Event-based computer profiling for the forensic reconstruction of computer activity

Marrington, Andrew D., Mohay, George M., Clark, Andrew J., & Morarji, Hasmukh L. (2007) Event-based computer profiling for the forensic reconstruction of computer activity. In Clark, A., McPherson, M., & Mohay, G. (Eds.) AusCERT Asia Pacific Information Technology Security Conference (AusCERT2007): Refereed R&D Stream, 20-25 May, 2007, Gold Coast, Qld.


In cases where an investigator has no prior knowledge of a computer system to be investigated, the significant investment of time and resources required to undertake a detailed computer forensic examination may deter investigators, given it is not known whether it will yield any relevant evidence. This problem is particularly acute in cases involving acceptable usage monitoring or intelligence operations, where an investigator has no particular expectations about the digital evidence which might be found on a collection of computer systems, or no prior knowledge of their usage. Computer profiling is a process by which a computer system is automatically examined, without direction, to determine whether the computer system is of interest to a human investigator. This paper proposes a new technique for automated computer forensic investigations which provides a computer profile with historical timelining of user and application activity. A prototype software implementation of the technique is described and experimental results are provided and discussed which demonstrate the feasibility and value of incorporating activity traces into a computer profile.

Impact and interest:

Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

1,211 since deposited on 11 Nov 2008
30 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 15579
Item Type: Conference Paper
Refereed: Yes
Additional Information: The contents of this conference can be freely accessed online via the web page provided (see hypertext link).
Additional URLs:
ISBN: 9781864998771
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Format not elsewhere classified (080499)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2007 (please consult author)
Deposited On: 11 Nov 2008 00:00
Last Modified: 29 Feb 2012 13:31

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page