Fast User Classifying to Establish Forensic Analysis Priorities

In computer and common crimes, important evidence or clues are increasingly stored in the computers hard disks. The huge and increasing penetration of computers in the daily life together with a considerable increase of storage capacity in mass-market computers, pose, currently, new challenges to forensic operators. Usually a digital forensic investigator has to spend a lot of time in order to find documents, clues or evidence related to the investigation among the huge amount of data extracted from one or more sized hard drive. In particular, the seized material could be very huge, and, very often, only few devices are considered relevant for the investigation. In this paper we propose a methodology and a tool to support a fast computer user profiling via a classification into investigator-defined categories in order to quickly classify the seized computer user. The main purpose of the methodology discussed is to define the class of the user in order to establish an effective schedule with priorities based on the computer user content.