Skip to Main content Skip to Navigation
Conference papers

Automated Collection and Correlation of File Provenance Information

Ryan Good 1 Gilbert Peterson 1
1 Air Force Institute of Technology
Abstract : The provenance of a file is a detailing of its origins and activities. Tools have been developed that help maintain the provenance of files. However, these tools require prior installation on a computer of interest before and while provenance-generating events occur. The automated tool described in this chapter can reconstruct the provenance of a file from a variety of artifacts. It identifies relevant temporal and user correlations between the artifacts and presents them to an investigator. Results from six use cases demonstrate that these correlations are reliable and valuable in digital forensic investigations.
Keywords : File provenance Windows operating systems Forensic timelines
Document type :
Conference papers
Complete list of metadata

Cited literature [12 references]  Display  Hide  Download
https://hal.inria.fr/hal-01716392
Contributor : Hal Ifip <>
Submitted on : Friday, February 23, 2018 - 3:49:47 PM
Last modification on : Friday, February 23, 2018 - 3:52:13 PM
Long-term archiving on: : Friday, May 25, 2018 - 6:27:51 AM

File

Vignette du document
456364_1_En_15_Chapter.pdf
Files produced by the author(s)

Licence

Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Collections

IFIP | IFIP-AICT | IFIP-AICT-511 | IFIP-DF | IFIP-LNCS | IFIP-TC11 | IFIP-TC | IFIP-WG11-9 | IFIP-WG

Citation

Ryan Good, Gilbert Peterson. Automated Collection and Correlation of File Provenance Information. 13th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2017, Orlando, FL, United States. pp.269-284, ⟨10.1007/978-3-319-67208-3_15⟩. ⟨hal-01716392⟩

Export

BibTeX TEI DC DCterms EndNote

Share

Metrics

Record views

161

Files downloads

116

 

Contact                    Legal Notice                    Personal Data