Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


Attackers tend to use complex techniques, such as combining multi-step, multi-stage attacks with anti-forensic tools, to make it difficult to find incriminating evidence and reconstruct attack scenarios that can stand up to the expected level of evidence admissibility in a court of law. As a solution, we propose to integrate the legal aspects of evidence correlation into a Prolog-based reasoner to address the admissibility requirements by creating the most probable attack scenarios that satisfy admissibility standards for substantiating evidence. Using a prototype implementation, we show how evidence extracted by using forensic tools can be integrated with legal reasoning to reconstruct network attack scenarios. Our experiment shows that this implemented reasoner can provide a pre-estimate of admissibility for a digital crime against an attacked network.




