A Complete Formalized Knowledge Representation Model for ... · r-em – e n-e – e a CheckSem...
26
Yoan Chabot – [email protected] - Equipe de projet Checksem – Laboratoire Electronique Informatique et Image (LE2I – UMR CNRS 5158) IUT Dijon-Auxerre – Université de Bourgogne, BP 47870, 21078 Dijon Cedex, France a CheckSem Team, Laboratoire Le2i, Université de Bourgogne, Dijon, FRANCE b School of Computer Science & Informatics, University College Dublin, IRELAND A Complete Formalized Knowledge Representation Model for Advanced Digital Forensics Timeline Analysis 1 August 5, 2014 Yoan Chabot a,b , Aurélie Bertaux a , Christophe Nicolle a and M-Tahar Kechadi b [email protected]
Transcript of A Complete Formalized Knowledge Representation Model for ... · r-em – e n-e – e a CheckSem...
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
a CheckSem Team, Laboratoire Le2i, Université de Bourgogne, Dijon, FRANCE b School of Computer Science & Informatics, University College Dublin, IRELAND
A Complete Formalized Knowledge Representation Model for Advanced Digital Forensics Timeline Analysis
1
August 5, 2014
Yoan Chabota,b, Aurélie Bertauxa, Christophe Nicollea and M-Tahar Kechadib
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
2
Outline
Problem Statement
The Underlying Issues Existing solutions
Background
Future works Contributions
Conclusion
Our solution
Formal Knowledge Model Extraction Analysis
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
Event Reconstruction
GOAL: Determine the circumstances of the incident
3
Footprints
Conclusions of the investigation Timeline
Problem Statement
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
4
Technical gaps
Legal requirements
• Credibility • Reproducibility • Veracity • Precision
The Underlying Issues
Digital Crime Scene
• Large amount of data
• Heterogeneity (Semantic, Format, Time)
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
5
Existing Solutions
log2timeline by Kristinn Gudjonsson Super-timelines using a large number of sources
• Windows Event Logs • Web Browsers Histories • Apache logs • PDF document metadata • Firewall logs • etc.
Yoan@Checksem-PC /cygdrive/j/Local Workspace/plaso $ ./log2timeline ../output.dump ../Scenarios/scenario1/EnCase/scenario1.E01 > log.txt ,,, Yoan@Checksem-PC /cygdrive/j/Local Workspace/plaso $ ./psort -w ../timeline.txt ../output.dump > log.txt
ECF, FORE, Finite state machine approach, Zeitline, Neural networks appraoch, CyberForensic TimeLab, etc.
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
6
Knowledge Model
How to analyze this large amount of data?
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
Introduce a semantically rich knowledge representation of events to enhance analysis
capabilities 7
Knowledge Model
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
8
Knowledge Model
Entities • 𝑠 ∈ 𝑆 = 𝑎 ∈ 𝐴𝑠 | 𝑠 𝛼𝑠 𝑎 • 𝑜 ∈ 𝑂 = 𝑎 ∈ 𝐴𝑜 | 𝑥 𝛼𝑜 𝑎 • 𝑂 ⊆ ℘(𝐴𝑜)
• 𝑓 ∈ 𝐹 = 𝑓 ∈ 𝐴𝑓 | 𝑥 𝛼𝑓 𝑎
