Thanks to my co-authors Céline Vanini and Chris Hargreaves for working with me on this article which is available open access in ACM DTAP. The work can be access here and will be presented at the IMF 2025 conference in September 2025. An earlier version of the paper is available here: https://arxiv.org/abs/2412.12814
Here are the details about the paper:
Abstract
Event reconstruction is a fundamental part of the digital forensic process, helping to answer key questions like who, what, when, and how. A common way of accomplishing that is to use tools to create timelines, which are then analyzed. However, various challenges exist, such as large volumes of data or contamination. While prior research has focused on simplifying timelines, less attention has been given to tampering, i.e., the deliberate manipulation of evidence, which can lead to errors in interpretation. This article addresses the issue by proposing a framework to assess the relative tamper resistance of different data sources used in event reconstruction. We discuss factors affecting data resilience, introduce a scoring system for evaluation, and illustrate its application with case studies. This work aims to improve the reliability of forensic event reconstruction by considering tamper resistance.