
Introduction

Digital forensics is the use of scientific methods for the identification, preservation, extraction and documentation of digital evidence derived from digital sources to enable successful prosecution [1]. In its truest sense, digital forensics provides answers to the questions of when, what, who, where, how, and why a digital crime occurred. The “when” in a computer system investigation, for instance, refers to the window of time in which the events occurred. The “what” refers to the tasks carried out on the computer system. The “who” relates to the offender, the “where” to the scene of the crime, the “how” to the way the actions were carried out, and the “why” to what the offender was hoping to achieve by committing the crime. Many diverse fields have effectively incorporated data mining.

The most recent of them is the World Wide Web, while others include the field of criminal forensics (digital forensics). It involves a variety of tasks, such as identifying criminal groups involved in a variety of illicit operations and spotting false criminal identities. Typically, the goal of data mining techniques is to extract evidence and insight from enormous amounts of data. Investigations into digital crimes or incidents are conducted using the methods of digital forensics. Such inquiries seek to uncover and reveal the facts, which frequently results in prosecution and conviction. A vast array of computer forensic techniques has been developed as a result of the sharp increase in digital crimes. These techniques ensure that digital evidence is correctly collected, saved, and processed while maintaining the accuracy of the results.

Role of Data Mining in Digital Forensic

Digital forensics uses data mining and soft computing in a variety of ways. These involve locating correlations in forensic data (association), finding and classifying forensic data into groups based on similarity (classification), finding groupings of latent facts (clustering), and identifying patterns in data that can result in helpful predictions (forecasting). These methods are excellent for association, classification, clustering, and forecasting, but visualisation benefits from them the most. Digital investigators can quickly and effectively find important information by using visualisation. Additionally, it can point digital investigators in the direction of the best next move in their investigation, so that recovering digital evidence is done in a more effective and efficient way.

Digital Forensic Investigation Process Model

Digital forensics was decomposed into a seven-step procedure in the first framework created at the DFRWS. Identification, preservation, collection, examination, analysis, presentation, and decision are those steps [2].

Identification

This recognizes an incident from indicators and determines its type.

Preservation

Storage, transportation, and packaging are all part of this phase. To ensure that the electronic evidence gathered is not changed or deleted, certain procedures should be followed and recorded. Before packing, it is important to adequately identify and label any potential sources of evidence.

Collection

The gathering of digital or mobile evidence is a crucial stage that needs to be done according to the right procedures or rules. It can be divided into two categories: volatile evidence collection and non-volatile evidence collection.

Examination

In this stage, forensic experts examine the contents of the amassed evidence and extract data that is essential for establishing the case. Before starting the examination, the proper amount of evidence backups must be created. The objective of this stage is to make the evidence clear while highlighting its originality and importance. For later analysis, enormous amounts of data gathered during the volatile and non-volatile collection phases need to be reduced to a reasonable size and format.

Analysis

The investigative team conducts this stage mainly as a technical evaluation based on the findings of the evidence examination. Among the tasks to be completed at this stage are establishing connections between data fragments, analysing hidden data, evaluating the importance of the information gleaned from the examination phase, reconstructing the event data based on the extracted data, and drawing the appropriate conclusions.

Presentation

Storage, transportation, and packaging are all part of this phase. To ensure that the electronic evidence gathered is not changed or deleted, certain procedures should be followed and recorded. Before packing, it is important to adequately identify and label any potential sources of evidence. Static electricity may be produced when using regular plastic bags. It is therefore crucial to package evidence antistatically. Before putting the device and accessories in the evidence bag, an envelope should be sealed with the contents.

Decision

The decision phase is the model’s last stage. This entails going over each step of the investigation and pinpointing areas that could be improved. The findings and the interpretation that follows them can be utilised to improve future investigations’ methods for acquiring, examining, and analysing evidence. To gain the full picture of an occurrence or crime, the examination and analysis phases must frequently be repeated multiple times. Additionally, by using this information, future regulations and procedures can be improved.

The Applicability of Information Retrieval

The chance to enhance the conventional digital forensic procedure with more advanced automated techniques has arisen with the development of a high-capacity, cloud-based digital forensic investigation platform. This may allow investigators to spend less time performing their current duties while also giving them more freedom to participate actively in other areas of the inquiry. One source of such methods is the field of information retrieval (IR), which is concerned with locating materials that meet a user’s “information requirement” (often text documents, though multimedia IR is also an active study topic). The information needed is anything that is relevant to the inquiry being done, as it is used in the context of digital forensics.

Data Mining Techniques in Digital Forensics

Association Rules

It has been used to profile user behaviour and spot anomalies in log files; these anomalies can help find evidence that could be important to a digital inquiry. Association rule mining can be useful in digital forensics for extracting user login information from computer system log files. A forensic expert can identify user behavioural anomalies by creating rule sets with the use of user behavioural profiles.
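The following is an added example, not code from the original article or from the works it cites. It shows the kind of association-rule profiling described above on constructed SSH login records: each log line becomes a set of attribute=value items, single-item rules with high support and confidence are mined from a baseline period (a simplified Apriori-style pass), and a later login is flagged when it contains a rule's antecedent but not its consequent. The log format, the attribute names and the thresholds are all assumptions made for the example.

```python
"""Association-rule profiling over authentication logs (constructed sample data).

Each log line becomes a transaction of attribute=value items. Rules of the
form {A} -> {B} with high support and confidence describe the normal profile;
a later event that contains A but not B contradicts the profile and is
flagged for analyst review.
"""
import re
from collections import Counter
from itertools import combinations

# Constructed baseline log lines in an assumed format (not from a real system).
BASELINE_LOGS = [
    "2024-03-01T08:02:11 sshd login user=alice src=10.0.1.15 result=success",
    "2024-03-01T08:15:40 sshd login user=alice src=10.0.1.15 result=success",
    "2024-03-02T09:01:03 sshd login user=alice src=10.0.1.15 result=success",
    "2024-03-02T17:45:22 sshd login user=alice src=10.0.1.15 result=success",
    "2024-03-03T08:30:09 sshd login user=alice src=10.0.1.15 result=success",
    "2024-03-01T10:12:51 sshd login user=bob src=10.0.2.7 result=success",
    "2024-03-02T10:40:00 sshd login user=bob src=10.0.2.7 result=success",
    "2024-03-03T11:05:33 sshd login user=bob src=10.0.2.9 result=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def to_transaction(line):
    """Turn one log line into a set of attribute=value items."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    hour = int(m.group("ts")[11:13])
    period = "work_hours" if 8 <= hour < 18 else "off_hours"
    return frozenset({
        "user=" + m.group("user"),
        "src=" + m.group("src"),
        "period=" + period,
        "result=" + m.group("result"),
    })


def mine_rules(transactions, min_support=0.3, min_confidence=0.9):
    """Return {(antecedent, consequent): (support, confidence)} for single-item rules.

    support    = fraction of transactions containing both items
    confidence = P(consequent present | antecedent present)
    """
    n = len(transactions)
    item_count = Counter()
    pair_count = Counter()
    for t in transactions:
        item_count.update(t)
        for a, b in combinations(sorted(t), 2):
            pair_count[(a, b)] += 1
    rules = {}
    for (a, b), c in pair_count.items():
        support = c / n
        if support < min_support:
            continue
        for ante, cons in ((a, b), (b, a)):
            confidence = c / item_count[ante]
            if confidence >= min_confidence:
                rules[(ante, cons)] = (support, confidence)
    return rules


def find_violations(rules, line):
    """Rules the event contradicts (antecedent present, consequent absent)."""
    t = to_transaction(line)
    return {(ante, cons) for (ante, cons) in rules if ante in t and cons not in t}


PROFILE = mine_rules([to_transaction(l) for l in BASELINE_LOGS])

if __name__ == "__main__":
    for ante, cons in sorted(PROFILE):
        print(f"{ante} -> {cons}  support={PROFILE[(ante, cons)][0]:.3f}")
    # Constructed later event: same user, new source address, night time.
    suspect = "2024-03-04T02:13:07 sshd login user=alice src=203.0.113.9 result=success"
    print("violations:", sorted(find_violations(PROFILE, suspect)))
```

With these thresholds the baseline yields rules such as user=alice -> src=10.0.1.15 and user=alice -> period=work_hours, so a successful login for alice from an unfamiliar address at 02:13 contradicts both and is surfaced, while a routine login for bob during working hours contradicts nothing. Single-item rules keep the example readable; a real profile would also mine larger itemsets.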

Outlier Analysis

It has been used to find potential evidence in files and directories that are hidden or that differ from their surrounding files and directories. In digital forensics, outlier analysis is used to find hidden files by comparing each file’s attributes to those of the other files in the same directory and flagging probable outliers. To find hidden directories, a similar method compares the properties of directories at the same level.
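An added example of the sibling comparison just described, written for this page rather than taken from the article or its references. It scores every entry of a constructed directory listing against its siblings: numeric attributes (size, modification time) get a robust z-score built from the median and the median absolute deviation, so one extreme file cannot hide itself by inflating the mean, and categorical attributes (owner, extension) are scored by how rare their value is among siblings. The listing, the field names and the thresholds are assumptions.

```python
"""Outlier analysis over a directory listing (constructed sample data).

Each file's attributes are compared with those of its sibling files in the
same directory. A file collects one reason per attribute on which it stands
apart; files with the most reasons are the candidates an examiner looks at
first.
"""
from collections import Counter
from statistics import median

# Constructed listing of one directory: name, size in bytes, mtime as epoch
# seconds, owner, and whether the hidden attribute is set. Not real data.
LISTING = [
    {"name": "report_q1.pdf", "size": 195_584, "mtime": 1_709_280_000, "owner": "alice", "hidden": False},
    {"name": "report_q2.pdf", "size": 198_144, "mtime": 1_709_366_400, "owner": "alice", "hidden": False},
    {"name": "report_q3.pdf", "size": 201_216, "mtime": 1_709_452_800, "owner": "alice", "hidden": False},
    {"name": "report_q4.pdf", "size": 204_800, "mtime": 1_709_539_200, "owner": "alice", "hidden": False},
    {"name": "budget.pdf",    "size": 207_360, "mtime": 1_709_625_600, "owner": "alice", "hidden": False},
    {"name": "summary.pdf",   "size": 210_432, "mtime": 1_709_712_000, "owner": "alice", "hidden": False},
    {"name": ".cache.bin",    "size": 52_428_800, "mtime": 1_718_000_000, "owner": "root", "hidden": True},
]


def robust_z(value, values):
    """Distance from the median in units of scaled MAD (1.4826 * MAD ~ sigma for normal data)."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return abs(value - med) / (1.4826 * mad)


def extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name[1:] else ""


def score_listing(listing, z_threshold=3.5, rarity_threshold=0.2):
    """Map each file name to the list of reasons it stands apart from its siblings."""
    n = len(listing)
    sizes = [f["size"] for f in listing]
    mtimes = [f["mtime"] for f in listing]
    owner_freq = Counter(f["owner"] for f in listing)
    ext_freq = Counter(extension(f["name"]) for f in listing)
    reasons = {}
    for f in listing:
        r = []
        if robust_z(f["size"], sizes) > z_threshold:
            r.append("size far from siblings")
        if robust_z(f["mtime"], mtimes) > z_threshold:
            r.append("modification time far from siblings")
        if owner_freq[f["owner"]] / n < rarity_threshold:
            r.append(f"rare owner {f['owner']}")
        if ext_freq[extension(f["name"])] / n < rarity_threshold:
            r.append(f"rare extension {extension(f['name']) or '(none)'}")
        if f["hidden"]:
            r.append("hidden attribute set")
        reasons[f["name"]] = r
    return reasons


def rank_outliers(listing):
    """Files sorted by number of reasons, most suspicious first."""
    reasons = score_listing(listing)
    return sorted(((name, len(r)) for name, r in reasons.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for name, r in score_listing(LISTING).items():
        if r:
            print(name, "->", "; ".join(r))
```

Here the six reports agree on size, age, owner and extension, so the hidden 50 MB file owned by a different account and modified months later collects a reason on every attribute, while none of the reports collects any. The same scoring applied to sibling directories (sizes, entry counts, timestamps) gives the directory-level variant the paragraph mentions.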

Support Vector Machines (SVM)

The SVM has been used in a number of digital forensics research projects. A support vector machine (SVM) is a classification technique that separates data into categories based on some key characteristics of the data.

Discriminant Analysis

Digital forensics has used discriminant analysis to ascertain whether illicit images, such as child pornography, were downloaded on purpose or without the user’s knowledge.

People who have been charged with crimes using digital evidence frequently argue that a virus or Trojan horse they had installed on their computer system was to blame. Discriminant analysis in this case provided a mechanism for event reconstruction and allowed digital investigators to bypass the Trojan defence by analysing the data’s properties.

Bayesian Networks

It has been applied to the automation of digital investigations. Bayes’ theorem of posterior probability serves as the foundation for Bayesian networks. A Bayesian network is a directed acyclic graph used to represent the probabilistic connections between a number of random variables. The objective was to compile data on potential attacks, attacker behaviours, the most vulnerable software systems, and recommended research approaches.
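To make the posterior-probability idea concrete, here is an added example that is not part of the original article: a three-node Bayesian network over boolean variables, with a hypothetical "host compromised" cause and two observable effects, and exact inference by enumerating the joint distribution and applying Bayes' theorem. The graph structure and every probability in it are constructed for illustration, not measured values.

```python
"""Posterior inference in a small Bayesian network by exhaustive enumeration.

The network is a directed acyclic graph over boolean variables. Each node has
a conditional probability table (CPT) giving P(node=True | parents). From the
chain rule, the joint probability of a full assignment is the product of the
CPT entries, and Bayes' theorem gives
    P(query | evidence) = sum over hidden vars of joint(query, evidence)
                          / sum over hidden vars of joint(evidence).
Enumeration is exact and fine for a handful of variables.
"""
from itertools import product

# Constructed network (illustrative probabilities, not measured):
#   compromised -> unusual_process
#   compromised -> beaconing
# Each entry: (parent names, function(assignment) -> P(node=True | parents)).
NETWORK = {
    "compromised": ((), lambda a: 0.02),
    "unusual_process": (("compromised",), lambda a: 0.80 if a["compromised"] else 0.05),
    "beaconing": (("compromised",), lambda a: 0.70 if a["compromised"] else 0.01),
}


def joint(network, assignment):
    """Probability of one full assignment of every variable (chain rule over the DAG)."""
    p = 1.0
    for var, (_parents, cpt) in network.items():
        p_true = cpt(assignment)
        p *= p_true if assignment[var] else 1.0 - p_true
    return p


def posterior(network, query, evidence):
    """P(query=True | evidence) by summing the joint over unobserved variables."""
    variables = list(network)  # insertion order is a topological order here
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(variables)):
        a = dict(zip(variables, values))
        if any(a[v] != observed for v, observed in evidence.items()):
            continue  # inconsistent with the evidence
        p = joint(network, a)
        denominator += p
        if a[query]:
            numerator += p
    return numerator / denominator


if __name__ == "__main__":
    print("prior           :", posterior(NETWORK, "compromised", {}))
    print("unusual process :", posterior(NETWORK, "compromised", {"unusual_process": True}))
    print("both indicators :", posterior(NETWORK, "compromised",
                                         {"unusual_process": True, "beaconing": True}))
```

With these assumed numbers the prior belief of 2% rises to about 25% once an unusual process is seen and to about 96% once beaconing is observed as well; the same code accepts any DAG written in the same dictionary form, so an investigator can encode the dependencies they actually believe in and let the evidence update them.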

Conclusion

Data mining is now a significant component of digital forensics and is used in many areas of computer forensics: from the development of intrusion detection systems (IDS) to the creation of quicker and more precise detection systems, and from finding inappropriate content on the Internet using image mining to criminal network analysis, which uses data mining techniques to dissect the networks of criminal organisations, detect email abusers, and locate sexual offenders. Data mining has been shown to be helpful to law enforcement and other governmental organisations in solving crimes and discovering more about criminal organisations. Due to the use of data mining and other techniques like machine learning and artificial intelligence, computer forensics has advanced to a new level.

Traditional forensic analysis seeks to deliver precise information resulting from the application of tried-and-true and well-recognised procedures. Forensic science used in courts of law has sought to rely on frequently used techniques and equipment only after extensive, repeated testing and in-depth scientific research. Digital forensics is a sophisticated and cutting-edge field of ground-breaking research. With the massive digitisation of the information economy, the scope of digital forensic inquiry and application is expanding rapidly. Organisations in the armed forces and law enforcement rely heavily on digital forensics today. The essence of the problem is the requirement for accurate intellectual interception, prompt retrieval, and virtually error-free processing of digital data as the information age evolves at an unimaginable rate.


References:

[1] Kruse II, W.G. and Heiser, J.G., Computer Forensics: Incident Response Essentials, Addison-Wesley, 2002.

[2] Raburu, G., Omollo, R. and Okumu, D., Applying Data Mining Principles in the Extraction of Digital Evidence, IJCSMC, Vol. 7, Issue 3, March 2018, pp. 101–109.
