Title: A survey on forensic event reconstruction systems

Authors: Abes Dabir; AbdelRahman M. Abdou; Ashraf Matrawy

Addresses: Systems and Computer Engineering, Carleton University, 1125 Colonel By Drive, Ottawa, ON, K1S 5B6, Canada; Systems and Computer Engineering, Carleton University, 1125 Colonel By Drive, Ottawa, ON, K1S 5B6, Canada; School of Information Technology, Carleton University, 1125 Colonel By Drive, Ottawa, ON, K1S 5B6, Canada

Abstract: Security-related incidents such as unauthorised system access, data tampering and theft have been rising noticeably. Tools such as firewalls, intrusion detection systems and anti-virus software strive to prevent these incidents. Since these tools only prevent an attack, once an illegal intrusion occurs they cease to provide useful information beyond that point. Consequently, system administrators are interested in identifying the exploited vulnerability in order to: 1) avoid future exploitation; 2) recover corrupted data; 3) present the attacker to law enforcement where possible. Forensic event reconstruction systems are used to provide administrators with this information. We present a survey of the approaches to forensic event reconstruction systems proposed over the past few years. Technical details are discussed, along with an analysis of their effectiveness, advantages and limitations. The presented tools are compared and assessed against the primary principles that a forensic technique is expected to follow.

Keywords: forensic event reconstruction; ReVirt; Forensix; backtracker.

DOI: 10.1504/IJICS.2017.087565

International Journal of Information and Computer Security, 2017 Vol.9 No.4, pp.337 - 360

Received: 02 Aug 2016
Accepted: 06 Aug 2016

Published online: 18 Oct 2017
