University of Sussex

Extracting Evidence from Filesystem Activity using Bayesian Networks

journal contribution
posted on 2023-06-08, 07:26 authored by Muhammad Naeem Ahmed Khan, Chris Chatwin, Rupert Young

This research aims to ascertain the filesystem access patterns produced by different application programs, and evaluates their potential utility in improving digital forensic analyses. The access patterns produced by the proposed methodology can serve as a decision support system for determining the possible execution of certain applications in the event of computer misuse. For this purpose, we propose the use of a causal Bayesian network that summarizes the most important relationships among integral parameters relating to filesystem activities, such as access, creation, modification, file deletion, audit logs and registry entries, and the manner in which applications manipulate these parameters. Determining the state of a filesystem at a particular period of time is vital for conducting digital forensic analyses. Herein, we describe a Bayesian network-based technique to determine the state of a computer filesystem in terms of the programs executed and the files manipulated during some specific time period. Specifically, we discuss the construction of a Bayesian network from our prior knowledge of how a set of applications manipulates the filesystem and its metadata. The variations among the execution patterns of different applications indicate that the Bayesian network-based model is an appropriate tool, because it enables pattern learning and detection even from an incomplete dataset. The paper focuses on the merits of Bayesian methods for learning compared with the supervised learning techniques used in ordinary neural networks.
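The abstract describes inferring which application ran from a causal Bayesian network over filesystem artefacts, and notes that the model still works when the evidence is incomplete. The following is an added example of that idea, not code or figures from the paper: the variables (app, file_created, registry_written, audit_entry), the graph structure and every probability in the tables are constructed for illustration, and the inference is plain enumeration over the joint distribution, which sums out any artefact the examiner could not observe.

```python
"""Exact inference in a small causal Bayesian network over filesystem
artefacts, to estimate which application ran.  This is example code added
to this page, not the authors' model: the variables, the graph and every
probability below are constructed for illustration and are not figures
from the paper."""
from itertools import product

# Variables are listed parents-first.  Each entry gives the variable's
# parents, its possible values and a conditional probability table keyed by
# the tuple of parent values.  Structure (constructed, not from the paper):
#   app -> file_created, app -> registry_written, file_created -> audit_entry
NETWORK = {
    "app": {
        "parents": (),
        "values": ("none", "browser", "editor"),
        "cpt": {(): {"none": 0.70, "browser": 0.20, "editor": 0.10}},
    },
    "file_created": {          # did a file appear in the monitored directory?
        "parents": ("app",),
        "values": (True, False),
        "cpt": {
            ("none",):    {True: 0.05, False: 0.95},
            ("browser",): {True: 0.60, False: 0.40},
            ("editor",):  {True: 0.80, False: 0.20},
        },
    },
    "registry_written": {      # was an application-specific registry key touched?
        "parents": ("app",),
        "values": (True, False),
        "cpt": {
            ("none",):    {True: 0.02, False: 0.98},
            ("browser",): {True: 0.50, False: 0.50},
            ("editor",):  {True: 0.30, False: 0.70},
        },
    },
    "audit_entry": {           # did the audit log record the file creation?
        "parents": ("file_created",),
        "values": (True, False),
        "cpt": {
            (True,):  {True: 0.90, False: 0.10},   # 10% of creations unlogged
            (False,): {True: 0.10, False: 0.90},   # spurious / unrelated entries
        },
    },
}


def check_network(network):
    """Sanity check: every CPT row is a proper distribution and every parent
    is declared before its child (required by joint_probability)."""
    seen = set()
    for var, spec in network.items():
        for parent in spec["parents"]:
            if parent not in seen:
                raise ValueError(f"{var}: parent {parent} declared after child")
        for parent_vals, row in spec["cpt"].items():
            if set(row) != set(spec["values"]) or abs(sum(row.values()) - 1.0) > 1e-9:
                raise ValueError(f"{var}{parent_vals}: CPT row is not a distribution")
        seen.add(var)
    return True


def joint_probability(network, assignment):
    """P(assignment) = product over variables of P(var | parents)."""
    p = 1.0
    for var, spec in network.items():
        parent_vals = tuple(assignment[parent] for parent in spec["parents"])
        p *= spec["cpt"][parent_vals][assignment[var]]
    return p


def posterior(network, query, evidence):
    """P(query | evidence) by enumeration.  Variables that are neither the
    query nor observed are summed out, so the evidence may be incomplete
    (an audit entry with no surviving file, a file with no audit entry, ...)."""
    for var, val in evidence.items():
        if val not in network[var]["values"]:
            raise ValueError(f"{var}: {val!r} is not a valid value")
    hidden = [v for v in network if v != query and v not in evidence]
    unnormalised = {}
    for qval in network[query]["values"]:
        total = 0.0
        for hidden_vals in product(*(network[v]["values"] for v in hidden)):
            assignment = dict(evidence, **{query: qval})
            assignment.update(zip(hidden, hidden_vals))
            total += joint_probability(network, assignment)
        unnormalised[qval] = total
    z = sum(unnormalised.values())
    return {val: p / z for val, p in unnormalised.items()}


def most_likely_app(evidence, network=NETWORK):
    """Return (app, P(app | evidence)) for the most probable application."""
    dist = posterior(network, "app", evidence)
    app = max(dist, key=dist.get)
    return app, dist[app]


if __name__ == "__main__":
    check_network(NETWORK)
    # Constructed evidence from a hypothetical examination.
    full = {"file_created": True, "registry_written": True, "audit_entry": True}
    partial = {"audit_entry": True}   # only the audit log survived
    print("full evidence  :", most_likely_app(full))
    print("audit log only :", most_likely_app(partial))
```

With all three artefacts observed the posterior on the browser is about 0.71; with only the audit entry it drops to about 0.40, and "none" is close behind at 0.34, which is the honest answer when most of the evidence is missing. The edge from file_created to audit_entry is what makes this a causal network rather than a naive-Bayes classifier: an audit entry is explained by the file creation, not directly by the application, so the two artefacts are not double-counted as independent evidence.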

History

Publication status

  • Published

Journal

International Journal of Forensic Computer Science

ISSN

1809-9807

Issue

1

Volume

2

Page range

50-64

Department affiliated with

  • Engineering and Design Publications

Notes

http://www.ijofcs.org/V02N1-P04 - Extracting Evidence from Filesystem.pdf

Full text available

  • No

Peer reviewed?

  • Yes

Legacy Posted Date

2012-02-06
