Automated Artefact Relevancy Determination from Artefact Metadata and Associated Timeline Events

TL;DR

This paper introduces an AI-based method for classifying digital artefacts' relevancy in forensic investigations by analyzing metadata and timeline events, aiming to reduce case backlog and improve evidence prioritization.

Contribution

It presents a novel relevancy determination approach that leverages previous case data and metadata analysis within a DFaaS framework for automated evidence classification.

Findings

Relevancy scores effectively distinguish pertinent files.

Method validated across three experimental scenarios.

Potential to streamline forensic evidence processing.

Abstract

Case-hindering, multi-year digital forensic evidence backlogs have become commonplace in law enforcement agencies throughout the world. This is due to an ever-growing number of cases requiring digital forensic investigation coupled with the growing volume of data to be processed per case. Leveraging previously processed digital forensic cases and their component artefact relevancy classifications can facilitate an opportunity for training automated artificial intelligence based evidence processing systems. These can significantly aid investigators in the discovery and prioritisation of evidence. This paper presents one approach for file artefact relevancy determination building on the growing trend towards a centralised, Digital Forensics as a Service (DFaaS) paradigm. This approach enables the use of previously encountered pertinent files to classify newly discovered files in an investigation. Trained models can aid in the detection of these files during the acquisition stage, i.e., during their upload to a DFaaS system. The technique generates a relevancy score for file similarity using each artefact's filesystem metadata and associated timeline events. The approach presented is validated against three experimental usage scenarios.