Analysis of Time Activity Data Characteristics and Data Degradation in Digital Forensics
Date
2020
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
Activity analysis is an increasingly common task in complex investigative digital forensics examinations. This analysis relies on extracting data from a system and projecting backwards to identify and explain events that took place in the past. There have historically been two approaches: either examiners look at each log individually, or all individual records are extracted from all available sources and combined into a massive database for analysis. Either method ignores potentially relevant information about the context of the individual records as well as the characteristics of their sources. It is also challenging to identify if any records were once present but are now missing due to either intentional obfuscation or simply routine system operation and interactions. This work presents a taxonomy for describing time-activity data (TAD) and TAD source characteristics and describes an inferential analysis strategy based on the characteristics of TAD sources. This enables examiners to identify and describe the characteristics for different sources and how they may enhance or complicate activity analysis conclusions. This work also presents a state-based approach to activity analysis. This model for system state changes over time in response to user actions provides a method for the analysis of TAD records from successive disk images. This method was then applied to a series of images from the M57-Patents dataset to analyze the degradation of TAD record data over time from a series of linked images from the same system. The data was analyzed to see if the degradation varies by record source or type and to look for variation across three separate systems.