Yoan Chabot
Aurelie Bertaux
Christophe Nicolle
Tahar Kechadi

Abstract

Having a clear view of events that occurred over time is a difficult objective to achieve in

digital investigations (DI). Event reconstruction, which allows investigators to understand

the timeline of a crime, is one of the most important step of a DI process. This complex task

requires exploration of a large amount of events due to the pervasiveness of new tech-

nologies nowadays. Any evidence produced at the end of the investigative process must

also meet the requirements of the courts, such as reproducibility, verifiablity, validation,

etc. For this purpose, we propose a new methodology, supported by theoretical concepts,

that can assist investigators through the whole process including the construction and the

interpretation of the events describing the case. The proposed approach is based on a

model which integrates knowledge of experts from the fields of digital forensics and

software development to allow a semantically rich representation of events related to the

incident. The main purpose of this model is to allow the analysis of these events in an

automatic and efficient way. This paper describes the approach and then focuses on the

main conceptual and formal aspects: a formal incident modelization and operators for

timeline reconstruction and analysis.

©

2014 Digital Forensics Research Workshop. Published by Elsevier Limited. All rights

reserved.