Title : 
CAT Record (computer activity timeline record): A unified agent based approach for real time computer forensic evidence collection
         
        
            Author : 
Al Awawdeh, Shadi ; Baggili, Ibrahim ; Marrington, Andrew ; Iqbal, Farkhund
         
        
            Author_Institution : 
Coll. of Technol. Innovation, Zayed Univ., Dubai, United Arab Emirates
         
        
        
        
        
        
            Abstract : 
In this paper we present CAT Record, a real-time computer forensics agent that records activity on a Windows computer system as it happens, for subsequent forensic investigation. This differs from the traditional post-mortem approach of examining a hard disk after the fact: activities are recorded while they occur rather than reconstructed later from disk artefacts. The prototype agent comprises six modules: 1) Windows Event Watcher, which records Windows operating system events; 2) Active Window Detector, which records the active window on the screen; 3) Font-Time-Power-Resolution Detector, which records changes to the system's font, time, power or screen resolution settings; 4) Explorers Monitor, which records items opened from Windows Explorer or Internet Explorer; 5) Removable Devices Detector, which records external devices plugged into or removed from the system; and 6) File System Watcher, which records activity on the file system. CAT Record was stress tested in three scenarios using an automated program written to measure the agent's recording accuracy and memory consumption on Windows XP and Windows 7. Overall, the results indicate that the amount of recorded data differs between Windows XP and Windows 7, and that under extremely stressful tests CAT Record on average did not consume more than 42,876 KB of memory per second.
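The six-module design described in the abstract is easiest to understand from a concrete agent. The PowerShell script below is an added example written for this page, not the authors' CAT Record code: it implements three of the modules (Windows Event Watcher, Removable Devices Detector, File System Watcher) as event subscriptions and a fourth (Active Window Detector) as a polling loop, and writes every observation as one JSON line with a UTC timestamp so that the four sources merge into a single timeline. The output path, watched directory, event log name and run time are assumed parameters; the Security log (process creation, logons) requires elevation and an audit policy, so the System log is the default.

```powershell
# Added example for this page, not the authors' CAT Record code.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; write access to $LogPath.
# Reading the Security log needs elevation and an audit policy, so System is the default.
param(
    [string]$LogPath  = (Join-Path $env:TEMP 'cat-timeline.jsonl'),  # assumed output file
    [string]$WatchDir = $env:USERPROFILE,                             # assumed watched tree
    [string]$LogName  = 'System',                                     # assumed event log
    [int]$Seconds     = 60                                            # assumed run time
)

# Every module emits the same record shape, so the sources merge into one timeline.
# Declared global: Register-*Event -Action blocks run in their own scope and do not
# see script-scoped functions.
function global:Write-TimelineRecord {
    param([string]$Module, [hashtable]$Detail, [string]$Path)
    $rec = [ordered]@{ ts = [DateTime]::UtcNow.ToString('o'); module = $Module; detail = $Detail }
    Add-Content -LiteralPath $Path -Value ($rec | ConvertTo-Json -Compress -Depth 4)
}

# 1) File System Watcher: create/change/delete/rename under $WatchDir.
$fsw = New-Object System.IO.FileSystemWatcher
$fsw.Path = $WatchDir
$fsw.IncludeSubdirectories = $true
$fsw.EnableRaisingEvents = $true
foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $fsw -EventName $name -SourceIdentifier "CAT.FS.$name" `
        -MessageData $LogPath -Action {
        $a = $Event.SourceEventArgs
        $old = $null
        if ($a -is [System.IO.RenamedEventArgs]) { $old = $a.OldFullPath }
        Write-TimelineRecord -Module 'FileSystemWatcher' -Path $Event.MessageData -Detail @{
            change = $a.ChangeType.ToString(); path = $a.FullPath; oldPath = $old
        }
    } | Out-Null
}

# 2) Removable Devices Detector: WMI volume arrival (EventType 2) and removal (3).
Register-CimIndicationEvent -SourceIdentifier 'CAT.Volume' -MessageData $LogPath `
    -Query 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    $kind = if ($e.EventType -eq 2) { 'arrival' } else { 'removal' }
    Write-TimelineRecord -Module 'RemovableDevicesDetector' -Path $Event.MessageData -Detail @{
        drive = $e.DriveName; event = $kind
    }
} | Out-Null

# 3) Windows Event Watcher: every record written to $LogName, delivered as it is logged.
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery($LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier 'CAT.EventLog' `
    -MessageData $LogPath -Action {
    $r = $Event.SourceEventArgs.EventRecord
    if ($null -eq $r) { return }   # EventException is set instead when delivery failed
    Write-TimelineRecord -Module 'WindowsEventWatcher' -Path $Event.MessageData -Detail @{
        log = $r.LogName; id = $r.Id; provider = $r.ProviderName
        written = [string]$r.TimeCreated; message = $r.FormatDescription()
    }
} | Out-Null
$watcher.Enabled = $true

# 4) Active Window Detector: poll the foreground window once a second, record focus changes.
$user32 = Add-Type -Namespace CatDemo -Name User32 -PassThru -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowTextW(IntPtr hWnd, System.Text.StringBuilder text, int count);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
'@
$lastKey  = $null
$owner    = [uint32]0
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    $hwnd = $user32::GetForegroundWindow()
    $sb   = New-Object System.Text.StringBuilder 1024
    [void]$user32::GetWindowTextW($hwnd, $sb, $sb.Capacity)
    [void]$user32::GetWindowThreadProcessId($hwnd, [ref]$owner)
    $key = "$hwnd|$($sb.ToString())"
    if ($key -ne $lastKey) {             # only log focus changes, not every poll
        $lastKey = $key
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        Write-TimelineRecord -Module 'ActiveWindowDetector' -Path $LogPath -Detail @{
            hwnd = "$hwnd"; title = $sb.ToString(); pid = [int]$owner; process = $proc.ProcessName
        }
    }
    Wait-Event -Timeout 1 | Out-Null     # waiting here also lets the -Action blocks above run
}

# Tear down subscriptions so the watchers do not outlive the script.
$watcher.Enabled = $false
$fsw.EnableRaisingEvents = $false
Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'CAT.*' } | Unregister-Event
```

Run it, work on the machine for a minute, then read the timeline back with `Get-Content $LogPath | ConvertFrom-Json | Sort-Object ts`: the file-system, device, event-log and window records interleave on the shared `ts` field, which is the point of a unified agent. Two caveats a practitioner should keep in mind with any live agent of this kind: it observes only what it is subscribed to (the FileSystemWatcher buffer overflows under heavy write load and silently drops events), and it runs under, and writes a file owned by, the same user whose activity it records, so the records should be shipped off-host or hash-chained as they are written before they are treated as evidence.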
         
        
            Keywords : 
cloud computing; digital forensics; operating systems (computers); CAT record; Internet Explorer; Windows 7; Windows Explorer; Windows XP; Windows computer system; Windows event watcher; Windows operating system events; active window detector; cloud forensics; computer activity recording; computer activity timeline record; explorers monitor; external devices; file system watcher; font-time-power-resolution detector; forensic investigation; memory consumption; real time computer forensic evidence collection; real time computer forensics agent; removable devices detector; unified agent based approach; Computers; Databases; Detectors; File systems; Forensics; Monitoring; Real-time systems; Cloud Forensics; Computer events; Computer forensics; Corpora; Corporate investigations; LEP; Network forensics; Real time; Testing; Timeline detection; Tools; Verbosity;
         
        
        
        
            Conference_Title : 
Systematic Approaches to Digital Forensic Engineering (SADFE), 2013 Eighth International Workshop on
         
        
            Conference_Location : 
Hong Kong
         
        
        
            DOI : 
10.1109/SADFE.2013.6911539