Forensic event reconstruction with process mining

Event reconstruction is a fundamental aspect of the investigative process in digital forensics. During this process, one systematically analyzes and organizes evidence to formulate a hypothesis regarding past events. The starting point is often the raw data from forensic timelines (e.g., a table including all parsed events), which may include millions of timeline entries. Various tools and techniques have been proposed to analyze these entries. However, the feasibility of applying process mining solutions remains unexplored. Process mining, with its ability to uncover patterns, deviations, and process flows from event data, can offer valuable insights into forensic event reconstruction. In this study, we explore the utilization of episode mining to generate case identifiers and provide event sequences, visualizations, and evaluation metrics from process models generated by process mining algorithms. As a result, we developed an open-source, web-based prototype application. Experiments and case studies conclude that the proposed method can reconstruct digital forensic events and provide intuitive results to forensic investigators.

Metadata
Author: Rida Adila, Hudan Studiawan, Frank Breitinger
URN: urn:nbn:de:bvb:384-opus4-1279158
Frontdoor URL: https://opus.bibliothek.uni-augsburg.de/opus4/127915
ISSN: 2169-3536
Parent Title (English): IEEE Access
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Place of publication: New York, NY
Type: Article
Language: English
Year of first Publication: 2026
Publishing Institution: Universität Augsburg
Release Date: 2026/02/04
Volume: 14
First Page: 18964
Last Page: 18985
DOI: https://doi.org/10.1109/access.2026.3660165
Institutes: Fakultät für Angewandte Informatik
Fakultät für Angewandte Informatik / Institut für Informatik
Fakultät für Angewandte Informatik / Institut für Informatik / Lehrstuhl für Cybersicherheit
Dewey Decimal Classification: 0 Computer science, information science, general works / 00 Computer science, knowledge, systems / 004 Data processing; computer science
Licence (German): CC-BY 4.0: Creative Commons: Attribution