• 𝑒 ∈ 𝐸 = 𝑡𝑠𝑡𝑎𝑟𝑡 , 𝑡𝑒𝑛𝑑 , 𝑙, 𝑆𝑒 , 𝑂𝑒 , 𝐸𝑒 • 𝑆𝑒 = 𝑠 ∈ 𝑆 𝑒 ∈ 𝐸, 𝑠 𝜎𝑠 𝑒+ • 𝑂𝑒 = 𝑜 ∈ 𝑂 𝑒 ∈ 𝐸, 𝑒 𝜎𝑜 𝑜+ • 𝐸𝑒 = 𝑥 ∈ 𝐸 𝑒 ∈ 𝐸, 𝑒 𝜎𝑒 𝑥+
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
9
Knowledge Model
Relationships • 𝜎𝑠= *𝑝𝑎𝑟𝑡𝑖𝑐𝑖𝑝𝑎𝑡𝑖𝑜𝑛, 𝑟𝑒𝑝𝑒𝑟𝑐𝑢𝑠𝑠𝑖𝑜𝑛+ • 𝜎𝑜= *𝑐𝑟𝑒𝑎𝑡𝑖𝑜𝑛, 𝑠𝑢𝑝𝑝𝑟𝑒𝑠𝑠𝑖𝑜𝑛,𝑚𝑜𝑑𝑖𝑓𝑖𝑐𝑎𝑡𝑖𝑜𝑛, 𝑢𝑡𝑖𝑙𝑖𝑧𝑎𝑡𝑖𝑜𝑛+ • 𝜎𝑒= *𝑐𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛+ • 𝜎𝑓= 𝑠𝑢𝑝𝑝𝑜𝑟𝑡 • 𝑠𝑢𝑝𝑝𝑜𝑟𝑡 𝑒𝑛 ∈ 𝐸 × 𝑂 × 𝑆 = 𝑓 ∈ 𝐹 𝑓 𝜎𝑓 𝑒𝑛+
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
Footprints left on the crime scene
Extraction and Mapping Operators
Inference Operators
Analysis Operators
Enhanced Timeline Conclusions
Operators
Knowledge Base
10
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
2014-07-03T07:36:39.408000+00:00,Last Visited Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Yoan@file:///C:/Users/Yoan/Pictures/dfrws12-039.jpg Number of hits: 2 Cached file size: 0,msiecf,TSK:/Users/Yoan/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat,-,3,378480
e1
Event
rdf:type
2014-07-03T07:36:39
:hasTime
15455222
:hasID
WEBHIST :hasType
Cache Access
:hasSubType
Mapping: 1st Example
11
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
2014-07-03T07:36:39.408000+00:00,Last Visited Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Yoan@file:///C:/Users/Yoan/Pictures/dfrws12-039.jpg Number of hits: 2 Cached file size: 0,msiecf,TSK:/Users/Yoan/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat,-,3,378480
e1
Event Object
o1
rdf:type rdf:type
:utilization 2014-07-03T07:36:39
:hasTime
15455222
:hasID
WEBHIST :hasType
Cache Access
:hasSubType
12455 :hasID
dfrws12-039.jpg :hasName
C:/Users/Yoan/Pictures/dfrws12-039.jpg
:hasPath
Mapping: 1st Example
12
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
2014-07-03T07:36:39.408000+00:00,Last Visited Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Yoan@file:///C:/Users/Yoan/Pictures/dfrws12-039.jpg Number of hits: 2 Cached file size: 0,msiecf,TSK:/Users/Yoan/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat,-,3,378480
e1
Event Object
o1
rdf:type rdf:type
:utilization
s1
Subject
rdf:type
:participation
2014-07-03T07:36:39
:hasTime
15455222
:hasID
WEBHIST :hasType
Cache Access
:hasSubType
12455 :hasID
dfrws12-039.jpg :hasName
C:/Users/Yoan/Pictures/dfrws12-039.jpg
:hasPath
12 :hasID
Internet Explorer :hasName
Mapping: 1st Example
13
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
2014-07-03T07:36:46.662000+00:00,Content Deletion Time,RECBIN,Recycle Bin,C:\Users\Yoan\Pictures\dfrws12-039.jpg,recycle_bin,TSK:/$Recycle.Bin/S-1-5-21-3724914695-4089496160-3424763353-1000/$IAXNK4E.jpg,-,3,378521
e2
Event
rdf:type
2014-07-03T07:36:46
:hasTime
15458548
:hasID
RECBIN :hasType
Content Deletion
:hasSubType
Mapping: 2nd Example
14
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
2014-07-03T07:36:46.662000+00:00,Content Deletion Time,RECBIN,Recycle Bin,C:\Users\Yoan\Pictures\dfrws12-039.jpg,recycle_bin,TSK:/$Recycle.Bin/S-1-5-21-3724914695-4089496160-3424763353-1000/$IAXNK4E.jpg,-,3,378521
