Search Model for Searching the Evidence in Digital

Forensic Analysis
Pratap Sakhare
Sweedle Mascarnes Prajyoti Lopes Department of Information
Department of Computer Department of Information Technology
Engineering Technology St. John College of Engineering and
St. Francis Institute of Technology St. Francis Institute of Technology Technology,
Mumbai, India Mumbai, India Mumbai, India
swedle.mascarenhas@gmail.com prajyotilopes@gmail.com prataps@sjcet.co.in

Abstract— Digital forensics investigation involves the
examination of the digital devices to gather evidence associated
with the crime. The amount of data that needs to be processed in
a typical forensic investigation today is immense and extremely
diverse. Thus finding relevant evidence related to the case is
difficult and time-consuming. This research work aims in
designing a search model that hunts pertinent evidence by
analysing large amount of data for faster and more effective
processing in criminal investigation. The proposed work allows
the investigator to semantically cluster the data collected from
digital devices based on the keyword specified by the
investigator or suggested by system. Experiments were
conducted on dummy crime dataset to test the accuracy and the
scalability of the proposed system. Experimental results proved
that subject suggestion improved the accuracy and thus speeds
up the process of searching the evidence.
Keywords - digital forensic investigation; crime investigation;
clustering; subject suggestion.
I. INTRODUCTION
Digital forensics has become an intrinsic activity in
crime investigation. It is a process of inspecting digital media
with the aim of generating digital evidence linked to an
incident under investigation. According to Carrier et al. [1],
digital evidence of an incident is any digital data that
supports or refutes a hypothesis about the incident. The six
basic steps defined by Digital Forensics Research Workshop
(DFRWS) and generally followed in the forensic
investigation are Identification, Preservation, Collection,
Examination, Analysis and Presentation [2].
Out of all the phases mentioned, Examination phase
is the most difficult and time consuming phase. In this phase,
investigators have to go through hundreds and thousands of
unstructured documents gathered from suspect’s digital
devices to fetch the relevant evidence. Identifying significant
evidence using manual browsing is time consuming process.
Therefore there is a necessity for automated search systems.
Traditionally forensic examiners rely on the search engines
provided by operating systems or existing DFI tools namely
Guidance Encase [3], Access Data Forensic Toolkit (FTK)
[4], and Sleuth kit / Authopsy [5] etc. to find evidence.
However, there are some problems with today’s forensic
tools [6]. The search techniques provided by current DFI
tools include file name search, text string based search,
regular expression search and approximate matching search.
Digital forensic tools existing in market work only on a
specific type of data source and are limited for specific tasks
such as file-system analysis, network protocol analysis,
volatile memory analysis etc. Also these tools are not
scalable to large data sets (i.e. Gigabytes and Terabytes).
Data mining is a good solution to handle massive
volumes of data. Data Mining is the process of extracting
knowledge from large data sets. Employing data mining
techniques to aid DFI has many potential advantages [7]. If
applied properly it meets the three-fold goal of reducing
system and human processing time, improving the
effectiveness and quality of the data analysis and reducing
cost. Various data mining techniques have been previously
used by law enforcement agencies. Of all these existing
techniques, clustering is proved as one of the powerful
technique that enables the forensic investigators to explore
large databases quickly and efficiently.
However, these tools and clustering algorithms are
applied directly on suspect’s dataset without any knowledge
about the content within. Hence, the results obtained by these
tools and clustering algorithms leads to false positives and
false negatives.
For faster and more effective processing of data
within criminal investigations, this research work aims in
designing a search model that can automatically analyze large
quantities of data and allows the investigator to semantically
cluster the data set on suspect’s hard drive based on the
keyword specified by the investigator or suggested by
system. The proposed system identifies top frequent
keywords that are commonly appearing in the dataset and
these keywords are suggested to the investigator. The
investigator can either select the subject/keywords suggested
by the proposed model or he can manually enter his own
search query. The proposed model uses novel semantic
document clustering algorithm that groups all documents into
clusters where each cluster represents keyword/subject
specified by the investigator or suggested by the system. In
this way, subject suggestion helps the investigator to initiate

