Event logs are a powerful source of digital evidence as they contain detailed information about activities performed on a computer. Forensic investigation of the event logs is a challenging and time-consuming task due to their large volume and continuous generation. A significant amount of time, effort, and knowledge is required to interpret their contents, discovering irregular events that are potentially pertinent to the investigation. As the number of digital investigations increases, so too must resources available to investigators. This requires new techniques to make the process easier and faster, reducing the burden on human investigators as well as being resource efficient. In this paper, a novel solution is presented to examine event logs and automatically identify irregular activities during forensic analysis. The proposed solution utilises a rare itemset mining approach to establish relationships among event entries, based on their contents. Following on, identified event relationships are ordered based on their temporal order to represent the timeline or sequence of activity. The solution is also capable of prioritising identified activities by calculating their degree of irregularity. The empirical analysis is performed on 15 live machines, and the results are discussed in terms of accuracy and performance metrics.
Read full abstract