Extracting Evidence from Filesystem Activity using Bayesian Networks
journal contribution
posted on 2023-06-08, 07:26 authored by Muhammad Naeem Ahmed Khan, Chris Chatwin, Rupert Young

This research aims to ascertain filesystem access patterns produced by different application programs, and evaluates their potential utility in improving digital forensic analyses. The access patterns produced by the proposed methodology can serve as a decision support system for determining the possible execution of certain applications in the event of computer misuse. For this purpose, we propose the use of a causal Bayesian network that summarizes the most important relationships among integral parameters relating to filesystem activities such as access, creation, modification, file deletion, audit logs, registry entries and the manner in which the applications manipulate these parameters. Determining the state of a filesystem at a particular period of time is vital for conducting digital forensic analyses. Herein, we describe a Bayesian network-based technique to determine the state of a computer filesystem in terms of the program execution and files manipulated during some specific time period. Specifically, we discuss the construction of a Bayesian network from our prior knowledge of the manipulation of the filesystem and metadata information by a set of applications. The variations among the execution patterns of different applications indicate that the Bayesian network-based model is an appropriate tool, due to its ability to enable pattern learning and detection, even from an incomplete dataset. The focus of this paper is to highlight the merits of the Bayesian methods for learning, with regard to the techniques used for supervised learning in ordinary neural networks.
History
Publication status
- Published
Journal
- International Journal of Forensic Computer Science
ISSN
- 1809-9807
Issue
- 1
Volume
- 2
Page range
- 50-64
Department affiliated with
- Engineering and Design Publications
Notes
- http://www.ijofcs.org/V02N1-P04 - Extracting Evidence from Filesystem.pdf
Full text available
- No
Peer reviewed?
- Yes
Legacy Posted Date
- 2012-02-06