Method of Event Reconstruction in Digital Investigation and its Visualization

A reconstruction of sequences of events that leads to a suspicious incident is an important phase in digital forensics investigation. Event reconstruction answers the question concerning the existence of digital object within computer at any particular time either triggered by an event or an effect of an event. Various event reconstruction techniques are used for representing the sequence of event that caused presence of the digital objects. The reconstruction of events in digital investigations is fairly complicated. Unaided reasoning is usually insufficient to comprehensively analyze the sequence of events to identify suspect, apprehend the guilty and defend the innocent. Most present techniques lacks of thoroughness, relevancy, and user friendliness. A development of a sound technique which could reduce the possibility of reasoning errors and hence increases the effectiveness of the analysis is crucial. This research defines a new method of event reconstruction which associates the capability to handle infinite set of incident scenarios, determine the relevancy of witness statements, and visualize all possibilities of incident scenarios. This study proposed a new method for representing the functionality of system under investigation as well as evidential statements. Some previous works only represent the functionality of the system under investigation as Finite State Machine (FSM). In the proposed method, the functionality of the system under investigation is represented as FSM whereby witness statement is represented as regular expression. An algorithm is developed to derive a Deterministic Finite Automaton (DFA) that accepts computations of FSM that represent the functionality of system under investigation. Similarly, the regular expression is transformed into another DFA using standard algorithms. Finally, the two DFAs are intersected to produce another DFA known as Diagram of Digital Event Reconstruction and Analysis (DDERA). Having both the functionality of system under investigation and evidential statement represented as DFAs, the event reconstruction is reduced to the problem of automata intersection. The proposed method of event reconstruction in this research has an ability to represent infinite sets of incident scenarios. Therefore, it is capable of handling problematic even transition graphs with loops. Moreover, it allows relevancy checking among given statements themselves as well as against the representation of the functionality of system under investigation. Visualization of all possible scenarios of incident in graphical manner facilitates efficient insight gaining into digital evidence. Above all, the whole research formalizes and automates digital forensic analysis into a new horizon.