SoK: Timeline based event reconstruction for digital forensics: Terminology, methodology, and current challenges

Event reconstruction is a technique that examiners can use to attempt to infer past activities by analyzing digital artifacts. Despite its significance, the field suffers from fragmented research, with studies often focusing narrowly on aspects like timeline creation or tampering detection. This paper addresses the lack of a unified perspective by proposing a comprehensive framework for timeline-based event reconstruction, adapted from traditional forensic science models. We begin by harmonizing existing terminology and presenting a cohesive diagram that clarifies the relationships between key elements of the reconstruction process. Through a comprehensive literature survey, we classify and organize the main challenges, extending the discussion beyond common issues like data volume. Lastly, we highlight recent advancements and propose directions for future research, including specific research gaps. By providing a structured approach, key findings, and a clearer understanding of the underlying challenges, this work aims to strengthen the foundation of digital forensics.
@article{breitinger2025_2504.18131,
  title={SoK: Timeline based event reconstruction for digital forensics: Terminology, methodology, and current challenges},
  author={Frank Breitinger and Hudan Studiawan and Chris Hargreaves},
  journal={arXiv preprint arXiv:2504.18131},
  year={2025}
}