e2
Event Object
o1
rdf:type rdf:type
:deletion
2014-07-03T07:36:46
:hasTime
15458548
:hasID
RECBIN :hasType
Content Deletion
:hasSubType
12455 :hasID
dfrws12-039.jpg :hasName
C:/Users/Yoan/Pictures/dfrws12-039.jpg
:hasPath
Mapping: 2nd Example
15
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
e1
rdf:type
:utilization
s1
Subject
rdf:type
:participation
2014-07-03T07:36:39
:hasTime
15455222
:hasID
WEBHIST :hasType
Cache Access
:hasSubType
12 :hasID
Internet Explorer :hasName
e2
Event
Object
o1
rdf:type
rdf:type
2014-07-03T07:36:46 :hasTime
15458548
:hasID
RECBIN
:hasType
Content Deletion
:hasSubType
12455 :hasID
dfrws12-039.jpg :hasName
C:/Users/Yoan/Pictures/dfrws12-039.jpg
:hasPath
:deletion
Graph Connections
16
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
From Raw Data To Giant Graphs
17
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
Object Correlation Subject Correlation
Temporal Correlation Knowledge-Based Correlation
Event Correlation
Automatic Analysis Operators
e1 e2
e3
Event
Object
o2
o3
o1
rdf:type rdf:type
rdf:type
rdf:type
sadfc:creation
sadfc:utilization
sadfc:creation
sadfc:modification
sadfc:modification
𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑂 𝑒, 𝑥 = 𝑂𝑒 ∩ 𝑂𝑥 /max(|𝑂𝑒|, |𝑂𝑥|)
18
1/3 1/3
0
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
Automatic Analysis Operators
e1 e2
e3 s1
s2
s3
s4 sadfc:participation
sadfc:participation
sadfc:participation
sadfc:consequence
sadfc:participation
Event
rdf:type
Subject
Person Process
rdf:type
rdf:type
rdfs:subClassOf
rdfs:subClassOf
rdf:type
rdf:type
Object Correlation Subject Correlation
Temporal Correlation Knowledge-Based Correlation
Event Correlation
𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑆 𝑒, 𝑥 = 𝑆𝑒 ∩ 𝑆𝑥 /max(|𝑆𝑒|, |𝑆𝑥|)
19
1/2 0
0
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
Automatic Analysis Operators
Object Correlation Subject Correlation
Temporal Correlation Knowledge-Based Correlation
Event Correlation
𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑇 𝑒, 𝑥= 𝛼 × 𝑠𝑡𝑎𝑟𝑡𝑠 𝑒, 𝑥 + 𝛼× 𝑒𝑞𝑢𝑎𝑙𝑠 𝑒, 𝑥 + 𝑚𝑒𝑒𝑡𝑠 𝑒, 𝑥+ 𝑜𝑣𝑒𝑟𝑙𝑎𝑝𝑠 𝑒, 𝑥 + 𝑑𝑢𝑟𝑖𝑛𝑔 𝑒, 𝑥+ 𝑓𝑖𝑛𝑖𝑠𝑒𝑠 𝑒, 𝑥 + 𝑏𝑒𝑓𝑜𝑟𝑒 𝑒, 𝑥
20
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
2014-06-20T13:57:16.544000+00:00 | Creation Time | WEBHIST | Firefox History | Bookmark URL CheckSem - Semantic Intelligence Research (http://checksem.u-bourgogne.fr/www/)| sqlite | TSK:/Users/Yoan/AppData/Roaming/Mozilla/Firefox/Profiles/94zxtt2a.default/places.sqlite | - | 3 | 373176 |
Automatic Analysis Operators
2014-06-20T13:57:21.474000+00:00 | Page Visited | WEBHIST | Firefox History | http://checksem.u-bourgogne.fr/www/ (CheckSem - Semantic Intelligence Research Host: checksem.u-bourgogne.fr visited from: http://checksem.u-bourgogne.fr/www/ (checksem.u-bourgogne.fr) Transition: BOOKMARK | sqlite | TSK:/Users/Yoan/AppData/Roaming/Mozilla/Firefox/Profiles/94zxtt2a.default/places.sqlite | - | 3 | 373182 |
