{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,21]],"date-time":"2026-05-21T16:54:37Z","timestamp":1779382477925,"version":"3.53.1"},"reference-count":28,"publisher":"Association for Computing Machinery (ACM)","issue":"4","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2025,12,31]]},"abstract":"<jats:p>\n                    Due to the increasing number of cyber attacks, there is a growing need for incident responders who are able to reconstruct events and assess the actual damage caused by an incident using Digital Forensics (DF). For this reason, DF datasets are crucial for education, training and tool testing. Currently, such datasets are available either as statically prepared images via one of the publicly available dataset repositories. Alternatively, a dataset generation framework can be used to synthesise individually configurable datasets. In this article, we use the second approach and extend an established framework for our purposes. Our extension applies to both the target operating system and the framework traces induced by the data generation framework. More specifically, we take the existing data synthesis framework\n                    <jats:monospace>ForTrace<\/jats:monospace>\n                    as a baseline and integrate our concept of a Linux module that can perform (semi-)automatic attacks on Linux systems in order to create appropriate Indicators of Compromise (IoC) within the generated image. In doing so, we evaluate the suitability of Infrastructure as Code (IaC) for configuring vulnerable target systems and assess the effectiveness of our approach to avoiding undesirable artefacts caused by the data generation framework. To evaluate our framework extension, we generate synthetic datasets from two types of compromised systems as proof of concept using our new approach and then compare the actual traces generated with the expected traces based on the respective scenario.\n                  <\/jats:p>","DOI":"10.1145\/3748268","type":"journal-article","created":{"date-parts":[[2025,9,9]],"date-time":"2025-09-09T12:14:22Z","timestamp":1757420062000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["From IaC to IoC\u2014Using Infrastructure as Code (IaC) to Generate Synthetic Datasets of Compromised (IoC) Linux Systems for Use in Digital Forensics"],"prefix":"10.1145","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-5670-8150","authenticated-orcid":false,"given":"Thomas","family":"G\u00f6bel","sequence":"first","affiliation":[{"name":"Research Institute CODE, University of the Bundeswehr Munich, Neubiberg, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9254-6398","authenticated-orcid":false,"given":"Harald","family":"Baier","sequence":"additional","affiliation":[{"name":"Research Institute CODE, University of the Bundeswehr Munich, Neubiberg, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,12,13]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/BADGERS.2014.11"},{"key":"e_1_3_3_3_2","volume-title":"2015 AAAI Spring Symposium Series","author":"Baggili Ibrahim","year":"2015","unstructured":"Ibrahim Baggili and Frank Breitinger. 2015. Data sources for advancing cyber forensics: What the social world has to offer. In 2015 AAAI Spring Symposium Series."},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2023.301562"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3154059"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2021.301133"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2009.06.016"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3609863"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-56223-6_5"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2017.06.004"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.18420\/inf2024_25"},{"key":"e_1_3_3_12_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2025.301882"},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2022.301344"},{"key":"e_1_3_3_14_2","unstructured":"Ali Hadi and Mariam Khader. 2022. Performing Linux Forensic Analysis and Why You Should Care. Retrieved August 30 2025 from https:\/\/dfrws.org\/presentation\/performing-linux-forensic-analysis-and-why-you-should-care-2"},{"key":"e_1_3_3_15_2","unstructured":"Ali Hadi Mariam Khader Alayna Cash Tom Claflin and Leahy Center. 2023. Linux Forensic Cases. Retrieved August 30 2025 from https:\/\/www.ashemery.com\/dfir.html#LinuxForensics"},{"key":"e_1_3_3_16_2","unstructured":"Raphael Hiesgen Marcin Nawrocki Thomas C. Schmidt and Matthias W\u00e4hlisch. 2022. The race to the vulnerable: Measuring the Log4j shell incident. arXiv:2205.02544. Retrieved from https:\/\/arxiv.org\/abs\/2205.02544"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1111\/1556-4029.15524"},{"key":"e_1_3_3_18_2","first-page":"80","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","author":"Hutchins Eric M.","year":"2011","unstructured":"Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin. 2011. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In Leading Issues in Information Warfare and Security Research, 80\u2013106. Retrieved from https:\/\/books.google.de\/books?hl=de&lr=&id=oukNfumrXpcC&oi=fnd&pg=PA80&dq=Intelligence-driven+computer+network+defense+informed+by+analysis+of+adversary+campaigns+and+intrusion+kill+chains.&ots=fdJX7shYY9&sig=69zQLGcxND0saKI7H2_y9Th6_S8&redir_esc=y#v=onepage&q=Intelligence-driven%20computer%20network%20defense%20informed%20by%20analysis%20of%20adversary%20campaigns%20and%20intrusion%20kill%20chains.&f=false","journal-title":"Leading Issues in Information Warfare and Security Research"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1111\/1556-4029.12809"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.forsciint.2023.111769"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/IMF.2009.8"},{"key":"e_1_3_3_22_2","doi-asserted-by":"crossref","first-page":"238","DOI":"10.1007\/978-3-642-35515-8_20","volume-title":"Digital Forensics and Cyber Crime","author":"Moch Christian","year":"2012","unstructured":"Christian Moch and Felix C. Freiling. 2012. Evaluating the forensic image generator generator. In Digital Forensics and Cyber Crime. Pavel Gladyshev and Marcus K. Rogers (Eds.), Springer, Berlin, 238\u2013252."},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICGS3.2019.8688020"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2022.301480"},{"key":"e_1_3_3_25_2","unstructured":"Orange Cyberdefense SA. 2022. Security navigator 2022\u2014Research-driven insights to build a safer digital society. (2022) 10\u201311. Retrieved from https:\/\/www.orangecyberdefense.com\/za\/insights\/white-papers\/security-navigator-2022"},{"key":"e_1_3_3_26_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2017.01.010"},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-019-0043-x"},{"key":"e_1_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20125-2_14"},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2023.301690"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3748268","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,13]],"date-time":"2025-12-13T11:59:19Z","timestamp":1765627159000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3748268"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,13]]},"references-count":28,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,12,31]]}},"alternative-id":["10.1145\/3748268"],"URL":"https:\/\/doi.org\/10.1145\/3748268","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,12,13]]},"assertion":[{"value":"2025-05-12","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-07-07","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}