A Case-Based Reasoning Method for Locating Evidence During Digital Forensic Device Triage

The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application

Creation and Testing of a Semi-Automated Digital Triage Process Model

Digital forensics examiners have a growing problem caused by their own success. The need for digital forensics is increasing and so are the devices that need examining. Not only are the number of devices growing, but so is the amount of information those devices can hold. One result of this problem is a growing backlog that could soon overwhelm digital forensics labs across the country. One way to combat this growing problem is to use digital triage to find the most pertinent information first. Unfortunately, although several digital forensics models have been created, very few digital triage models have been developed. This results in most organizations, if they perform digital triage at all, performing digital triage in an untested ad hoc fashion that varies from office to office. This dissertation will contribute to digital forensics science by creating and testing a digital triage model. This model will be semi-automated to allow for the use by untrained users; it will be as operating system independent as possible; and it will allow the user to customize it based on a specific crime class or classes. The use of this model will decrease the amount of time it takes a digital triage examiner to make a successful assessment concerning evidence

Mobile forensic triage for damaged phones using M_Triage

Mobile forensics triage is a useful technique in a digital forensics investigation for recovering lost or purposely deleted and hidden files from digital storage. It is particularly useful, especially when solving a very sensitive crime, for example, kidnapping, in a timely manner. However, the existing mobile forensics triage tools do not consider performing a triage examination on damaged mobile phones. This research addressed the issues of performing triage examination on damaged Android mobile phones and reduction of false positive result generated by the current mobile forensics triage tools. Furthermore, the research addressed the issues of ignoring possible evidence residing in a bad block memory location. In this research a new forensics triage tool called M_Triage was introduced by extending Decode’s framework to handle data retrieval challenges on damaged Android mobile phones. The tool was designed to obtain evidence quickly and accurately (i.e. valid address book, call logs, SMS, images, and, videos, etc.) on Android damaged mobile phones. The tool was developed using C#, while back end engines was done using C programming and tested using five data sets. Based on the computational time processing comparison with Dec0de, Lifter, XRY and Xaver, the result showed that there was 75% improvement over Dec0de, 36% over Lifter, 28% over XRY and finally 71% over Xaver. Again, based on the experiment done on five data sets, M_Triage was capable of carving valid address book, call logs, SMS, images and videos as compared to Dec0de, Lifter, XRY and Xaver. With the average improvement of 90% over DEC0DE, 30% over Lifter, 40% over XRY and lastly 61% over Xaver. This shows that M_Triage is a better tool to be used because it saves time, carve more relevant files and less false positive result are achieved with the tool

Mobile forensic triage for damaged phones using M_Triage

Mobile forensics triage is a useful technique in a digital forensics investigation for recovering lost or purposely deleted and hidden files from digital storage. It is particularly useful, especially when solving a very sensitive crime, for example, kidnapping, in a timely manner. However, the existing mobile forensics triage tools do not consider performing a triage examination on damaged mobile phones. This research addressed the issues of performing triage examination on damaged Android mobile phones and reduction of false positive result generated by the current mobile forensics triage tools. Furthermore, the research addressed the issues of ignoring possible evidence residing in a bad block memory location. In this research a new forensics triage tool called M_Triage was introduced by extending Decode’s framework to handle data retrieval challenges on damaged Android mobile phones. The tool was designed to obtain evidence quickly and accurately (i.e. valid address book, call logs, SMS, images, and, videos, etc.) on Android damaged mobile phones. The tool was developed using C#, while back end engines was done using C programming and tested using five data sets. Based on the computational time processing comparison with Dec0de, Lifter, XRY and Xaver, the result showed that there was 75% improvement over Dec0de, 36% over Lifter, 28% over XRY and finally 71% over Xaver. Again, based on the experiment done on five data sets, M_Triage was capable of carving valid address book, call logs, SMS, images and videos as compared to Dec0de, Lifter, XRY and Xaver. With the average improvement of 90% over DEC0DE, 30% over Lifter, 40% over XRY and lastly 61% over Xaver. This shows that M_Triage is a better tool to be used because it saves time, carve more relevant files and less false positive result are achieved with the tool

Investigating visualisation techniques for rapid triage of digital forensic evidence

This study investigates the feasibility of a tool that allows digital forensics (DF) investigators to efficiently triage device datasets during the collection phase of an investigation. This tool utilises data visualisation techniques to display images found in near real-time to the end user. Findings indicate that participants were able to accurately identify contraband material whilst using this tool, however, classification accuracy dropped slightly with larger datasets. Combined with participant feedback, the results show that the proposed triage method is indeed feasible, and this tool provides a solid foundation for the continuation of further work

Effective resource management in digital forensics: an exploratory analysis of triage practices in four English constabularies

