938 results for Computer forensic analysis
Abstract:
Background: Digital forensics is a rapidly expanding field, due to the continuing advances in computer technology and increases in data storage capabilities of devices. However, the tools supporting digital forensics investigations have not kept pace with this evolution, often leaving the investigator to analyse large volumes of textual data and rely heavily on their own intuition and experience. Aim: This research proposes that given the ability of information visualisation to provide an end user with an intuitive way to rapidly analyse large volumes of complex data, such approaches could be applied to digital forensics datasets. Such methods will be investigated, supported by a review of literature regarding the use of such techniques in other fields. The hypothesis of this research body is that by utilising exploratory information visualisation techniques in the form of a tool to support digital forensic investigations, gains in investigative effectiveness can be realised. Method: To test the hypothesis, this research examines three different case studies which look at different forms of information visualisation and their implementation with a digital forensic dataset. Two of these case studies take the form of prototype tools developed by the researcher, and one case study utilises a tool created by a third party research group. A pilot study by the researcher is conducted on these cases, with the strengths and weaknesses of each being drawn into the next case study. The culmination of these case studies is a prototype tool which was developed to resemble a timeline visualisation of the user behaviour on a device. This tool was subjected to an experiment involving a class of university digital forensics students who were given a number of questions about a synthetic digital forensic dataset. Approximately half were given the prototype tool, named Insight, to use, and the others given a common open-source tool.
The assessed metrics included: how long the participants took to complete all tasks, how accurate their answers to the tasks were, and how easy the participants found the tasks to complete. They were also asked for their feedback at multiple points throughout the task. Results: The results showed that there was a statistically significant increase in accuracy for one of the six tasks for the participants using the Insight prototype tool. Participants also found completing two of the six tasks significantly easier when using the prototype tool. There was no statistically significant difference between the completion times of both participant groups. There were no statistically significant differences in the accuracy of participant answers for five of the six tasks. Conclusions: The results from this body of research show that there is evidence to suggest that there is the potential for gains in investigative effectiveness when information visualisation techniques are applied to a digital forensic dataset. Specifically, in some scenarios, the investigator can draw conclusions which are more accurate than those drawn when using primarily textual tools. There is also evidence to suggest that the investigators found these conclusions to be reached significantly more easily when using a tool with a visual format. None of the scenarios led to the investigators being at a significant disadvantage in terms of accuracy or usability when using the prototype visual tool over the textual tool. It is noted that this research did not show that the use of information visualisation techniques leads to any statistically significant difference in the time taken to complete a digital forensics investigation.
Abstract:
String searching within a large corpus of data is an important component of digital forensic (DF) analysis techniques such as file carving. The continuing increase in capacity of consumer storage devices requires corresponding improvements to the performance of string searching techniques. As string searching is a trivially-parallelisable problem, GPGPU approaches are a natural fit – but previous studies have found that local storage presents an insurmountable performance bottleneck. We show that this need not be the case with modern hardware, and demonstrate substantial performance improvements from the use of single and multiple GPUs when searching for strings within a typical forensic disk image.
Abstract:
This paper discusses the use of models in automatic computer forensic analysis, and proposes and elaborates on a novel model for use in computer profiling, the computer profiling object model. The computer profiling object model is an information model which models a computer as objects with various attributes and inter-relationships. These together provide the information necessary for a human investigator or an automated reasoning engine to make judgements as to the probable usage and evidentiary value of a computer system. The computer profiling object model can be implemented so as to support automated analysis to provide an investigator with the information needed to decide whether manual analysis is required.
Abstract:
Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory, thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.
Abstract:
Fibres are extremely common. They can originate directly from human and animal hair, and also from textiles in the form of clothing, upholstery and carpets. Hair and textile fibres are relatively easily shed and transferred, which means that it is highly likely that fibres will be found at crime scenes. If such fibres are carefully characterised they can be of immense value in the forensic environment. Vibrational spectroscopy is one of the most important methods for the characterisation of natural and synthetic fibres. The vibrational spectrum, whether mid-IR or Raman, can be considered to be a fingerprint of the molecular structure of the fibre and as such has a very high information content.
Abstract:
Microvessel density (MVD) is a widely used surrogate measure of angiogenesis in pathological specimens and tumour models. Measurement of MVD can be achieved by several methods. Automation of counting methods aims to increase the speed, reliability and reproducibility of these techniques. The image analysis system described here enables MVD measurement to be carried out with minimal expense in any reasonably equipped pathology department or laboratory. It is demonstrated that the system translates easily between tumour types which are suitably stained with minimal calibration. The aim of this paper is to offer this technique to a wider field of researchers in angiogenesis.
Abstract:
Using the link-link incidence matrix to represent a simple-jointed kinematic chain, algebraic procedures have been developed to determine its structural characteristics such as the type of freedom of the chain, the number of distinct mechanisms and driving mechanisms that can be derived from the chain. A computer program incorporating these graph theory based procedures has been applied successfully for the structural analysis of several typical chains.
Abstract:
Most of the modern distance relays are designed to avoid overreaching due to the transient d.c. component of the fault current, whereas a more likely source of transients in e.h.v. systems is the oscillatory discharge of the system charging current into the fault. Until now attempts have not been made to reproduce these transients in the laboratory. This paper describes an analogue and an accurate digital simulation of these harmonic transients. The dynamic behaviour of a typical polarised mho-type relay is analysed, and results are presented. The paper also advocates the use of active filters for filtering the harmonics associated with e.h.v. systems, and hence to improve the speed of response and accuracy of the protective relays.
Abstract:
An introductory laboratory on the identification of analgesics in an unknown sample. Ideal for the first week of an organic chemistry sequence to get students familiar with their surroundings. Students extract, isolate, and perform thin layer chromatography on aspirin, acetaminophen, or ibuprofen.
Abstract:
In power electronics modules, heavy aluminium wires, i.e. wire diameters greater than 100 microns, are bonded to the active semiconductor devices and conductor metallization to form electric circuits of the power electronic module. Due to the high currents that may flow through these wires, a single connection usually contains several wires and thus, a large number of wires are used in a power electronics module. Under normal operation or test conditions, a significant amount of stresses and strains are induced in the wire and bonding interfaces, resulting in failure over time. In this paper, computer modelling techniques are used to analyse the effect of globtop design on the reliability of aluminium wirebonds under cyclic thermal-mechanical loading conditions. The results will show the sensitivity of the reliability of the wirebonds to the changes in the geometry and the material properties of the wirebond globtop.