
Enabling Forensics System Services in Cloud Computing

Abstract— Forensic investigation in the cloud came into existence with the recent attacks on cloud environments. Performing forensics in the cloud is different from performing it in a traditional environment. The National Institute of Standards and Technology (NIST) identified 65 challenges that demonstrate this. Cloud as a provider of XaaS and Forensics as a Service (FaaS) are not yet on that list, because of various organizational and technical issues. If the cloud service provider (CSP) supports the investigation, then it becomes possible to investigate a cloud environment. We therefore propose a system, named FaaSeC, to solve this problem. It makes the Cloud Service Provider offer Forensics as a Service to the investigator by extending forensic support from the CSP.

Keywords— Digital Forensics, Cloud Security, Event Reconstruction, Log analysis.

I. INTRODUCTION

A. Overview

Cloud market growth has crossed the expected limit. End users get more benefits from uninterrupted services; services are also provided at low cost, with the reduced overhead of maintenance. Recent attacks have raised various questions about cloud security, and security cracks have caused a trust deficit in the cloud. There are two solutions in this context. One is improving the security of the algorithms; the second is performing forensic investigations in the cloud. No vendors currently provide forensic investigations in the cloud environment: because of many legal and technical issues, nobody is willing to facilitate FaaS for a third party. In the multi-tenant cloud, a third party could gain access to other tenants' data during a forensic investigation, which leads to a privacy violation for the affected tenant and would be treated as an offense.

In this paper, we provide a solution to this issue by advancing FaaS for a third party with the help of the CSP. The advantages of using FaaS models are listed below:

• Knowing the artifacts of the forensic investigation process in the cloud ecosystem.

• Legally admissible forensic investigations become possible when FaaS models are correlated with relevant forensic tools.

• Enhanced interpretation of the cloud artifacts that are acquired.

• Facilitating comprehensive cloud forensic solutions for the creation of a repeatable system.

We cannot guarantee that the third-party investigator is trusted. Here, we consider the worst-case scenario: an untrusted investigator who has been given access to the cloud infrastructure, where the opportunities for performing suspicious activities are high. In some cases the investigator may belong to the cloud organization itself, as a member of the first-responder team, or may be an external entity. If such a user accesses the cloud infrastructure, the possibility of evidence tampering is high.

This leads to a forensic report that implies misleading conclusions. To avoid this situation we propose a system, providing FaaS, that knows the activities performed by the investigator at the cloud end, which can increase the CSP's willingness to provide forensic services to the investigator.

SeMS and CoPS are the two approaches used to detect forensically interesting activities from the forensic logs at the cloud end. Both SeMS and CoPS are validated with a typical investigative scenario.

II. LITERATURE SURVEY & RELATED WORKS

To perform traditional digital forensics, the investigator follows several phases, such as Identification, Preservation, Collection, Examination, Analysis, and Presentation. Because of multi-tenancy, this procedure cannot be applied directly to the cloud environment. It also happens

V. Anil Dutt, M. Tech Student, Dept. of CSE, Koneru Lakshmaiah Educational Foundation, Green Fields, Vaddeswaram, Guntur, A.P., India.

Dr. N. Srinivasu, Professor, Dept. of CSE, Koneru Lakshmaiah Educational Foundation, Green Fields, Vaddeswaram, Guntur, A.P., India.

International Journal of Pure and Applied Mathematics, Volume 118 No. 20 2018, 273-282. ISSN: 1314-3395 (on-line version). url: http://www.ijpam.eu. Special Issue.


because the cloud lacks transparency and because of its elasticity property.

The challenges in cloud forensics are divided into three types: organizational, technical, and legal. CSP support for forensic investigations, facilitated through FaaS, reduces the complications in all three dimensions. To provide FaaS in the cloud environment, some groundwork is needed.

The drawback of the existing system is the smart connector notion it introduces. This bypasses the cloud provider's host operating system and accesses the physical resources of the node for forensics, which is practically difficult without the CSP's intervention. The filtering schemes are also not proper: the data collected by the Information Gathering Process (IGP) is large, and forensically interesting activities are not filtered out. This issue receives the utmost importance because of the multi-tenant nature of the cloud.

A. FaaSeC model in Cloud Environment

Our implementation of FaaS starts an investigation immediately once the third party has registered with the cloud provider. Syslog records all events on the first node, and they are continuously synchronized with and stored on a second, specified node as well. The second node, being separate from the cloud user's operations, yields more reliable events. This replication policy for log events has the advantage that the CSP can validate them regularly.

Figure 1: FaaSeC in Cloud environment

B. Creation and Syncing of Remote log

The cloud stores the logs of CFI. In the worst case, the log events could be accessed and modified by the investigator. With the help of the remote syslog concept, FaaSeC is able to control this: the cloud acts as the rsyslog client, and the rsyslog server is a dedicated host implemented for log storage with higher availability. The next concern is the automatic detection of suspicious events in the CFI logs.

Several log analyzers exist, such as Google Analytics [16] and Cloudlytics [15]. They are widely used for extracting statistical knowledge, but they cannot answer forensic questions directly. Our implemented system is well suited to forensic investigation. As an example, in [17] the authors find suspicious events in system logs with the help of black and white lists; applied on its own, that methodology may not be sufficient. So we manage this problem with the help of sequence mining and conditional probability. The start of an event is taken as the application launch time and its end as the closing time.

C. Review Stage

It is indicated as ER (Event Reconstruction). It is the process of analyzing an incident that occurred at the crime scene from the traces left behind [14]. An incident hypothesis can be generated with it. It is useful for identifying the characteristics of certain evidence, so that the crime scene under investigation can be enhanced and interpreted. According to the extensive literature, approaches to Event Reconstruction fall into two categories: (1) the basic timeline approach and (2) advanced timeline ER. The disadvantages of both methods are the longer processing time and the manual analysis of all events.

To avoid these problems, the FORAL engine was invented. It is able to detect suspicious events in any CFL and other logs. All of these are given as inputs for advanced timeline construction. The next section covers the detection of suspicious activities in the CFI log.

III. PROPOSED METHODOLOGY

While identifying suspicious events in an application log (here, the CFI application log), we face several issues. The problems are described in the following section.

A. Description of the Problem

• CFI logs contain many events, so finding the events of interest is difficult for the CSP.

• A hypothesis generated by observing all the events takes much time, and sometimes we may arrive at the wrong hypothesis.

The challenges in the above section are addressed with the help of the causality model concept [22] [23]. The important point is that the proposed solution can be applied to any application log.

B. Solution

Building a causality model identifies forensically interesting events from cloud forensic application logs. Causality models are useful for showing the cause-effect relationship between events and processes. Causality can be constructed with Directed Acyclic Graphs (DAGs). The primary advantage of DAGs is that associations from simple to difficult can be represented, such as confounding, endogenous association, and so on [24]. For constructing the DAG we used two methods: the first is Sequence Mining and the second is Conditional Probability.

C. Detecting and Constructing Event Relations with Sequence Mining (SeMS)

The following reasons justify applying sequence mining to build causalities. From launch time to closing time, the events occur as sequences. If events ex and ey occur in an application sequence, then ey is considered the cause and ex its outcome in that sequence. If an event does not occur frequently, it can easily be detected with the help of sequence mining; such events are considered outliers and forensically interesting.

There are many sequence mining algorithms. Among them, TKS (Top-k Sequences) is one of the standard algorithms. TKS is used initially to obtain the top-k frequent item sequences. Algorithm 1 is then applied to obtain the suspicious sequences.

To identify suspicious sequences in the CFI log used by the CSP, we compare each new log sequence in the time window T with the frequent item sequences (freq_seq). When mismatches are found, the percentage of the fraction left (per_fractionLeft) grows rapidly, and if it grows beyond the user's threshold value, the sequence is declared suspicious. Deciding the exact threshold value is always difficult. Several parameters inform the threshold decision, such as the history of suspicious sequences in the target application, the experience of the investigating entity, the environment in which the log is stored, and so on.

Algorithm 1: Finding suspicious sequences from cloud forensic application logs with the help of SeMS.

Input: the cloud forensic application sequences during Time Window T, thseq
Output: suspicious sequences Sp, Sq, ..., Sy, each sequence being a set of events

    freq_seq[] = apply_seqMining()
    for each sequence Si in Time Window T do
        original_len = length(Si)
        for each sequence Sj in freq_seq do
            for each item I in Sj do
                if Si contains I then
                    remove I from Si
                end if
            end for
        end for
        residue = length(Si)                (events not covered by any frequent sequence)
        per_fractionLeft = (residue / original_len) * 100
        if per_fractionLeft > thseq then
            consider Si as suspicious
        end if
    end for

D. Creating Application Event Causalities with CoPS (Conditional Probability)

With the help of conditional probability we also obtain the suspicious sequences of the cloud forensic application. Conditional probability is described as follows: "the extent of belief in the occurrence of an event Ex when Ey has occurred". This is useful whenever the events of an application log have cause-and-effect associations: the extent of the cause affects the associated probabilities. Once the probabilities have been calculated, detecting a suspicious sequence becomes trivial.

We consider the new sequences in the time window T, which are useful for detecting suspicious sequences. We implemented the network as a trie, a tree data structure, for the following reasons: all keys are strings, so it is an ordered tree, and each node represents a common prefix, which is helpful for matching sequences.

Algorithm 2 detects suspicious sequences from cloud forensic application logs with the help of CoPS.


Input: the set of cloud forensic application sequences obtained during Time Window T, threshold thseq
Output: suspicious sequences Sp, Sq, ..., Sy, each sequence being a set of events

    for each sequence Si in Time Window T do
        for each item Ia of the sequence Si do
            calculate the probability P of node Ia from the occurrence count of the previous item's node Ia-1 (equation 1)
            if P(Ia) < thseq then
                consider Si as suspicious
            end if
        end for
    end for

For every sequence in T we calculate the conditional probability; the probability P of every node is calculated with equation (1):

P = C(ni) / C(nj)     (1)

where ni is the current node, nj is the parent node of ni, and C(ni), C(nj) are the counts of the respective nodes. A sequence is declared suspicious if the probability of an item in the sequence is lower than the predefined threshold in Algorithm 2.
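As an added example (not code from the paper or from the authors' CFI tool), the following Python runs Algorithm 1 (SeMS) and Algorithm 2 (CoPS) over a constructed pre-processed CFI log in the paper's "{1} -1 {2}" format. The TKS step is replaced by a simple top-k frequent adjacent-pair finder, and the history sequences, event numbers, k and thresholds are assumptions.

```python
"""SeMS (Algorithm 1) and CoPS (Algorithm 2) over a constructed CFI event log.

Added example; the top-k frequent-pair finder is a simplified stand-in
for the TKS sequence mining algorithm the paper uses.
"""
from collections import Counter
from typing import Dict, List, Tuple


def parse_cfi_sequence(line: str) -> List[int]:
    """Parse a pre-processed CFI sequence such as "{1} -1 {2} -1 {4}"
    (events in braces, -1 between events) into a list of event numbers."""
    return [int(tok.strip("{}")) for tok in line.split() if tok != "-1"]


# Constructed history of healthy investigator sessions (an assumption).
# Event numbers follow the paper's description: 1 new case, 2 case details
# entered, 3 basic enumeration of the target VM, 5 target disk acquired,
# 4 application exit. Events 6-9 and 13 are the suspicious actions.
HISTORY = [parse_cfi_sequence(s) for s in [
    "{1} -1 {2} -1 {3} -1 {5} -1 {4}",
    "{1} -1 {2} -1 {3} -1 {5} -1 {4}",
    "{1} -1 {2} -1 {3} -1 {4}",
    "{1} -1 {2} -1 {3} -1 {5} -1 {4}",
    "{1} -1 {2} -1 {5} -1 {4}",
]]
NORMAL = parse_cfi_sequence("{1} -1 {2} -1 {3} -1 {5} -1 {4}")
# The sequence the paper reports as suspicious (Section V).
SUSPICIOUS = parse_cfi_sequence(
    "{1} -1 {2} -1 {3} -1 {5} -1 {6} -1 {7} -1 {8} -1 {9} -1 {13} -1 {4}")


def top_k_frequent_pairs(history: List[List[int]], k: int) -> List[List[int]]:
    """Stand-in for apply_seqMining()/TKS: the k adjacent event pairs with the
    highest support (number of history sequences in which the pair occurs)."""
    support: Counter = Counter()
    for seq in history:
        support.update(set(zip(seq, seq[1:])))
    return [list(pair) for pair, _ in support.most_common(k)]


def sems_is_suspicious(seq: List[int], freq_seq: List[List[int]],
                       th_seq: float) -> Tuple[bool, float]:
    """Algorithm 1 (SeMS). Every event covered by some frequent sequence is
    removed; the percentage of events left (per_fractionLeft) is compared
    with the threshold. Returns (suspicious, per_fractionLeft)."""
    original_len = len(seq)
    remaining = list(seq)
    for frequent in freq_seq:
        for item in frequent:
            remaining = [e for e in remaining if e != item]
    residue = len(remaining)  # events that no frequent sequence explains
    per_fraction_left = residue * 100.0 / original_len
    return per_fraction_left > th_seq, per_fraction_left


class TrieNode:
    """Trie node: count of sequences passing through it, children by event."""
    __slots__ = ("count", "children")

    def __init__(self) -> None:
        self.count = 0
        self.children: Dict[int, "TrieNode"] = {}


def build_trie(history: List[List[int]]) -> TrieNode:
    """Insert every history sequence, incrementing the count of each prefix."""
    root = TrieNode()
    for seq in history:
        node = root
        node.count += 1
        for event in seq:
            node = node.children.setdefault(event, TrieNode())
            node.count += 1
    return root


def cops_is_suspicious(seq: List[int], root: TrieNode,
                       th_seq: float) -> Tuple[bool, float]:
    """Algorithm 2 (CoPS). Walk the trie; each event's probability is
    P = C(n_i) / C(n_j), current node count over parent count (equation 1).
    An event never seen after its prefix has P = 0. Returns (suspicious,
    lowest probability seen) and stops at the first event below threshold."""
    parent = root
    lowest = 1.0
    for event in seq:
        child = parent.children.get(event)
        p = child.count / parent.count if child else 0.0
        lowest = min(lowest, p)
        if p < th_seq:
            return True, lowest
        parent = child
    return False, lowest


FREQ_SEQ = top_k_frequent_pairs(HISTORY, k=3)
TRIE = build_trie(HISTORY)

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(name, "SeMS:", sems_is_suspicious(seq, FREQ_SEQ, 25.0),
              "CoPS:", cops_is_suspicious(seq, TRIE, 0.1))
```

With the paper's 25 percent SeMS threshold, the reported sequence has half of its events unexplained by the frequent sequences, and CoPS flags it at event 6, the first event never seen after that prefix.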

E. Comparison of both Algorithms

Suspicious events in CFI logs can be detected by both of these approaches. The right method can be chosen according to the CSP's requirements. The following list compares the two.

• SeMS: the top-k frequent item sequences are found and the residue is calculated by comparing all sequences in the time window T. CoPS: the conditional probabilities of all events are found from the input sequences in the time window T.

• SeMS: an input sequence is taken as suspicious if its fraction left is greater than the threshold. CoPS: input sequences whose conditional probability is less than the threshold are considered suspicious.

• SeMS: memory efficient when the data is small. CoPS: memory efficient when the data is large.

• SeMS: the time complexity of finding the top-k frequent patterns is O(M*N), where N is the number of user sequences and M the number of input sequences. CoPS: the time complexity of building the trie is O(N*L), where L is the length of the largest sequence and N is the number of user sequences.

• SeMS: accuracy depends on the k value and the threshold; an incorrect k value affects which sequences are detected as suspicious. CoPS: only the threshold governs accuracy.

IV. SCENARIO DESCRIPTION

The implemented scheme for detecting suspicious events can be applied to any cloud application. As an example, consider the CFI application implemented by us, which helps to perform forensics in a cloud environment. The following section covers the details of the scenario.

A cloud user uses VMx, a virtual machine that may have been compromised by VMi, the intruder's virtual machine. The user of VMx raises a complaint with the CSP, and a third-party investigator is hired. With the help of our FaaSeC, the investigator starts the investigation, which requires operating the cloud forensic application as the primary step. The CFI tool implemented by us is explained in the following steps of the forensic investigation:

Step 1, New Case: first, a new case is created by the investigator, who enters all the case details from the registered complaint.

Step 2, Configuration Settings: in this step the investigator enters the credentials of the different nodes. For illustration, if the cloud forensic application is running in OpenStack, the investigator enters the credentials of the OpenStack nodes. In OpenStack, the compute node acts as the hypervisor, and each user's vdisk is present on this node. This configuration dashboard accepts the credentials of the OpenStack dashboard users, through which the vRAM of the target virtual machine is acquired. A chance of trust violation may occur in this process, as described in the next step.

Step 3, Selective Acquisition: all the available evidence of the target user's VM becomes accessible if CFI authentication succeeds. The investigator now collects the required evidence. The checksum is calculated on the cloud side and recalculated at the investigator's node to prove the case in the court of law. It is legally acceptable if the checksums are equal.

Step 4, Analysis: in our cloud forensic application, all the acquired evidence is analyzed, after which the results are exported to proceed legally.

A. Handling Complications in the Above Scenario

If we observe steps 2 and 3, certain problems arise. For illustration take step 2, where the investigator enters the details of the compute node. That node may also hold other users' vdisks, because the cloud is a multi-tenant environment, which can lead to a privacy violation while the acquisition is running. Our assumption of a trusted investigator in CFI may or may not always be correct: when an investigator is untrustworthy, he or she can perform suspicious activities using the vdisks of other users.

Figure 2. Pre-processing CFI events log

To grow the CSP's support for cloud forensic investigation, the cloud provider ought to identify the activities performed by the investigator while the investigation is running. To achieve this, we introduced a remote logging facility in our implemented CFI tool, so that the CSP can detect suspicious activities performed by an investigator by observing the logged events. One more issue here is how a suspicious event can be found automatically. The CFI log on the CSP side contains events numbering nearly in the thousands, so practically it is difficult for the cloud provider to know whether suspicious events have occurred or not. Answering these queries manually is tough. That is why we carry out this process with the help of SeMS and CoPS.

B. Detecting Suspicious Events in CFI Logs Using Sequence Mining and Conditional Probability

Our OpenStack cloud is designed with a high-end configuration that follows the legacy networking architecture. We consider ourselves a bad investigator and perform suspicious activities in the CFI tool of the OpenStack cloud. On the cloud side, the CFI tool's activities are logged, so suspicious activities in the CFI log can be identified by CoPS and SeMS.

Figure 3. Frequent top-k sequences identified with SeMS

Figure 4. DAG of healthy causalities in the CFI log

V. RESULTS

SeMS

The events in the application logs are restricted. Every event is assigned a unique number, as described in Figure 2. With the help of the CFI, the investigator generates events, and each event is represented by a unique number. For illustration: in the pre-processed log, event 1 represents a request for a new case object; the investigator entering all the case details is represented as number 2; each CFI event is represented by one number in Figure 2. The separator -1 is used between two events. If the pre-processed CFI log is given as input to the sequence mining algorithm, then for one time instance the top-k frequent sequences are obtained as output, as shown in Figure 3. Running TKS over multiple instances produces the results from which the DAG is constructed. Algorithm 1 then takes the sequence of every user in the time window T as input and determines whether the input is suspicious or not. Figure 5 shows this whole process. The user threshold is taken as 25 percent here.

CoPS

With the help of the trie data structure, we represent the sequences in the specified time window T. We then iterate over the trie with every new application sequence in T, updating each node count for the purpose of prefix matching.

Figure 5. SeMS detected Suspicious sequences

Figure 6. CoPS detected Suspicious sequences

The probability of occurrence of an event is represented as P. Using Algorithm 2, we calculate it for the sequences, and we treat an event as suspicious when its probability of occurrence is less than the pre-specified value. The suspicious events detected by CoPS for the process shown in Figure 2 are presented in Figure 6. Table 1 presents the SeMS and CoPS comparison. In summary, the execution time of SeMS is greater than that of CoPS, whereas the memory consumption of CoPS is greater than that of SeMS. Figures 5 and 6 present the suspicious events when the same events of the CFI log are given as inputs to SeMS and CoPS. The sequence of suspicious events identified is as follows:

Seq: {1} -1 {2} -1 {3} -1 {5} -1 {6} -1 {7} -1 {8} -1 {9} -1 {13} -1 {4}

Item 1 represents the creation of a new case object by the investigator; item 2 is the investigator entering all the details; item 3 specifies the basic enumeration of the target VM; item 5 is the acquisition of the target VM's disk; item 6 is a modification of the nova API log in /var/log/ on the compute node; item 7 is a modification of keystone in /var/log on the compute node; item 8 is the acquisition of a non-targeted VM's vdisk; item 9 is the advanced enumeration of a non-targeted VM; item 13 is a modification of the host OS logs; and item 4 is the application exiting without close. The above are the descriptions of the messages presented as events in the CFI log; they vary depending on the application.

SeMS and CoPS Correctness

SeMS and CoPS both generated the suspicious activities. By manual inspection, we cannot identify the suspicious activities. With a limited number of events and proper modulation, high accuracy can be achieved.

The CSP can be alerted by SeMS and CoPS if the investigator performs any suspicious activity.

The FaaSeC model has various advantages; some of them are given below.


Bilateral Cloud-FaaSeC System

This is the best solution where a third party cannot be used. Here the CSC and CSP operate independently, but the outputs they provide are the same in the end. Through a bilateral agreement between the two component services, we obtain a trusted result. This involves two basic problems. The first is how to make the CSCs and CSP gather the information that gives a trusted outcome based on the forensic investigation agreement. The second is how to make the CSCs and CSPs the resolvers of conflicts in the forensic investigation.

Forensic data collection

In the CFaaS system, the FDM component for forensic data collection is named the Forensic Data Collector (FDC). It performs the acquisition of digital evidence, after which the data is sent to the cloud. The remaining data from the client is collected by the Cloud Service Consumers (CSC) using the CFaaS interface; the CSCs can also analyze the data and add comments at the CFaaS service interface. The CFaaS system interface is accessed by the CSPs; it is exposed to the CSCs, together with the resource interface, and can also retrieve data with the help of CFaaS. The remaining data present on the CSCs should be gathered by the CSPs; for this, the FDC is added to the CSPs. This FDC saves the data on the client's machine.

Figure 7. Cloud storage forensics services

Here, we have to provide tamper-resistance protection for the FDC.

Figure 8. Bilateral agreement

Agreement of the trusted forensics output

Even though the same operations are performed, the same algorithms are not used in the CFaaS system, so a problem arises: divergence may occur. For this we use comparison and the CCRA, a supporting protocol. It supports the following:

1. The individual outcomes are compared to identify divergences.

2. For illustration: |Output_p − Output_c| ≤ d, where p is the provider, c is the consumer and d is the agreed divergence.

3. Automated conflict detection.

4. If the divergence is more than d, the consumer and provider execute the negotiation protocol to agree on a single output.

5. If the negotiation protocol fails in detecting the conflict, an offline process, known as LEA, handles conflict detection.

6. A trusted, non-repudiable output should be produced for the LEA.

The last property is mandatory when the client or

provider delay CCRP execution. Now they obey the

delayed agreement otherwise provide LEA. For helping

the LEA correlation & divergence visualization, CSCs &

CSPs identifies the trusted outputs.
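The comparison, negotiation and escalation steps listed above, as an added example that is not the paper's code. It assumes each party commits to its output before seeing the other's, that an HMAC with a per-party key stands in for the digital signature a deployment would use, and that negotiation proposes the midpoint with a per-party tolerance; keys, outputs and nonces are constructed values.

```python
# Added example (not the paper's code): a simulation of the CCRP steps
# listed above. Each side commits to its forensic output before seeing the
# other's, the outputs are compared against the agreed divergence d, a
# single negotiation round is tried, and an unresolved conflict is packaged
# as a non-repudiable record for the LEA's offline review.
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _payload(party: str, output: float, nonce: str) -> bytes:
    return json.dumps({"party": party, "output": output, "nonce": nonce},
                      sort_keys=True).encode()


def commit(party: str, key: bytes, output: float, nonce: Optional[str] = None) -> dict:
    """Publish a commitment to `output` plus an authentication tag over it.
    HMAC with a per-party key stands in for a digital signature here (an
    assumption of this example); a deployment would use an asymmetric
    signature so the LEA can verify without holding the signing key."""
    nonce = nonce or secrets.token_hex(16)
    commitment = hashlib.sha256(_payload(party, output, nonce)).hexdigest()
    tag = hmac.new(key, commitment.encode(), hashlib.sha256).hexdigest()
    return {"party": party, "output": output, "nonce": nonce,
            "commitment": commitment, "tag": tag}


def verify_record(rec: dict, key: bytes) -> bool:
    """Check that the revealed output matches the commitment and the tag."""
    commitment = hashlib.sha256(_payload(rec["party"], rec["output"], rec["nonce"])).hexdigest()
    expected_tag = hmac.new(key, commitment.encode(), hashlib.sha256).hexdigest()
    return commitment == rec["commitment"] and hmac.compare_digest(expected_tag, rec["tag"])


def run_ccrp(p_rec: dict, c_rec: dict, d: float, p_tol: float, c_tol: float) -> dict:
    """Steps 1-6 of the protocol on the provider (p) and consumer (c) records.
    p_tol / c_tol are how far each side will move during negotiation (assumed)."""
    p, c = p_rec["output"], c_rec["output"]
    divergence = abs(p - c)
    # steps 1-3: compare; |p - c| <= d is accepted automatically
    if divergence <= d:
        return {"status": "agreed", "divergence": divergence, "agreed": (p, c)}
    # step 4: negotiation; the midpoint is proposed (a simple choice for the example)
    candidate = (p + c) / 2
    if abs(candidate - p) <= p_tol and abs(candidate - c) <= c_tol:
        return {"status": "negotiated", "divergence": divergence, "agreed": candidate}
    # steps 5-6: hand both committed, tagged outputs to the LEA for offline resolution
    return {"status": "escalated", "divergence": divergence,
            "lea_record": {"provider": p_rec, "consumer": c_rec, "d": d}}


def lea_review(lea_record: dict, keys: dict) -> dict:
    """Offline check by the LEA: neither party can repudiate or alter its
    output because it was committed and tagged before the comparison."""
    prov, cons = lea_record["provider"], lea_record["consumer"]
    ok = verify_record(prov, keys[prov["party"]]) and verify_record(cons, keys[cons["party"]])
    gap = abs(prov["output"] - cons["output"]) if ok else None
    return {"verified": ok, "divergence": gap,
            "exceeds_d": (gap > lea_record["d"]) if ok else None}


def demo() -> dict:
    # Constructed keys and outputs; the outputs stand for e.g. the number of
    # events each side reconstructed for the same time window.
    keys = {"provider": b"provider-key-demo", "consumer": b"consumer-key-demo"}
    p = commit("provider", keys["provider"], 120, nonce="a" * 32)
    within = commit("consumer", keys["consumer"], 118, nonce="b" * 32)
    apart = commit("consumer", keys["consumer"], 112, nonce="c" * 32)
    out = {
        "agreed": run_ccrp(p, within, d=5, p_tol=4, c_tol=4)["status"],
        "negotiated": run_ccrp(p, apart, d=5, p_tol=4, c_tol=4)["status"],
    }
    escalated = run_ccrp(p, apart, d=5, p_tol=3, c_tol=3)
    out["escalated"] = escalated["status"]
    out["lea_ok"] = lea_review(escalated["lea_record"], keys)["verified"]
    # a party that changes its output after the fact is caught by the LEA
    altered = dict(apart, output=119)
    out["lea_altered"] = lea_review({"provider": p, "consumer": altered, "d": 5}, keys)["verified"]
    return out
```

The commit-before-reveal step is what gives property 6 its teeth: once a side has published its commitment, it cannot tune its output after seeing the other side's, and a delayed or altered reveal is visible to the LEA as a commitment mismatch.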

Figure 9. Bilateral CFaaS View

Here, the bilateral cloud forensics can be completed with the services of the components and the execution of the CCRP. The data collection by the CSCs and CSPs is shown in the figure below.


Figure 10. Model of the Bilateral CFaaS

FDM - Forensic Data Manager, FAM - Forensic Application Manager, FWM - Forensic Workflow Manager. The root of trust can be established by executing the CCRP, which yields a trusted output. The output obtained here is bilateral: the forensic analysis can be verified by the CSCs, and the bilateral CFaaS system is orthogonal to this verification. When the dispute cannot be resolved by negotiation, the LEA helps the two parties correlate the matching outputs to settle the dispute. In this way, the non-repudiation of the FDC and FDP outputs presented to the LEA resolves the dispute.

VI. CONCLUSION

As the customers of cloud providers increase, potential digital evidence resides on premises where the forensic data can be produced by the provider unilaterally. To adapt and develop a cloud forensics process, we need cloud forensics that helps investigators gather and analyse data on both sides, so that the data can be verified exactly. Bilateral cloud forensics as a service (CFaaS) succeeds on the basis of two factors: data collection, comparison and dispute resolution are done in a quality manner, and with mutual agreement. In some situations the provider does not need to gather the data directly, which is why proper forensic analysis techniques are needed. The procedures of the CCRP are also helpful in the service level agreement.
