Skip to content
Back to outputs

A suspect-oriented intelligent and automated computer forensic analysis

Research output: Contribution to journalArticlepeer-review

Standard

A suspect-oriented intelligent and automated computer forensic analysis. / Al Fahdi, M.; Clarke, N. L.; Li, F.; Furnell, S. M.

In: Digital Investigation, Vol. 18, 01.09.2016, p. 65-76.

Research output: Contribution to journalArticlepeer-review

Harvard

Al Fahdi, M, Clarke, NL, Li, F & Furnell, SM 2016, 'A suspect-oriented intelligent and automated computer forensic analysis', Digital Investigation, vol. 18, pp. 65-76. https://doi.org/10.1016/j.diin.2016.08.001

APA

Al Fahdi, M., Clarke, N. L., Li, F., & Furnell, S. M. (2016). A suspect-oriented intelligent and automated computer forensic analysis. Digital Investigation, 18, 65-76. https://doi.org/10.1016/j.diin.2016.08.001

Vancouver

Al Fahdi M, Clarke NL, Li F, Furnell SM. A suspect-oriented intelligent and automated computer forensic analysis. Digital Investigation. 2016 Sep 1;18:65-76. https://doi.org/10.1016/j.diin.2016.08.001

Author

Al Fahdi, M. ; Clarke, N. L. ; Li, F. ; Furnell, S. M. / A suspect-oriented intelligent and automated computer forensic analysis. In: Digital Investigation. 2016 ; Vol. 18. pp. 65-76.

Bibtex

@article{9791fb98dcd54a1f8d81fc359b6982f4,
title = "A suspect-oriented intelligent and automated computer forensic analysis",
abstract = "Computer forensics faces a range of challenges due to the widespread use of computing technologies. Examples include the increasing volume of data and devices that need to be analysed in any single case, differing platforms, use of encryption and new technology paradigms (such as cloud computing and the Internet of Things). Automation within forensic tools exists, but only to perform very simple tasks, such as data carving and file signature analysis. Investigators are responsible for undertaking the cognitively challenging and time-consuming process of identifying relevant artefacts. Due to the volume of cyber-dependent (e.g., malware and hacking) and cyber-enabled (e.g., fraud and online harassment) crimes, this results in a large backlog of cases. With the aim of speeding up the analysis process, this paper investigates the role that unsupervised pattern recognition can have in identifying notable artefacts. A study utilising the Self-Organising Map (SOM) to automatically cluster notable artefacts was devised using a series of four cases. Several SOMs were created – a File List SOM containing the metadata of files based upon the file system, and a series of application level SOMs based upon metadata extracted from files themselves (e.g., EXIF data extracted from JPEGs and email metadata extracted from email files). A total of 275 sets of experiments were conducted to determine the viability of clustering across a range of network configurations. The results reveal that more than 93.5% of notable artefacts were grouped within the rank-five clusters in all four cases. The best performance was achieved by using a 10 × 10 SOM where all notables were clustered in a single cell with only 1.6% of the non-notable artefacts (noise) being present, highlighting that SOM-based analysis does have the potential to cluster notable versus noise files to a degree that would significantly reduce the investigation time. Whilst clustering has proven to be successful, operationalizing it is still a challenge (for example, how to identify the cluster containing the largest proportion of notables within the case). The paper continues to propose a process that capitalises upon SOM and other parameters such as the timeline to identify notable artefacts whilst minimising noise files. Overall, based solely upon unsupervised learning, the approach is able to achieve a recall rate of up to 93%.",
keywords = "automation, clustering, cybercrime, digital forensics, self-organising map, SOM",
author = "{Al Fahdi}, M. and Clarke, {N. L.} and F. Li and Furnell, {S. M.}",
year = "2016",
month = sep,
day = "1",
doi = "10.1016/j.diin.2016.08.001",
language = "English",
volume = "18",
pages = "65--76",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",

}

RIS

TY - JOUR

T1 - A suspect-oriented intelligent and automated computer forensic analysis

AU - Al Fahdi, M.

AU - Clarke, N. L.

AU - Li, F.

AU - Furnell, S. M.

PY - 2016/9/1

Y1 - 2016/9/1

N2 - Computer forensics faces a range of challenges due to the widespread use of computing technologies. Examples include the increasing volume of data and devices that need to be analysed in any single case, differing platforms, use of encryption and new technology paradigms (such as cloud computing and the Internet of Things). Automation within forensic tools exists, but only to perform very simple tasks, such as data carving and file signature analysis. Investigators are responsible for undertaking the cognitively challenging and time-consuming process of identifying relevant artefacts. Due to the volume of cyber-dependent (e.g., malware and hacking) and cyber-enabled (e.g., fraud and online harassment) crimes, this results in a large backlog of cases. With the aim of speeding up the analysis process, this paper investigates the role that unsupervised pattern recognition can have in identifying notable artefacts. A study utilising the Self-Organising Map (SOM) to automatically cluster notable artefacts was devised using a series of four cases. Several SOMs were created – a File List SOM containing the metadata of files based upon the file system, and a series of application level SOMs based upon metadata extracted from files themselves (e.g., EXIF data extracted from JPEGs and email metadata extracted from email files). A total of 275 sets of experiments were conducted to determine the viability of clustering across a range of network configurations. The results reveal that more than 93.5% of notable artefacts were grouped within the rank-five clusters in all four cases. The best performance was achieved by using a 10 × 10 SOM where all notables were clustered in a single cell with only 1.6% of the non-notable artefacts (noise) being present, highlighting that SOM-based analysis does have the potential to cluster notable versus noise files to a degree that would significantly reduce the investigation time. Whilst clustering has proven to be successful, operationalizing it is still a challenge (for example, how to identify the cluster containing the largest proportion of notables within the case). The paper continues to propose a process that capitalises upon SOM and other parameters such as the timeline to identify notable artefacts whilst minimising noise files. Overall, based solely upon unsupervised learning, the approach is able to achieve a recall rate of up to 93%.

AB - Computer forensics faces a range of challenges due to the widespread use of computing technologies. Examples include the increasing volume of data and devices that need to be analysed in any single case, differing platforms, use of encryption and new technology paradigms (such as cloud computing and the Internet of Things). Automation within forensic tools exists, but only to perform very simple tasks, such as data carving and file signature analysis. Investigators are responsible for undertaking the cognitively challenging and time-consuming process of identifying relevant artefacts. Due to the volume of cyber-dependent (e.g., malware and hacking) and cyber-enabled (e.g., fraud and online harassment) crimes, this results in a large backlog of cases. With the aim of speeding up the analysis process, this paper investigates the role that unsupervised pattern recognition can have in identifying notable artefacts. A study utilising the Self-Organising Map (SOM) to automatically cluster notable artefacts was devised using a series of four cases. Several SOMs were created – a File List SOM containing the metadata of files based upon the file system, and a series of application level SOMs based upon metadata extracted from files themselves (e.g., EXIF data extracted from JPEGs and email metadata extracted from email files). A total of 275 sets of experiments were conducted to determine the viability of clustering across a range of network configurations. The results reveal that more than 93.5% of notable artefacts were grouped within the rank-five clusters in all four cases. The best performance was achieved by using a 10 × 10 SOM where all notables were clustered in a single cell with only 1.6% of the non-notable artefacts (noise) being present, highlighting that SOM-based analysis does have the potential to cluster notable versus noise files to a degree that would significantly reduce the investigation time. Whilst clustering has proven to be successful, operationalizing it is still a challenge (for example, how to identify the cluster containing the largest proportion of notables within the case). The paper continues to propose a process that capitalises upon SOM and other parameters such as the timeline to identify notable artefacts whilst minimising noise files. Overall, based solely upon unsupervised learning, the approach is able to achieve a recall rate of up to 93%.

KW - automation

KW - clustering

KW - cybercrime

KW - digital forensics

KW - self-organising map

KW - SOM

UR - http://www.scopus.com/inward/record.url?scp=84983479296&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2016.08.001

DO - 10.1016/j.diin.2016.08.001

M3 - Article

AN - SCOPUS:84983479296

VL - 18

SP - 65

EP - 76

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -

ID: 7977934