Event reconstruction using temporal pattern of file system modification

IET Information Security

Nowadays, several digital forensic tools extract a great deal of low-level information from different parts of a system, but constructing high-level information from it is very challenging. This study reconstructs high-level events from the traces that applications leave in file system metadata. To this end, an event reconstruction framework is proposed that determines which applications have been run on a compromised system. The framework works in two phases. In the training phase, the signatures of various applications are constructed; the signature of an application is the temporal pattern of file system modification caused by that application. In the detection phase, the temporal pattern of file system modification of the compromised system's hard disk (TPFSM-D) is constructed first. Then, to determine whether a particular application has been run on the compromised system, the distance between the application's signature and the TPFSM-D is calculated using a proposed distance measure. Finally, a decision engine decides whether the application has been run on the compromised system. The framework has been tested on different scenarios, and the empirical results suggest that it is effective in reconstructing events.
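The following is an added toy illustration of the two-phase workflow the abstract describes; it is not the paper's code, and the paper's actual distance measure and decision rule are not given in the abstract. The distance measure used here (fraction of signature files missing, plus normalised timing error of the files that are present, anchored on the earliest matching file so that wall-clock time on the compromised system does not matter), the tolerance and threshold values, and all file paths and timestamps are constructed assumptions for the example.

```python
"""Added example (not the paper's method): application signatures as temporal
patterns of file modification, matched against a disk's metadata with an
assumed distance measure and a threshold-based decision engine."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A record as a forensic tool might extract it from file system metadata:
# (path, modification time in seconds). Only mtime is used in this toy.
FsRecord = Tuple[str, float]


@dataclass(frozen=True)
class Signature:
    """Temporal pattern of one application's file modifications.

    offsets maps each path the application touched to its modification time
    relative to the application's first modification (seconds).
    """
    app: str
    offsets: Dict[str, float]


def build_signature(app: str, records: List[FsRecord]) -> Signature:
    """Training phase: derive a signature from metadata captured while running
    the application alone on a clean system."""
    if not records:
        raise ValueError("need at least one record to build a signature")
    t0 = min(mtime for _, mtime in records)
    return Signature(app, {path: mtime - t0 for path, mtime in records})


def build_tpfsm_d(records: List[FsRecord]) -> Dict[str, float]:
    """Detection phase, step 1: temporal pattern of the whole hard disk as a
    path -> mtime map (the latest mtime wins if a path appears twice)."""
    disk: Dict[str, float] = {}
    for path, mtime in records:
        disk[path] = max(mtime, disk.get(path, mtime))
    return disk


def distance(sig: Signature, disk: Dict[str, float], tolerance: float = 5.0) -> float:
    """Assumed distance in [0, 1]: 0 means every signature file is on the disk
    with the same relative timing, 1 means nothing matches.

    A missing signature file contributes 1. A present file contributes its
    timing error (relative to the anchor) divided by `tolerance`, capped at 1.
    """
    present = [p for p in sig.offsets if p in disk]
    if not present:
        return 1.0
    # Anchor on the earliest signature file that exists on the disk and infer
    # when the run started, so absolute timestamps need not agree.
    anchor = min(present, key=lambda p: sig.offsets[p])
    run_start = disk[anchor] - sig.offsets[anchor]
    total = 0.0
    for path, off in sig.offsets.items():
        if path not in disk:
            total += 1.0
            continue
        err = abs((disk[path] - run_start) - off)
        total += min(err / tolerance, 1.0)
    return total / len(sig.offsets)


def decide(sig: Signature, disk: Dict[str, float],
           threshold: float = 0.3, tolerance: float = 5.0) -> bool:
    """Decision engine: the application is deemed to have run if the distance
    is at or below an assumed threshold."""
    return distance(sig, disk, tolerance) <= threshold


def reconstruct(signatures: List[Signature], disk_records: List[FsRecord],
                threshold: float = 0.3) -> List[str]:
    """Full detection phase: which of the known applications ran on the disk."""
    disk = build_tpfsm_d(disk_records)
    return sorted(s.app for s in signatures if decide(s, disk, threshold))


# Constructed training captures: each application run alone on a clean system.
TRAINING: Dict[str, List[FsRecord]] = {
    "editor": [("/home/u/.config/editor/recent", 1000.0),
               ("/home/u/.cache/editor/session", 1001.5),
               ("/home/u/.local/share/editor/log", 1004.0)],
    "browser": [("/home/u/.config/browser/prefs", 2000.0),
                ("/home/u/.cache/browser/cookies", 2000.5),
                ("/home/u/.cache/browser/history", 2030.0)],
}
SIGNATURES = [build_signature(app, recs) for app, recs in TRAINING.items()]

# Constructed metadata from a "compromised" disk: the editor pattern recurs at a
# different absolute time with small jitter; only one browser file is present.
DISK_RECORDS: List[FsRecord] = [
    ("/etc/hostname", 100.0),
    ("/home/u/.config/editor/recent", 5000.0),
    ("/home/u/.cache/editor/session", 5001.0),
    ("/home/u/.local/share/editor/log", 5004.5),
    ("/home/u/.config/browser/prefs", 7000.0),
]

if __name__ == "__main__":
    disk = build_tpfsm_d(DISK_RECORDS)
    for sig in SIGNATURES:
        print(f"{sig.app}: distance={distance(sig, disk):.3f} ran={decide(sig, disk)}")
    print("reconstructed:", reconstruct(SIGNATURES, DISK_RECORDS))
```

The anchoring step is what makes a relative temporal pattern usable as a signature: the compromised system's clock offset is absorbed by estimating the run start from the earliest matching file. In practice a single missing or later-overwritten file (for example, the browser history updated on every later run) raises the distance sharply, so the tolerance and threshold would need tuning on real captures rather than the constructed values used here.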

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2018.5209