Title :
Time Bounding Event Reasoning in Computer Forensic
Author :
Jun, Liu Zhi ; Guo, Zhang Huan
Author_Institution :
Hubei Police Univ., Wuhan
Abstract :
Timestamps are widely used in computing and offer an easy way to determine the time of events in digital investigations. Unfortunately, the ability of users to change clock settings, the difficult to recover the multi-level overwriting data in a disk, etc. can not provide the efficient timestamp for event reasoning. In this paper, we present techniques to use lay technique to deal with the time of a file on local machine, even its data block of a file had been re-written many times or deleted long ago, and adopt the time offset mechanism to deal with the deviation time of the file at time t. Use a logging mechanism to record the time of modifications to each disk block and its deviation time at time t to calculate the real time of a file for reasoning the order of the events and obtaining a timeline of activities on a file.
Keywords :
file organisation; police data processing; computer forensic; digital investigations; logging mechanism; multilevel overwriting data; time bounding event reasoning; time offset mechanism; timestamps; Algorithm design and analysis; Clocks; Computational intelligence; Computer security; Forensics; Hard disks; Information security; Information technology; Web pages; Web server;
Conference_Titel :
Computational Intelligence and Security Workshops, 2007. CISW 2007. International Conference on
Conference_Location :
Harbin
Print_ISBN :
978-0-7695-3073-4
DOI :
10.1109/CISW.2007.4425652
