A novel approach to evaluating similarity in computer forensic investigations

Abstraction-based approaches to data analysis in computer forensics require substantial human effort to determine what data is useful. Automated or semi-automated, similarity-based approaches allow rapid computer forensics analysis of large data sets with less focus on untangling many layers of abstraction. Rapid and automated ranking of data by its value to a computer forensics investigation eliminates much of the human effort required in the computer forensics process, leaving investigators to judge and specify what data is interesting, and automating the rest of analysis. In this paper, we develop two algorithms that find portions of a string relevant to an investigation, then refine that portion using a combination of human and computer analysis to rapidly and effectively extract the most useful data from the string, speeding, automatically documenting, and partially automating analysis.