  BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
| Zeitline: a forensic timeline editor
quote: The area of event reconstruction in computer forensics deals with analyzing and evaluating data obtained from a system and using it to determine what happened. The data recovery process is a well-covered area within computer forensics, but little work has been done on how to actually analyze and evaluate the data. Only very crude tools, such as mactimes or individual log analyzers, exist. A comprehensive event reconstruction on a system that takes into account data from various sources, such as file MAC times, system logs, firewall logs, and application data, is mostly done manually by the investigator. With storage capacities growing rapidly and systems more and more being permanently connected to global networks, it is not uncommon that the number of events recorded by a system easily goes into the hundreds of thousands.
To provide an investigator a tool that helps him process this large amount of data, we are developing a graphical time line editor. The tool should allow the grouping of events into super-events. The main data structure for the time line analyzer is the event. An event consists of a time span when the event took place, a source to denote the origin of the event, and a description of the event. An event can contain a list of sub-events and can also be part of a super-event's sub-list. Starting with events at discrete times that were generated from the system information, events that belong to the same "action" can thus be grouped together into event hierarchies. For example, the three events "access program gcc", "access file x" and "access library y" could be grouped together into a super-event by an investigator labeled "compile program x", which in turn could be part of another super-event "install rootkit z".
»www.cerias.purdue.edu/homes/fore···line.php -- $ /bin/whoami nobody |
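The event/super-event hierarchy described in the quoted text, worked through as an added example. This is not Zeitline's code: the `Event` class, the `group()` helper, the pipe-delimited `timestamp|source|description` input format and the sample records are all assumptions constructed for illustration, and the hierarchy built at the end reproduces the "compile program x" / "install rootkit z" example from the quote.

```python
"""Added example of a forensic event hierarchy (not Zeitline's own code).
Event, group(), parse_line() and the line format are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class Event:
    """One event: a time span, a source naming where it came from, a description.
    It may hold sub-events and may itself sit in a super-event's sub-list."""
    start: datetime
    end: datetime
    source: str
    description: str
    sub_events: List["Event"] = field(default_factory=list)
    parent: Optional["Event"] = field(default=None, repr=False, compare=False)

    def add(self, child: "Event") -> None:
        """Attach a sub-event, moving it out of any previous super-event."""
        if child.parent is not None:
            child.parent.sub_events.remove(child)
        child.parent = self
        self.sub_events.append(child)

    def leaves(self) -> List["Event"]:
        """The atomic (discrete-time) events beneath this one, in time order."""
        if not self.sub_events:
            return [self]
        found: List[Event] = []
        for child in self.sub_events:
            found.extend(child.leaves())
        return sorted(found, key=lambda e: (e.start, e.end))


def group(children: List[Event], description: str, source: str = "investigator") -> Event:
    """Build a super-event whose span covers min(start)..max(end) of its children."""
    if not children:
        raise ValueError("cannot group zero events")
    sup = Event(min(c.start for c in children), max(c.end for c in children),
                source, description)
    for child in sorted(children, key=lambda e: e.start):
        sup.add(child)
    return sup


def parse_line(line: str) -> Event:
    """Turn a constructed 'YYYY-mm-dd HH:MM:SS|source|description' record into a
    discrete event (start == end). This format is made up for the example."""
    ts, source, desc = (part.strip() for part in line.split("|", 2))
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return Event(when, when, source, desc)


def timeline(roots: List[Event], depth: int = 0) -> List[str]:
    """Render a timeline of the given events; depth > 0 expands sub-events
    that many levels, indented two spaces per level."""
    out: List[str] = []
    for ev in sorted(roots, key=lambda e: e.start):
        out.append(f"{ev.start:%Y-%m-%d %H:%M:%S} [{ev.source}] {ev.description}")
        if depth > 0 and ev.sub_events:
            out.extend("  " + line for line in timeline(ev.sub_events, depth - 1))
    return out


# Constructed sample records (not real system data); 192.0.2.10 is a documentation address.
SAMPLE_LINES = [
    "2004-03-02 14:05:11|mactime|access program gcc",
    "2004-03-02 14:05:12|mactime|access file x",
    "2004-03-02 14:05:12|mactime|access library y",
    "2004-03-02 14:07:40|syslog|kernel module z loaded",
    "2004-03-02 13:59:03|firewall|inbound connection from 192.0.2.10",
]


def build_example() -> List[Event]:
    """Reconstruct the hierarchy from the quoted text: three discrete events are
    grouped into 'compile program x', which with a log event becomes part of
    'install rootkit z'; the firewall event stays ungrouped at top level."""
    events = [parse_line(line) for line in SAMPLE_LINES]
    compile_x = group(events[0:3], "compile program x")
    install_z = group([compile_x, events[3]], "install rootkit z")
    return [events[4], install_z]


if __name__ == "__main__":
    for line in timeline(build_example(), depth=2):
        print(line)
```

Running the block prints the two top-level entries and, indented beneath "install rootkit z", the two-level hierarchy below it; the super-event's span is derived from its children rather than entered by hand, so regrouping never leaves a super-event with a span narrower than the events it contains.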