Timestamp Update Thresholds for Event Reconstruction

Update Thresholds of More Accurate Time Stamp for Event Reconstruction

  • Received: 2017.02.23
  • Accepted: 2017.04.07
  • Published: 2017.04.30

Abstract

Many systems rely on timestamps to establish when a particular action or event occurred in a digital investigation, for example when determining what actions a suspect performed. However, an object is updated only after a small delay following the moment the event actually occurs. This paper defines a simple model of a digital system whose objects have associated timestamps. The model is used to predict the update patterns of timestamp-associated objects and makes it possible to predict the range of update delays. Through an empirical study we show that timestamp update patterns are not simultaneous, and we present a method for calculating the timestamp update distribution on a particular system in order to determine more accurate action times.

Many systems rely on reliable timestamps to determine the time of a particular action or event. This is especially true in digital investigations where investigators are attempting to determine when a suspect actually committed an action. The challenge, however, is that objects are not updated at the exact moment that an event occurs, but within some time-span after the actual event. In this work we define a simple model of digital systems with objects that have associated timestamps. The model is used to predict object update patterns for objects with associated timestamps, and make predictions about these update time-spans. Through empirical studies of digital systems, we show that timestamp update patterns are not instantaneous. We then provide a method for calculating the distribution of timestamp updates on a particular system to determine more accurate action instance times.
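As an added illustration of the idea in the abstract (this is not the paper's own method, which the page does not reproduce), the Python below takes a constructed sample of measured update delays, derives an empirical update threshold, and turns an observed timestamp into the interval in which the action could have occurred; the sample data, function names and quantile choices are all assumptions.

```python
import math
from typing import List, Tuple

# Constructed (hypothetical) sample: seconds between a known action time and the
# moment the associated object's timestamp was observed to change on a test system.
OBSERVED_UPDATE_DELAYS: List[float] = [
    0.0, 0.1, 0.1, 0.2, 0.3, 0.3, 0.5, 0.8, 1.2, 2.0, 4.5, 9.0,
]


def update_threshold(delays: List[float], quantile: float = 0.95) -> float:
    """Empirical update threshold: the delay not exceeded by `quantile` of the
    measured samples. Uses the nearest-rank method on the sorted sample, so the
    result is always a delay that was actually observed."""
    if not delays or not 0.0 < quantile <= 1.0:
        raise ValueError("need at least one sample and 0 < quantile <= 1")
    ordered = sorted(delays)
    rank = max(1, math.ceil(quantile * len(ordered)))
    return ordered[rank - 1]


def action_time_interval(timestamp: float, delays: List[float],
                         quantile: float = 0.95) -> Tuple[float, float]:
    """Bound the action time from an observed timestamp: the update happens only
    after the action, so the action lies in [timestamp - threshold, timestamp]."""
    threshold = update_threshold(delays, quantile)
    return (timestamp - threshold, timestamp)


def reliably_ordered(ts_a: float, ts_b: float, delays: List[float],
                     quantile: float = 0.95) -> bool:
    """True only when action A certainly preceded action B, i.e. the whole
    interval for A ends before the interval for B begins. Timestamps closer
    together than the threshold cannot be ordered with confidence."""
    _, end_a = action_time_interval(ts_a, delays, quantile)
    start_b, _ = action_time_interval(ts_b, delays, quantile)
    return end_a < start_b


if __name__ == "__main__":
    for q in (0.5, 0.75, 0.95):
        print(f"quantile {q:.2f}: threshold {update_threshold(OBSERVED_UPDATE_DELAYS, q):.1f}s")
    print("interval for timestamp 100.0:", action_time_interval(100.0, OBSERVED_UPDATE_DELAYS, 0.75))
    print("100.0 before 101.0?", reliably_ordered(100.0, 101.0, OBSERVED_UPDATE_DELAYS, 0.75))
    print("100.0 before 102.0?", reliably_ordered(100.0, 102.0, OBSERVED_UPDATE_DELAYS, 0.75))
```

The choice of quantile is the analyst's confidence requirement: a higher quantile yields a wider, safer interval but orders fewer event pairs.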
