DESO: Addressing volume and variety in large-scale criminal cases
Introduction
With the increasing use of digital devices in modern life, so comes the need to examine them when that use touches on a criminal investigation. The increasing volume and variety of the material from these devices have already been well documented and attempts have been made to address the opportunities and problems caused by these two factors. Fast data extraction, keyword searches and time lining can all contribute when used appropriately. Ontologies have also been proposed as a solution to these problems. But many of these options concentrate on some form of processing across all data to be examined before any correlation is made. Others, such as OpenIOC (Mandiant, 2013) and CybOX (2012), focus on cyber incident response – where some form of IT system is the focus of an attack rather than crimes perpetrated using an IT system.
The Digital Evidence Semantic Ontology (DESO) (Brady et al., 2014) was proposed as a different approach. DESO's primary purpose is to act as a repository and classifier of digital evidence artefacts. The way in which DESO connects these artefacts allows a selective view of the data contained on digital devices and provides for them to be compared in a common format. By selecting artefacts before attempting to extract them, processing time and storage space are saved.
The earlier explanation of DESO specified two classes, Artefact Location and Artefact Type Identifier, to perform these tasks, together with associated object and data properties.
In this paper we expand on DESO's earlier description and show how it can be implemented. In so doing we:
- provide greater detail on DESO – including the addition of a third class to provide provenance – simplifying the consideration and production of evidential artefacts and their documentation;
- detail how DESO can be practically applied; and
- demonstrate how DESO can be integrated into existing and developing digital evidence methods proposed in the fields of incident response and criminal investigation.
Section snippets
Background
Currently, examiners of complex criminal cases may find themselves facing a large number of heterogeneous devices. The previously mentioned problems of volume and variety manifest themselves in that:
- the abundance and assortment of devices to be examined coupled with insufficient resources often leads to the use of “black box” forensic tools and completion of the “select all” check box for data to be extracted. But this, somewhat haphazard, approach relies on the completeness and accuracy of any
Possible solutions
This section looks at previous research to understand whether, in part or whole, it can assist in solving the identified problems of Availability, Selection and Comparison.
Description of DESO
DESO provides a system for organising and categorising digital evidence artefacts and, in so doing, considerable advantages are offered to the examiner. RDF was used for this ontology as it is a W3C standard and integrates well with other ontologies we intend to link with DESO. In their latest paper, Turnbull and Randhawa (2015) provide a useful overview of the pros and cons of RDF if further detail is required.
DESO will first be explained and then applied to show how these advantages can be
Application of DESO
To illustrate the assistance that DESO can provide we shall consider a case study: a digital evidence examiner is supplied with a USB memory stick taken from a suspect and two computers found in a victim's house running, respectively, Windows 7 and Apple OS X 10.6.8. The suspect is detained in custody and the task of the examiner is to quickly understand what connections, if any, exist between the devices belonging to the suspect and the victim.
Two challenges face the examiner: first, to
Integration with existing tools/methods
The digital evidence field is too large and diverse for one tool to accomplish every technical and investigative task. For DESO to be effective, it must integrate with existing methods and tools such as open source/proprietary computer forensic utilities.
To allow for this, any tool – be it one for examining a Windows file, an OS X device or a mobile phone – can reference DESO and use its artefact codes. Further, the previously referenced higher level ontologies such as DFAX and ParFor can use
Evaluation
This paper suggested that a solution to the challenges posed by increasing volume and variety of material was a tool to: document the availability of digital evidence artefacts, allow for the selection of the appropriate artefacts for a particular line of enquiry and allow correlation of extracted data from heterogeneous sources. We will now evaluate whether DESO performs these roles.
Conclusions and future work
This paper has documented the basic structure of DESO and demonstrated how it can be used. It has been shown how it differs from previously suggested ontologies by focussing on artefact data and the relationships between them rather than using structures such as events or time lines. Clearly, there will be occasions when these latter approaches will be appropriate and further research may look at identifying the decision points for use of the respective techniques.
DESO has only been partially
Acknowledgements
The authors would like to thank Michael Johnson of the Metropolitan Police Service, Lyn Goh of Guidance Software, Damien Dewildt of the Financial Conduct Authority, James Crabtree of QCC Global and Kevin Mansell of Control-F for their helpful suggestions when conducting this research.
References (26)
- et al. Face: automated digital evidence discovery and correlation. Digit Investig (2008).
- et al. Leveraging Cybox to standardize representation and exchange of digital forensic information. Digit Investig (2015).
- et al. A complete formalized knowledge representation model for advanced digital forensics timeline analysis. Digit Investig (2014).
- et al. Semantic representation and integration of digital evidence. Procedia Comput Sci (2013).
- Toward principles for the design of ontologies used for knowledge sharing. Int J Human-Computer Stud (1995).
- et al. Automated event and social network extraction from digital evidence sources with ontological mapping. Digit Investig (2015).
- et al. Gene ontology: tool for the unification of biology. The Gene Ontology Consortium. Nat Genet (2000).
- Practice advice on core investigative doctrine (2005).
- et al. Addressing the increasing volume and variety of digital evidence using an ontology.
- et al. Friend of a friend vocabulary (2014).