Abstract
The quantity problem and the natural desire of law enforcement to confront suspects with evidence of their guilt close to the time of arrest in order to elicit a confession combine to form a need for both effective digital forensic triage and preliminary forensic examination. This paper discusses computer profiling, a method for automated formal reasoning about a computer system, and its applicability to the problem domain of preliminary digital forensic examination following triage. It proposes an algorithm for using computer profiling at the preliminary examination stage of an investigation, which focusses on constructing an information model describing a suspect’s computer system in the minimal level of detail necessary to address a formal hypothesis about the system proposed by an investigator. The paper concludes by discussing the expanded utility of the proposed algorithm when contrasted with existing approaches in the digital forensic triage and preliminary examination space.
Copyright information
© 2014 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Marrington, A., Iqbal, F., Baggili, I. (2014). Computer Profiling for Preliminary Forensic Examination. In: Gladyshev, P., Marrington, A., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2013. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 132. Springer, Cham. https://doi.org/10.1007/978-3-319-14289-0_14
DOI: https://doi.org/10.1007/978-3-319-14289-0_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-14288-3
Online ISBN: 978-3-319-14289-0
eBook Packages: Computer Science (R0)