Facilitating forensic examinations of multi-user computer environments through session-to-session analysis of internet history
Gresty, David, Gan, Diane ORCID: https://orcid.org/0000-0002-0920-7572, Loukas, George ORCID: https://orcid.org/0000-0003-3559-5182 and Ierotheou, Constantinos (2016) Facilitating forensic examinations of multi-user computer environments through session-to-session analysis of internet history. Digital Investigation, 16 (Suppl.). S124-S133. ISSN 1742-2876 (doi:10.1016/j.diin.2016.01.015)
Preview |
PDF (Publisher PDF - Open Access)
15017_Loukas_Facilitating forensic examination pub PDF OA (2016).pdf - Published Version Available under License Creative Commons Attribution Non-commercial No Derivatives. Download (1MB) | Preview |
PDF (Author's Accepted Manuscript)
15017_Loukas_Facilitating forensic examinations (AAM) 2016.pdf - Accepted Version Restricted to Repository staff only Download (910kB) |
Abstract
This paper proposes a new approach to the forensic investigation of Internet history artefacts by aggregating the history from a recovered device into sessions and comparing those sessions to other sessions to determine whether they are one-time events or form a repetitive or habitual pattern. We describe two approaches for performing the session aggregation: fixed-length sessions and variable-length sessions. We also describe an approach for identifying repetitive pattern of life behaviour and show how such patterns can be extracted and represented as binary strings. Using the Jaccard similarity coefficient, a session-to-session comparison can be performed and the sessions can be analysed to determine to what extent a particular session is similar to any other session in the Internet history, and thus is highly likely to correspond to the same user. Experiments have been conducted using two sets of test data, where multiple users have access to the same computer. By identifying patterns of Internet usage that are unique to each user, our approach exhibits a high success rate in attributing particular sessions of the Internet history to the correct user. This can provide considerable help to a forensic investigator trying to establish which user was using the computer when a web-related crime was committed.
Item Type: | Article |
---|---|
Additional Information: | © 2016 The Authors. Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license. DFRWS 2016 Europe — Proceedings of the Third Annual DFRWS Europe |
Uncontrolled Keywords: | Digital forensics; World wide web; Session-to-session analysis; Context analysis; Pattern of life; Internet history analysis |
Faculty / School / Research Centre / Research Group: | Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC) Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS) Faculty of Engineering & Science |
Last Modified: | 04 Mar 2022 13:07 |
URI: | http://gala.gre.ac.uk/id/eprint/15017 |
Actions (login required)
View Item |
Downloads
Downloads per month over past year