
    Data reduction and data mining framework for digital forensic evidence: storage, intelligence, review and archive

    With the volume of digital forensic evidence rapidly increasing, this paper proposes a data reduction and data mining framework that reduces data volume by focusing on a subset of the information. The growing volume of digital forensic evidence is leading to large backlogs. Initial research with sample data from the South Australia Police Electronic Crime Section and Digital Corpora forensic images using the proposed framework resulted in a significant reduction in storage requirements: the reduced subset is only 0.196 percent and 0.75 percent, respectively, of the original data volume. The framework is not intended to replace full analysis, but serves to provide a rapid triage, collection, intelligence analysis, review and storage methodology to support the various stages of digital forensic examinations. Agencies that can undertake rapid assessment of seized data can more effectively target specific criminal matters. The framework may also provide a greater potential intelligence gain from timely analysis of current and historical data, and the ability to research trends over time.

    Digital evidence bags

    This thesis analyses the traditional approach and methodology used to conduct digital forensic information capture, analysis and investigation. The predominant toolsets and utilities that are used, and the features they provide, are reviewed. This is used to highlight the difficulties encountered due to both technological advances and the methodologies employed. It is suggested that these difficulties are compounded by the archaic methods and proprietary formats in use. An alternative framework for the capture and storage of information used in digital forensics is defined, named the 'Digital Evidence Bag' (DEB). A DEB is a universal, extensible container for the storage of digital information acquired from any digital source; its format can be adapted to the requirements of the particular information to be stored. The format definition is extensible, allowing it to encompass new sources of data, cryptographic and compression algorithms and protocols as they are developed, while also providing some degree of backwards compatibility as the format evolves. The DEB framework uses terminology for its components that is analogous to the evidence bags, tags and seals used for traditional physical evidence storage and continuity. This is crucial for ensuring that the functionality provided by each component is comprehensible to the general public, judiciary and law enforcement personnel without detracting from or obscuring the evidential information it contains. Furthermore, information can be acquired from a dynamic or a more traditional static environment, and from a disparate range of digital devices. The flexibility of the DEB framework permits selective and/or intelligent acquisition methods to be employed, together with enhanced provenance and continuity audit trails. Evidential integrity is assured using accepted cryptographic techniques and algorithms. The DEB framework is implemented in a number of tool demonstrators and applied to a number of typical scenarios that illustrate the flexibility of the DEB framework and format. The DEB framework has also formed the basis of a patent application.
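    A minimal container in the spirit of the description above, as an added Python example that is not the DEB format, the thesis's tool demonstrators, or any published specification: the tag carries provenance, the index records each acquired object's SHA-256, the audit trail is a hash chain (each entry commits to the previous one), and an HMAC over tag, index and audit trail plays the role of the seal. The seal key, case identifiers, timestamps and sample bytes are constructed for the example; a real deployment would keep the key in an HSM or per-examiner key store, not alongside the bag.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a per-examiner sealing key held outside the bag. This constant
# exists only so the example runs stand-alone.
DEMO_SEAL_KEY = b"demo-examiner-seal-key"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialisation so digests and the seal are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _log(bag: dict, when: str, event: str) -> None:
    """Append an audit entry chained to the hash of the previous entry."""
    prev = bag["audit"][-1]["entry_hash"] if bag["audit"] else "0" * 64
    entry = {"when": when, "event": event, "prev": prev}
    entry["entry_hash"] = _digest(_canonical(entry))
    bag["audit"].append(entry)


def new_bag(case_id: str, examiner: str, created: str) -> dict:
    """Tag (provenance), empty index (what was acquired), items, audit trail (continuity)."""
    bag = {"tag": {"case_id": case_id, "examiner": examiner, "created": created},
           "index": [], "items": {}, "audit": []}
    _log(bag, created, "bag created")
    return bag


def acquire(bag: dict, item_id: str, source: str, data: bytes, when: str) -> str:
    """Store an acquired object, record its digest in the index, and log the acquisition."""
    if "seal" in bag:
        raise ValueError("bag is sealed; open a new bag for further acquisitions")
    digest = _digest(data)
    bag["items"][item_id] = base64.b64encode(data).decode()
    bag["index"].append({"id": item_id, "source": source, "size": len(data), "sha256": digest})
    _log(bag, when, f"acquired {item_id} from {source} sha256={digest}")
    return digest


def seal(bag: dict, key: bytes = DEMO_SEAL_KEY, when: str = "") -> str:
    """HMAC over tag, index and audit trail, stored in the bag as a tamper-evident seal."""
    _log(bag, when, "bag sealed")
    body = _canonical({"tag": bag["tag"], "index": bag["index"], "audit": bag["audit"]})
    bag["seal"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return bag["seal"]


def verify(bag: dict, key: bytes = DEMO_SEAL_KEY) -> list:
    """Return a list of integrity problems; an empty list means the bag verifies."""
    problems = []
    # 1. The seal must cover the current tag, index and audit trail.
    body = _canonical({"tag": bag["tag"], "index": bag["index"], "audit": bag["audit"]})
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bag.get("seal", "")):
        problems.append("seal mismatch")
    # 2. Each stored object must still match the digest recorded at acquisition.
    for entry in bag["index"]:
        data = base64.b64decode(bag["items"].get(entry["id"], ""))
        if _digest(data) != entry["sha256"]:
            problems.append(f"content of {entry['id']} does not match recorded sha256")
    # 3. The audit trail must be an unbroken hash chain.
    prev = "0" * 64
    for e in bag["audit"]:
        recomputed = _digest(_canonical({k: e[k] for k in ("when", "event", "prev")}))
        if e["prev"] != prev or e["entry_hash"] != recomputed:
            problems.append(f"audit chain broken at '{e['event']}'")
            break
        prev = e["entry_hash"]
    return problems


def demo() -> tuple:
    """Build a bag from constructed sample data, then tamper with a copy of it."""
    bag = new_bag("CASE-0001", "examiner-1", "2024-01-01T09:00:00Z")
    acquire(bag, "img-001", "usb-stick-sda", b"\x55\xaa constructed disk image bytes",
            "2024-01-01T09:05:00Z")
    acquire(bag, "log-001", "router-syslog",
            b"Jan 1 09:04:01 rtr sshd: constructed log line\n", "2024-01-01T09:06:00Z")
    seal(bag, when="2024-01-01T09:10:00Z")
    clean = verify(bag)
    tampered = json.loads(json.dumps(bag))          # deep copy via JSON round trip
    tampered["items"]["log-001"] = base64.b64encode(b"altered").decode()
    return clean, verify(tampered)
```

    Changing an object's bytes after sealing is caught by the per-item digest check even though the seal itself still matches (the seal commits to the index, which holds the digest, not to the raw bytes); changing the tag, the index or any audit entry breaks the seal, and splicing an audit entry also breaks the chain.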

    A Conceptual Framework on Digital Forensics Readiness for Criminals Tracking: Data Reduction Modalities

    The ever-growing threats of fraud and security incidents present many challenges to law enforcement and organizations across the globe. The volume of digital forensic evidence is rapidly increasing, leading to large backlogs. To address this, a Digital Forensic Data Reduction and Data Mining Framework is proposed. The framework is not intended to replace full analysis, but serves to provide a rapid triage, collection, intelligence analysis, review and storage methodology to support the various stages of digital forensic examinations. This study contributes to the greater body of knowledge on the design and implementation of a digital forensic readiness programme, aimed at maximizing the use of digital evidence in an organization.
    DOI: 10.17762/ijritcc2321-8169.15082

    The use of Artificial Intelligence in digital forensics: An introduction


    Protecting digital legal professional privilege LPP data

    Best Paper Award.
    To enable free communication between a legal advisor and client, which is necessary for the proper functioning of the legal system, certain documents, known as legal professional privilege (LPP) documents, can be excluded as evidence for the prosecution. In the physical world, protection of LPP information is well addressed and proper procedures for handling LPP articles have been established. However, there is no forensically sound procedure for protecting 'digital' LPP information. In this paper, we address this important but rarely discussed issue. We point out the difficulties of handling digital LPP data and discuss the shortcomings of current practice, then propose a feasible procedure for solving this problem. © 2008 IEEE.
    The 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering (IEEE/SADFE 2008), Oakland, CA, 22 May 2008. In Proceedings of the 3rd SADFE, 2008, p. 91-10

    An Ontology-Based Transformation Model for the Digital Forensics Domain

    The creation of an ontology makes it possible to form common information structures, to reuse knowledge, to make assumptions within a domain and to analyse every piece of knowledge. In this paper, we aim to create an ontology-based transformation model and a framework for developing an ontology-based transformation system in the digital forensics domain. We describe the architecture of the ontology-based transformation system and its components for assisting computer forensics experts in the appropriate selection of tools for digital evidence investigation. We consider the use of the attributes of Extensible Markup Language document transformation to map the computer forensics ontology, and we use the representations in the National Institute of Standards and Technology's "Computer Forensics Tool Catalog" for aligning one form with the other.

    Digital Evidence Bag Selection for P2P Network Investigation

    The collection and handling of court-admissible evidence is a fundamental component of any digital forensic investigation. While the procedures for handling digital evidence take much of their influence from the established policies for the collection of physical evidence, the obvious differences in dealing with non-physical evidence mean that a number of extra policies and procedures are required. This paper compares and contrasts some of the existing digital evidence formats or "bags" and analyses their compatibility with evidence gathered from a network source. A new, extended digital evidence bag is proposed specifically for evidence gathered from P2P networks, incorporating the network byte stream and on-the-fly metadata generation to aid expedited identification and analysis.

    Maintaining hard disk integrity with digital legal professional privilege (LPP) data


    An Ontology-Based Forensic Analysis Tool

    The analysis of forensic investigation results has generally been identified as the most complex phase of a digital forensic investigation. This phase becomes more complicated and time-consuming as the storage capacity of digital devices increases while their prices decrease. Although some tools and techniques assist the investigator in the analysis of digital evidence, they do not adequately address some of the serious challenges, particularly the time and effort required to conduct such tasks. In this paper, we consider the use of semantic web technologies, and in particular ontologies, to assist the investigator in analyzing digital evidence. A novel ontology-based framework is proposed for forensic analysis tools, which we believe has the potential to influence the development of such tools. The framework uses a set of ontologies to model the environment under investigation. The evidence extracted from the environment is first annotated using the Resource Description Framework (RDF). The evidence is then merged from various sources to identify new and implicit information with the help of inference engines and classification mechanisms. In addition, we present the ongoing development of a forensic analysis tool to analyze content retrieved from Android smart phones. For this purpose, several ontologies have been created to model some concepts of the smart phone environment.
    Keywords: digital forensic investigation, digital forensic analysis tool, semantic web, ontology, Android