Abstract
Reconstructing the sequence of computer events that led to a particular incident
is an essential part of the digital investigation process.
The ability to quantify the accuracy of automatic event reconstruction systems is an essential step toward standardizing the digital investigation process, thereby making it resilient to tactics such as the Trojan Horse defense.
In this paper, we present findings from an empirical study to measure and compare the accuracy and effectiveness
of a suite of such event reconstruction techniques.
We quantify (as applicable) false-positive and false-negative rates,
as well as scalability in terms of both computational burden and memory usage. Some of our
findings are surprising in that they do not match a priori expectations;
others qualitatively match those expectations but had never before
been quantitatively tested to determine the boundaries of
their applicability. For example, our results show that automatic event reconstruction systems proposed in the literature have very high false-positive rates (up to 96\%).