Show simple item record

| Field | Value | Language |
|---|---|---|
| dc.contributor.author | Rowe, Neil C. | |
| dc.date | 2019 | |
| dc.date.accessioned | 2019-05-09T15:52:46Z | |
| dc.date.available | 2019-05-09T15:52:46Z | |
| dc.date.issued | 2019 | |
| dc.identifier.citation | Rowe, Neil C. "Associating Drives Based on Their Artifact and Metadata Distributions." International Conference on Digital Forensics and Cyber Crime. Springer, Cham, 2019. | en_US |
| dc.identifier.uri | http://hdl.handle.net/10945/62129 | |
| dc.description | The article of record as published may be found at https://doi.org/10.1007/978-3-030-05487-8_9 | en_US |
| dc.description.abstract | Associations between drive images can be important in many forensic investigations, particularly those involving organizations, conspiracies, or contraband. This work investigated metrics for comparing drives based on the distributions of 18 types of clues. The clues were email addresses, phone numbers, personal names, street addresses, possible bank-card numbers, GPS data, files in zip archives, files in rar archives, IP addresses, keyword searches, hash values on files, words in file names, words in file names of Web sites, file extensions, immediate directories of files, file sizes, weeks of file creation times, and minutes within weeks of file creation. Using a large corpus of drives, we computed distributions of document association using the cosine similarity TF/IDF formula and Kullback-Leibler divergence formula. We provide significance criteria for similarity based on our tests that are well above those obtained from random distributions. We also compared similarity and divergence values, investigated the benefits of filtering and sampling the data before measuring association, examined the similarities of the same drive at different times, and developed useful visualization techniques for the associations. | en_US |
| dc.format.extent | 18 p. | en_US |
| dc.publisher | ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering | en_US |
| dc.rights | This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States. | en_US |
| dc.title | Associating Drives Based on Their Artifact and Metadata Distributions | en_US |
| dc.type | Article | en_US |
| dc.contributor.corporate | Naval Postgraduate School (U.S.) | en_US |
| dc.contributor.department | Computer Science (CS) | |
| dc.subject.author | Drives | en_US |
| dc.subject.author | Forensics | en_US |
| dc.subject.author | Link analysis | en_US |
| dc.subject.author | Similarity | en_US |
| dc.subject.author | Divergence Artifacts | en_US |
| dc.subject.author | Metadata | en_US |

