Essay details:

  • Subject area(s): Engineering
  • Price: Free download
  • Published on: 7th September 2019
  • File format: Text
  • Number of pages: 2

Text preview of this essay:

This page is a preview - download the full version of this essay above.

A study on reconstruction methods and approaches

Reshma Raj K S

M-tech student, Cyber Forensics and Information Security

College of Engineering, Kallooppara

[email protected]

Abstract— the alarming rate of digital usage and the crimes

raises the need for more concentrated investigations, security

policies and control measures. Any actions that result in a cause

for crime or violations of the laws and policies are considered as

a crime. Even if an investigator conducted his investigation but

fails to produce the evidence properly then we cannot say that his

investigation is completed. Another problem is the lack of

measures and investigation tools for the distributive environment

such as cloud systems. Many challenges faced in this systems are

large storage, remote data collection, physical inaccessibility etc.

And here in this paper another challenge that is crime scene

reconstruction and the existing methods for such are discussed.

Keywords — forensics, cloud systems, events, digital

investigations, crime scene reconstruction.

crime includes the reconstruction of each of the


Our typical investigation phases are a little bit

impractical in several cases of cloud systems and so

is the reconstruction. But the reconstruction cannot

be avoided in many situations in order to prove a

case. It is sometimes inevitable to recreate the scene

of what actually happens in a system and what are

the changes which happens or causes the changes in

the system. This process of recreating a crime by an

investigator or an authorized person is called crime

scene reconstruction.



Digital forensics, sometimes known as digital

forensic science, is a branch of forensic science

which includes the recovery and investigation of

material found in digital devices, often in relation to

crime. Digital forensics investigations have a

variety of applications. The most common is to

support or refute a hypothesis before criminal or

civil (as part of the electronic discovery process)

courts. Cloud systems are one of the most efficient

and pay per use model computer paradigms that are

widely used nowadays. The present cloud

computing architectures are insufficient in cases of

security and forensics. Its dynamic nature presents

researchers a new area of research known as ‘Cloud

Forensics’. These highly scalable facilities in cloud

can be misused by malicious users to perform

attacks from the systems within the cloud system.

This will hide himself and his activities from his

personal system and can even confuse an

investigator. Another important thing is that a crime

is not a single process. It may include a sequence of

actions and different causes. Each of these actions

is normally called as events. So reconstructing a

An investigation is a process of collecting

evidences as well as informations, preserving these

evidences, examining and analysing and finding

who, what, how and when something had happened

regarding a crime or an action. The same is that of

in a digital investigation slightly rather than

physical evidences, digital evidences are considered.

But collecting digital evidences from physical

accessible machines and surroundings is also

considered as a part of the digital investigation.

In normal digital investigations the first action

performed by an investigator is to seize the system

which is considered to be the platform for a

particular crime. This can be performed as dead

analysis or live analysis. Then he tries to collect

informations useful for his case. From these the

relevant informations are gradually considered as

evidences. He then analyses the evidences and find

out suspect and his motive behind the crime. He

then produces these informations and conclusions

as a report before a court or an authority who

assigns him for the case. So in a typical digital

investigation the following steps are involved:

 Collection

 Preservation Analysis

 Presentation

may or may not be needed in physical investigation.

This can result in the difficulty of analysis but at the

same time the automation of some of the procedure

can be easier while using these tools.

An event can be of any type. Some can be a

A. Typical investigation Vs investigations in cloud

cause for an incident while others can be an effect

Many of the assumptions of traditional digital of an incident. Some events even can be of no

forensics are not valid in the cloud computing effects and these can be ignored when the

model. One of the major hurdles is that neither investigation becomes more concentrated. In other

users or nor investigators have physical access to words we can say that an event is an occurrence

the cloud. In cloud each servers contains different which can affect the state of a system or

files from many users. So without violating the information. This event can sometimes be an object

privacy policies of a user it is infeasible to seize which initiates another event. These interested

servers. Another challenge is the reliability of the objects or events are collected and their

evidences as the data is provided by CSP’s (Cloud characteristics are studied. The initiator object is

Service Provider) which is a third party. There is no difficult to identify in many cases. There can be one

specific method to ensure the integrity of the data. or more initiators in some cases.

