
    File system modelling for digital triage: An inductive profiling approach

    Digital triage is the initial, rapid screening of electronic devices as a precursor to full forensic analysis. Triage has numerous benefits, including resource prioritisation, greater involvement of criminal investigators and the rapid provision of initial outcomes. In traditional scientific forensics and criminology, certain behavioural attributes and character traits can be identified and used to construct a case profile that focuses an investigation and narrows down a list of suspects. This research introduces the Triage Modelling Tool (TMT), which uses a profiling approach to identify how offenders utilise and structure files through the creation of file system models. Results from the TMT have proven extremely promising when compared to EnCase's similar built-in functionality, which provides a strong justification for future work in this area.

    Methodology for the Automated Metadata-Based Classification of Incriminating Digital Forensic Artefacts

    The ever-increasing volume of data in digital forensic investigations is one of the most discussed challenges in the field. Usually, most of the file artefacts on seized devices are not pertinent to the investigation, and manually retrieving the suspicious files that are relevant is akin to finding a needle in a haystack. In this paper, a methodology for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation) is proposed to reduce the manual analysis effort required. The methodology is designed to work in a human-in-the-loop fashion: it predicts or recommends that an artefact is likely to be suspicious rather than giving the final analysis result. A supervised machine learning approach is employed, which leverages the recorded results of previously processed cases. The processes of feature extraction, dataset generation, training and evaluation are presented in this paper. In addition, a toolkit for data extraction from disk images is outlined, which enables the method to be integrated with the conventional investigation process and to run in an automated fashion.

    Implementing the Automated Phases of the Partially-Automated Digital Triage Process Model

    Digital triage is a pre-digital-forensic phase that sometimes takes place as a way of gathering quick intelligence. Although effort has been undertaken to model the digital forensics process, little has been done to date to model digital triage. This work discusses the further development of a model that attempts to address digital triage, the Partially-automated Crime Specific Digital Triage Process model. The model itself is presented along with a description of how its automated functionality was implemented to facilitate model testing.

    Research Toward a Partially-Automated, and Crime Specific Digital Triage Process Model

    The digital forensic process as traditionally laid out begins with the collection, duplication, and authentication of every piece of digital media prior to examination. These first three phases of the digital forensic process are by far the most costly; nevertheless, complete forensic duplication remains standard practice among digital forensic laboratories. The time it takes to complete these stages is quickly becoming a serious problem: with current methodologies, digital forensic laboratories do not have the resources and time to keep up with the growing demand for examinations. One solution to this problem is the use of pre-examination techniques commonly referred to as digital triage. Pre-examination techniques can provide the examiner with intelligence that can be used to prioritize and guide the examination process. This work discusses a proposed model for digital triage that is currently under development at Mississippi State University.

    Triage in-Lab : Case Backlog Reduction with Forensic Digital Profiling

    Since there is a huge backlog of cases and few digital forensic specialists in the justice system, it is usually not possible to send them to contribute directly at the digital crime scene. On the other side, law enforcement lacks skilled forensic staff available to perform forensic triage. Moreover, on-the-fly reviews suffer significant delays and are carried out under pressure, technical restrictions and time constraints. At this point, when a suspect target system and its data are found, they are seized and moved to a dedicated forensic laboratory where an expert can analyse their content. Under some circumstances, all that may be required is to quickly and efficiently review a number of target systems to establish whether they are likely to contain material of interest to an investigation. However, when the digital evidence reaches the specialist, they have little knowledge of the previous stage, and it is difficult to make decisions about priorities or activities on the seized devices. Such reviews are often referred to as "forensic triage" reviews and must be performed using forensically acceptable methods, so that any evidence identified during the forensic triage process is not damaged, modified or contaminated, literally or from a legal perspective, by the process of acquiring and reviewing it. We have developed a novel triage tool, which tries to capture a criminal profile with an automated predictive classifier focused on child pornography and intellectual property theft. This software detects a few critical attributes in the digital evidence and compares them with feature vectors extracted from a digital data corpus built from devices in past cases. As a result of this automated process, a criminal profile prediction is produced.
    This tool will assist computer forensic experts in making decisions about priorities: whether to perform a full analysis of suspect devices or to discard them with a low probability of losing digital evidence. Our approach should be useful to mitigate the backlog of computer forensics laboratories.
    Sociedad Argentina de Informática e Investigación Operativa
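The two abstracts above (the metadata-based classification methodology and the Triage in-Lab profiling tool) both describe the same pipeline in outline: extract attributes from file-system metadata, build a dataset from previously labelled cases, train a classifier, and use its output to rank artefacts for an analyst rather than to decide for them. The following is an added example that is not code from either paper or tool; it is a minimal stand-in for that pipeline. The classifier (categorical Naive Bayes with Laplace smoothing), the feature set, and every file record, path, size and timestamp below are constructed for illustration.

```python
"""Illustrative metadata-based triage scoring (added example, not the papers' code).
Pipeline: metadata -> categorical features -> classifier trained on labelled past
cases -> ranked recommendations for a human reviewer. All data is constructed."""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    """Minimal stand-in for a file artefact carved out of a disk image."""
    path: str
    size: int    # bytes
    mtime: int   # last-modified time, Unix seconds
    crtime: int  # creation (birth) time, Unix seconds


def extract_features(rec: FileRecord) -> Dict[str, str]:
    """Map raw metadata to categorical features (all string-valued)."""
    parts = [p for p in rec.path.split("/") if p]
    name = parts[-1] if parts else ""
    ext = name.rsplit(".", 1)[1].lower() if "." in name[1:] else "<none>"
    bucket = "tiny" if rec.size < 4096 else "small" if rec.size < (1 << 20) else "large"
    return {
        "ext": ext,
        "top_dir": parts[0] if parts else "<root>",
        "size_bucket": bucket,
        # any dot-prefixed directory on the path
        "hidden": "yes" if any(p.startswith(".") for p in parts[:-1]) else "no",
        # modified-before-created is a classic timestamp-manipulation indicator;
        # here it is simply one more feature the model can learn from
        "ts_anomaly": "yes" if rec.mtime < rec.crtime else "no",
    }


class NaiveBayesTriage:
    """Categorical Naive Bayes with Laplace smoothing over past-case labels."""

    def __init__(self) -> None:
        self.class_count: Counter = Counter()
        self.value_count: Dict[int, Counter] = defaultdict(Counter)
        self.vocab: Dict[str, set] = defaultdict(set)

    def fit(self, cases: Iterable[Tuple[FileRecord, int]]) -> "NaiveBayesTriage":
        for rec, label in cases:
            self.class_count[label] += 1
            for feat, val in extract_features(rec).items():
                self.value_count[label][(feat, val)] += 1
                self.vocab[feat].add(val)
        return self

    def suspicious_probability(self, rec: FileRecord) -> float:
        """P(suspicious | metadata): a recommendation for the analyst, not a verdict."""
        total = sum(self.class_count.values())
        feats = extract_features(rec)
        log_post = {}
        for label in (0, 1):
            n = self.class_count[label]
            lp = math.log((n + 1) / (total + 2))  # smoothed class prior
            for feat, val in feats.items():
                # unseen values fall back to the smoothing mass 1 / (n + |vocab|)
                lp += math.log((self.value_count[label][(feat, val)] + 1) / (n + len(self.vocab[feat])))
            log_post[label] = lp
        m = max(log_post.values())
        return math.exp(log_post[1] - m) / sum(math.exp(v - m) for v in log_post.values())


def rank_for_review(model: NaiveBayesTriage, records: Iterable[FileRecord]) -> List[Tuple[str, float]]:
    """Highest-probability artefacts first, so the analyst looks at them first."""
    return sorted(((r.path, model.suspicious_probability(r)) for r in records), key=lambda t: t[1], reverse=True)


def nearest_case(rec: FileRecord, cases: List[Tuple[FileRecord, int]]) -> Tuple[FileRecord, int, int]:
    """Closest past-case artefact by count of matching feature values (corpus comparison)."""
    target = extract_features(rec)
    overlap = lambda case: sum(1 for k, v in extract_features(case[0]).items() if target[k] == v)
    best = max(cases, key=overlap)
    return best[0], best[1], overlap(best)


# Constructed "previously processed cases": label 1 = analyst marked suspicious.
PAST_CASES: List[Tuple[FileRecord, int]] = [
    (FileRecord("/Windows/System32/kernel32.dll", 720_000, 1_600_000_000, 1_500_000_000), 0),
    (FileRecord("/Windows/System32/ntdll.dll", 1_900_000, 1_600_000_000, 1_500_000_000), 0),
    (FileRecord("/Program Files/Office/winword.exe", 2_000_000, 1_600_000_000, 1_500_000_000), 0),
    (FileRecord("/Users/bob/Documents/budget.xlsx", 40_000, 1_650_000_000, 1_640_000_000), 0),
    (FileRecord("/Users/bob/Pictures/.cache/img001.jpg", 300_000, 1_400_000_000, 1_650_000_000), 1),
    (FileRecord("/Users/bob/Pictures/.cache/img002.jpg", 310_000, 1_400_000_000, 1_650_000_000), 1),
    (FileRecord("/Users/bob/AppData/Roaming/vault.7z", 90_000_000, 1_400_000_000, 1_650_000_000), 1),
    (FileRecord("/Users/bob/Downloads/thumbs.rar", 50_000_000, 1_650_000_000, 1_640_000_000), 1),
]

# Constructed artefacts from a newly seized image, to be prioritised.
CANDIDATES: List[FileRecord] = [
    FileRecord("/Users/bob/Music/.hidden/archive.rar", 60_000_000, 1_400_000_000, 1_650_000_000),
    FileRecord("/Windows/System32/user32.dll", 1_500_000, 1_600_000_000, 1_500_000_000),
    FileRecord("/Users/bob/Documents/notes.txt", 2_000, 1_650_000_000, 1_640_000_000),
]

if __name__ == "__main__":
    model = NaiveBayesTriage().fit(PAST_CASES)
    for path, p in rank_for_review(model, CANDIDATES):
        near, label, hits = nearest_case(FileRecord(path, 0, 0, 0), PAST_CASES)
        print(f"{p:.3f}  {path}  (nearest past case: {near.path}, label {label})")
```

The middle-ranked `notes.txt` is the point of the human-in-the-loop design: its extension and size bucket were never seen in training, so the model returns a probability near 0.4 rather than a confident call, and the analyst decides. In a real deployment the features would come from a disk-image extraction toolkit and the labels from closed cases; any classifier trained this way inherits whatever bias the past labelling had.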

    Fast User Classifying to Establish Forensic Analysis Priorities