978-1-4673-7910-6/15/$31.00 2015
c IEEE 1353
the process of finding the evidence from an unknown dataset.
Experiments were conducted on dummy crime dataset to test
the Accuracy and the Scalability of the proposed system.
Experimental results show that the subject suggestion model
improves the Accuracy and thus enhances the performance of
existing DFI framework.
II. RELATED WORK
Data mining techniques are specifically designed to
find and retrieve relevant data amongst voluminous amounts
of data [8]. Hence, they are able to support digital
investigations. The broad classification of data mining
techniques and its applications in Digital Forensic field have
been explained in the following sections.
A. Association Rule Mining:
Association rule mining is one of the vital
techniques of data mining, receiving increasing attention in
Forensic Investigation. Association rules are the if/then
statements that help to uncover relationships between
seemingly unrelated data. Apriori & FP-growth algorithms
have been one of the most famous algorithms used for
Frequent Pattern mining. D. Bansal and L. Bhambhu [9] have
used Apriori algorithm to extract frequent patterns occurring
in a dataset. In [10], authors have presented a unified data
mining solution to find the author by studying the linguistic
and computational characteristics of the written documents.
B. Supervised learning/Classification:
Classification techniques are applied to organize
different crime entities as per the properties common in them.
In [11] and [12], a Support Vector Machine (SVM) has been
applied to determine the author and the gender of the author
of an e-mail. S.Yamuna and N. Bhuvaneswari [13] have used
decision tree algorithm to analyze and predict the future
crime.
In summary, text classification approaches all
depend on the availability of training data for the purpose of
training their classifiers. Therefore, text classification has
failed to address this subject/keyword-based clustering
problem because of the lack of training data in DFI.
C. Unsupervised Text Clustering:
Clustering has been a well-known data mining
technique. There have been few research articles reporting
the use of these clustering techniques in the DFI field.
Link analysis is a technique used for investigation of
criminal activity to identify relationships between
organizations, people and transactions. Chen et al. [14] have
introduced a crime data mining framework that identifies
relationships between different crime entities by applying
different clustering techniques.
The research presented in [15] has used a Kohonen
Self-Organizing Map to cluster search results retrieved during
1354 2015 International Conference on Green Computing and Internet of Things (ICGCIoT)
text string search and thus helps investigators to locate
relevant document relevant more quickly. In [16], SOM-
based algorithms have been used for clustering files by taking
according to creation dates/times and file extensions. So it’s
an easy task for the forensic investigator for the analysis once
he got specified pattern.
R. Hadjidj [17] has proposed email forensic analysis
tool which helps to gather the evidences related to crime in
the court of law. The problem of clustering e-mails for
forensic analysis has also been addressed in [18], where a
Kernel-based variant of K-means was applied. The forensic
examiner only analyses the clusters which are relevant to the
admitted case, hence this speed up the forensic analysis
process.
In all the papers discussed above, the number of
clusters needs to be specified explicitly before applying
clustering techniques. But, in real time to specify the number
of clusters explicitly is not an easy task because forensic
investigator does not know amount and the nature of data
gathered from suspect’s digital devices. This is one of the
biggest limitations of most of the clustering algorithms.
D. Summary:
To summarize, researchers have developed several
data mining techniques to automate the process of
investigation; however, it has been observed that none of the
existing data mining techniques take advantage of the
information the investigator initially provides while taking in
consideration that no training data is available.
The research work presented in [19] has focused on a
subject-based semantic document clustering algorithm that
allows an investigator to cluster the data gathered from
suspect’s digital devices, according to the subject initially
defined by the investigator (e.g. hacking, child pornography
etc.). The limitation of this method is that, the investigators
may often fail to give an appropriate search query, as they are
unlikely to have the advance knowledge of all criminal events
that have already occurred on a suspect's computer.
The presented research work overcomes this
limitation by introducing a novel search model integrated
with keyword suggestion feature. The objective of the
proposed framework is to help investigators efficiently
identify relevant information from the unknown dataset in
order to improve the performance of existing DFI framework.
III. PROPOSED WORK
This section depicts the workflow of the collection
of the data from suspect’s digital devices to finding the
relevant evidence in Figure 1 and Figure 2. The data from
suspect’s digital devices found at the crime scene is collected
and brought to forensic department for further investigation.
These data is preprocessed by applying various preprocessing
techniques as shown in the Figure 1.