Bookmark Created
Page Visited
Object Correlation Subject Correlation
Temporal Correlation Knowledge-Based Correlation
Event Correlation
𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝐾𝐵𝑅 𝑒, 𝑥 = 𝑟𝑢𝑙𝑒𝑟(𝑒, 𝑥)𝑛
𝑟=1
With 𝑟𝑢𝑙𝑒𝑟 𝑒, 𝑥 = 1 if the rule is satisfied and 0 otherwise
21
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
22
Automatic Analysis Operators
𝑪𝒐𝒓𝒓𝒆𝒍𝒂𝒕𝒊𝒐𝒏 𝒆𝟏, 𝒆𝟐 ≈1,143 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑂 𝑒1, 𝑒2 : o1 1/1 = 1 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑆 𝑒1, 𝑒2 : ∅ 0/1 = 0 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑇 𝑒1, 𝑒2 : 2014-07-03T07:36:39 <-> 2014-07-03T07:36:46 ≈0,143 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝐾𝐵𝑅 𝑒1, 𝑒2 : 0
𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛 𝑒, 𝑥= 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑇 𝑒, 𝑥 + 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑆 𝑒, 𝑥+ 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑂 𝑒, 𝑥 + 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝐾𝐵𝑅(𝑒, 𝑥)
:deletion
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
𝑪𝒐𝒓𝒓𝒆𝒍𝒂𝒕𝒊𝒐𝒏 𝒆𝟏, 𝒆𝟑 ≈ 𝟎 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑂 𝑒1, 𝑒3 : ∅ 0/1= 0 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑆 𝑒1, 𝑒3 : ∅ 0/1= 0 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝑇 𝑒1, 𝑒3 : 2014-07-03T07:36:39 <-> 2010-11-20T04:58:26 ≈0 • 𝐶𝑜𝑟𝑟𝑒𝑙𝑎𝑡𝑖𝑜𝑛𝐾𝐵𝑅 𝑒1, 𝑒3 : 0
Automatic Analysis Operators
23
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
24
Data volume
Automatic Operators
Scalable Technologies
Heterogeneity
Unified model of knowledge
representation
Extractors dedicated to each source
Credibility
Based on a formal
knowledge representation
Reproducibility
Storing information
about provenance
Contributions
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
25
Future Works
SADFC
New Analysis operators
New Semantic dimensions
Mechanisms for knowledge checking and reproducibility
Yoan
Ch
abo
t –
yoan
.ch
abo
t@ch
ecks
em.f
r -
Equ
ipe
de
pro
jet
Ch
ecks
em –
Lab
ora
toir
e El
ectr
on
iqu
e In
form
atiq
ue
et Im
age
(L
E2I –
UM
R C
NR
S 51
58)
IUT
Dijo
n-A
uxe
rre –
Un
iver
sité
de
Bo
urg
ogn
e, B
P 4
78
70
, 21
07
8 D
ijon
Ce
dex
, Fra
nce
a CheckSem Team, Laboratoire Le2i, Université de Bourgogne, Dijon, FRANCE b School of Computer Science & Informatics, University College Dublin, IRELAND
A Complete Formalized Knowledge Representation Model for Advanced Digital Forensics Timeline Analysis
August 5, 2014
Yoan Chabota,b, Aurélie Bertauxa, Christophe Nicollea and M-Tahar Kechadib
26
![arXiv:0711.2372v1 [math.GR] 15 Nov 2007Luis Paris Institut de Math´ematiques de Bourgogne – UMR 5584 du CNRS Universit´e de Bourgogne, BP 47870 21078 Dijon cedex, France email:lparis@u-bourgogne.fr](https://static.fdocuments.in/doc/165x107/5ecb72870746fe0230439dd8/arxiv07112372v1-mathgr-15-nov-2007-luis-paris-institut-de-mathematiques-de.jpg)
