This research aims to ascertain filesystem access patterns produced by different application programs, and evaluates their potential utility in improving digital forensic analyses. The access patterns produced by the proposed methodology can serve as a decision support system for determining the possible execution of certain applications in the event of computer misuse. For this purpose, we propose the use of a causal Bayesian network that summarizes the most important relationships among integral parameters relating to filesystem activities such as access, creation, modification, file deletion, audit logs, registry entries and the manner in which the applications manipulate these parameters. Determining the state of a filesystem at a particular period of time is vital for conducting digital forensic analyses. Herein, we describe a Bayesian network-based technique to determine the state of a computer filesystem in terms of the program execution and files manipulated during some specific time period. Specifically, we discuss the construction of a Bayesian network from our prior knowledge of the manipulation of the filesystem and metadata information by a set of applications. The variations among the execution patterns of different applications indicate that the Bayesian network-based model is an appropriate tool, due to its ability to enable pattern learning and detection, even from an incomplete dataset. The focus of this paper is to highlight the merits of the Bayesian methods for learning, with regard to the techniques used for supervised learning in ordinary neural networks.
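As an added illustration of the decision-support idea in the abstract (not code from the paper), the following Python computes the posterior probability that a candidate application ran during a time window from the filesystem indicators the abstract names. It assumes a naive-Bayes structure (each indicator conditionally independent given the execution state), a constructed prior, and constructed likelihood tables; the application names and probabilities are hypothetical, not the paper's learned values. Indicators with no recorded value are marginalised out, which is how the model copes with an incomplete dataset.

```python
"""Posterior probability that an application ran, from filesystem indicators."""
from typing import Dict, List, Optional, Tuple

# Indicator variables taken from the abstract; each observation is True/False,
# or None when the artefact was not recorded for the window.
INDICATORS = ("access", "creation", "modification", "deletion", "audit_log", "registry")

# Constructed likelihood tables (hypothetical, not the paper's values):
# per application, (P(indicator seen | app ran), P(indicator seen | app did not run)).
APP_MODELS: Dict[str, Dict[str, Tuple[float, float]]] = {
    "secure_delete_tool": {
        "access": (0.90, 0.40), "creation": (0.20, 0.30), "modification": (0.70, 0.35),
        "deletion": (0.95, 0.10), "audit_log": (0.80, 0.20), "registry": (0.60, 0.15),
    },
    "word_processor": {
        "access": (0.95, 0.40), "creation": (0.85, 0.30), "modification": (0.90, 0.35),
        "deletion": (0.15, 0.10), "audit_log": (0.30, 0.20), "registry": (0.70, 0.15),
    },
}
PRIOR_RAN = 0.05  # assumed prior belief that a given application ran in the window


def posterior_ran(app: str, evidence: Dict[str, Optional[bool]], prior: float = PRIOR_RAN) -> float:
    """P(app ran | evidence) under a naive-Bayes structure.

    Unobserved indicators (value None) drop out of the product: because they are
    conditionally independent given the execution state, summing over their
    values contributes a factor of 1, so incomplete evidence is handled exactly.
    """
    if app not in APP_MODELS:
        raise KeyError(f"unknown application model: {app}")
    like_ran, like_not = prior, 1.0 - prior
    for name in INDICATORS:
        obs = evidence.get(name)
        if obs is None:
            continue
        p_ran, p_not = APP_MODELS[app][name]
        like_ran *= p_ran if obs else 1.0 - p_ran
        like_not *= p_not if obs else 1.0 - p_not
    return like_ran / (like_ran + like_not)


def rank_applications(evidence: Dict[str, Optional[bool]]) -> List[Tuple[str, float]]:
    """Rank candidate applications by posterior, highest first (decision support)."""
    scored = [(app, posterior_ran(app, evidence)) for app in APP_MODELS]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # Constructed window: files were accessed and deleted and an audit-log entry
    # exists; creation, modification and registry activity were not recorded.
    window = {"access": True, "deletion": True, "audit_log": True}
    for app, p in rank_applications(window):
        print(f"{app:20s} P(ran | evidence) = {p:.3f}")
```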
Digital Forensics, Digital Evidence.
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 2, Number 1, pp 50-64, DOI: 10.5769/J200701004 or http://dx.doi.org/10.5769/J200701004
Extracting Evidences from Filesystem Activity Using Bayesian Network
By Muhammad Khan, Chris Chatwin, and Rupert Young