
Digital Investigation

Volume 15, December 2015, Pages 72-82

DESO: Addressing volume and variety in large-scale criminal cases

https://doi.org/10.1016/j.diin.2015.10.002

Abstract

This paper proposes a mechanism for dealing with the growing variety and volume of digital evidence in a criminal investigation.

The challenges posed by this growth have long been recognised and documented. There have been solutions aimed at processing bulk data and others based on event correlation or time lines. Instead, we examine whether there is an alternative method: to classify digital evidence artefacts in a way that assists selection of the potentially relevant evidence before processing any material. In so doing we wish to avoid generating bulk data and instead start viewing digital evidence from an investigative perspective – not a technological one.

This paper details the continuing development of an ontology for this purpose – the Digital Evidence Semantic Ontology (DESO). This provides an index to a repository of known digital evidence artefacts which are classified according to the location that they are found and the information they represent. Further, this paper also demonstrates how DESO can be applied to criminal investigations to assist lines of enquiry.

Introduction

With the increasing use of digital devices in modern life comes the need to examine them when that use touches on a criminal investigation. The increasing volume and variety of the material from these devices has already been well documented, and attempts have been made to address the opportunities and problems caused by these two factors. Fast data extraction, keyword searches and time lining can all contribute when used appropriately. Ontologies have also been proposed as a solution to these problems. But many of these options concentrate on some form of processing across all data to be examined before any correlation is made. Others, such as OpenIOC (Mandiant, 2013) and CybOX (2012), focus on cyber incident response – where some form of IT system is the focus of an attack rather than crimes perpetrated using an IT system.

The Digital Evidence Semantic Ontology (DESO) (Brady et al., 2014) was proposed as a different approach. DESO's primary purpose is to act as a repository and classifier of digital evidence artefacts. The way in which DESO connects these artefacts allows a selective view of the data contained on digital devices and provides for them to be compared in a common format. By selecting artefacts before attempting to extract them, processing time and storage space are saved.

The earlier explanation of DESO specified two classes, Artefact Location and Artefact Type Identifier, to perform these tasks, with associated object and data properties.

In this paper we expand on DESO's earlier description and show how it can be implemented. In so doing we:

  • provide greater detail on DESO – including the addition of a third class to provide provenance – simplifying the consideration and production of evidential artefacts and their documentation;

  • detail how DESO can be practically applied; and

  • demonstrate how DESO can be integrated into existing and developing digital evidence methods proposed in the fields of incident response and criminal investigation.


Background

Currently, examiners of complex criminal cases may find themselves facing a large number of heterogeneous devices. The previously mentioned problems of volume and variety manifest themselves in that:

  • the abundance and assortment of devices to be examined coupled with insufficient resources often leads to the use of “black box” forensic tools and completion of the “select all” check box for data to be extracted. But this, somewhat haphazard, approach relies on the completeness and accuracy of any

Possible solutions

This section looks at previous research to understand whether, in part or whole, it can assist in solving the identified problems of Availability, Selection and Comparison.

Description of DESO

DESO provides a system for organising and categorising digital evidence artefacts and, in so doing, offers considerable advantages to the examiner. RDF was used for this ontology as it is a W3C standard and integrates well with other ontologies we intend to link with DESO. In their latest paper, Turnbull and Randhawa (2015) provide a useful overview of the pros and cons of RDF if further detail is required.

DESO will first be explained and then applied to show how these advantages can be

Application of DESO

To illustrate the assistance that DESO can provide we shall consider a case study: a digital evidence examiner is supplied with a USB memory stick taken from a suspect and two computers found in a victim's house running, respectively, Windows 7 and Apple OS X 10.6.8. The suspect is detained in custody and the task of the examiner is to quickly understand what connections, if any, exist between the devices belonging to the suspect and the victim.

Two challenges face the examiner: first, to
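To make the classify-then-select-then-compare idea behind the case study concrete, here is an added example that is not the paper's ontology, code or repository: a toy in-memory triple store stands in for the RDF graph, the Artefact Location and Artefact Type Identifier classes become two predicates, and the artefact codes, repository entries and extracted USB serial numbers are all constructed for this example (the Windows and OS X paths are illustrative entries, not DESO's own catalogue).

```python
from collections import defaultdict
# Tiny in-memory triple store standing in for the RDF graph the paper uses.
TRIPLES = set()

def objects(s, p):
    return {o for s2, p2, o in TRIPLES if s2 == s and p2 == p}

def subjects(p, o):
    return {s for s, p2, o2 in TRIPLES if p2 == p and o2 == o}

# Constructed repository: (hypothetical code, platform, location, information type).
ARTEFACTS = [
    ("ART-001", "Windows 7", r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR", "usb-device-serial"),
    ("ART-002", "Windows 7", r"C:\Windows\inf\setupapi.dev.log", "usb-device-serial"),
    ("ART-003", "OS X 10.6", "/var/log/kernel.log", "usb-device-serial"),
    ("ART-004", "Windows 7", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs", "recent-file"),
    ("ART-005", "OS X 10.6", "~/Library/Preferences/com.apple.recentitems.plist", "recent-file"),
]

def build_index():
    """Classify each artefact by Artefact Location and Artefact Type Identifier."""
    for code, platform, path, info in ARTEFACTS:
        loc = f"{platform}|{path}"                     # an Artefact Location individual
        TRIPLES.add((code, "deso:foundAt", loc))
        TRIPLES.add((code, "deso:represents", info))   # its Artefact Type Identifier
        TRIPLES.add((loc, "deso:onPlatform", platform))

def platform_of(code):
    loc = next(iter(objects(code, "deso:foundAt")))
    return next(iter(objects(loc, "deso:onPlatform")))

def select_artefacts(info_type, platforms):
    """Choose artefacts for a line of enquiry before any data is extracted."""
    return {code: next(iter(objects(code, "deso:foundAt")))
            for code in subjects("deso:represents", info_type)
            if platform_of(code) in platforms}

def correlate(extracted):
    """Values (already in a common format) seen on more than one platform."""
    seen = defaultdict(set)
    for code, values in extracted.items():
        for value in values:
            seen[value].add(platform_of(code))
    return {v: p for v, p in seen.items() if len(p) > 1}

build_index()
PLAN = select_artefacts("usb-device-serial", {"Windows 7", "OS X 10.6"})
EXTRACTED = {"ART-001": {"SERIAL-AAAA1111", "SERIAL-BBBB2222"}, "ART-002": {"SERIAL-AAAA1111"},
             "ART-003": {"SERIAL-AAAA1111", "SERIAL-CCCC3333"}}  # constructed, selected artefacts only
LINKS = correlate(EXTRACTED)  # {"SERIAL-AAAA1111": {"Windows 7", "OS X 10.6"}}
```

Only the three artefacts that represent the information the enquiry needs are planned for extraction; the recent-file artefacts are never touched, and the one serial present on both machines surfaces as the candidate link.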

Integration with existing tools/methods

The digital evidence field is too large and diverse for one tool to accomplish every technical and investigative task. For DESO to be effective, it must integrate with existing methods and tools such as open source/proprietary computer forensic utilities.

To allow for this, any tool – be it one for examining a Windows file, an OS X device or a mobile phone – can reference DESO and use its artefact codes. Further, the previously referenced higher level ontologies such as DFAX and ParFor can use

Evaluation

This paper suggested that a solution to the challenges posed by increasing volume and variety of material was a tool to: document the availability of digital evidence artefacts, allow for the selection of the appropriate artefacts for a particular line of enquiry and allow correlation of extracted data from heterogeneous sources. We will now evaluate whether DESO performs these roles.

Conclusions and future work

This paper has documented the basic structure of DESO and demonstrated how it can be used. It has been shown how it differs from previously suggested ontologies by focussing on artefact data and the relationships between them rather than using structures such as events or time lines. Clearly, there will be occasions when these latter approaches will be appropriate and further research may look at identifying the decision points for use of the respective techniques.

DESO has only been partially

Acknowledgements

The authors would like to thank Michael Johnson of the Metropolitan Police Service, Lyn Goh of Guidance Software, Damien Dewildt of the Financial Conduct Authority, James Crabtree of QCC Global and Kevin Mansell of Control-F for their helpful suggestions when conducting this research.

References (26)

  • G. Castle. GRR: find all the badness, collect all the things (2014).

  • K. Chen et al. ECF – event correlation for forensics.

  • CybOX. The CybOX™ language defined objects specification (2012).