Figure 1 Preprocessing of the data collected form suspect’s digital
devices
A. Pre-processing:
Pre-processing is an important task and critical step
in information retrieval and text mining. Preprocessing is to
separates the text into individual words. The following pre-
processing procedures are applied on the suspect's document
set.
1) Stop words Removal:
Stop words are linguistic words which carry no
information. In this phase, pronouns (I, am, he, she,
they), preposition (to, for, a, in, the) and conjunctions
(so, and, or, but) are removed since they do not have any
effect on the text mining process. Similarly, special
characters and punctuations are also removed. The upper
case characters are converted to lower case in this
process.
2) Stemming:
Stemming is the process of removing affixes (prefixes
and suffixes) of each word. For example: convert,
converts, converted, and converting. From this example,
2015 International Conference on Green Computing and Internet of Things (ICGCIoT)
the set of features is conflated into a single feature by
removal of the different suffixes -s, -ed, -ing to get the
single feature convert.
In the present work, stemming is done with the
help of WordNet stemmer. The WordNet [20] is the
online dictionary for English language which gives
synonyms, definitions, several senses of a word. The
WordNet dictionary contains the WordNet stemmer
class, which is used to stem the word with to its root
form.
The working of WordNet stemmer is explained below:
• Morph the word by applying the morphing rules
provided by WordNet stemmer interface. Check
whether the morphed word exits in the WordNet
dictionary.
• If the morph word (root form of the word) exists
in the dictionary, then returned the morph word.
• If the morphed word does not exist in the
dictionary, returned the original word.
3) Tokenization:
Tokenization is the process of breaking a sentence into
words, phrases, symbols, or other meaningful elements
called tokens. The tokenization process separates the
stream of text into tokens by using white spaces and
punctuation marks as separators.
For example, the string “Ram and Sham are best
friends” will yield four tokens: “Ram”, “Sham”, “best”
and “friends”.
B. Indexing:
The objective of indexing is to compute the weight
of all the distinct terms obtained after preprocessing. The
weight is assigned based on frequency of occurrence of the
term in the document and the number of documents that has
the term. The two main components that affect the
significance of a term in a document are the Term Frequency
(TF) factor and Inverse Document Frequency (IDF) factor
[21]. TF-IDF is a very popular weight assignment technique
used in text mining and information retrieval field.
After pre-processing, the system identifies top
frequent keywords that are commonly appearing in the
dataset and these keywords are suggested to the investigator.
The investigator can either select the keywords suggested by
the proposed model or he can manually enter his own search
query. The proposed model uses novel semantic document
clustering algorithm that groups all documents into clusters
where each cluster represents keyword specified by the
investigator. The basic components of the proposed system as
shown in Figure 2 are explained in detail in each sub section.
1355

