A Digital Forensics Triage methodology based on feature manipulation techniques

The evolution of modern digital devices is outpacing the scalability and effectiveness of Digital Forensics techniques. Digital Forensics Triage is one solution to this problem as it can extract evidence quickly at the crime scene and provide vital intelligence in time critical investigations. Similarly, such methodologies can be used in a laboratory to prioritize deeper analysis of digital devices and alleviate examination backlog. Developments in Digital Forensics Triage methodologies have moved towards automating the device classification process and those which incorporate Machine Learning principles have proven to be successful. Such an approach depends on crime-related features which provide a relevant basis upon which device classification can take place. In addition, to be an accepted and viable methodology it should be also as accurate as possible. Previous work has concentrated on the issues of feature extraction and classification, where less attention has been paid to improving classification accuracy through feature manipulation. In this regard, among the several techniques available for the purpose, we concentrate on feature weighting, a process which places more importance on specific features. A twofold approach is followed: on one hand, automated feature weights are quantified using Kullback-Leibler measure and applied to the training set whereas, on the other hand, manual weights are determined with the contribution of surveyed digital forensic experts. Experimental results of manual and automatic feature weighting are described which conclude that both the techniques are effective in improving device classification accuracy in crime investigations.