A study on reconstruction methods and approaches
Reshma Raj K S
M-tech student, Cyber Forensics and Information Security
College of Engineering, Kallooppara
reshmamuth29@gmail.com
Abstract— the alarming rate of digital usage and the crimes
raises the need for more concentrated investigations, security
policies and control measures. Any actions that result in a cause
for crime or violations of the laws and policies are considered as
a crime. Even if an investigator conducted his investigation but
fails to produce the evidence properly then we cannot say that his
investigation is completed. Another problem is the lack of
measures and investigation tools for the distributive environment
such as cloud systems. Many challenges faced in this systems are
large storage, remote data collection, physical inaccessibility etc.
And here in this paper another challenge that is crime scene
reconstruction and the existing methods for such are discussed.
Keywords — forensics, cloud systems, events, digital
investigations, crime scene reconstruction.
crime includes the reconstruction of each of the
events.
Our typical investigation phases are a little bit
impractical in several cases of cloud systems and so
is the reconstruction. But the reconstruction cannot
be avoided in many situations in order to prove a
case. It is sometimes inevitable to recreate the scene
of what actually happens in a system and what are
the changes which happens or causes the changes in
the system. This process of recreating a crime by an
investigator or an authorized person is called crime
scene reconstruction.
II. DIGITAL INVESTIGATION
I. I NTRODUCTION
Digital forensics, sometimes known as digital
forensic science, is a branch of forensic science
which includes the recovery and investigation of
material found in digital devices, often in relation to
crime. Digital forensics investigations have a
variety of applications. The most common is to
support or refute a hypothesis before criminal or
civil (as part of the electronic discovery process)
courts. Cloud systems are one of the most efficient
and pay per use model computer paradigms that are
widely used nowadays. The present cloud
computing architectures are insufficient in cases of
security and forensics. Its dynamic nature presents
researchers a new area of research known as ‘Cloud
Forensics’. These highly scalable facilities in cloud
can be misused by malicious users to perform
attacks from the systems within the cloud system.
This will hide himself and his activities from his
personal system and can even confuse an
investigator. Another important thing is that a crime
is not a single process. It may include a sequence of
actions and different causes. Each of these actions
is normally called as events. So reconstructing a
An investigation is a process of collecting
evidences as well as informations, preserving these
evidences, examining and analysing and finding
who, what, how and when something had happened
regarding a crime or an action. The same is that of
in a digital investigation slightly rather than
physical evidences, digital evidences are considered.
But collecting digital evidences from physical
accessible machines and surroundings is also
considered as a part of the digital investigation.
In normal digital investigations the first action
performed by an investigator is to seize the system
which is considered to be the platform for a
particular crime. This can be performed as dead
analysis or live analysis. Then he tries to collect
informations useful for his case. From these the
relevant informations are gradually considered as
evidences. He then analyses the evidences and find
out suspect and his motive behind the crime. He
then produces these informations and conclusions
as a report before a court or an authority who
assigns him for the case. So in a typical digital
investigation the following steps are involved:
Collection
Preservation Analysis
Presentation
may or may not be needed in physical investigation.
This can result in the difficulty of analysis but at the
same time the automation of some of the procedure
can be easier while using these tools.
An event can be of any type. Some can be a
A. Typical investigation Vs investigations in cloud
cause for an incident while others can be an effect
Many of the assumptions of traditional digital of an incident. Some events even can be of no
forensics are not valid in the cloud computing effects and these can be ignored when the
model. One of the major hurdles is that neither investigation becomes more concentrated. In other
users or nor investigators have physical access to words we can say that an event is an occurrence
the cloud. In cloud each servers contains different which can affect the state of a system or
files from many users. So without violating the information. This event can sometimes be an object
privacy policies of a user it is infeasible to seize which initiates another event. These interested
servers. Another challenge is the reliability of the objects or events are collected and their
evidences as the data is provided by CSP’s (Cloud characteristics are studied. The initiator object is
Service Provider) which is a third party. There is no difficult to identify in many cases. There can be one
specific method to ensure the integrity of the data. or more initiators in some cases.
Another thing to be concerned is that an
In order to provide services on demand cloud
doesn’t support persistent data storage in case of investigator cannot find out all of the steps which
terminated virtual machines (VM). So the data from are continuously performed by the criminal in
cloud VM’s are not available in such cases. Other earlier stages. For a continuous process he is only
challenges are multi-tenancy, large bandwidth, able to find out some of the discrete steps or events
and some of them are through his assumptions. This
logging and standards.
Besides these challenges cloud has some is because some of the events can occur at the same
advantages over traditional forensics like large data time while some can be on discrete time.
An event chaining is a sequence of events that
storage, huge computational performances,
can
cause one after the other or we can say if event
availability of resources, computation available
through VM’s, easiness of acquisition, preserving, e i is a cause for e i+1 and the series of events e i for
which i= 0,1,…K for k events. In their
cryptanalysis and copying and transferring of data.
reconstruction process they describe about 5 phases.
.
They are:
1. Evidence Examination
III. EXISTING RECONSTRUCTION METHODS AND
TOOLS
2. Role Classification
3. Event Construction and Testing
As already mentioned a crime is not a single
4. Event Sequencing
process but sequences of events. So reconstructing
5. Hypothesis Testing.
each event is a modular part in crime scene
In the first phase their main objective is to
reconstruction. Brian D. Carrier and Eugene H.
identify
relevant objects and its characteristics. An
Spafford an approach;
object can have 2 properties; individual as well as
class characteristics. Individual properties include
Role based event reconstruction
Research by Liao and Langweg proposed another unique characters that it has and class properties are
those characteristics which are common with other
model
objects.
Resource based event reconstruction
In the role identification phase some of these
individual objects can be considered as initiators
A. Role based event reconstruction
which either exhibit as a cause for an event. Also
For the examination of the evidences tools must the events that are an effect of an event is also
be needed in case of digital investigation whichfiltered out. Now we get 2 classes of objects cause
objects and effect objects.
In the next phase we continuously construct and
test our causing objects and effects. This can be
time consuming and erroneous. Sometimes in this
phase we may end up in searching for further
objects. For the missing roles and objects
hypothesis is created and tested. This is repeated for
all the events.
In the event sequencing phase they are trying to
correlate each of these events into one single
process or event chains. The time stamp and other
temporal informations help to sequence these
events easily. In other cases several another
sequencing techniques like relational and functional
informations.
In the last phase i.e. hypothesis testing the
number of event chains and their sequences are
tested based on several hypothesis.
Resource based event reconstruction
This is similar to that of pole based except that it
may contain a readiness phase for the evidence
admissibility. It has the following phases:
Readiness for collecting system call traces
Deployment phase for receiving detection
alerts
Investigation phase for preserving and
recognising evidences
Reconstructing events
This approach basically focuses on pre-detecting
crimes.
1. Initially retrieve the preserved data to collect
informations
2. Clustering or grouping of data with similar
functionalities.
3. Searching within these clusters for possible
events.
4. Similarity measure is performed.
5. Reporting the event.
The main advantage of this model is that it helps
the investigator to identify possible causes for his
hypothesis from the characteristics and properties
shown by the potential evidences.
C.
Database reconstructions
This includes normal methods which are
performed during any transactions. When a
transaction is aborted then all the events related to
that particular transaction is roll backed to the
previous consistent state. Any changes to the
database can be easily roll backed by aborting the
transactions.
B.
IV. C ONCLUSIONS
The paper discusses about the existing scenarios
for event reconstruction. In case of cloud systems a
single framework or tool is developed for the
process. The paper tries to prove that the existing
methods rely mainly on event reconstruction which
can be further extending for the crime scene
reconstruction. Many of the forensic tools mostly
focus on data collection and analysis. So the need
for an efficient reconstruction framework or tool is
on urge.
Another automated approach for crime scene