| Abstract [eng] |
Acquiring a clear perspective of events and artefacts that occur over time is a challenging objective to accomplish in digital forensics. Reconstruction of the timeline of events and artefacts, which enables digital investigators to understand the timeline of digital crime and interpret the conclusion in the form of digital evidence, is one of the most paramount and challenging tasks in digital forensics. This challenging task requires the analysis of immense amounts of events because of the explosive growth of the internet, interconnected devices, and innovative technology nowadays. Various approaches have been developed during the last decade, but most of them are not able to handle huge volumes of data, explore evidence, and enhance the understandability of timelines in a competent way to assist the investigator. For this purpose, we introduce a methodology backed by an abstraction concept and forensic tools that can support investigators during the reconstruction, understanding of the timeline of events and artefacts, and interpretation of evidence by tracing the activities performed by users of the typical computer system. The Java programming language is used to implement the proposed methodology, which is object-oriented and follows the symmetry definition in software. Generally, symmetry in software can be viewed as an invariant change that aims to preserve a specific property of the system, namely its structure, behaviour, regularity, similarity, familiarity and uniformity. Similarly, the abstraction-based methodology also permits us to follow the properties of symmetry. For instance, a uniform structure is stipulated for all the sources at the particular level of abstraction, such as the number of fields to be considered to provide the abstract level of timeline. The primary purpose of this approach is to assist with the analysis of the timeline in an optimum way. This paper illustrates the approach and then focuses on conceptual aspects of the methodology. The performed experiment shows that the proposed approach enhanced the analysis of the timeline. |
