AI-Driven Prioritization and Filtering of Windows Artifacts for Enhanced Digital Forensics  

作　　者：Juhwan Kim Baehoon Son Jihyeon Yu Joobeom Yun 

机构地区：[1]Department of Computer and Information Security,and Convergence Engineering for Intelligent Drone,Sejong University,Seoul,05006,Republic of Korea

出　　处：《Computers, Materials & Continua》2024年第11期3371-3393,共23页计算机、材料和连续体（英文）

基　　金：supported by the MSIT(Ministry of Science and ICT),Korea,under the ITRC(Information Technology Research Center)support program(IITP-2024-RS-2024-00437494);supervised by the IITP(Institute for Information&Communications Technology Planning&Evaluation).

摘　　要：Digital forensics aims to uncover evidence of cybercrimes within compromised systems.These cybercrimes are often perpetrated through the deployment of malware,which inevitably leaves discernible traces within the compromised systems.Forensic analysts are tasked with extracting and subsequently analyzing data,termed as artifacts,from these systems to gather evidence.Therefore,forensic analysts must sift through extensive datasets to isolate pertinent evidence.However,manually identifying suspicious traces among numerous artifacts is time-consuming and labor-intensive.Previous studies addressed such inefficiencies by integrating artificial intelligence(AI)technologies into digital forensics.Despite the efforts in previous studies,artifacts were analyzed without considering the nature of the data within them and failed to prove their efficiency through specific evaluations.In this study,we propose a system to prioritize suspicious artifacts from compromised systems infected with malware to facilitate efficient digital forensics.Our system introduces a double-checking method that recognizes the nature of data within target artifacts and employs algorithms ideal for anomaly detection.The key ideas of this method are:(1)prioritize suspicious artifacts and filter remaining artifacts using autoencoder and(2)further prioritize suspicious artifacts and filter remaining artifacts using logarithmic entropy.Our evaluation demonstrates that our system can identify malicious artifacts with high accuracy and that its double-checking method is more efficient than alternative approaches.Our system can significantly reduce the time required for forensic analysis and serve as a reference for future studies.

关 键 词：Digital forensics autoencoder logarithmic entropy PRIORITIZATION anomaly detection windows artifacts artificial intelligence 

分 类 号：TP18[自动化与计算机技术—控制理论与控制工程]