital Evidence Composition in Fraud Detection

TL;DR: An evidence composition model based on the time of occurrence of events which determines quantitatively the extent of correlation between the events and is scalable to an arbitrary set of evidence sources.
Abstract: In recent times, digital evidence has found its way into several digital devices. The storage capacity in these devices is also growing exponentially. When investigators come across such devices during a digital investigation, it may take several man-hours to completely analyze the contents. To date, there has been little achieved in the zone that attempts to bring together different evidence sources and to correlate the events they record. In this paper, we present an evidence composition model based on the time of occurrence of such events. The time interval between events promises to reveal many key associations across events, especially when on multiple sources. The time interval is then used as a parameter to a correlation function which determines quantitatively the extent of correlation between the events. The approach has been demonstrated on a network capture sequence involving phishing of a bank website. The model is scalable to an arbitrary set of evidence sources and preliminary results indicate that the approach has tremendous potential in determining correlations on vast repositories of case data.
Citations
01 Jan 2014
TL;DR: The scope of identifying valuable information that one might use for analysis during a forensic investigation or for security analysis purposes is outlined, which largely focuses on what is being stored today in digital image and word processing documents.
Abstract: Recent events have provided the much-needed impetus to understand the use of 'metadata' in everyday digital life. Metadata are a part of any information that is stored digitally to simplify the handling and management of data. More recently, metadata has taken center-stage with its potential for monitoring users and manipulating usage. Metadata contain information relating to who, how and when the artifacts were created or modified or accessed, be it a file, a log record or even a network packet. During analysis, focusing on metadata enables us to understand the evolution of artifacts and assess them in relation to other artifacts. This article outlines the scope of identifying valuable information that one might find useful for analysis during a forensic investigation or for security analysis purposes. We touch upon the use of metadata in log files and network packets but largely focus on what is being stored today in digital image files and word processing documents.

Cites methods from "Digital Evidence Composition in Fraud Detection"

  • ...Raghavan and Raghavan [9] proposed a timestamp correlation method to detect and attribute a phishing incident on a banking network....


References
Journal Article
TL;DR: The PyFlag architecture is described and in particular how that is used in the network forensics context and the PyFlag page rendering is demonstrated.

264 citations


"Digital Evidence Composition in Fraud Detection" refers background in this paper

  • ...Cohen [4] describes the PyFlag network forensic architecture, which is an open-source effort in providing a common framework for integrating forensic analysis from diverse digital sources....


Journal Article
TL;DR: FACE is presented, a framework for automatic evidence discovery and correlation from a variety of forensic targets, and an advanced open-source memory analysis tool, ramparser, for the automated analysis of Linux systems is presented.

136 citations


"Digital Evidence Composition in Fraud Detection" refers background in this paper

  • ...Case et al. [3] propose the FACE framework for performing automatic correlations in forensic investigation....


Journal Article
TL;DR: This paper presents a rigorous method for reconstructing events in digital systems based on the idea, that once the system is described as a finite state machine, its state space can be explored to determine all possible scenarios of the incident.

133 citations


"Digital Evidence Composition in Fraud Detection" refers background in this paper

  • ...Gladyshev and Patel [5] propose a finite state model approach for event reconstruction....


Journal Article
TL;DR: A model based on the history of a computer is used to define categories and classes of analysis techniques that support the existing higher-level frameworks and can be used to more clearly compare the frameworks.

66 citations


"Digital Evidence Composition in Fraud Detection" refers methods in this paper

  • ...Carrier and Spafford [2] propose a method for analysis using the computer history model....


Proceedings Article
01 Jan 2005
TL;DR: The evidence graph is proposed as a novel graph model to facilitate the presentation and manipulation of intrusion evidence and a hierarchical reasoning framework that includes local reasoning and global reasoning is developed.
Abstract: We develop a prototype network forensics analysis tool that integrates presentation, manipulation and automated reasoning of intrusion evidence. We propose the evidence graph as a novel graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, we develop a hierarchical reasoning framework that includes local reasoning and global reasoning. In local reasoning, we apply Rule-based Fuzzy Cognitive Maps (RBFCM) to model the state evolution of suspicious hosts. In global reasoning, we aim to identify groups of strongly correlated hosts in the attack and derive their relationships in the attack scenario. Our analysis mechanism effectively integrates analyst feedback into the automated reasoning process. Experimental results demonstrate the potential of our proposed techniques.

33 citations


"Digital Evidence Composition in Fraud Detection" refers background in this paper

  • ...Wang and Daniels [9] propose an evidence graph approach to network forensic analysis and build a correlation graph using network captures....
