Constructing an events and causal factors chart can assist investigators in conducting an in-depth investigation and identifying the root causes of incidents. We regard kernel traces as one of the potential evidence sources for forensic readiness, and propose a systematic approach to construct an events and causal factors chart from kernel traces by employing layers of abstraction. Through employing graphical elements to represent kernel traces and applying clustering techniques to reduce the trace volume, the proposed approach can alleviate the complexity and quantity problems in kernel traces. Moreover, the proposed approach is helpful in improving the readability and understand-ability of kernel traces, facilitating effective communication of the investigation findings, and providing flexibility in depth of investigation.
展开▼
