Abstract

The number of cyber attacks grows constantly, which requires organizations to respond to security incidents quickly and adequately. Digital forensics plays an essential role in this response. In the digital investigation process, relevant digital evidence has to be identified and separated from irrelevant evidence. In this paper, we describe the construction of ordinary and fuzzy formal contexts from digital evidence collected from event logs and the NTFS (New Technology File System) filesystem. We generated four concept lattices for various subsets of attributes concerning timestamps, file types, or event logs. We explore association rules and their connection to Formal Concept Analysis, and apply several algorithms, including GUHA methods, to our data. We compare, evaluate and interpret the various methods for association rule mining. Moreover, we describe the state of the art of fuzzy attribute implications in Formal Concept Analysis and interpret the implications over our epoch-time attributes. Our solution produces warnings that prompt the security analyst to manually check and inspect suspicious records in the data, so the analyst can quickly find the records relevant to the case and perform further analysis.
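The following added example is not code from the paper; the record layout, attribute names, incident window and the "rare attribute combination" warning heuristic are assumptions made for illustration. It builds an ordinary formal context from constructed NTFS and event-log records by conceptual scaling, enumerates the formal concepts by closing attribute subsets, derives attribute implications with their support, and scales the epoch timestamps into a fuzzy context whose degree expresses closeness to the incident window:

```python
"""Toy Formal Concept Analysis over constructed digital-evidence records.

Added example, not the paper's code. Record layout, attribute names, the
incident window and the rare-combination warning heuristic are assumptions.
"""
from itertools import combinations

# Assumed incident window (epoch seconds) used to derive the time attribute.
WINDOW_START, WINDOW_END = 1_700_000_000, 1_700_003_600

# Constructed sample records: NTFS file entries (f*) and event-log entries (e*).
RECORDS = [
    {"id": "f1", "source": "ntfs", "ext": ".exe", "time": 1_700_000_500},
    {"id": "f2", "source": "ntfs", "ext": ".dll", "time": 1_700_000_700},
    {"id": "f3", "source": "ntfs", "ext": ".txt", "time": 1_699_000_000},
    {"id": "f4", "source": "ntfs", "ext": ".exe", "time": 1_700_000_800},
    {"id": "f5", "source": "ntfs", "ext": ".log", "time": 1_700_005_400},
    {"id": "e1", "source": "evtlog", "event": "process_create", "time": 1_700_000_510},
    {"id": "e2", "source": "evtlog", "event": "logon", "time": 1_700_000_100},
    {"id": "e3", "source": "evtlog", "event": "logon", "time": 1_690_000_000},
]


def scale(record):
    """Conceptual scaling: turn one record into a set of binary attributes."""
    attrs = {record["source"]}
    if "ext" in record:
        attrs.add("ext:" + record["ext"])
    if "event" in record:
        attrs.add("event:" + record["event"])
    inside = WINDOW_START <= record["time"] <= WINDOW_END
    attrs.add("in_window" if inside else "out_window")
    return frozenset(attrs)


def build_context(records):
    """Ordinary (crisp) formal context: object id -> attribute set."""
    return {r["id"]: scale(r) for r in records}


def extent(ctx, attrs):
    """Objects that have every attribute in attrs."""
    return frozenset(o for o, a in ctx.items() if attrs <= a)


def intent(ctx, objs):
    """Attributes shared by all objects in objs (all attributes if objs is empty)."""
    all_attrs = frozenset().union(*ctx.values())
    return all_attrs if not objs else frozenset.intersection(*(ctx[o] for o in objs))


def concepts(ctx):
    """All formal concepts (extent, intent): close every attribute subset."""
    all_attrs = sorted(frozenset().union(*ctx.values()))
    found = {}  # intent -> extent; closed intents are unique
    for k in range(len(all_attrs) + 1):
        for subset in combinations(all_attrs, k):
            ext = extent(ctx, frozenset(subset))
            found[intent(ctx, ext)] = ext
    return [(ext, intent_) for intent_, ext in found.items()]


def implications(ctx, min_support=1, max_premise=1):
    """Attribute implications P -> C with C = closure(P) minus P, support |extent(P)|."""
    all_attrs = sorted(frozenset().union(*ctx.values()))
    rules = []
    for k in range(1, max_premise + 1):
        for premise in combinations(all_attrs, k):
            premise = frozenset(premise)
            ext = extent(ctx, premise)
            conclusion = intent(ctx, ext) - premise
            if conclusion and len(ext) >= min_support:
                rules.append((premise, conclusion, len(ext)))
    return rules


def rare_records(ctx, max_support=1):
    """Assumed warning heuristic: records whose full attribute combination is
    shared by at most max_support objects; the analyst inspects these first."""
    return sorted(o for o, a in ctx.items() if len(extent(ctx, a)) <= max_support)


def near_window(t, start=WINDOW_START, end=WINDOW_END, margin=3600):
    """Fuzzy membership in [0, 1] of an epoch timestamp to the incident window:
    1 inside the window, linear decay to 0 over `margin` seconds on either side."""
    if start <= t <= end:
        return 1.0
    distance = start - t if t < start else t - end
    return max(0.0, 1.0 - distance / margin)


def build_fuzzy_context(records):
    """Fuzzy context: object id -> {attribute: degree}; crisp attributes get 1.0,
    the crisp in/out_window attribute is replaced by the graded near_window."""
    fuzzy = {}
    for r in records:
        degrees = {a: 1.0 for a in scale(r) if not a.endswith("_window")}
        degrees["near_window"] = near_window(r["time"])
        fuzzy[r["id"]] = degrees
    return fuzzy


if __name__ == "__main__":
    ctx = build_context(RECORDS)
    print(len(concepts(ctx)), "concepts")
    for p, c, s in implications(ctx, min_support=2):
        print(sorted(p), "->", sorted(c), "support", s)
    print("inspect first:", rare_records(ctx))
    print({o: d["near_window"] for o, d in build_fuzzy_context(RECORDS).items()})
```

Closing every attribute subset is exponential in the number of attributes and only works for a toy context; for real event-log volumes, an incremental algorithm such as NextClosure is the usual replacement, and the min_support threshold on the implications is what keeps one-off coincidences out of the analyst's warning list.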
