Digital forensics

Cyber security attacks are a fundamental threat to all – from the largest companies to the smallest SMEs, to charitable organisations and the general public. The field of digital forensics has been established to provide the procedures, processes and tools to enable law enforcement agencies and computer security response teams to investigate the attacks and bring culprits to justice. 

CSCAN focuses on exploring solutions to current technological limitations, driving innovation through empirically based experimentation and actively participating in and collaborating with the wider national and international community.

Research themes include: 

  • application of artificial intelligence to resolve issues with excessive volumes and complexity of data
  • exploring the heterogeneity of data and seeking to develop intelligent approaches for data querying across evidence sources
  • seeking new approaches to perform forensic analyses that parse, process and visualise evidence in a manner that reduces investigative time and cognitive load on the investigator
  • the role of traditional and innovative biometric technologies in the identification of suspects.

Project insights

Identifying users from encrypted network traffic 

The prevalence of the Internet and cloud-based applications has resulted in users relying upon network connectivity more than ever before. This results in an increasingly voluminous footprint with respect to the network traffic. For network forensic examiners, this traffic represents a vital source of independent evidence in an environment where anti-forensics is increasingly challenging the validity of computer-based forensics. Our research combines our expertise in developing innovative biometrics with the need to be able to map network requests and attacks to an individual rather than simply an IP address.

Links for more information:

https://www.sciencedirect.com/science/article/pii/S0167404817301384

Using machine learning to automate the identification of evidence 

Forensic investigations are becoming incredibly resource intensive, particularly because of the volume of data that needs to be investigated. Our research explores how unsupervised clustering can be used alongside an analysis of file metadata as a triage tool for prioritising relevant electronic artefacts over irrelevant ones. Analysis of real-world cases suggests a high correlation between metadata attributes that aid in the clustering. Going beyond an empirical understanding of the novel solution, our research has also developed algorithmic solutions for practical applications.

Links for more information:

https://www.sciencedirect.com/science/article/pii/S1742287616300792 

https://pearl.plymouth.ac.uk/handle/10026.1/8090

Next generation facial recognition for digital forensics 

The application of facial recognition to digital forensics provides an enormous opportunity to automate the processing of multimedia data in order to identify individuals. For example, the automated processing of CCTV to identify individuals involved in child abduction, theft and social disturbances would provide a huge reduction in the resources required in comparison to the typical manual analysis currently performed. However, whilst facial recognition is a mature technology for access control applications (e.g. border control, mobile access), the application to digital forensics has significant shortcomings. These shortcomings are borne out of the fact that facial recognition only works well with compliant users and in very well controlled environments (controlling light, distance from camera and facial orientation). In a forensic application, none of these are typically present. This project seeks to identify approaches to provide better recognition performance with varying environmental factors but also to develop forensic analyses that permit investigators to ask higher-level investigative questions of the data – reducing cognitive load for the investigator and speeding up the analysis of samples in often very time-critical situations.

Proactive forensics: imprinting of biometric information into company files

Information leakage through insider misuse is a serious concern for organisations. After all, security countermeasures are typically designed to keep unauthorised individuals from accessing commercially sensitive company information. The countermeasures are specifically designed to allow an organisation's own staff access; however, this gives rise to an increasing problem of insider misuse. This project seeks to develop an approach that allows investigators to more rapidly identify the source of the leakage. The technology draws upon the field of transparent authentication to capture employees' biometric information in an implicit/non-intrusive fashion (i.e. capturing samples in the background whilst they are engaged in normal use of a computer or mobile) and uses steganographic techniques to embed this information into the file or data object they are interacting with at that point in time. Each file and data object will therefore contain a biometric signature of the last individual who interacted with or edited the file. Should that file be leaked and subsequently identified (e.g. posted on a forum), it is possible to extract the biometric signature from the file and identify the employee.

Links for more information:

https://worldwide.espacenet.com/publicationDetails/biblio?FT=D&date=20171207&DB=EPODOC&locale=en_EP&CC=WO&NR=2017207998A1&KC=A1&ND=4 

https://www.c-mric.com/100107 

https://pearl.plymouth.ac.uk/handle/10026.1/15562