Quantifying Digital Forensic Investigations
- Speaker: Dr Richard E Overill, Department of Informatics, King’s College London
- Date: Tuesday, 25 October 2016 from 16:00 to 17:00
- Location: Room 151
Until recently, an inability to quantify the likelihood of alternative hypotheses and the probative value of digital evidence has prevented digital forensics from developing into a mature scientific/engineering discipline from the qualitative (botany-like) subject that it originally was.
The methods of digital meta-forensics were developed recently to explore ways of quantifying the relative plausibility of several alternative explanations (hypotheses) for the existence of the recovered digital evidence in a given case. The Likelihood Ratios (LRs), odds and probabilities produced by such approaches, together with their associated uncertainties, can provide law enforcement and court-of-law officials with a quantitative scale against which to assess the likelihood of a successful prosecution, or the merit of a not-guilty plea.
When it comes to triage and prioritisation of digital forensic investigations in the light of the ever-increasing volumes of data and varieties of device, the economics of digital forensics (for which we coined the term digital forensonomics) provides a quantitative basis upon which to prioritise the search for digital evidence in a given case. Linked to the well-understood economic concepts of Return on Investment (RoI) and Cost-Benefit Ratio (CBR), a list of the expected items of digital evidence for a given case is drawn up, ordered by decreasing RoI (or equivalently increasing CBR) within decreasing probative value. The RoI (or equivalently the inverse of the CBR) is defined as the ratio of the probative value (or weight) of that item of digital evidence to the cost of its recovery and analysis. The cost is measured in terms of the resources required, typically investigator hours and any specialist equipment time; this is in principle straightforward to quantify. The probative value, however, has not so far been accorded a quantified metric, being generally based on the prior experience of expert digital forensic investigators.

We point out that a valid metric for the probative value of any item of digital evidence in a particular case can be obtained from the Bayesian Network (BN) for that case as follows. The posterior probability of the BN with all digital evidence present is compared with the posterior probability of the BN with an item of digital evidence absent, and the relative difference of these two quantities provides a direct measure of the probative value of that item of digital evidence.
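As an added illustration of the two ideas in the abstract (Likelihood Ratios/posteriors from a BN, and the BN-derived probative value feeding an RoI ranking), the following Python is not the speaker's code and makes several assumptions: the case BN is a naive-Bayes shaped network with one binary hypothesis node H and conditionally independent binary evidence nodes; "an item absent" is taken to mean the item's node is left unobserved rather than observed as missing; the probative value is the relative difference (P_all - P_without) / P_all; probative values are banded to one decimal place so that the "RoI within probative value" ordering has something to order within; and all probabilities, item names and costs are constructed for the example.

```python
"""Constructed example of digital forensonomics triage: BN posterior, LR,
probative value by leave-one-out, and RoI ordering. Not the talk's code."""
from typing import Dict, List

# Constructed prior for the hypothesis node H (e.g. "suspect performed the act").
PRIOR_H = 0.5

# Constructed conditional probability tables and recovery costs (investigator hours).
# p_given_h = P(E_i present | H), p_given_not_h = P(E_i present | not H).
EVIDENCE: Dict[str, Dict[str, float]] = {
    "browser_history": {"p_given_h": 0.90, "p_given_not_h": 0.30, "cost_hours": 2.0},
    "deleted_file":    {"p_given_h": 0.70, "p_given_not_h": 0.10, "cost_hours": 8.0},
    "registry_key":    {"p_given_h": 0.60, "p_given_not_h": 0.40, "cost_hours": 1.0},
}


def likelihood_ratio(present_items: List[str], cpt=EVIDENCE) -> float:
    """Combined LR for the listed items being observed present.
    Under conditional independence the per-item LRs multiply."""
    lr = 1.0
    for name in present_items:
        lr *= cpt[name]["p_given_h"] / cpt[name]["p_given_not_h"]
    return lr


def posterior(present_items: List[str], prior: float = PRIOR_H, cpt=EVIDENCE) -> float:
    """P(H | listed items observed present); unlisted items are unobserved.
    Computed as posterior odds = prior odds * LR, then converted back."""
    prior_odds = prior / (1.0 - prior)
    post_odds = prior_odds * likelihood_ratio(present_items, cpt)
    return post_odds / (1.0 + post_odds)


def probative_value(item: str, prior: float = PRIOR_H, cpt=EVIDENCE) -> float:
    """Relative drop in posterior when `item` is left out of the evidence set.
    Assumption: 'absent' means unobserved. Negative values flag exculpatory
    items (LR < 1), whose omission would raise the posterior."""
    all_items = list(cpt)
    p_all = posterior(all_items, prior, cpt)
    p_without = posterior([n for n in all_items if n != item], prior, cpt)
    return (p_all - p_without) / p_all


def prioritise(prior: float = PRIOR_H, cpt=EVIDENCE, band_decimals: int = 1) -> List[dict]:
    """Rank items by decreasing RoI within decreasing (banded) probative value.
    RoI = probative value / cost; CBR would be its inverse."""
    rows = []
    for name, spec in cpt.items():
        pv = probative_value(name, prior, cpt)
        rows.append({
            "item": name,
            "probative_value": pv,
            "band": round(pv, band_decimals),   # assumption: banding for the within-ordering
            "cost_hours": spec["cost_hours"],
            "roi": pv / spec["cost_hours"],
        })
    rows.sort(key=lambda r: (-r["band"], -r["roi"]))
    return rows


if __name__ == "__main__":
    items = list(EVIDENCE)
    print(f"LR(all present) = {likelihood_ratio(items):.2f}, "
          f"P(H | all present) = {posterior(items):.4f}")
    for r in prioritise():
        print(f"{r['item']:16s} PV={r['probative_value']:.4f} "
              f"cost={r['cost_hours']:4.1f}h RoI={r['roi']:.4f}")
```

With the constructed tables the combined LR is 31.5, the posterior with all three items present is 63/65, and the leave-one-out probative values are 12/77 (deleted_file), 4/69 (browser_history) and 1/66 (registry_key); the cheap registry key has the lowest RoI despite costing one hour, because its LR of 1.5 barely moves the posterior. Whether "absent" should mean unobserved or observed-negative changes the numbers, so that choice needs to be fixed and documented before the metric is used for triage.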