Project Details

Development of methods for the dynamic detection of malicious code using machine learning techniques.

Subject Area Security and Dependability, Operating-, Communication- and Distributed Systems
Term from 2011 to 2014
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 198804171
 
Final Report Year 2015

Final Report Abstract

Within the project, we analyzed different approaches to generic event reconstruction in the field of forensic computing. For this purpose, we set up a private-cloud infrastructure that provides sufficient computing power and enables scalability and load balancing. Moreover, we implemented a forensic fingerprinting framework that is not only client-server based but also fully automated. The framework can automatically perform interactions with a computer system just as a normal user would. This enables us to observe and extract the timestamp modification patterns that arise in the file system whenever an action is executed on a computer system. Installing and uninstalling software, starting an application, sending e-mails and instant messages, and deleting the web browser's history are all examples of such actions.

Based on those timestamp modification patterns, we implemented three different approaches to extracting characteristic evidence as digital fingerprints using techniques from machine learning. To do so, the input data must first be represented in a way amenable to mathematical methods, i.e. mapped to a vector space in which learning algorithms such as Support Vector Machines can be used to train a classifier. Additionally, we implemented and evaluated four different approaches to matching the data of an unknown hard disk against the database of fingerprints. Moreover, we analyzed the possibility of skipping the creation of fingerprints altogether by clustering the timestamps of a file system along its timeline into individual events.

Our evaluation has shown that it is possible to reconstruct events on a computer system based on fingerprints generated from timestamp metadata. However, the comparison of the different approaches has also shown that applying machine learning techniques did not yield significant improvements, either in generating the fingerprints or in matching them.
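The pipeline sketched in the abstract, as an added toy illustration that is not the project's code: an action's timestamp modification pattern becomes a sparse vector over (path, timestamp field) features, records from an unknown disk are matched to the fingerprint database by cosine similarity, and a bare timeline is split into candidate events by time gaps. The paths, field names, sample runs and the gap threshold are constructed assumptions.

```python
from collections import Counter
from math import sqrt

# Constructed sample (an assumption, not project data): (path, timestamp field)
# pairs observed in the file system while an action was performed, two runs each.
TRAINING = {
    "start_browser": [
        [("/home/u/.mozilla/places.sqlite", "mtime"), ("/home/u/.mozilla/places.sqlite", "ctime"),
         ("/home/u/.mozilla/sessionstore.js", "mtime"), ("/usr/bin/firefox", "atime")],
        [("/home/u/.mozilla/places.sqlite", "mtime"), ("/home/u/.mozilla/sessionstore.js", "mtime"),
         ("/usr/bin/firefox", "atime"), ("/home/u/.mozilla/cookies.sqlite", "mtime")],
    ],
    "install_tool": [
        [("/usr/bin/tool", "crtime"), ("/usr/bin/tool", "mtime"),
         ("/var/lib/dpkg/status", "mtime"), ("/var/log/dpkg.log", "mtime")],
        [("/usr/bin/tool", "crtime"), ("/var/lib/dpkg/status", "mtime"),
         ("/var/log/dpkg.log", "mtime"), ("/usr/share/doc/tool/copyright", "crtime")],
    ],
}

def fingerprint(runs):
    """Sparse vector: mean count of each (path, field) feature over the runs of one action."""
    total = Counter()
    for run in runs:
        total.update(run)  # features touched in every run end up with weight 1.0
    return {feature: count / len(runs) for feature, count in total.items()}

def cosine(a, b):
    """Cosine similarity of two sparse vectors given as feature -> weight dicts."""
    dot = sum(w * b.get(f, 0.0) for f, w in a.items())
    norm_a = sqrt(sum(w * w for w in a.values()))
    norm_b = sqrt(sum(w * w for w in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def match(observed, db):
    """(label, score) of the fingerprint closest to records from an unknown disk."""
    vec = dict(Counter(observed))
    return max(((label, cosine(vec, fp)) for label, fp in db.items()), key=lambda t: t[1])

def cluster_timeline(timestamps, gap=5.0):
    """Fingerprint-free variant: split a timeline (seconds) into events at gaps > `gap`."""
    events, current = [], []
    for t in sorted(timestamps):
        if current and t - current[-1] > gap:
            events.append(current)
            current = []
        current.append(t)
    if current:
        events.append(current)
    return events
```

A low best score from `match` is itself informative: none of the fingerprinted actions explains the observed modifications.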

Publications

  • Franz J. Király, Andreas Ziehe, and Klaus-Robert Müller. An algebraic method for approximate rank one factorization of rank deficient matrices. In Fabian Theis, Andrzej Cichocki, Arie Yeredor, and Michael Zibulevsky, editors, Latent Variable Analysis and Signal Separation, volume 7191 of Lecture Notes in Computer Science, pages 272–279. Springer Berlin Heidelberg, 2012.
  • Kristof Schütt, Marius Kloft, Alexander Bikadorov, and Konrad Rieck. Early detection of malicious behavior in JavaScript code. In Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence (AISec 2012), Raleigh, NC, USA, October 19, 2012, pages 15–24.
  • Konrad Rieck, Christian Wressnegger, and Alexander Bikadorov. Sally: A tool for embedding strings in vector spaces. Journal of Machine Learning Research, 13:3247–3251, 2012.
  • Konrad Rieck, Sören Sonnenburg, Sebastian Mika, Christian Schäfer, Pavel Laskov, David Tax, and Klaus-Robert Müller. Support vector machines. In James E. Gentle, Wolfgang Härdle, and Yuichi Mori, editors, Handbook of Computational Statistics: Concepts and Methods, Springer Handbooks of Computational Statistics, chapter 30, pages 883–926. Springer, Berlin, 2nd edition, 2012.
  • Sven Kälber, Andreas Dewald, and Felix C. Freiling. Forensic application-fingerprinting based on file system metadata. In 7th International Conference on IT Security Incident Management and IT Forensics (IMF 2013), pages 98–112, 2013.
  • Nico Görnitz, Marius Kloft, Konrad Rieck, and Ulf Brefeld. Toward supervised anomaly detection. Journal of Artificial Intelligence Research, 46:235–262, 2013.
  • Sven Kälber, Andreas Dewald, and Steffen Idler. Forensic zero-knowledge event reconstruction on filesystem metadata. In Gesellschaft für Informatik, editor, Sicherheit, pages 331–343, 2014.