Title: Digital forensic system profiling using context analysis
Author: Gresty, David William
ISNI: 0000 0004 7963 4339
Awarding Body: University of Greenwich
Current Institution: University of Greenwich
Date of Award: 2018
Conventional digital forensic investigations search digital devices for specific events or specific artefacts that indicate a crime has occurred. This does fulfil the investigative need to identify a crime, but it does not attribute the user of that digital device when the crime occurred. If a crime occurs frequently, such as accessing unlawful pornography, or is an isolated event but is co-located in time with other frequently occurring events, such as the one-off sending of a harassing message, then there may be investigative value in processing the history of the device to determine if there are patterns of repetitive behaviour present at the times of interest. This research project investigates the habitual use of a digital device by analysing the Internet history that can be recovered from the physical digital device, or from logs that are retained as the device is connected to a firewall or service provider. The presumption in this project is that there is zero knowledge of the content of the web history, page content or even an accurate classification of the nature of the sites that are visited. We propose in this research that the patterns of usage themselves are a significant indicator of who the user is, or the type of usage that is being performed. We define context analysis as the investigation not of what is contained within the artefacts, but rather the investigation of the meta-data relating to that artefact and any other similar artefacts within a proximity, be it temporal, spatial or potentially spatio-temporal. Specifically, we show in this thesis that given suitable feature selection the context analysis we define is effective at identifying patterns of habitual behaviour, as evaluated in the case of Internet history artefacts.
We present as our major contributions: the methods of analysing periods of Internet history in contextual groups of sessions; the novel approaches to feature selection for the Internet history sessions; and the display of the results on a network graph such that techniques such as community detection can be used to automatically cluster the Internet history.
Supervisor: Gan, Diane ; Loukas, George ; Ierotheou, Constantinos
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:  DOI: Not available
Keywords: QA Mathematics ; TK Electrical engineering. Electronics Nuclear engineering