A suspect-oriented intelligent and automated computer forensic analysis
| dc.contributor.author | Al Fahdi, M | |
| dc.contributor.author | Clarke, Nathan | |
| dc.contributor.author | Li, F | |
| dc.contributor.author | Furnell, Steven | |
| dc.date.accessioned | 2016-08-30T10:30:15Z | |
| dc.date.accessioned | 2016-11-11T09:31:51Z | |
| dc.date.available | 2016-08-30T10:30:15Z | |
| dc.date.available | 2016-11-11T09:31:51Z | |
| dc.date.issued | 2016-09 | |
| dc.identifier.issn | 1742-2876 | |
| dc.identifier.issn | 1873-202X | |
| dc.identifier.uri | http://hdl.handle.net/10026.1/6714 | |
| dc.description.abstract |
Computer forensics faces a range of challenges due to the widespread use of computing technologies. Examples include the increasing volume of data and devices that need to be analysed in any single case, differing platforms, use of encryption and new technology paradigms (such as cloud computing and the Internet of Things). Automation within forensic tools exists, but only to perform very simple tasks, such as data carving and file signature analysis. Investigators are responsible for undertaking the cognitively challenging and time-consuming process of identifying relevant artefacts. Due to the volume of cyber-dependent (e.g., malware and hacking) and cyber-enabled (e.g., fraud and online harassment) crimes, this results in a large backlog of cases. With the aim of speeding up the analysis process, this paper investigates the role that unsupervised pattern recognition can have in identifying notable artefacts. A study utilising the Self-Organising Map (SOM) to automatically cluster notable artefacts was devised using a series of four cases. Several SOMs were created – a File List SOM containing the metadata of files based upon the file system, and a series of application level SOMs based upon metadata extracted from files themselves (e.g., EXIF data extracted from JPEGs and email metadata extracted from email files). A total of 275 sets of experiments were conducted to determine the viability of clustering across a range of network configurations. The results reveal that more than 93.5% of notable artefacts were grouped within the rank-five clusters in all four cases. The best performance was achieved by using a 10 × 10 SOM where all notables were clustered in a single cell with only 1.6% of the non-notable artefacts (noise) being present, highlighting that SOM-based analysis does have the potential to cluster notable versus noise files to a degree that would significantly reduce the investigation time. Whilst clustering has proven to be successful, operationalizing it is still a challenge (for example, how to identify the cluster containing the largest proportion of notables within the case). The paper continues to propose a process that capitalises upon SOM and other parameters such as the timeline to identify notable artefacts whilst minimising noise files. Overall, based solely upon unsupervised learning, the approach is able to achieve a recall rate of up to 93%. | |
| dc.format.extent | 65-76 | |
| dc.language | en | |
| dc.language.iso | en | |
| dc.publisher | Elsevier BV | |
| dc.relation.replaces | http://hdl.handle.net/10026.1/5393 | |
| dc.relation.replaces | 10026.1/5393 | |
| dc.subject | SOM | |
| dc.subject | Digital forensics | |
| dc.subject | Automation | |
| dc.subject | Clustering | |
| dc.subject | Self-organising map | |
| dc.subject | Cybercrime | |
| dc.title | A suspect-oriented intelligent and automated computer forensic analysis | |
| dc.type | journal-article | |
| dc.type | Journal Article | |
| plymouth.author-url | http://gateway.webofknowledge.com/gateway/Gateway.cgi?GWVersion=2&SrcApp=PARTNER_APP&SrcAuth=LinksAMR&KeyUT=WOS:000386767300007&DestLinkType=FullRecord&DestApp=ALL_WOS&UsrCustomerID=11bb513d99f797142bcfeffcc58ea008 | |
| plymouth.volume | 18 | |
| plymouth.publication-status | Published | |
| plymouth.journal | DIGITAL INVESTIGATION | |
| dc.identifier.doi | 10.1016/j.diin.2016.08.001 | |
| plymouth.organisational-group | /Plymouth | |
| plymouth.organisational-group | /Plymouth/Faculty of Science and Engineering | |
| plymouth.organisational-group | /Plymouth/Faculty of Science and Engineering/School of Engineering, Computing and Mathematics | |
| plymouth.organisational-group | /Plymouth/REF 2021 Researchers by UoA | |
| plymouth.organisational-group | /Plymouth/REF 2021 Researchers by UoA/UoA11 Computer Science and Informatics | |
| plymouth.organisational-group | /Plymouth/Users by role | |
| plymouth.organisational-group | /Plymouth/Users by role/Academics | |
| dcterms.dateAccepted | 2016-08-15 | |
| dc.rights.embargodate | 2017-8-16 | |
| dc.identifier.eissn | 1873-202X | |
| dc.rights.embargoperiod | 24 months | |
| rioxxterms.funder | Engineering and Physical Sciences Research Council | |
| rioxxterms.identifier.project | Identifying and Modelling Victim, Business, Regulatory and Malware Behaviours in a Changing Cyberthreat Landscape | |
| rioxxterms.versionofrecord | 10.1016/j.diin.2016.08.001 | |
| rioxxterms.licenseref.uri | http://www.rioxx.net/licenses/under-embargo-all-rights-reserved | |
| rioxxterms.licenseref.startdate | 2016-09 | |
| rioxxterms.type | Journal Article/Review | |
| plymouth.funder | Identifying and Modelling Victim, Business, Regulatory and Malware Behaviours in a Changing Cyberthreat Landscape::Engineering and Physical Sciences Research Council |
