Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
456463 | Digital Investigation | 2009 | 8 Pages |
Abstract
This paper describes a methodology for the reconstruction of digital events by comparing states captured in time. Microsoft Windows Restore Point data is used to illustrate how to organize captured state information into a useful timeline of user and system events. It is shown that by comparing consecutive states, events can be uncovered that would otherwise be unknown by analysis of the current system state alone.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Yuandong Zhu, Joshua James, Pavel Gladyshev