3 research outputs found
Deduplicated Disk Image Evidence Acquisition and Forensically-Sound Reconstruction
The 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communication (TrustCom), New York, United States of America, 1-3 August 2018
The ever-growing backlog of digital evidence waiting for analysis has become a significant issue for law enforcement agencies throughout the world. This is due to an increase in the number of cases requiring digital forensic analysis coupled with the increasing volume of data to process per case. This has created a demand for a paradigm shift in the method by which evidence is acquired, stored, and analyzed. The ultimate goal of the research presented in this paper is to revolutionize the current digital forensic process by leveraging a centralized, deduplicated acquisition and processing approach. Focusing on the first step in digital evidence processing, acquisition, a system is presented enabling deduplicated evidence acquisition with the capability of automated, forensically-sound complete disk image reconstruction. As the number of cases acquired by the proposed system increases, more duplicate artifacts will be encountered, and the processing of each new case will become more efficient. This results in a time saving for digital investigators and provides a platform to enable non-expert evidence processing, alongside the benefits of reduced storage and bandwidth requirements.
Methodology for the Automated Metadata-Based Classification of Incriminating Digital Forensic Artefacts
The ever-increasing volume of data in digital forensic investigation is one of the most discussed challenges in the field. Usually, most of the file artefacts on seized devices are not pertinent to the investigation. Manually retrieving suspicious files relevant to the investigation is akin to finding a needle in a haystack. In this paper, a methodology for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation) is proposed to reduce the manual analysis effort required. This methodology is designed to work in a human-in-the-loop fashion. In other words, it predicts/recommends that an artefact is likely to be suspicious rather than giving the final analysis result. A supervised machine learning approach is employed, which leverages the recorded results of previously processed cases. The process of feature extraction, dataset generation, training and evaluation is presented in this paper. In addition, a toolkit for data extraction from disk images is outlined, which enables this method to be integrated with the conventional investigation process and work in an automated fashion.