1. Field
The present inventive concept pertains to a system and method of conducting a forensic investigation on a computer system following an incident. The present inventive concept more particularly concerns an improved system and method for organizing and manipulating recorded event data and generating a wrinkle timeline report for display to computer forensics investigators.
2. Discussion of Related Art
As more businesses and governmental entities increasingly rely on computer networks to conduct their operations and store relevant data, security of these networks has become increasingly important. The need for increased security is emphasized when these networks are connected to non-secure networks such as the Internet. The preservation of important data and the ability to retrieve and analyze the data in the aftermath of a security breach or incident has become a major focus of forensic investigators.
Various technologies may be employed to aid in the processing and organizing of data, including search technologies, software that copies the entire contents of the hard drive in a computer system, and software that allows an analyst to review its contents and categorize it based on their observations. Certain of the data stored in computer memory that may be of interest to forensic investigators may be found in log files or timelines, that is, files that contain records of the activities of a computer system as lists of data entries specifying, without limitation, the date/time of events occurring in or in connection with the computer system along with each associated event source (an event source may be a software program which is modified in the computer system thus giving rise to a data entry, such as a timestamp, showing the date/time of the modification and the name of the program).
This sort of log file or timeline analysis may be conducted to determine how a computer system has changed over time. This is helpful in finding indicators of a security breach or determining exactly what has changed when a security breach has occurred so that the changes may be corrected. For example, during a computer security incident, looking at file modification dates in line with the dates and times for various system log entries can help create a picture of the activity an attacker may have engaged in while on a system. Existing methods of examining such data are slow and cumbersome, with the majority relying on finding a particular log entry and “walking” forward and backward in the log file or timeline looking for other entries that might be relevant.
Thus there exists a need for additional technologies to analyze and manipulate event data and display same in a fashion that increases efficiency of investigation, controls costs and reduces time spent on analysis.