With the proliferation of digital-based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time, measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not preclude transporting the system(s)/storage media back to a lab environment for a more thorough examination and analysis once the initial field triage is concluded. The CFFTPM has been successfully used in various real-world cases, and its investigative importance and pragmatic approach have been amply demonstrated. Furthermore, the derived evidence from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, discusses the model's forensic soundness, investigative support capabilities and practical considerations. (Journal of Digital Forensics, Security and Law, Vol. 1(2) 20)
Digital evidence plays a crucial role in child pornography investigations. However, in the following case study, the authors argue that the behavioral analysis or "profiling" of digital evidence can also play a vital role in child pornography investigations. The following case study assessed the Internet Browsing History (Internet Explorer Bookmarks, Mozilla Bookmarks, and Mozilla History) from a suspected child pornography user's computer. The suspect in this case claimed to be conducting an ad hoc law enforcement investigation. After the URLs were classified (Neutral; Adult Porn; Child Porn; Adult Dating sites; Pictures from Social Networking Profiles; Chat Sessions; Bestiality; Data Cleaning; Gay Porn), the Internet history files were statistically analyzed to determine prevalence and trends in Internet browsing. First, a frequency analysis was used to determine a baseline of online behavior. Results showed 54% (n = 3205) of the URLs were classified as "neutral" and 38.8% (n = 2265) of the URLs were classified as a porn website. Only 10.8% of the URLs were classified as child pornography websites. However, when the IE history file was analyzed by visit, or "hit," count, the Pictures/Profiles (31.5%) category had the highest visit count, followed by Neutral (19.3%), Gay Porn (17%), and Child Porn (16.6%). When comparing the frequency of URLs to the Hit Count for each pornography type, it was noted that the accused was accessing gay porn, child porn, chat rooms, and picture profiles (i.e., from Facebook) more often than adult porn and neutral websites. The authors concluded that the suspect in this case was in fact a child pornography user and not an ad hoc investigator, and the findings from the behavioral analysis were admitted as evidence in the sentencing hearing for this case. The authors believe this case study illustrates the ability to conduct a behavioral analysis of digital evidence.
More work is required to further validate the behavioral analysis process described, but the ability to infer the predilection for being a consumer of child pornography based on Internet artifacts may prove to be a powerful tool for investigators.
The current research study replicated a study by Rogers et al. (Rogers M, Smoak ND, Liu J. Self-reported criminal computer behavior: a big-5, moral choice and manipulative exploitive behavior analysis. Deviant Behavior 2006;27:1-24) and examined the psychological characteristics, moral choice, and exploitive manipulative behaviors of self-reported computer criminals and non-computer criminals. Seventy-seven students enrolled in an information technology program participated in the web-based study. The results of the study indicated that the only significant variable for predicting criminal/deviant computer behavior was extraversion. Those individuals self-reporting criminal computer behavior were significantly more introverted than those reporting no criminal/deviant computer behavior. This finding is contrary to the findings of the previous study. The current study confirmed that the four psychometric instruments were reliable for conducting research in the field of criminal/deviant computer behavior. The impact of the findings on the field of digital forensic investigations is discussed as well as possible reasons for the apparent contradiction between the two studies.