3,838 research outputs found

    Implementing the Automated Phases of the Partially-Automated Digital Triage Process Model

    Digital triage is a pre-digital-forensic phase that sometimes takes place as a way of gathering quick intelligence. Although effort has been undertaken to model the digital forensics process, little has been done to date to model digital triage. This work discusses the further development of a model that attempts to address digital triage, the Partially-automated Crime Specific Digital Triage Process model. The model itself will be presented along with a description of how its automated functionality was implemented to facilitate model testing.

    Front Matter


    Creation and Testing of a Semi-Automated Digital Triage Process Model

    Digital forensics examiners have a growing problem caused by their own success. The need for digital forensics is increasing and so are the devices that need examining. Not only is the number of devices growing, but so is the amount of information those devices can hold. One result of this problem is a growing backlog that could soon overwhelm digital forensics labs across the country. One way to combat this growing problem is to use digital triage to find the most pertinent information first. Unfortunately, although several digital forensics models have been created, very few digital triage models have been developed. This results in most organizations, if they perform digital triage at all, performing digital triage in an untested ad hoc fashion that varies from office to office. This dissertation will contribute to digital forensics science by creating and testing a digital triage model. This model will be semi-automated to allow for use by untrained users; it will be as operating system independent as possible; and it will allow the user to customize it based on a specific crime class or classes. The use of this model will decrease the amount of time it takes a digital triage examiner to make a successful assessment concerning evidence.

    Teaching Data Carving Using The Real World Problem of Text Message Extraction From Unstructured Mobile Device Data Dumps

    Data carving is a technique used in data recovery to isolate and extract files based on file content without any file system guidance. It is an important part of data recovery and digital forensics, but it is also useful in teaching computer science students about file structure and binary encoding of information especially within a digital forensics program. This work demonstrates how the authors teach data carving using a real world problem they encounter in digital forensics evidence processing involving the extracting of text messages from unstructured small device binary extractions. The authors have used this problem for instruction in digital forensics courses and in other computer science courses

    Table of Contents


    Triage of IoT Attacks Through Process Mining

    The impressive growth of the IoT we have witnessed in recent years came together with a surge in cyber attacks that target it. Factories adhering to digital transformation programs are quickly adopting the IoT paradigm and are thus increasingly exposed to a large number of cyber threats that need to be detected, analyzed and appropriately mitigated. In this scenario, a common approach used in large organizations is to set up an attack triage system. In this setting, security operators can cherry-pick new attack patterns requiring further in-depth investigation from a mass of known attacks that can be managed automatically. In this paper, we propose an attack triage system that helps operators to quickly identify attacks with unknown behaviors, and later analyze them in detail. The novelty introduced by our solution is in the usage of process mining techniques to model known attacks and identify new variants. We demonstrate the feasibility of our approach through an evaluation based on three well-known IoT botnets, BASHLITE, LIGHTAIDRA and MIRAI, and on real current attack patterns collected through an IoT honeypot.

    eVisits in the digital era of Swedish primary care

    Objective: To evaluate asynchronous digital visits (eVisits) with regard to digital communication, clinical decision-making, and subsequent care utilization in the digital era of primary care in Sweden. Methods: A mixed-methods approach was adopted across the various papers in the thesis, with all studies evaluating the eVisit platform Flow in various clinical contexts. Paper I was a comparative study of digital triage decisions when presented with automated patient history reports generated by the platform. Inter-rater reliability of triage decisions by majority vote in a panel of five physicians was compared to triage decisions by a machine learning model trained using data labelled by an expert primary care physician. Paper II was a qualitative focus group study of nurse and physician experiences of digital communication at three primary health care centers using the platform. Themes were generated using qualitative content analysis as described by Graneheim and Lundman. Papers III and IV were observational studies comparing office visits in the Skåne Region from Capio, a large private health care provider, to eVisit patients from Capio Go, a national eVisit service. Adult patients with a chief complaint of sore throat, dysuria, or cough/common cold/influenza were recruited. eVisit patients were recruited prospectively digitally prior to their eVisit, while the office visit control group was recruited retrospectively using letters. Paper III primarily compared antibiotic prescription rates per sore throat visit, while paper IV primarily compared subsequent physical health care utilization within two weeks for patients in the Skåne Region. Results: Interrater reliability was low (Cohen κ 0.17) between the panel majority vote and the machine learning model. Physicians and nurses experienced digitally filtered primary care, adjusting to a novel medium of communication highlighting challenges in interpreting symptoms through text as well as alterations in practice workflow using asynchronous communication. Antibiotics prescription rate within three days was not higher after eVisits compared to office visits (169/798 (21.2%) vs. 124/312 (39.7%) for sore throat, respectively; P<.001). No significant differences in subsequent physical visits within two weeks (excluding the first 48 h of expected “digi-physical” care) were noted following eVisits compared to office visits (179 (18.0%) vs. 102 (17.6%); P = .854). Conclusions: eVisits do not seem to be associated with over-prescription of antibiotics, or over-utilization of physical health care when assessing common infectious symptoms. Given staff experiencing uncertainties in interpretation of symptoms and triage decisions being inconsistent, eVisits may be best used as one of many modalities to access primary care, with focus placed on facilitating patient-centered professional judgement by staff, rather than automation of complex decisions.

    Social Media User Relationship Framework (SMURF)

    The use of social media has spread through many aspects of society, allowing millions of individuals, corporate as well as government entities to leverage the opportunities it affords. These opportunities often end up being exploited by a small percentage of the user community who use it for objectionable or unlawful activities; for example, trolling, cyber bullying, grooming, luring. In some cases, these unlawful activities result in investigations where swift retrieval of critical evidence is required in order to save a life. This paper presents a proof of concept (PoC) framework for social media user attribution. The framework aims to provide digital evidence that can be used to substantiate user activity in live triage investigations. This paper highlights the use of live triage as a viable technique for the investigation of social media activity, contextualizing user activity and attributing actions to users. It discusses the reliability of artefacts other than the communications content as a means of drawing inferences about user social media activity, taking into account the proportionality and relevance of such evidenc