Title :
Detecting Falsified Timestamps in Evidence Graph via Attack Graph
Author :
Yuqiang Zhang;Jingsha He;Jing Xu
Author_Institution :
Coll. of Comput. Sci., Beijing Univ. of Technol., Beijing, China
Abstract :
Network forensics investigations aim to find a chain of evidence that helps reconstruct the alleged attack scenario. This often requires checking the timestamps of the logs to reconstruct the event. Yet it is relatively easy for criminals to tamper with the event logs, which results in an evidence graph with falsified timestamps and hence hinders the event reconstruction. The aim of this paper is to propose an algorithm that detects these falsified timestamps and re-creates the true evidence graph. Our algorithm relies on attack graphs of the system environment, which model the known vulnerability sequences that were exploited to launch the attack. We demonstrate the effectiveness and performance of our algorithm via a possible attack scenario in a network environment running a file server and a database server.
Keywords :
Computational intelligence
Conference_Title :
Computational Intelligence and Design (ISCID), 2015 8th International Symposium on
Print_ISBN :
978-1-4673-9586-1
DOI :
10.1109/ISCID.2015.111