Figure 2 The proposed Keyword/Subject Suggestion model for DFI
A. Subject Suggestion:
The key contribution of this research work is
keyword/subject suggestion module. The aim to provide
keyword suggestions is to help the investigator to initiate the
process of finding the evidence from an unknown dataset.
Keyword/Subject Suggestion module recommends the top
frequent keywords that repeatedly appear in the dataset.
The steps to identify the top frequent keywords are as
follows:
• For each word, determine the frequency of the
occurrence of the word in the dataset.
• Determine the total number of words in the entire
dataset.
• Finally, for each word, compute the keyword score
by using the TF-IDF formula.
• Compare the keyword score of all the words and
arrange the words in the descending order, based
on their keyword score.
Once the keyword score of all the words in the
dataset is computed then the top ten keywords who’s
‘Keyword_score’ is highest among all the keywords, are
highlighted and suggested/recommended by the system.
The investigator can either select the subject from
the suggested list of keywords or manually enter his/her own
search query. By suggesting these subject keywords it aids
1356 2015 International Conference on Green Computing and Internet of Things (ICGCIoT)
the investigator for formalizing the search query as they are
unaware of the suspect’s dataset. Hence the subject
suggestion model attempts to improve the Accuracy and thus
enhances the performance of existing DFI framework.
B. Search Query Expansion:
The subject keywords that are suggested by the
system or entered manually by the investigator are further
expanded by finding its synonyms through WordNet [20].
The proposed framework integrates WordNet to find out
semantic relations among words and thus make an attempt to
improve the effectiveness of retrieval.
C. Proposed Clustering Algorithm:
The expanded query obtained from the previous step
is searched on the indexed dataset. The proposed framework
uses a novel semantic document clustering algorithm, to
cluster the documents. Algorithm 1 provides an overview of
the clustering process used to semantically cluster the
documents stored on suspect’s hard disk.
The input to this algorithm is the indexed dataset
obtained after applying preprocessing techniques as discussed
in Section 3.2 and the search query entered by the user. Each
searched keyword is stemmed to its root form and its
synonyms are fetched from the WordNet dictionary as
illustrated in step 2 and 3 of the algorithm. Then the cosine
similarity [19] is computed between final query vector which
consist of the search keyword and its synonyms and each
document from the document set. The cosine similarity is
used to measure similarity between two documents. The
documents whose similarity_score is more than 0 for the
corresponding keyword are clustered together whereas the
other documents are grouped in generic cluster.
Algorithm 1: Document clustering.
Input: Indexed dataset, Search_query_vector S Null
1. for each search keyword si ‫ א‬S do
2. Root_word r ĸ find_stem(si)
3. Synonym [1..N] ĸ find_synonyms(r)
4. Final_query_vector qi ĸ si ‫ ׫‬Synonym[1..N]
5. for each document dj ‫ א‬D do
6. similarity_score ĸcalculate
cosine_similarity(dj,qi)
7. if (similarity_score>0) then
8. Ci ĸ dj
9. else
10. general_cluster ĸ dj
11. end if
12. end for
13. end for
Output: A set of clusters
In this way the proposed framework is designed to
quickly find the relevant evidence from large dataset found at
the crime scene by suggesting the keywords or the subjects
on which the investigator can search for the evidence.
 IV. SYSTEM IMPLEMENTATION TABLE I ACCURACY OF THE PROPOSED SEARCH MODEL
With subject Without subject
A. Datasets: Accuracy Parameters
suggestion suggestion
For validating the proposed system, experiments Average Precision 1 0.93
Average Recall 0.93 0.89
were conducted on the following datasets. The dataset consists Average F-measure 0.96 0.90
of the documents of .txt, .doc, .pdf, .ppt, .pptx, .xls and .xlsx
extension. Below is a brief summarization of each data set's Here the Average F-measure with subject suggestion
characteristics: module is 0.96 whereas Average F-measure without subject
1. Crime Dataset_1: suggestion module is 0.90. Thus, it is concluded that the
This dataset is also used to test the Accuracy of subject suggestion module improves the overall Accuracy of
system. The dataset comprises of total 220 the system.
documents, out of which, there are 100 crime Scalability:
documents of 4 different classes namely, Kidnap, Table II illustrates the Scalability of the proposed
Robbery, Sexual Assault and Murder and 120 other system. To test the Scalability of the proposed system,
general documents. experiments were conducted on ‘Classic3’ dataset, consisting
2. Crime Dataset_2: of 10,000.
Crime Dataset_2 is further extended to build a larger TABLE II SCALABILITY OF THE PROPOSED SEARCH MODEL
data set comprising of 1000 documents in which
there are, 700 crime documents of 14 different crime
Subject
categories and 300 other documents. This dataset is Sr. No. of
Preprocessing
Suggestion
Searching Total
used to check the Accuracy as well as the Scalability time time time
No. Documents time
(seconds) (seconds) (seconds)
of the system so that the correlation between (seconds)
Accuracy and Scalability can be studied. 1 10 1 0 1 2

