Facilitating forensic examinations of multi-user computer environments through session-to-session analysis of internet history

Gresty, David, Gan, Diane (ORCID: https://orcid.org/0000-0002-0920-7572), Loukas, George (ORCID: https://orcid.org/0000-0003-3559-5182) and Ierotheou, Constantinos (2016) Facilitating forensic examinations of multi-user computer environments through session-to-session analysis of internet history. Digital Investigation, 16 (Suppl.). S124-S133. ISSN 1742-2876 (doi:10.1016/j.diin.2016.01.015)

PDF (Publisher PDF - Open Access)
15017_Loukas_Facilitating forensic examination pub PDF OA (2016).pdf - Published Version (1MB)
Available under License Creative Commons Attribution Non-commercial No Derivatives.

PDF (Author's Accepted Manuscript)
15017_Loukas_Facilitating forensic examinations (AAM) 2016.pdf - Accepted Version (910kB)
Restricted to Repository staff only

Abstract

This paper proposes a new approach to the forensic investigation of Internet history artefacts by aggregating the history from a recovered device into sessions and comparing those sessions to other sessions to determine whether they are one-time events or form a repetitive or habitual pattern. We describe two approaches for performing the session aggregation: fixed-length sessions and variable-length sessions. We also describe an approach for identifying repetitive pattern of life behaviour and show how such patterns can be extracted and represented as binary strings. Using the Jaccard similarity coefficient, a session-to-session comparison can be performed and the sessions can be analysed to determine to what extent a particular session is similar to any other session in the Internet history, and thus is highly likely to correspond to the same user. Experiments have been conducted using two sets of test data, where multiple users have access to the same computer. By identifying patterns of Internet usage that are unique to each user, our approach exhibits a high success rate in attributing particular sessions of the Internet history to the correct user. This can provide considerable help to a forensic investigator trying to establish which user was using the computer when a web-related crime was committed.

Item Type: Article
Additional Information: © 2016 The Authors. Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license. DFRWS 2016 Europe — Proceedings of the Third Annual DFRWS Europe
Uncontrolled Keywords: Digital forensics; World wide web; Session-to-session analysis; Context analysis; Pattern of life; Internet history analysis
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Faculty of Engineering & Science
Last Modified: 04 Mar 2022 13:07
URI: http://gala.gre.ac.uk/id/eprint/15017
