Skip navigation

Digital forensic system profiling using context analysis

Digital forensic system profiling using context analysis

Gresty, David William (2018) Digital forensic system profiling using context analysis. PhD thesis, University of Greenwich.

[img]
Preview
PDF
David William Gresty 2018 - secured.pdf - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Download (12MB) | Preview

Abstract

Conventional digital forensic investigations search digital devices for specific events or specific artefacts that indicate a crime has occurred. This does fulfil the investigative need to identify a crime, but it does not attribute the user of that digital device when the crime occurred. If a crime occurs frequently, such as accessing unlawful pornography, or is an isolated event but is co-located in time with other frequently occurring events, such as the one-off sending of a harassing message, then there may be investigative value in processing the history of the device to determine if there are patterns of repetitive behaviour present at the times of interest.

This research project investigates the habitual use of a digital device by analysing the Internet history that can be recovered from the physical digital device, or from logs that are retained as the device is connected to a firewall or service provider. The presumption in this project is that there is zero-knowledge of the content of the web history, page content or even an accurate classification of the nature of the sites that are visited. We propose in this research that the patterns of usage themselves are a significant indicator of who the user is, or the type of usage that is being performed.

We define context analysis as the investigation not of what is contained within the artefacts, but rather the investigation of the meta-data relating to that artefact and any other similar artefacts within a proximity, be it temporal, spatial or potentially spatio-temporal. Specifically, we show in this thesis that given suitable feature selection the context analysis we define is effective at identifying patterns of habitual behaviour, as evaluated in the case of Internet history artefacts.

We present as our major contributions: the methods of analysing periods of Internet history in contextual groups of sessions; the novel approaches to feature selection for the Internet history sessions; and the display of the results on a network graph such that techniques such as community detection can be used to automatically cluster the Internet history.

Item Type: Thesis (PhD)
Uncontrolled Keywords: Digital forensics; digital forensic science; zero-knowledge internet history; session analysis;
Subjects: Q Science > QA Mathematics
T Technology > TK Electrical engineering. Electronics Nuclear engineering
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Faculty of Engineering & Science
Last Modified: 04 Mar 2022 13:07
URI: http://gala.gre.ac.uk/id/eprint/23656

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics