Computer Profiling for Preliminary Forensic Examination

  • Conference paper
  • Published in: Digital Forensics and Cyber Crime (ICDF2C 2013)

Abstract

The quantity problem and the natural desire of law enforcement to confront suspects with evidence of their guilt close to the time of arrest in order to elicit a confession combine to form a need for both effective digital forensic triage and preliminary forensic examination. This paper discusses computer profiling, a method for automated formal reasoning about a computer system, and its applicability to the problem domain of preliminary digital forensic examination following triage. It proposes an algorithm for using computer profiling at the preliminary examination stage of an investigation, which focusses on constructing an information model describing a suspect’s computer system in the minimal level of detail necessary to address a formal hypothesis about the system proposed by an investigator. The paper concludes by discussing the expanded utility of the algorithm proposed when contrasted to existing approaches in the digital forensic triage and preliminary examination space.

Author information

Corresponding author

Correspondence to Andrew Marrington.

Copyright information

© 2014 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Marrington, A., Iqbal, F., Baggili, I. (2014). Computer Profiling for Preliminary Forensic Examination. In: Gladyshev, P., Marrington, A., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2013. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 132. Springer, Cham. https://doi.org/10.1007/978-3-319-14289-0_14

  • DOI: https://doi.org/10.1007/978-3-319-14289-0_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-14288-3

  • Online ISBN: 978-3-319-14289-0

  • eBook Packages: Computer Science, Computer Science (R0)
