Evaluating tamper resistance of digital forensic artifacts during event reconstruction
Céline Vanini, Chris Hargreaves, Frank Breitinger
TL;DR
The paper addresses the fragility of timeline-based event reconstruction in digital forensics due to tampering of artifacts. It proposes a formal framework to assess tamper resistance using seven factors (visibility, permissions, editing software, observed access, encryption, file format, and data organization) and a qualitative scoring system inspired by security risk assessment. Through case studies, it demonstrates that common sources (e.g., USB connections) can be less tamper-resistant than commonly assumed, while some sources like Event Logs can offer higher resistance. The work aims to improve the reliability of forensic interpretations, guide practitioners in evaluating sources, and pave the way for tool-assisted, quantitative assessments of trace trustworthiness.
Abstract
Event reconstruction is a fundamental part of the digital forensic process, helping to answer key questions like who, what, when, and how. A common way of accomplishing this is to use tools to create timelines, which are then analyzed. However, various challenges exist, such as large volumes of data or contamination. While prior research has focused on simplifying timelines, less attention has been given to tampering, i.e., the deliberate manipulation of evidence, which can lead to errors in interpretation. This article addresses the issue by proposing a framework to assess the tamper resistance of data sources used in event reconstruction. We discuss factors affecting data resilience, introduce a scoring system for evaluation, and illustrate its application with case studies. This work aims to improve the reliability of forensic event reconstruction by considering tamper resistance.