3. Classic3: 2 50 4 0 1 5

Classic3 is a benchmark data set used in text mining 3 100 6 1 1 7

[22]. It consists of 7095 documents from 4 disjoint 4 500 15 1 4 20
classes: 1400 CRAN documents, 1033 MED 5 1000 26 2 6 34
documents, 1460 CISI documents and 3204 CACM
6 5000 194 4 46 244
documents. This dataset is used to check the
Scalability of system. 7 10,000 289 5 55 349

B. Experimental Results: Results show that pre-processing phase consumes

The performance of our proposed system is
evaluated based on two parameters: Accuracy and
Scalability.This Section depicts the experimental results
obtained after testing the Accuracy and Scalability of the
proposed framework. It also illustrates the correlation
between Accuracy and Scalability.
Accuracy:
Accuracy of the system is based on three parameters
i.e. Precision, Recall and F-measure as shown in Table I. To
check the system Accuracy, experiments were conducted on
‘Crime Dataset_1’. Accuracy of the system is tested for
around 50 keywords.
maximum system runtime. The runtime is directly
proportional to the data set's size. Since each phase of the
algorithm grows linearly with respect to the total number of
documents, hence the experimental results suggest that the
system presented in this work is scalable.
Accuracy and Scalability correlation:
To see the correlation between Accuracy and
Scalability, experiments were conducted on ‘Crime
Dataset_2’. The objective of these experiments was to check
whether the Accuracy of the system gets affected as the
datasets size grows. Table III illustrates the relation between
the Precision, Recall and F-measure score with the runtime
calculation of each phase.

TABLE III ACCURACY AND SCALABILITY CORRELATION

Without Subject Suggestion

Preprocessing Subject Searching With Subject Suggestion
No. Of Total Time
Time Suggestion Time Time
Documents (seconds)
(seconds) (seconds) (seconds) AP AR AF AP AR AF

10 4 0 1 5 1 1 1 1 1 1
100 18 1 3 22 1 0.98 0.99 1 0.96 0.98
1000 63 3 13 79 1 0.95 0.97 1 0.91 0.95

