144 results for computer forensics, digital evidence, computer profiling, time-lining, temporal inconsistency, computer forensic object model

in Queensland University of Technology - ePrints Archive


Relevance:

100.00% 100.00%

Publisher:

Abstract:

Computer forensics is the process of gathering and analysing evidence from computer systems to aid in the investigation of a crime. Typically, such investigations are undertaken by human forensic examiners using purpose-built software to discover evidence from a computer disk. This process is a manual one, and the time it takes for a forensic examiner to conduct such an investigation is proportional to the storage capacity of the computer's disk drives. The heterogeneity and complexity of various data formats stored on modern computer systems compounds the problems posed by the sheer volume of data. The decision to undertake a computer forensic examination of a computer system is a decision to commit significant quantities of a human examiner's time. Where there is no prior knowledge of the information contained on a computer system, this commitment of time and energy occurs with little idea of the potential benefit to the investigation. The key contribution of this research is the design and development of an automated process to describe a computer system and its activity for the purposes of a computer forensic investigation. The term proposed for this process is computer profiling. A model of a computer system and its activity has been developed over the course of this research. Using this model a computer system, which is the subject of investigation, can be automatically described in terms useful to a forensic investigator. The computer profiling process is resilient to attempts to disguise malicious computer activity. This resilience is achieved by detecting inconsistencies in the information used to infer the apparent activity of the computer. The practicality of the computer profiling process has been demonstrated by a proof-of-concept software implementation. The model and the prototype implementation utilising the model were tested with data from real computer systems. The resilience of the process to attempts to disguise malicious activity has also been demonstrated with practical experiments conducted with the same prototype software implementation.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory, thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The analysis and value of digital evidence in an investigation has been the domain of discourse in the digital forensic community for several years. While many works have considered different approaches to model digital evidence, a comprehensive understanding of the process of merging different evidence items recovered during a forensic analysis is still a distant dream. With the advent of modern technologies, pro-active measures are integral to keeping abreast of all forms of cyber crimes and attacks. This paper motivates the need to formalize the process of analyzing digital evidence from multiple sources simultaneously. In this paper, we present the forensic integration architecture (FIA) which provides a framework for abstracting the evidence source and storage format information from digital evidence and explores the concept of integrating evidence information from multiple sources. The FIA architecture identifies evidence information from multiple sources that enables an investigator to build theories to reconstruct the past. FIA is hierarchically composed of multiple layers and adopts a technology independent approach. FIA is also open and extensible making it simple to adapt to technological changes. We present a case study using a hypothetical car theft case to demonstrate the concepts and illustrate the value it brings into the field.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Digital forensics concerns the analysis of electronic artifacts to reconstruct events such as cyber crimes. This research produced a framework to support forensic analyses by identifying associations in digital evidence using metadata. It showed that metadata based associations can help uncover the inherent relationships between heterogeneous digital artifacts thereby aiding reconstruction of past events by identifying artifact dependencies and time sequencing. It also showed that metadata association based analysis is amenable to automation by virtue of the ubiquitous nature of metadata across forensic disk images, files, system and application logs and network packet captures. The results prove that metadata based associations can be used to extract meaningful relationships between digital artifacts, thus potentially benefiting real-life forensics investigations.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format, an open, extensible file format for storing and sharing of evidence, arbitrary case related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The rapid development of the World Wide Web has created massive amounts of information, leading to the information overload problem. Under this circumstance, personalization techniques have been brought out to help users find content that meets their personalized interests or needs out of massively increasing information. User profiling techniques have performed the core role in this research. Traditionally, most user profiling techniques create user representations in a static way. However, changes of user interests may occur with time in real world applications. In this research we develop algorithms for mining user interests by integrating time decay mechanisms into topic-based user interest profiling. Time forgetting functions will be integrated into the calculation of topic interest measurements at an in-depth level. The experimental study shows that considering temporal effects of user interests by integrating time forgetting mechanisms gives better recommendation performance.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The conventional wisdom is that offenders have very high discount rates not only with respect to income and fines but also with respect to time incarcerated. These rates are difficult to measure objectively and the usual approach is to ask subjects hypothetical questions and infer time preference from their answers. In this article, we propose estimating rates at which offenders discount time incarcerated by specifying their equilibrium plea, defined as the discount rate, which equates the time and expected time spent in jail following a guilty plea and a trial. Offenders are assumed to exhibit positive time preference and discount time spent in jail at a constant rate. Our choice of sample is interesting because the offenders are not on bail, punishment is not delayed and the offences are planned therefore conforming to Becker’s model of the decision to commit a crime. Contrary to the discussion in the literature, we do not find evidence of consistently high time discount rates, and therefore cannot unequivocally infer that the prison experience always results in low levels of specific deterrence.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The purpose of this paper is to review the incidence of upper-body morbidity (arm and breast symptoms, impairments, and lymphedema), methods for diagnosis, and prevention and treatment strategies. It was also the purpose to highlight the evidence base for integration of prospective surveillance for upper-body morbidity within standard clinical care of women with breast cancer. Between 10% and 64% of women report upper-body symptoms between 6 months and 3 years after breast cancer, and approximately 20% develop lymphedema. Symptoms remain common into longer-term survivorship, and although lymphedema may be transient for some, those who present with mild lymphedema are at increased risk of developing moderate to severe lymphedema. The etiology of morbidity seems to be multifactorial, with the most consistent risk factors being those associated with extent of treatment. However, known risk factors cannot reliably distinguish between those who will and will not develop upper-body morbidity. Upper-body morbidity may be treatable with physical therapy. There is also evidence in support of integrating regular surveillance for upper-body morbidity into the routine care provided to women with breast cancer, with early diagnosis potentially contributing to more effective management and prevention of progression of these conditions.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The technique of photo-CELIV (charge extraction by linearly increasing voltage) is one of the more straightforward and popular approaches to measure the faster carrier mobility in measurement geometries that are relevant for operational solar cells and other optoelectronic devices. It has been used to demonstrate a time-dependent photocarrier mobility in pristine polymers, attributed to energetic relaxation within the density of states. Conversely, in solar cell blends, the presence or absence of such energetic relaxation on transport timescales remains under debate. We developed a complete numerical model and performed photo-CELIV experiments on the model high efficiency organic solar cell blend poly[3,6-dithiophene-2-yl-2,5-di(2-octyldodecyl)-pyrrolo[3,4-c]pyrrole-1,4-dione-alt-naphthalene] (PDPP-TNT):[6,6]-phenyl-C71-butyric-acid-methyl-ester (PC70BM). In the studied solar cells a constant, time-independent mobility on the scale relevant to charge extraction was observed, where thermalisation of photocarriers occurs on time scales much shorter than the transit time. Therefore, photocarrier relaxation effects are insignificant for charge transport in these efficient photovoltaic devices.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

