A case-based reasoning method for locating evidence during digital forensic device triage

TLDR: Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence.

Abstract: The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application.

Figures

Table 3: The recall and precision rates of EnCase and CBR-FT for the twenty test cases. For both systems the total number of files retrieved and the number of evidential files retrieved are given from which recall and precision are calculated. The second column shows the total number of evidential files available for retrieval for each case (i.e., the number of files found by the independent practitioner and which were sufficient for forensic needs). Figures in bold text indicate where one tool outperformed the other.

Figure 1: Demonstrates the PRF of each evidential location. As more cases enter the CBR-FT knowledge base, the PRF of each location fluctuates to correspond with any findings in a DF investigation. Each observation on the seven plots shows the change caused by the addition of a new case to the knowledge base.

Figure 6: The redundancy per evidential file retrieved for the twenty test cases (redundancy = no. files retrieved/no. evidential files retrieved).

Figure 3: Structure of the CBR-FT framework for Stage 2. The cases FC1 and FC3 are those cases in the knowledge base with locations matching those found in the current investigation during Stage 1. These locations are analysed to identify a further set of lower-priority locations of possible evidence.

Table 2: Locations used in Stage 1

Figure 2: Structure of the CBR-FT framework for Stage 1. Distinct offence types have their own knowledge base. Here, a fraud base contains a number of cases (FC1 . . . FCn) and a theft base contains cases TC1 . . . TCn.

Frequently asked questions

Q1. What have the authors contributed in "A case-based reasoning method for locating evidence during digital forensic device triage" ?

This article presents a novel approach to triage for digital forensics. 

Q2. What are the future works mentioned in the paper "A case-based reasoning method for locating evidence during digital forensic device triage" ?

While this article has only used fraud crimes for test cases, CBR-FT could be applied to other crime types and this is an area for further work. 

Q3. What is the drawback of the universal file path?

One drawback of the universal file path is that looking at a volume’s root folder has the potential for recovering large quantities of non-relevant data owing to the presence of system folders containing standard operating system files (e.g., C:\\Windows). 

Q4. What is the main limitation of perceptual hashing?

perceptual hashingmaintains processing overheads which would increase the overall length of the DT process, thereby negatively affecting the efficiency of the investigation. 

Q5. Why is it important to keep the volume of data of no evidential value to a?

Because a practitioner must review all recovered data to establish whether any evidential files exist it is important to keep the volume of data of no evidential value to a minimum. 

Q6. Why is EnCase able to recover more evidence than CBR-FT?

As EnCase extracts data by type rather than location, where EnCase’s recall is low, it is due to evidence existing in a format which is not targeted for collection and which is, therefore, missed. 

Q7. What is the DT model used to determine the priority of particular locations?

CBR-FT uses the ERRs as a prior probability distribution in a Bayesian model to determine the priority of particular locations for searching during DT. 

Q8. Why is it harder for a suspect to circumvent DT?

Because CBR-FT does not rely on hash or keyword matching it is harder for a suspect to circumvent DT by adjusting file content to evade a hash match. 

Q9. What are the main advantages of hashing and keyword searching?

as discussed below, both hashing and keyword searching approaches can limit the effectiveness of DT because they are too restrictive, leading to a failure to identify digital evidence. 

Q10. What is the way to determine the relevance of evidence in a DT scenario?

it is well suited to the DT scenario in which uncertainty exists about which areas of a suspect system to interrogate for evidence, and knowledge of the relevance of evidence in prior cases can be used to prioritise locations to search in new cases. 

Q11. Why have ACPO been cautious to recommend DT?

ACPO [4] have been cautious to recommend DT owing to the perception that it carries an increased risk of missing evidential files.