Abstract
Digital forensic experts need to identify and collect the data stored in electronic devices. Further, this acquired data has to be analyzed to produce digital evidence. Data mining techniques have been successfully implemented in various applications across the domains. Data mining techniques help us to gain insight from a large volume of data. It helps us to predict the pattern, classify the data, and other various aspects of the data based on the users' perspective. Digital forensics is a sophisticated area of research. As the information age is revolutionizing at an inconceivable speed and the information stored in digital form is growing at a rapid rate, law enforcement agencies have a heavy reliance on digital forensic techniques that can provide timely acquisition of data, zero fault data processing, and accurate interpretation of data. This chapter gives an overview of the tasks involved in cyber forensics. It also discusses the traditional approach for digital forensics and how the integration of data mining techniques can enhance the efficiency and reliability of the existing systems used for cyber forensics.
TopIntroduction
Digital forensics is the process that applies state of the art technologies to collect and analyze data stored on electronic media to produce evidence, which is crucial and admissible to cyber investigations.
A digital forensic investigation is an examination of the questionable or unusual activities in the Cyberspace. Figure 1 shows the complete phases of Digital Forensic investigation processes defined by (K. Kent, 2006).
- a)
Collection phase: The first step in the forensic process is to identify potential sources of data and acquire forensic data from them. Major sources of data identified by (Song, 2008) are desktops, storage media, Routers, Cell Phones, Digital Camera, etc. The forensic experts have to decide and plan to acquire data from these sources according to their importance, volatility and other parameters like how much effort is required to collect data.
- b)
Examination phase: In the next phase, the acquired data is examined. This phase consists of assessing and extracting the relevant pieces of information from the data acquired in phase 1.
- c)
Analysis phase: The relevant data, extracted in the previous phase has been analyzed in this phase. The objective of data analysis is to produce evidence related to a certain unwanted or illegal activity performed in the cyberspace. This is the most important phase of the investigation. Investigators have to analyze the acquired data from a different perspective. For example finding the relation between gathered data and the activities, classification or grouping of data, predicting the trends based on the existing data/activities and finding out the unusual activities which are not expected in a system.
- d)
Reporting phase: this is the final stage where a proper document is prepared to report the outcomes of the analysis stage.
Figure 1. The digital forensic investigation processes (K. Kent, 2006)
TopData Mining For Digital Forensics
Digital forensics is a branch of forensic science that focuses on the recovery and investigation of material found in digital devices, about digital crime. The objectives of Digital forensics, is to answers the when, what, who, where, how and why concerning a crime conducted employing electronic media or devices. While investigating a digital crime, forensic experts have to solve the following questions:
- •
‘when’ i.e. the time interval during which the activities took place.
- •
‘what’ i.e. the illegal/unwanted activities performed.
- •
‘who’ i.e. the person(s) accountable for these activities.
- •
‘where’ i.e. the sources from where the data for the evidence can be extracted.
- •
‘how’ i.e. how these activities were performed.
- •
‘why’ i.e. seeks to determine the motives behind these activities.
Since the 1980s, the development of a variety of specialist commercial and freeware tools for cyber forensics began. A lot of tools have been developed and available as software to assist forensic investigators. These tools ensure that the digital evidence required concerning a cybercrime is acquired and preserved properly. These tools also confirm the accuracy of the results obtained by the processing and analysis of digital evidence (Albert Marcella, 2007).
Based on Literature survey, we can categorize these Computer Forensics Tools as follows:
Key Terms in this Chapter
Data Recovery: Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted, or made inaccessible.
Legal Advisors: Legal advisors are lawyers who are employed by the government, large companies and other organizations to provide legal advice and services to the organization and its employees.
Data Mining: Data mining is the process of discovering patterns in large data sets involving methods at the intersection of machine learning, statistics, and database systems.
Forecasting: Forecasting is the process of making predictions of the future based on past and present data and most commonly by analysis of trends.
Anomaly detection: In data mining, anomaly detection is the identification of rare items, events or observations which raise suspicions by differing significantly from the majority of the data.
Digital Crime: Digital crime begins when there is illegal activity. These activities are done to data or information on computers or networks.
Digital Forensic Tool: Specialized digital forensic tools existed, and consequently investigators often performed live analysis on media, examining computers from within the operating system using existing system admin tools to extract evidence.
Phishing: Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.