Automated recognition of event scenarios for digital forensics

Full text: PDF (342 KB)

Source: Symposium on Applied Computing archive; Proceedings of the 2006 ACM symposium on Applied computing, Dijon, France
Session: Computer forensics (CF)
Pages: 293-300
Year of publication: 2006
ISBN: 1-59593-108-2
Authors

Jonathon Abbott, Queensland University of Technology, Brisbane, Qld, Australia
Jim Bell, Defence Science and Technology Org., Edinburgh SA, Australia
Andrew Clark, Queensland University of Technology, Brisbane, Qld, Australia
Olivier De Vel, Defence Science and Technology Org., Edinburgh SA, Australia
George Mohay, Queensland University of Technology, Brisbane, Qld, Australia

ABSTRACT
The authors have previously developed the ECF (Event Correlation for Forensics) framework for scenario matching in the forensic investigation of activity manifested in digital transactional logs. ECF incorporated a suite of log parsers to reduce event records from heterogeneous logs to a canonical form for lodging in an SQL database. This paper presents the work since then: the Auto-ECF system, which represents significant advances on ECF. The paper reports on the development and implementation of the new event abstraction and scenario specification methodology, and on the development of the Auto-ECF system, which builds on that methodology to achieve the automated recognition of event scenarios. The paper also reports on the evaluation of Auto-ECF using three scenarios, including one from the well-known DARPA test data.
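The pipeline the abstract describes (heterogeneous logs reduced by parsers to a canonical form, lodged in an SQL database, then matched against a scenario) can be illustrated end to end with a small self-contained script. What follows is an added example written for this page, not code from the paper or from ECF/Auto-ECF: the canonical table schema and field names, the two constructed log formats and their sample lines, and the scenario itself (repeated login failures, then a successful login, then a request to an administrative path, all from one source address within short time windows) are assumptions chosen for illustration. The paper's own event abstraction and scenario specification methodology is not reproduced here.

```python
# Added example (not the paper's code): parsers -> canonical events -> SQL ->
# scenario match. Schema, log formats and scenario are assumed for illustration.
import re
import sqlite3
from datetime import datetime

# Constructed sample records (not real logs): an sshd-style auth log from
# host1 and an Apache-style access log from host web1, both assumed UTC.
AUTH_LOG = """\
2006-03-01 10:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2006-03-01 10:00:04 host1 sshd: Failed password for alice from 10.0.0.5
2006-03-01 10:00:07 host1 sshd: Failed password for alice from 10.0.0.5
2006-03-01 10:00:20 host1 sshd: Accepted password for alice from 10.0.0.5
2006-03-01 11:30:00 host1 sshd: Accepted password for bob from 10.0.0.9
"""
WEB_LOG = """\
10.0.0.5 - alice [01/Mar/2006:10:01:05 +0000] "GET /admin/export HTTP/1.0" 200 512
10.0.0.9 - bob [01/Mar/2006:11:31:00 +0000] "GET /index.html HTTP/1.0" 200 128
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")
WEB_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumed canonical form: one row per event, whichever log it came from.
CANONICAL_DDL = """
CREATE TABLE event (
    id     INTEGER PRIMARY KEY,
    ts     TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS', UTC assumed
    host   TEXT NOT NULL,   -- host the log was collected from
    source TEXT NOT NULL,   -- originating log type / parser
    actor  TEXT,            -- user name where the record names one
    src_ip TEXT,            -- network peer where the record names one
    action TEXT NOT NULL,   -- normalised verb, e.g. login_fail, http_get
    target TEXT             -- object acted on, e.g. a URL path
)"""


def parse_auth(line):
    """sshd-style line -> canonical event dict, or None if it does not match."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    action = "login_fail" if m["outcome"] == "Failed" else "login_ok"
    return dict(ts=ts.isoformat(sep=" "), host=m["host"], source="sshd",
                actor=m["user"], src_ip=m["src"], action=action, target=None)


def parse_web(line, host="web1"):
    """Access-log line -> canonical event dict. The format carries no hostname,
    so the collecting host is supplied by the caller; the offset is ignored
    because all sample logs are assumed to be UTC already."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return dict(ts=ts.isoformat(sep=" "), host=host, source="httpd",
                actor=m["user"], src_ip=m["src"],
                action="http_" + m["method"].lower(), target=m["path"])


def load_events(conn, sources):
    """Run each (parser, log text) pair and lodge the canonical rows; return the count."""
    conn.execute(CANONICAL_DDL)
    n = 0
    for parse, text in sources:
        for line in text.splitlines():
            ev = parse(line)
            if ev is None:
                continue  # in practice unparsed lines are kept aside for manual review
            conn.execute("INSERT INTO event (ts, host, source, actor, src_ip, action, target)"
                         " VALUES (:ts, :host, :source, :actor, :src_ip, :action, :target)", ev)
            n += 1
    conn.commit()
    return n


# Assumed scenario, written as one query over the canonical table: at least
# three login failures for one actor/source address spanning <= 60 s, each
# within 5 min before a successful login for the same actor/address, followed
# within 5 min by an HTTP GET under /admin/ from that same address.
SCENARIO_SQL = """
SELECT f.actor, f.src_ip, COUNT(*) AS failures, MAX(f.ts) AS last_fail,
       s.ts AS login_ts, w.target AS accessed
FROM event f
JOIN event s
  ON s.action = 'login_ok' AND s.actor = f.actor AND s.src_ip = f.src_ip
 AND s.ts > f.ts AND julianday(s.ts) - julianday(f.ts) <= 300.0 / 86400
JOIN event w
  ON w.action = 'http_get' AND w.src_ip = f.src_ip AND w.target LIKE '/admin/%'
 AND w.ts > s.ts AND julianday(w.ts) - julianday(s.ts) <= 300.0 / 86400
WHERE f.action = 'login_fail'
GROUP BY f.actor, f.src_ip, s.ts, w.ts, w.target
HAVING COUNT(*) >= 3
   AND julianday(MAX(f.ts)) - julianday(MIN(f.ts)) <= 60.0 / 86400
"""


def find_scenarios(conn):
    cols = ("actor", "src_ip", "failures", "last_fail", "login_ts", "accessed")
    return [dict(zip(cols, row)) for row in conn.execute(SCENARIO_SQL)]


def run_demo():
    """Build the database from the constructed logs; return (rows loaded, matches)."""
    conn = sqlite3.connect(":memory:")
    n = load_events(conn, [(parse_auth, AUTH_LOG), (parse_web, WEB_LOG)])
    return n, find_scenarios(conn)


if __name__ == "__main__":
    loaded, matches = run_demo()
    print(f"{loaded} canonical events; {len(matches)} scenario match(es): {matches}")
```

The point of the canonical table is visible in the query: the three joins correlate on normalised `actor`, `src_ip` and `action` values without caring which parser produced each row, so a new log source only needs a new parser, not a new scenario. Two caveats a practitioner would add before trusting such a match: timestamps from different hosts must be brought onto one clock and time zone before correlation (this example sidesteps that by assuming UTC everywhere), and the fixed windows in the query are tuning parameters for this made-up scenario, not values taken from the paper.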