Computer Profiling for Preliminary Forensic Examination

  • Andrew Marrington
  • Farkhund Iqbal
  • Ibrahim Baggili
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 132)


The quantity problem and the natural desire of law enforcement to confront suspects with evidence of their guilt close to the time of arrest in order to elicit a confession combine to form a need for both effective digital forensic triage and preliminary forensic examination. This paper discusses computer profiling, a method for automated formal reasoning about a computer system, and its applicability to the problem domain of preliminary digital forensic examination following triage. It proposes an algorithm for using computer profiling at the preliminary examination stage of an investigation, which focusses on constructing an information model describing a suspect’s computer system in the minimal level of detail necessary to address a formal hypothesis about the system proposed by an investigator. The paper concludes by discussing the expanded utility of the algorithm proposed when contrasted to existing approaches in the digital forensic triage and preliminary examination space.


Keywords: Computer profiling; Triage; Formal methods; Preliminary examination



Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2014

Authors and Affiliations

  • Andrew Marrington (1)
  • Farkhund Iqbal (1)
  • Ibrahim Baggili (2)

  1. Advanced Cyber Forensics Research Laboratory, College of Technological Innovation, Zayed University, Dubai, United Arab Emirates
  2. Tagliatela College of Engineering, University of New Haven, West Haven, USA
