Digital Forensics using Machine Learning Methods
Main Author: | |
---|---|
Published: | University of Sussex, 2008 |
Subjects: | |
Online Access: | http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.487975 |
Summary: | The increase in computer-related crimes, with particular reference to internet crimes, has led to an increasing demand for state-of-the-art digital forensics. Reconstruction of the past events in chronological order is crucial for digital forensic investigations to pinpoint the execution of relevant application programs and the files manipulated by those applications. The event reconstruction process can be made more objective and rigorous by employing mathematical techniques due to their sound theoretical foundations. The focus of this research is to explore the effectiveness of employing machine learning methodologies for computer forensic analysis by tracing past file system activities and preparing a timeline to facilitate the identification of incriminating evidence. A general criterion for measuring the efficacy of an analysis tool is to corroborate how well the analysis responds to the unforeseen evidence. The generation of a comprehensive timeline of the past events becomes more complicated if some information is missing or certain sources of evidence are contaminated or scrubbed. This thesis provides a genuine contribution to digital forensics research by focusing on the identification of the execution of application programs - a vital area which is not usually directly accessible from the available data. In addition to the neural network techniques, a Bayesian approach for data classification has been explored; this addresses the issue of missing/incomplete data. Bayesian methodology is an improvement over the existing ad hoc digital forensic analysis approaches carried out in bits and pieces. The Bayesian and neural network techniques have produced encouraging results and these results are reported herein. |