Where: *AP= Average Precision, *AR= Average Recall, *AF= Average F-measure

2015 International Conference on Green Computing and Internet of Things (ICGCIoT) 1357
From the above Table III it was observed that the average F
measure with subject suggestion module and without subject
suggestion module does not degrade much as the number of
documents is increased.
V. CONCLUSIONS AND FUTURE WORK
This research work developed a search model that
can automatically analyze large quantities of data and allows
the investigator to semantically cluster the data set on
suspect’s hard drive based on the keywords specified by the
investigator or suggested by system. Experiments were
performed on different dummy crime datasets to test the
Accuracy and Scalability of the proposed DFI framework.
Thus, the experimental tests proved that subject
recommendations improved the Accuracy (F-measure) of the
system. Next, the experiments were conducted on the classic3
dataset to test the Scalability of the system. The objective of
this Scalability experiment was to measure the runtime of
each phase and thus to ensure that the system works well for
10 documents to 10,000 documents. From the experimental
results, it was proved that the model presented in this work is
scalable. The correlation between the Accuracy and
Scalability was tested on Crime Dataset_3 and it was
observed that the Accuracy of the system was not affected
much as the dataset increases. Thus, the proposed DFI
framework attempted to speed-up the investigation process
and reduced the time taken for a digital investigation.
REFERENCES
[1] E. Casey, 1st ed., Digital Evidence and Computer Crime: Forensic
Science, Computers and the Internet with CD-ROM, Academic
Press, USA, 2000.
[2] G. Palmer and M. Corporation, “A road map for digital forensic
research”, in Proc. the 1st Digital Forensic Research Workshop,
2001, pp. 1-48.
[3] Guidance Encase Tool, [Online],
http://www.guidancesoftware.com/, 2014.
[4] Access Data Forensic Toolkit, [Online],
http://www.accessdata.com, 2014.
[5] Sleuth Kit & Authopsy Tool, [Online], http://www.sleuthkit.org,
2014.
[6] Spyridon Dosisa, Irvin Homema and Oliver Popova, “Semantic
Representation and Integration of Digital Evidence”, in Proc. 17th
International Conference in Knowledge Based and Intelligent
Information and Engineering Systems, 2013, pp. 1266 – 1275.
[7] Nicole Beebe and Jan Clark, Advances In Digital Forensics,
Springer, 2005.
[8] J. Han and M. Kamber, 2nd ed., Data mining: Concepts and
Techniques, Elsevier, 2006.
1358 2015 International Conference on Green Computing and Internet of Things (ICGCIoT)
[9] D. Bansal and L. Bhambhu, “Execution of APRIORI Algorithm o
Data Mining Directed Towards Tumultuous Crimes Concerning
Women”, International Journal of Advanced Research in
Computer Science and Software Engineering, Vol.3, Issue. 1
pp.54-62, 2013.
[10] F. Iqbal, H. Binsalleeh, B. Fung and M. Debbabi, “A unified data
mining solution for authorship analysis in anonymous textua
communications”, Journal of Information Sciences, Vol. 231, pp
98–112, 2013.
[11] Corney, M., de Vel, O., Anderson, A., and Mohay, “Gende
preferential Text Mining of E-mail Discourse”, in Proc. the 18th
annual Computer Security Applications Conference, 2002, pp
282-289.
[12] De Vel, O. Corney, M. and Mohay, “Mining E-Mail Content fo
Author Identification Forensics”, Journal of SIGMOD Record
ACM Press, Vol. 30, Issue. 4, pp. 55–64, 2001.
[13] S.Yamuna and N. Bhuvaneswari, “Data Mining Techniques to
Analyze and Predict Crimes”, International Journal of
Engineering And Science, Vol.1, Issue.2, pp.243-247, 2012.
[14] H. Chen, W. Chung, J. J. Xu, G. Wang, Y. Qin, and M. Chau
“Crime data mining: A general framework and some examples”
Journal of Computer, Vol. 37, Issue. 4, pp. 50–56, 2004.
[15] N. L. Beebe and J. G. Clark, “Post-retrieval search hit clustering to
improve information retrieval effectiveness: Two digital forensic
case studies”, Journal of Decision Support Systems, Vol.51, Issue
4, pp. 732–744, 2011.
[16] N. L. Beebe and J. G. Clark, “Digital forensic text string searching
Improving information retrieval effectiveness by thematically
clustering search results”, Journal of Digital Investigation
Elsevier, Vol. 4, pp. 49–54, 1997.
[17] R. Hadjidj, M. Debbabi, H. Lounis, F. Iqbal, A. Szporer, and D
Benredjem, “Towards an integrated e-mail forensic analysi
framework”, Journal of Digital Investigation, Elsevier, Vol. 5
Issue. 3, pp. 124–137, 2009.
[18] S. Decherchi, S. Tacconi, J. Redi, A. Leoncini, F. Sangiacomo, and
R. Zunino, “Text clustering for digital forensics analysis,” Journa
of Information Assurance and Security, Vol. 5, Issue. 2, pp. 384–
391, 2010.
[19] G. Dagher and B. Fung, “Subject-based semantic documen
clustering for DFIs”, Journal of Data & Knowledge Engineering
Vol. 86, pp. 224–241, 2013.
[20] G.A. Miller, “WordNet: a lexical database for English”, Journal of
Communications of the ACM, Vol. 38, Issue. 11, pp. 39–41, 1995.
[21] Sweedle Mascarnes and Joanne Gomes, “Subject based Clustering
for DFI with Subject Suggestion”, International Journal of
Computer Applications (IJCA), Vol. 102, No. 11, 2014.
[22] Classic3 Dataset, [Online], ftp://ftp.cs.cornell.edu/pub/smart/
2013.