This cross disciplinary study was conducted as two research and development projects. The outcome is a multimodal and dynamic chronicle, which incorporates the tracking of spatial, temporal and visual elements of performative practice-led and design-led research journeys. The distilled model provides a strong new approach to demonstrate rigour in non-traditional research outputs including provenance and an 'augmented web of facticity'.

Relevance:

100.00% 100.00%

Publisher:

Relevance:

100.00% 100.00%

Publisher:

Abstract:

This paper discusses the use of models in automatic computer forensic analysis, and proposes and elaborates on a novel model for use in computer profiling, the computer profiling object model. The computer profiling object model is an information model which models a computer as objects with various attributes and inter-relationships. These together provide the information necessary for a human investigator or an automated reasoning engine to make judgements as to the probable usage and evidentiary value of a computer system. The computer profiling object model can be implemented so as to support automated analysis to provide an investigator with the information needed to decide whether manual analysis is required.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Forensic imaging has been facing scalability challenges for some time. As disk capacity growth continues to outpace storage IO bandwidth, the demands placed on storage and time are ever increasing. Data reduction and de-duplication technologies are now commonplace in the Enterprise space, and are potentially applicable to forensic acquisition. Using the new AFF4 forensic file format we employ a hash based compression scheme to leverage an existing corpus of images, reducing both acquisition time and storage requirements. This paper additionally describes some of the recent evolution in the AFF4 file format making the efficient implementation of hash based imaging a reality.