Event Reconstruction: A State of the Art

Yoan Chabot, Aurélie Bertaux, Tahar Kechadi, Christophe Nicolle
DOI: 10.4018/978-1-4666-6324-4.ch015


Event reconstruction is one of the most important steps in digital forensic investigations. It allows investigators to have a clear view of the events that have occurred over a time period. Event reconstruction is a complex task that requires exploration of a large number of events due to the pervasiveness of new technologies. Any evidence produced at the end of the investigative process must also meet the requirements of the courts, such as reproducibility, verifiability, validation, etc. After defining the most important concepts of event reconstruction, the authors present a survey of the challenges of this field and the solutions proposed so far.
Chapter Preview


Event reconstruction is “the process of identifying the underlying conditions and reconstructing the sequence of events that led to a security incident” (Jeyaraman & Atallah, 2006). There are several types of event reconstruction depending on the nature of the incident. This chapter focuses on prosecutorial forensic analysis, which is used to solve digital crime, and so we explain the terminology we use.

Key Terms in this Chapter

Timeline: Structure containing chronologically ordered events. A timeline allows investigators to have a global overview of the case and to know, for example, which machines were used, which applications were launched or which files have been modified at a given time.

Event Reconstruction: Process that allows an incident to be described exhaustively using information left at a crime scene.

Event: An event is a single action occurring at a given time and for a certain duration. An event may be the drafting of a document, the reading of a webpage or a chat conversation with somebody.

Footprint: Trace of a past activity. In a digital context, a footprint may be a piece of information about web activity, a document or a file left in the bin.

Evidence: Entity used to affirm or refute an assertion.

Digital forensics: Use of computer science to help investigators to solve cybercriminal cases.

Crime Scene: The crime scene is a space where a crime or an incident takes place.

Legal Requirements: To be admissible in a court, each piece of evidence must meet several legal requirements such as reproducibility of the process used, credibility and integrity of data.
