
On Producing Events Timeline for Memory Forensics: An Experimental Study


Ethar Qawasmeh∗ , Mohammed I. Al-Saleh∗†
2020 Seventh International Conference on Information Technology Trends (ITT) | 978-1-7281-8379-4/20/$31.00 ©2020 IEEE | DOI: 10.1109/ITT51279.2020.9396748

∗ Jordan University of Science and Technology, Irbid, Jordan
† Higher Colleges of Technology, Computer Information System, United Arab Emirates
eaqawasmeh16@cit.just.edu.jo, misaleh@just.edu.jo

Abstract—Cybercrimes have risen dramatically in recent years as a result of the widespread use of digital devices. Digital forensic science was founded to address cybercrime. It follows a standard procedure to extract digital evidence and finally get it admitted in courtrooms. Fortunately, many artifacts can be extracted from such devices to convict cybercriminals and inhibit their actions. Identifying what a criminal had been doing during a certain time frame can be very informative to the investigative process, and identifying the timestamped events and putting them in a timeline helps achieve the investigative purposes. In this paper, we extract various events from system memory and present them in chronological order for use by investigators. We design and investigate several scenarios and show that user activities that happen during a specific time frame can be correlated and summarized in a useful timeline.
Index Terms—Memory Forensics, Event Extraction, Timeline, Digital Evidence

I. INTRODUCTION

Cybercriminals accomplish their goals by attacking digital devices and performing illegal activities: for example, they steal users' information, execute malicious programs or damage systems. Digital Forensic (DF) science was founded to investigate these kinds of attacks. DF extracts digital evidence from digital devices in order to convict criminals in courtrooms [1]. Once a cybercrime is identified, DF can be utilized in many ways; for example, it can be used in assigning the evidence, specifying the intent, and interrogating suspects [2].

DF seeks to extract digital evidence from various digital storage sources such as hard drives, memory (RAM), and network devices. Memory Forensics (MF) plays a crucial role in digital forensic investigations. Its value comes from the volatile data that can only be extracted from memory: MF has the distinctive characteristic that some pieces of information can be found only in memory. For example, inspecting a running process in memory may yield data that is never written to secondary storage. Indeed, some cybercrime attacks are performed by exploiting memory-only information [3–5]. Furthermore, the application's source code and its object-oriented programming structure can be utilized to explore the program's state and its execution behavior [6, 7]. The investigation in these cases has to be carried out at the memory level. Moreover, MF can be utilized in incident response, malware analysis and reverse engineering procedures [8]. It is also valuable for extracting information such as files, processes, registry keys and hives, passwords and network data.

Extracting events from memory can be used to track file system artifacts. It is a substantial step for examiners to recognize when a certain behavior has occurred. In addition, correlating events is important to obtain a better picture of what has happened. Timestamps can be extracted from file systems and log files.

Constructing an event timeline provides a general overview of what events have occurred before, during, and after a specific incident [9]. Although timeline construction is part of event reconstruction, the events of interest can be viewed in chronological order in a forensic timeline. Investigators always need to keep track of these events of interest. Existing methods include manual search or looking for a high occurrence of a specific keyword [10, 11]. The automation of generating a forensic timeline has been partially achieved by several methods [12, 13]. In this paper, we shed light on the importance of creating a timeline for events extracted from memory.

This paper is organized as follows. Related work is covered in Section II, followed by Section III, which presents an overview of event reconstruction in memory forensics. Our investigation framework is presented in Section IV. This is followed by Section V, which explains our experimental setup. Our results are shown in Section VI, followed by the conclusion.

II. RELATED WORK

Although digital forensics is a standalone science, it has some overlap with other computing domains such as computer security and data recovery. Recently, a trend towards live memory forensics, which involves investigating a computer's volatile memory (RAM), has grown, resulting in newly developed tools. Al-Saleh [14] studied the impact of antivirus software on the digital evidence that can be found in RAM. In those experiments, three popular antivirus products (Sophos, Symantec, and Kaspersky) were tested against a case with no antivirus installed. The results showed that the antivirus had a noticeable effect on the data that can be extracted from RAM artifacts. The data lifetime of TCP buffers has also been utilized for digital forensic purposes [15].

The acquisition of memory samples and information extraction is essential in the field of memory forensics. Memory information can be analyzed to extract digital evidence in

Authorized licensed use limited to: Carleton University. Downloaded on May 30,2021 at 12:46:12 UTC from IEEE Xplore. Restrictions apply.
forensic investigations [16–18]. Moreover, Al-Saleh and Al-Shamaileh [19] collected digital evidence on deleted user accounts. Their study showed that different clues about a deleted account could be recovered from various artifact sources such as Windows Event Logs, Registry hives, RAM, the pagefile, and the hard drive. In [20], the authors used memory forensic approaches to study the detection of network reconnaissance. Regarding memory forensics at the application level, the authors in [21] proposed a solution to investigate any application by utilizing debugging information and the application's data structures. Several studies have considered application-level data to extract useful evidence from memory [22–25].

Typically, event reconstruction utilizes timestamps to generate a timeline of events. Work on the forensic timeline has recently attracted attention, and much research has been conducted to automate building a timeline. In [26], the authors employed an artificial neural network-based approach that uses file system activities to reconstruct the post-event timeline. They inspected the footprint that an application leaves on disk to build their approach for classifying application programs, and developed a neural network on input parameters derived from the disk image to detect application activity accurately. The electronic footprints they used were log files, file system activities, free blocks and slack space, and registry records. A method for reconstructing high-level events from various devices was proposed in [27]. Their technique demonstrated the process of automatically generating high-level timelines; the produced low-level timelines remain useful for locating the source of evidence. They provided various examples that use timelines, including Skype calls, USB stick connections, and access to files on a memory card. Multiple disk images were captured to examine their results.

A formalized knowledge representation model named SADFC for digital forensics timeline analysis is presented in [28]. Their approach aimed to reconstruct scenarios from suspect data and analyze them by utilizing experts' knowledge and semantic tools. After that, a timeline reconstruction and formal incident modeling are generated to guarantee the veracity of the investigation process. Furthermore, in terms of the digital forensics of mobile phones, the examination and analysis of events has been proposed in [29]. The authors utilized timestamps of events that took place during phone usage as digital evidence to draw their findings in mobile phone investigation. Also, a proposed forensic technique was able to automatically generate a timeline of user activities on an Android device across all applications [30]. The effective employment of recent machine learning and sentiment analysis technologies in the context of the forensic timeline of events has been discussed in [31, 32].

III. EVENTS RECONSTRUCTION FROM MEMORY

A. Overview

Memory artifacts of file systems can always be recovered, as users and systems heavily utilize file systems and thus traces can be found in memory. Microsoft Windows caches some data for performance purposes. Some of these artifacts disappear quickly, while others last longer. Many disk artifacts can be extracted. Extracting events from memory is also useful since the time spent acquiring and analyzing memory is much less than for disk, due to the major difference in their image sizes. Various types of artifacts can be extracted from memory dumps. The Master File Table (MFT), processes, DLLs, threads, sockets, and registry keys are valuable artifact sources for the forensic timeline of events. Typically, investigators leverage these artifacts to create a timeline in order to analyze data based on the temporal correlation between many digital artifacts in memory. This process helps examiners reach a complete understanding of the cybercrime, so that they can deduce what happened before, during, and after certain events.

B. Volatility

Volatility is considered one of the most popular open-source memory forensic frameworks [33]. It has useful functions and various plugins that allow analysts to extract digital artifacts from memory. Two Volatility plugins can be used to extract timestamped artifacts: timeliner and mftparser.
• timeliner: this plugin extracts most of the timestamped artifacts; registry keys require an additional command line option 1.
• mftparser: this plugin extracts Master File Table (MFT) entries. The MFT is a special file found at the root of the NTFS file system. The plugin's output currently supports the FILE_NAME, STANDARD_INFORMATION, and DATA attributes of MFT entries.

1 http://gleeda.blogspot.com/2011/09/volatility-20

IV. INVESTIGATION FRAMEWORK

Fig. 1: Investigation Framework

Our investigation framework is shown in Figure 1. In the first phase, preparation, a set of user activities, such as creating files and browsing the web, are performed. Then, a memory capture is taken in the imaging phase. In the examining phase, we use the Volatility plugins timeliner and mftparser to extract the corresponding events along with their

timestamps from the memory capture. As a result, a timeline
is presented in the reporting phase.
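The examining and reporting phases above depend on the body-format output of timeliner and mftparser being merged into one chronological list, which the results section does with Sleuthkit's mactime. The following Python script is an added example (not code from the paper or from Volatility) that performs that step directly: it parses Sleuthkit 3.x body lines, the format that `--output=body` produces for both plugins, turns every non-zero timestamp into a row flagged with mactime's m/a/c/b letters, merges timestamps that coincide into a single row, and optionally keeps only names containing a filter string (for instance `[PROCESS]`, which is the process-only view that Figure 2 shows). The sample lines are constructed to resemble the plugins' output; the process names, PIDs, offsets, paths and epoch times are made up.

```python
"""Sort Volatility body-format output chronologically, the way Sleuthkit's
mactime does. Added example, not code from the paper or from Volatility."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in Sleuthkit 3.x body format, the format that
# `vol.py timeliner --output=body` and `vol.py mftparser --output=body` emit:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Names, PIDs, offsets, paths and epoch times are made up for illustration.
SAMPLE_BODY = """\
0|[PROCESS] explorer.exe PID: 1404/PPID: 1376/POffset: 0x3e1c8030|0|---------------|0|0|0|0|1595535000|1595535000|1595535000
0|[PROCESS] WINWORD.EXE PID: 2320/PPID: 1404/POffset: 0x3e6a2d40|0|---------------|0|0|0|0|1595535100|1595535100|1595535100
0|[MFT FILE_NAME] Users\\user\\Documents\\report.docx (Offset: 0x6a4c000)|0|---------------|0|0|11952|1595535200|1595535200|1595535200|1595535150
0|[MFT STD_INFO] Users\\user\\Documents\\report.docx (Offset: 0x6a4c000)|0|---------------|0|0|11952|1595535210|1595535200|1595535210|1595535150
"""

MACB = "macb"  # mactime's column order: modified, accessed, changed (MFT), born


def parse_body_line(line):
    """Split one body line into (name, size, {flag: epoch_seconds})."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
    return fields[1], int(fields[6]), {"m": mtime, "a": atime, "c": ctime, "b": crtime}


def build_timeline(body_text, name_filter=None):
    """Return [(datetime, macb_flags, size, name)] sorted by time, then name."""
    events = []
    for line in body_text.splitlines():
        if not line.strip():
            continue
        name, size, times = parse_body_line(line)
        if name_filter is not None and name_filter not in name:
            continue
        # Group the four timestamps so that one instant gives one row carrying
        # every flag that applies, which is how mactime prints it.
        by_time = defaultdict(set)
        for flag, ts in times.items():
            if ts > 0:  # a zero timestamp means "unknown"; mactime skips it
                by_time[ts].add(flag)
        for ts, flags in by_time.items():
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            macb = "".join(f if f in flags else "." for f in MACB)
            events.append((when, macb, size, name))
    events.sort(key=lambda e: (e[0], e[3]))
    return events


def render(events):
    """Format rows like mactime: time, macb flags, size, name."""
    return "\n".join(f"{when:%Y-%m-%d %H:%M:%S} {macb} {size:>8} {name}"
                     for when, macb, size, name in events)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_BODY)))
    print("--- processes only ---")
    print(render(build_timeline(SAMPLE_BODY, name_filter="[PROCESS]")))
```

Two rows for the same file at the same instant (a FILE_NAME entry and a STANDARD_INFORMATION entry, as in the sample) come out adjacent, which is how a copy or delete in Scenario 4 becomes visible as a cluster of MFT changes; the zero-timestamp rule matters because timeliner leaves fields it cannot fill at 0, and treating those as 1970-01-01 would push bogus rows to the top of the timeline.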

V. EXPERIMENTAL SETUP

In our experiments we use an Oracle VirtualBox virtual machine (VM) for memory acquisition 2. The VM runs Windows 7 with 1 GB of RAM. We performed four different scenarios, following the investigation framework explained in the previous section:
Scenario 1: Run MS Word, create a new file, write to it, then save it.
Scenario 2: Run Internet Explorer and open several websites.
Scenario 3: Open several images using the Windows Photo Viewer application.
Scenario 4: Run MS Word, create a new file, write to it, save it, close MS Word, copy the file to another location, and delete the original copy.

A memory image is captured while the VM is running a specific scenario.

2 https://www.virtualbox.org/

VI. RESULTS

We run Volatility with the timeliner and mftparser plugins. Sleuthkit's mactime utility 3 reads the plugins' body-format output and sorts the entries in chronological order. The timeliner output includes process creation and exit times, DLL load times, and registry keys. For a simple presentation of the timeliner output, we focus only on process-related entries. Figure 2 shows the timestamps of the targeted processes for the tested scenarios, respectively. winword.exe is the process name of the Microsoft Word application, iexplore.exe is Internet Explorer, and ois.exe is Microsoft Office Picture Manager.

Fig. 2: Timeliner plugin output using the process filter type

Figure 3 shows the results of the mftparser plugin. Figures 3a and 3c indicate that the tested files were not only present on the system, but that the user interacted with them (indicated by LNK files).

Furthermore, Figure 3b shows that the XML files for the opened websites were found in the mftparser output along with their timestamps. MFT entries are altered upon file system changes. Figure 3d shows that when a file is copied to another location, a new MFT entry is created. Also, when the original file is deleted, the old MFT entry is removed. Although the deleted file has no direct MFT entry, we can find Recycle Bin information in the verbose mode of the mftparser output even if the Recycle Bin has been emptied. As shown in Figure 4, the $IAV69B3.docx file was created in the Recycle Bin at the time the file was deleted. In addition, the MFT-resident data holds the original full path to the document as well as the file size 0x2eb0 and the embedded timestamp "\xa0 \x42 \xf4 \x5b \x2f \x61 \xd6 \x01".

Fig. 3: Results of the mftparser plugin for all scenarios: (a) Scenario 1, (b) Scenario 2, (c) Scenario 3, (d) Scenario 4

Fig. 4: Searching for a deleted file using the mftparser plugin.

3 http://www.sleuthkit.org/sleuthkit/man/mactime.html

VII. CONCLUSION

Current forensic research focuses on system-generated events for building a useful timeline of events. Because memory holds various file system artifacts, event extraction is a valuable process for building a timeline that re-depicts the cybercriminals' activities. This paper tested several scenarios that cover common user activities. Our results encourage further work on utilizing the chronological order of system-generated events to achieve effective investigation.

REFERENCES

[1] M. Reith, C. Carr, and G. Gunsch, "An examination of digital forensic models," International Journal of Digital Evidence, vol. 1, no. 3, pp. 1–12, 2002.
[2] E. Casey, Handbook of Digital Forensics and Investigation. Academic Press, 2009.
[3] M. Al-Saleh and Z. Al-Sharif, "RAM forensics against cyber crimes involving files," in The Second International Conference on Cyber Security, Cyber Peacefare and Digital Forensic (CyberSec2013), 2013, pp. 189–197.
[4] Z. Al-Sharif, D. Odeh, and M. Al-Saleh, "Towards carving PDF files in the main memory," in The International Technology Management Conference (ITMC2015), 2015, pp. 24–31.
[5] Z. A. Al-Sharif, M. I. Al-Saleh, Y. Jararweh, L. Alawneh, and A. S. Shatnawi, "The effects of platforms and languages on the memory footprint of the executable program: A memory forensic approach," Journal of Universal Computer Science, vol. 25, no. 9, pp. 1174–1198, Sep. 2019.
[6] Z. A. Al-Sharif, M. I. Al-Saleh, and L. Alawneh, "Towards the memory forensics of OOP execution behavior," in 2017 8th International Conference on Information, Intelligence, Systems & Applications (IISA). IEEE, 2017, pp. 1–6.
[7] Z. A. Al-Sharif, M. I. Al-Saleh, L. M. Alawneh, Y. I. Jararweh, and B. Gupta, "Live forensics of software attacks on cyber–physical systems," Future Generation Computer Systems, 2018.
[8] A. Schuster, "Searching for processes and threads in Microsoft Windows memory dumps," Digital Investigation, vol. 3, pp. 10–16, 2006.
[9] Y. Chabot, A. Bertaux, C. Nicolle, and M.-T. Kechadi, "A complete formalized knowledge representation model for advanced digital forensics timeline analysis," Digital Investigation, vol. 11, pp. S95–S105, 2014.
[10] K. Guðjónsson, "Mastering the super timeline with log2timeline," SANS Institute, 2010.
[11] M. Debinski, F. Breitinger, and P. Mohan, "Timeline2GUI: A log2timeline CSV parser and training scenarios," Digital Investigation, vol. 28, pp. 34–43, 2019.
[12] C. Hargreaves and J. Patterson, "An automated timeline reconstruction approach for digital forensic investigations," Digital Investigation, vol. 9, pp. S69–S79, 2012.
[13] Y. Chabot, A. Bertaux, C. Nicolle, and T. Kechadi, "Automatic timeline construction and analysis for computer forensics purposes," in 2014 IEEE Joint Intelligence and Security Informatics Conference. IEEE, 2014, pp. 276–279.
[14] M. I. Al-Saleh, "The impact of the antivirus on the digital evidence," IJESDF, vol. 5, no. 3/4, pp. 229–240, 2013.
[15] M. I. Al-Saleh and Z. A. Al-Sharif, "Utilizing data lifetime of TCP buffers in digital forensics: Empirical study," Digital Investigation, vol. 9, no. 2, pp. 119–124, 2012.
[16] H. Inoue, F. Adelstein, and R. A. Joyce, "Visualization in testing a volatile memory forensic tool," Digital Investigation, vol. 8, Supplement, pp. S42–S51, 2011. [Online]. Available: http://linkinghub.elsevier.com/retrieve/pii/S1742287611000302
[17] A. Schuster, "The impact of Microsoft Windows pool allocation strategies on memory forensics," Digital Investigation, vol. 5, Supplement, pp. S58–S64, 2008, the Proceedings of the Eighth Annual DFRWS Conference. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1742287608000339
[18] A. Walters and N. L. Petroni, "Volatools: Integrating volatile memory forensics into the digital investigation process," Digital Investigation, pp. 1–18, 2007. [Online]. Available: http://scholar.google.co.uk/scholar?q=volatools&hl=en&btnG=Search&as_sdt=2001&as_sdtp=on#0
[19] M. I. Al-Saleh and M. J. Al-Shamaileh, "Forensic artefacts associated with intentionally deleted user accounts," IJESDF, vol. 9, no. 2, pp. 167–179, 2017.
[20] M. I. Al-Saleh, Z. A. Al-Sharif, and L. Alawneh, "Network reconnaissance investigation: A memory forensics approach," in 2019 10th International Conference on Information and Communication Systems (ICICS). IEEE, 2019, pp. 36–40.
[21] E. Qawasmeh, M. I. Al-Saleh, and Z. A. Al-Sharif, "Towards a generic approach for memory forensics," in 2019 Sixth HCT Information Technology Trends (ITT). IEEE, 2019, pp. 094–098.
[22] D. J. Ohana and N. Shashidhar, "Do private and portable web browsers leave incriminating evidence?: A forensic analysis of residual artifacts from private and portable web browsing sessions," EURASIP Journal on Information Security, vol. 2013, no. 1, p. 6, 2013.
[23] A. Al-Khaleel, D. Bani-Salameh, and M. I. Al-Saleh, "On the memory artifacts of the Tor Browser Bundle," in The International Conference on Computing Technology and Information Management (ICCTIM). Society of Digital Information and Wireless Communication, 2014, p. 41.
[24] Z. A. Al-Sharif, M. I. Al-Saleh, and L. Alawneh, "Towards the memory forensics of OOP execution behavior," in 2017 8th International Conference on Information, Intelligence, Systems & Applications (IISA). IEEE, 2017, pp. 1–6.
[25] Z. A. Al-Sharif, M. I. Al-Saleh, L. M. Alawneh, Y. I. Jararweh, and B. Gupta, "Live forensics of software attacks on cyber–physical systems," Future Generation Computer Systems, 2018.
[26] M. Khan, C. R. Chatwin, and R. C. Young, "A framework for post-event timeline reconstruction using neural networks," Digital Investigation, vol. 4, no. 3-4, pp. 146–157, 2007.
[27] J. Patterson and C. Hargreaves, "The potential for cross-drive analysis using automated digital forensic timelines," in Proceedings of the 6th International Conference on Cybercrime Forensics Education and Training, 2012.
[28] Y. Chabot, A. Bertaux, C. Nicolle, and M.-T. Kechadi, "A complete formalized knowledge representation model for advanced digital forensics timeline analysis," Digital Investigation, vol. 11, pp. S95–S105, 2014.
[29] S. Dogan and E. Akbal, "Analysis of mobile phones in digital forensics," in 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). IEEE, 2017, pp. 1241–1244.
[30] R. Bhatia, B. Saltaformaggio, S. J. Yang, A. I. Ali-Gombe, X. Zhang, D. Xu, and G. G. Richard III, "Tipped off by your memory allocator: Device-wide user activity sequencing from Android memory images," in NDSS, 2018.
[31] R. M. A. Mohammad and M. Alqahtani, "A comparison of machine learning techniques for file system forensics analysis," Journal of Information Security and Applications, vol. 46, pp. 53–61, 2019.
[32] H. Studiawan, F. Sohel, and C. Payne, "Sentiment analysis in a forensic timeline with deep learning," IEEE Access, vol. 8, pp. 60664–60675, 2020.
[33] A. Walters, "The Volatility framework: Volatile memory artifact extraction utility framework," 2007.
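The Recycle Bin record that Section VI recovers from MFT-resident data (Figure 4) is a Windows 7 $I file: an 8-byte version field (1 on Windows 7), the original file size, the deletion time as a 64-bit FILETIME, and the original path as 520 bytes of UTF-16LE, 544 bytes in all, which is why it fits inside the MFT record. The script below is an added example, not code from the paper, that decodes such a record. Its constructed test input uses the size 0x2eb0 and the timestamp bytes \xa0\x42\xf4\x5b\x2f\x61\xd6\x01 that Section VI reports, which decode to 11952 bytes and 2020-07-23 20:25:08 UTC; the original path is an assumption, since the paper does not print it, and `build_sample_record` exists only to assemble that test input.

```python
"""Decode a Windows 7 Recycle Bin $I record of the kind found as MFT-resident
data in Section VI. Added example, not code from the paper."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7 ($I version 1) layout: 8-byte version, 8-byte original file size,
# 8-byte FILETIME deletion time, then a 520-byte UTF-16LE path (260 chars).
HEADER = struct.Struct("<QQQ")
PATH_BYTES = 520
RECORD_SIZE = HEADER.size + PATH_BYTES  # 544 bytes, small enough to stay resident


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_recycle_bin_record(data):
    """Return the deleted file's size, deletion time and original path."""
    if len(data) < RECORD_SIZE:
        raise ValueError(f"$I record too short: {len(data)} bytes")
    version, size, ft = HEADER.unpack_from(data, 0)
    if version != 1:
        # Windows 10 writes version 2 with a length-prefixed path; refuse it
        # rather than decode the wrong bytes as a path.
        raise ValueError(f"unsupported $I version {version} (Windows 7 uses 1)")
    raw_path = data[HEADER.size:RECORD_SIZE]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted_at": filetime_to_datetime(ft), "path": path}


def build_sample_record(path, size, filetime_bytes):
    """Assemble a constructed $I record for testing (not a parser function)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > PATH_BYTES - 2:
        raise ValueError("path does not fit the fixed 260-character field")
    header = HEADER.pack(1, size, int.from_bytes(filetime_bytes, "little"))
    return header + encoded.ljust(PATH_BYTES, b"\x00")


# Size and timestamp bytes are the values reported in Section VI; the path is
# an assumption because the paper does not print it.
SAMPLE_RECORD = build_sample_record(
    r"C:\Users\user\Documents\test.docx",
    0x2EB0,
    b"\xa0\x42\xf4\x5b\x2f\x61\xd6\x01",
)

if __name__ == "__main__":
    rec = parse_recycle_bin_record(SAMPLE_RECORD)
    print(f"{rec['deleted_at']:%Y-%m-%d %H:%M:%S} UTC  {rec['size']} bytes  {rec['path']}")
```

Given the resident $DATA bytes of a $I entry from the verbose mftparser output, the same function yields the deletion time as an event that belongs on the timeline even after the Recycle Bin has been emptied, which is exactly the gap left by the removed MFT entry of the original file.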

