Forensic Application-Fingerprinting based on file system Metadata

Kälber S, Dewald A, Freiling F (2013)


Publication Type: Conference contribution, Original article

Publication year: 2013

Edited Volumes: Proceedings - 7th International Conference on IT Security Incident Management and IT Forensics, IMF 2013

Pages Range: 98-112

Conference Proceedings Title: Proceedings of the 7th International Conference on IT Security Incident Management & IT Forensics

Event location: Nuremberg

DOI: 10.1109/IMF.2013.20

Abstract

While much work has been invested in tools for acquisition and extraction of digital evidence, there are only a few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the sets of files accessed by those actions overlap. © 2013 IEEE.

How to cite

APA:

Kälber, S., Dewald, A., & Freiling, F. (2013). Forensic Application-Fingerprinting based on file system Metadata. In Proceedings of the 7th International Conference on IT Security Incident Management & IT Forensics (pp. 98-112). Nuremberg.

MLA:

Kälber, Sven, Andreas Dewald, and Felix Freiling. "Forensic Application-Fingerprinting based on file system Metadata." Proceedings of the 7th International Conference on IT Security Incident Management & IT Forensics (IMF), Nuremberg 2013. 98-112.
