On Producing Events Timeline for Memory Forensics: An Experimental Study

Cybercrimes have risen dramatically recently as a result of the widespread usage of the various digital devices. Digital forensic science has been founded to address cybercrimes aspects. It follows a standard procedure to extract digital evidence and finally get it admitted to courtrooms. Fortunately, many artifacts can be extracted from such devices in convicting cybercriminals and inhibiting their actions. Identifying what a criminal had been doing during a certain time frame can be very informative to the investigative process. Identifying the timestamped events and putting them in a timeline helps achieving the investigative purposes. In this paper, we intend to extract various events out of the system memory and present them in chronological order to be utilized by the investigators. We design and investigate several scenarios and show that user activities that happen during a specific time frame can be correlated and summarized in a useful timeline.