A case-based reasoning method for locating evidence during digital forensic device triage

Horsman, Graeme; Laing, Christopher; Vickers, Paul

doi:10.1016/j.dss.2014.01.007

Cited by 35 publications

(25 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Horsman et al [10] extend the ideas presented in [37] and discuss a Case-Based Reasoning Forensic Triager (CBR-FT) method for retrieving the evidential data based on the location of the digital evidence in the past cases. The CBR-FT maintains a knowledge base for gathering the previous experience.…”

Section: Methods Of Post-mortem Triagementioning

confidence: 99%

“…The runtimes are very short, however, it is not clear why they are so short, and an explanation is not provided. Moreover, Horsman et al [10] state that hashing and keyword searching approaches can limit the effectiveness of digital triage because they are too restrictive. The limitations of the ANT solution are the following: there is no possibility to boot from the external source and encrypted data could not be analysed.…”

Section: A Hash Database Index Filementioning

confidence: 99%

“…Storing and using the knowledge of the past cases, presented by Horsman et al [10,37] and Bashir and Khan [39] 2.…”

Section: Lessons Learned From the Reviewmentioning

confidence: 99%

“…There are many other definitions of triage, which slightly differ depending on the attributed qualities [7][8][9][10][11][12]. The diversity of triage definitions reflects the variety of the views and indicates the immaturity of the field.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions

2017

View full text Add to dashboard Cite

Digital triage is the first investigative step of the forensic examination. The digital triage comes in two forms, live triage and post-mortem triage. The primary goal of the live triage is a rapid extraction of an intelligence from the potential sources. The live triage raises legitimate concerns. The post-mortem triage is conducted in the laboratory and its main goal is ranking of the seized devices for the possible existence of the relevant evidence. The digital triage has the potential to quickly identify items that are likely to contain the evidential data. Therefore, it is a solution to the problem of case backlogs. However, existing methods and tools of the digital triage have limitations, especially, in the forensic context. Nevertheless, we have no better solution for the time being. In this paper, we critically review published research works and the proposed solutions for digital triage. The review is divided into four sections as follows: live triage, post-mortem triage, mobile device triage, and triage tools. We conclude that many challenges are awaiting for the developers in creating methods and tools of digital triage in order to keep pace with the development of new technologies.

show abstract

Section: Methods Of Post-mortem Triagementioning

confidence: 99%

Section: A Hash Database Index Filementioning

confidence: 99%

“…Storing and using the knowledge of the past cases, presented by Horsman et al [10,37] and Bashir and Khan [39] 2.…”

Section: Lessons Learned From the Reviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions

2017

View full text Add to dashboard Cite

show abstract

“…Not only are more devices in need of investigation, each device typically maintains a greater level of internal storage. The task of processing larger volumes of data remains a topic of interest, and one still in need of a universal consistent solution (Horsman et al, 2014;Quick and Choo, 2014). As a result, the time restrictions of pre-charge bail are being applied to a moving target, one where feasibility remains an issue.…”

Section: Implications Of Time On Investigationsmentioning

confidence: 99%

Policing and Crime Act 2017: Changes to pre-charge bail and the impact on digital forensic analysis

Horsman

King

2018

Computer Law & Security Review

Self Cite

View full text Add to dashboard Cite

Following the enactment of the Police and Crime Act 2017, subsequent amendments to the Police and Criminal Evidence Act 1984 have seen a 'cap' placed on the length of time a suspect can be released on bail; a process commonly referred to as 'police bail' or 'pre-charge bail'. Whilst designed to instil consistency and certainty into bail processes to prevent individuals being subject to lengthy periods of regulation and uncertainty, it places additional pressures on forensic services. With a focus on digital forensics, examination of digital media is a complex and time consuming process, with existing backlogs well documented. The need for timely completion of investigations to adhere to pre-charge bail rules places additional stress on an already stretched service. This comment submission provides an initial analysis of new pre-charge bail regulations, assessing their impact on digital forensic services.

show abstract

Standardizing digital forensic examination procedures: A look at Windows 10 in cases involving images depicting child sexual abuse

Horsman

2021

WIREs Forensic Science

Self Cite

View full text Add to dashboard Cite

As a topic area, the need for the standardization of operational practices in digital forensics has seen much discussion. There are clear benefits for digital forensics if its procedures can be harmonized including increasing the reliability of the work produced by its practitioners, consistency of practice, and the potential for greater quality control, however, attaining standardization is a difficult task, and further work in this field is required. This work discusses the “standardization challenge” assessing both the need for standardization and the feasibility of achieving it. It is suggested that those actively contributing in this area should consider the development of models for defining operational practice which are offence‐specific, device‐specific and operating system‐specific. To support this proposal, an example standard is offered and discussed which suggests and documents the minimum expected requirements for the examination of Windows 10 devices in cases involving images depicting child sexual abuse. This article is categorized under: Digital and Multimedia Science > Cybercrime Investigation

show abstract

A case-based reasoning method for locating evidence during digital forensic device triage

Cited by 35 publications

References 30 publications

Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions

Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions

Policing and Crime Act 2017: Changes to pre-charge bail and the impact on digital forensic analysis

Standardizing digital forensic examination procedures: A look at Windows 10 in cases involving images depicting child sexual abuse

Contact Info

Product

Resources

About