Please use this identifier to cite or link to this item: https://dspace.iiti.ac.in/handle/123456789/11361
Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Sangwan, Aniket | en_US |
| dc.contributor.author | Jain, Sarthak | en_US |
| dc.contributor.author | Hubballi, Neminath | en_US |
| dc.date.accessioned | 2023-02-27T15:27:45Z | - |
| dc.date.available | 2023-02-27T15:27:45Z | - |
| dc.date.issued | 2022 | - |
| dc.identifier.citation | Sangwan, A., Jain, S., & Hubballi, N. (2022). WiP: EventTracker-event driven evidence collection for Digital forensics doi:10.1007/978-3-031-23690-7_15 Retrieved from www.scopus.com | en_US |
| dc.identifier.isbn | 978-3031236891 | - |
| dc.identifier.issn | 0302-9743 | - |
| dc.identifier.other | EID(2-s2.0-85145256759) | - |
| dc.identifier.uri | https://doi.org/10.1007/978-3-031-23690-7_15 | - |
| dc.identifier.uri | https://dspace.iiti.ac.in/handle/123456789/11361 | - |
| dc.description.abstract | Digital forensics involves credible evidence collection from digital assets and analysis to conclusively attribute events to users and sources. Traditional forensic methods only focus on preserving the evidence and audit trail generated. Further they have the standard practices for evidence collection by invoking these methods manually. In this paper, we present EventTracker which has the features of traditional methods to monitor and track file system and user activity, and can also dynamically invoke evidence collection based on events of interest. EventTracker allows the user to specify the kind of evidence required for an event type giving more flexibility to the user. It also allows users to define custom event types and monitor the system and evidence be logged safely. We implement a proof of concept code of EventTracker integrating several open source facilities and also furnish details of experiments with a handful of custom event types. We also perform a measurement study with file monitoring and quantify the frequency and number of changes typical system operations do to the underlying file system and conclude that the number of changes is often high which warrants automated techniques for investigation. © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG. | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | Springer Science and Business Media Deutschland GmbH | en_US |
| dc.source | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | en_US |
| dc.subject | Computer crime | en_US |
| dc.subject | Computer forensics | en_US |
| dc.subject | Electronic crime countermeasures | en_US |
| dc.subject | Open systems | en_US |
| dc.subject | Activity monitoring | en_US |
| dc.subject | Audit trails | en_US |
| dc.subject | Digital analysis | en_US |
| dc.subject | Digital assets | en_US |
| dc.subject | Event Types | en_US |
| dc.subject | Event-driven | en_US |
| dc.subject | Event-tracking | en_US |
| dc.subject | Evidence collection | en_US |
| dc.subject | Filesystem | en_US |
| dc.subject | Standard practices | en_US |
| dc.subject | File organization | en_US |
| dc.title | WiP: EventTracker-Event Driven Evidence Collection for Digital Forensics | en_US |
| dc.type | Conference Paper | en_US |
Appears in Collections: Department of Computer Science and Engineering

Files in This Item:
There are no files associated with this item.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