Another thing to be concerned is that an

In order to provide services on demand cloud

doesn’t support persistent data storage in case of investigator cannot find out all of the steps which

terminated virtual machines (VM). So the data from are continuously performed by the criminal in

cloud VM’s are not available in such cases. Other earlier stages. For a continuous process he is only

challenges are multi-tenancy, large bandwidth, able to find out some of the discrete steps or events

and some of them are through his assumptions. This

logging and standards.

Besides these challenges cloud has some is because some of the events can occur at the same

advantages over traditional forensics like large data time while some can be on discrete time.

An event chaining is a sequence of events that

storage, huge computational performances,


cause one after the other or we can say if event

availability of resources, computation available

through VM’s, easiness of acquisition, preserving, e i is a cause for e i+1 and the series of events e i for

which i= 0,1,...K for k events. In their

cryptanalysis and copying and transferring of data.

reconstruction process they describe about 5 phases.


They are:

1. Evidence Examination



2. Role Classification

3. Event Construction and Testing

As already mentioned a crime is not a single

4. Event Sequencing

process but sequences of events. So reconstructing

5. Hypothesis Testing.

each event is a modular part in crime scene

In the first phase their main objective is to

reconstruction. Brian D. Carrier and Eugene H.


relevant objects and its characteristics. An

Spafford an approach;

object can have 2 properties; individual as well as

class characteristics. Individual properties include

 Role based event reconstruction

Research by Liao and Langweg proposed another unique characters that it has and class properties are

those characteristics which are common with other



 Resource based event reconstruction

In the role identification phase some of these

individual objects can be considered as initiators

A. Role based event reconstruction

which either exhibit as a cause for an event. Also

For the examination of the evidences tools must the events that are an effect of an event is also

be needed in case of digital investigation whichfiltered out. Now we get 2 classes of objects cause

objects and effect objects.

In the next phase we continuously construct and

test our causing objects and effects. This can be

time consuming and erroneous. Sometimes in this

phase we may end up in searching for further

objects. For the missing roles and objects

hypothesis is created and tested. This is repeated for

all the events.

In the event sequencing phase they are trying to

correlate each of these events into one single

process or event chains. The time stamp and other

temporal informations help to sequence these

events easily. In other cases several another

sequencing techniques like relational and functional


In the last phase i.e. hypothesis testing the

number of event chains and their sequences are

tested based on several hypothesis.

Resource based event reconstruction

This is similar to that of pole based except that it

may contain a readiness phase for the evidence

admissibility. It has the following phases:

 Readiness for collecting system call traces

 Deployment phase for receiving detection


 Investigation phase for preserving and

recognising evidences

 Reconstructing events

This approach basically focuses on pre-detecting


1. Initially retrieve the preserved data to collect


2. Clustering or grouping of data with similar


3. Searching within these clusters for possible


4. Similarity measure is performed.

5. Reporting the event.

The main advantage of this model is that it helps

the investigator to identify possible causes for his

hypothesis from the characteristics and properties

shown by the potential evidences.


Database reconstructions

This includes normal methods which are

performed during any transactions. When a

transaction is aborted then all the events related to

that particular transaction is roll backed to the

previous consistent state. Any changes to the

database can be easily roll backed by aborting the




The paper discusses about the existing scenarios

for event reconstruction. In case of cloud systems a

single framework or tool is developed for the

process. The paper tries to prove that the existing

methods rely mainly on event reconstruction which

can be further extending for the crime scene

reconstruction. Many of the forensic tools mostly

focus on data collection and analysis. So the need

for an efficient reconstruction framework or tool is

on urge.

Another automated approach for crime scene

...(download the rest of the essay above)

About this essay:

This essay was submitted to us by a student in order to help you with your studies.

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, . Available from:< > [Accessed 02.06.20].