Automated inference of past action instances in digital investigations

James, Joshua I.; Gladyshev, Pavel

doi:10.1007/s10207-014-0249-6

Cited by 22 publications

(12 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The cause and effect nature of event reconstruction has been studied, and James and Gladyshev [13] have defined action instances, a state transition model where an action produces a trace. If traces can be identified, then actions can be implied because of the causal nature of certain state transitions on computer systems.…”

Section: Related Workmentioning

confidence: 99%

Towards Web Usage Attribution via Graph Community Detection in Grouped Internet Connection Records

Gresty

Loukas

Gan

et al. 2017

2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and I

View full text Add to dashboard Cite

Internet connection records can be very useful to digital forensic analysts in producing Internet history timelines and making deductions about the cause and effect of activity. However, the available data may include only a subset of the data that would be available from physical extraction. For example, the new UK legislation allows the collection of host website details, time of access and subscriber details, but not the specific uniform resource locator visited. Here, we investigate how to process data from Internet connections records to extract the websites, and construct the sessions of activity that are likely to be idiosyncratic the individual users, from the set of multiple possible users. We demonstrate how to display Internet history sessions as a network and perform graph community detection, showing a scheme for breaking up the component parts of the Internet history sessions into groups. We also introduce the use of websites' relative popularity for identifying websites that are likely to be meaningful to particular users of particular devices, further improving the accuracy of attributing a particular activity session to a particular user at a particular point in time.

show abstract

Section: Related Workmentioning

confidence: 99%

Towards Web Usage Attribution via Graph Community Detection in Grouped Internet Connection Records

Gresty

Loukas

Gan

et al. 2017

2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and I

View full text Add to dashboard Cite

show abstract

“…A number of techniques have been employed to streamline the current digital forensic process, including efficient workflow management [11], DFaaS [12,13], triage [14,4] and automation [9,15]. However, significant resources are being wasted with the current processing model; both in terms of the computer and manpower overheads.…”

Section: B Expedited Digital Forensic Processingmentioning

confidence: 99%

Battling the digital forensic backlog through data deduplication

Scanlon

2016

2016 Sixth International Conference on Innovative Computing Technology (INTECH)

View full text Add to dashboard Cite

Abstract-In recent years, technology has become truly pervasive in everyday life. Technological advancement can be found in many facets of life, including personal computers, mobile devices, wearables, cloud services, video gaming, web-powered messaging, social media, Internet-connected devices, etc. This technological influence has resulted in these technologies being employed by criminals to conduct a range of crimes -both online and offline. Both the number of cases requiring digital forensic analysis and the sheer volume of information to be processed in each case has increased rapidly in recent years. As a result, the requirement for digital forensic investigation has ballooned, and law enforcement agencies throughout the world are scrambling to address this demand. While more and more members of law enforcement are being trained to perform the required investigations, the supply is not keeping up with the demand. Current digital forensic techniques are arduously timeconsuming and require a significant amount of man power to execute. This paper discusses a novel solution to combat the digital forensic backlog. This solution leverages a deduplicationbased paradigm to eliminate the reacquisition, redundant storage, and reanalysis of previously processed data.

show abstract

“…The backlogs have grown due to a number of factors including the volume of cases requiring analysis, the number of devices per case, the volume of data on each device, and the limited availability of skilled experts (Quick & Choo, 2014). Automated techniques are in continuous development to aid investigators, but due to the sensitive nature of this work, the ultimate inferences and decisions will always be made by skilled human experts (James & Gladyshev, 2015).…”

Section: Introductionmentioning

confidence: 99%

Hierarchical Bloom Filter Trees for Approximate Matching

Lillis¹,

Breitinger²,

Scanlon³

2018

JDFSL

View full text Add to dashboard Cite

Bytewise approximate matching algorithms have in recent years shown significant promise in detecting files that are similar at the byte level. This is very useful for digital forensic investigators, who are regularly faced with the problem of searching through a seized device for pertinent data. A common scenario is where an investigator is in possession of a collection of "known-illegal" files (e.g. a collection of child abuse material) and wishes to find whether copies of these are stored on the seized device. Approximate matching addresses shortcomings in traditional hashing, which can only find identical files, by also being able to deal with cases of merged files, embedded files, partial files, or if a file has been changed in any way. Most approximate matching algorithms work by comparing pairs of files, which is not a scalable approach when faced with large corpora. This paper demonstrates the effectiveness of using a "Hierarchical Bloom Filter Tree" (HBFT) data structure to reduce the running time of collection-againstcollection matching, with a specific focus on the MRSH-v2 algorithm. Three experiments are discussed, which explore the effects of different configurations of HBFTs. The proposed approach dramatically reduces the number of pairwise comparisons required, and demonstrates substantial speed gains, while maintaining effectiveness.

show abstract

Automated inference of past action instances in digital investigations

Cited by 22 publications

References 13 publications

Towards Web Usage Attribution via Graph Community Detection in Grouped Internet Connection Records

Towards Web Usage Attribution via Graph Community Detection in Grouped Internet Connection Records

Battling the digital forensic backlog through data deduplication

Hierarchical Bloom Filter Trees for Approximate Matching

Contact Info

Product

Resources

About