This is the author accepted manuscript. The final version is available from Emerald via the DOI in this recordPurpose: Building on the findings of a British Academy-funded project on the development of digital forensics in England and Wales, this article explores how triage, a process that helps prioritise digital devices for in-depth forensic analysis is experienced by digital forensic examiners and police officers in four English police forces. It is argued that while as a strategy triage can address the increasing demand in the examination of digital exhibits, careful consideration needs to be paid to the ways in which its set-up, undertaking and outcomes impact on the ability of law enforcement agencies to solve cases. Design/methodology/approach: The findings presented are the result of ethnographic observations and semi-structured interviews. They emphasise the challenges in the triage of digital exhibits as they are encountered in everyday practice. The discussion focuses on the tensions between the delivery of timely and accurate investigation results and current gaps in the infrastructural arrangements. It also emphasises the need to provide police officers with a baseline understanding of the role of digital forensics and the importance of clearly defined strategies in the examination of digital devices. Originality/value:This article aims to bridge policy and practice through an analysis of the ways in which digital forensic practitioners and police officers in four English constabularies reflect on the uses of triage in digital forensics to address backlogs and investigative demands. Highlighting the importance of digital awareness beyond the technical remit of digital forensic units, it offers new insights into the ways in which police forces seek to improve the evidential trail with limited resources.British AcademyEconomic and Social Research Council (ESRC

Use of KAOS in operational digital forensic investigations

Abstract. This paper focuses on the operations involved in the digital forensic process using the requirements engineering framework KAOS. The idea is to enforce the claim that a requirements engineering approach to digital forensics produces reusable patterns for future incidents. Our patterns here will be opera-tion-focused, rather than requirement-focused, which is simpler because the op-erations can potentially be exhaustively enumerated and evaluated. Thus, for example, given the complexity of the Ceglia versus Zuckerberg Facebook case involving alleged document forgery, we can show that one of the benefits com-ing out of the modelling exercise was the set of operations needed. This will give an estimate for the future of what kind of capabilities and resources are needed for other complex document-forgery cases involving computers. It may also help to plan investigations and prioritise the use of resources more widely within the case workload of investigators.

A framework for the forensic investigation of unstructured email relationship data

Our continued reliance on email communications ensures that it remains a major source of evidence during a digital investigation. Emails comprise both structured and unstructured data. Structured data provides qualitative information to the forensics examiner and is typically viewed through existing tools. Unstructured data is more complex as it comprises information associated with social networks, such as relationships within the network, identification of key actors and power relations, and there are currently no standardised tools for its forensic analysis. Moreover, email investigations may involve many hundreds of actors and thousands of messages. This paper posits a framework for the forensic investigation of email data. In particular, it focuses on the triage and analysis of unstructured data to identify key actors and relationships within an email network. This paper demonstrates the applicability of the approach by applying relevant stages of the framework to the Enron email corpus. The paper illustrates the advantage of triaging this data to identify (and discount) actors and potential sources of further evidence. It then applies social network analysis techniques to key actors within the data set. This paper posits that visualisation of unstructured data can greatly aid the examiner in their analysis of evidence discovered during an investigation

Forensic triage of email network narratives through visualisation

Purpose – The purpose of this paper is to propose a novel approach that automates the visualisation of both quantitative data (the network) and qualitative data (the content) within emails to aid the triage of evidence during a forensics investigation. Email remains a key source of evidence during a digital investigation, and a forensics examiner may be required to triage and analyse large email data sets for evidence. Current practice utilises tools and techniques that require a manual trawl through such data, which is a time-consuming process. Design/methodology/approach – This paper applies the methodology to the Enron email corpus, and in particular one key suspect, to demonstrate the applicability of the approach. Resulting visualisations of network narratives are discussed to show how network narratives may be used to triage large evidence data sets. Findings – Using the network narrative approach enables a forensics examiner to quickly identify relevant evidence within large email data sets. Within the case study presented in this paper, the results identify key witnesses, other actors of interest to the investigation and potential sources of further evidence. Practical implications – The implications are for digital forensics examiners or for security investigations that involve email data. The approach posited in this paper demonstrates the triage and visualisation of email network narratives to aid an investigation and identify potential sources of electronic evidence. Originality/value – There are a number of network visualisation applications in use. However, none of these enable the combined visualisation of quantitative and qualitative data to provide a view of what the actors are discussing and how this shapes the network in email data sets

AN ML BASED DIGITAL FORENSICS SOFTWARE FOR TRIAGE ANALYSIS THROUGH FACE RECOGNITION

Since the past few years, the complexity and heterogeneity of digital crimes has increased exponentially, which has made the digital evidence & digital forensics paramount for both criminal investigation and civil litigation cases. Some of the routine digital forensic analysis tasks are cumbersome and can increase the number of pending cases especially when there is a shortage of domain experts. While the work is not very complex, the sheer scale can be taxing. With the current scenarios and future predictions, crimes are only going to become more complex and the precedent of collecting and examining digital evidence is only going to increase. In this research, we propose an ML based Digital Forensics Software for Triage Analysis called Synthetic Forensic Omnituens (SynFO) that can automate evidence acquisition, extraction of relevant files, perform automated triage analysis and generate a basic report for the analyst. Results of this research show a promising future for automation with the help of Machine Learning