ARTICLE: THE USE OF ARTIFICIAL INTELLIGENCE IN DIGITAL FORENSICS: AN INTRODUCTION

By Dr Faye Mitchell

Digital Evidence and Electronic Signature Law Review, Vol 7
Pario Communications Limited, 2010

Artificial Intelligence (AI) is an important and well established area of modern computer science that can often provide a means of tackling computationally large or complex problems in a realistic time-frame. Digital forensics is an area that is becoming increasingly important in computing and often requires the intelligent analysis of large amounts of complex data. It would therefore seem that AI is an ideal approach to deal with many of the problems that currently exist in digital forensics. The purpose of this paper is to give a high level introduction to AI as it might be used in digital forensics.

Introduction

Duce and others[1] outline what might be considered, from both an academic and a practitioner point of view, to be three of the main challenges in digital forensics: (1) the exponential growth in storage capacity, in single drives (hard drives, USB sticks, optical media); (2) the growth in distributed systems and the sophisticated forms of attack that can now be launched; (3) the degree of technical sophistication employed by opponents and the apparent inability of existing tools and methodologies to keep pace.[2] To that, a fourth challenge might now reasonably be added: (4) the ubiquity of electronic storage and the range and prevalence of disparate storage systems.

The requirements needed to solve these challenges might be stated, in a greatly simplified form, as the ability to reason and discover over a large amount of complex, potentially disparate, data in a realistic time frame. The conventional intensive and manual approaches currently used to search for data are not capable of dealing with the size of the problem currently found in digital forensics. It is for this reason that it is becoming apparent that a more selective and intelligent approach is needed for digital forensic analysis. There is a branch of computer science that tries to tackle this type of problem – the branch known as Artificial Intelligence (AI). This paper concentrates on considering AI generally, and how it might be applied to the challenges that face digital forensics.

Artificial Intelligence

Defining Artificial Intelligence is not simple. There is no one clear definition of AI. Most of the definitions that do exist tend to define AI in terms of “creating a computer process that acts intelligently” (but what is intelligence?) or “creating a computer process that can mimic human behaviour” (do humans always act intelligently, what happens if a computer can normally perform better than a human being?). Other definitions refer to “rational behaviour” (but what is rational?) or “doing things that are hard for a computer to do” (does this mean that when an AI system has been developed to do the task, it is no longer AI?) and are equally unhelpful in this discussion. Therefore in order to simplify the task for the purposes of this article, a pragmatic approach is adopted, and AI is defined as “creating a computer process that acts in a manner that an ordinary person would deem intelligent”, and consideration is given to some of the various types of AI and AI technologies that might be of concern to people in the digital forensics community. Consideration will not, therefore, be given to techniques such as robotics, which at present have no direct relevance to digital forensics; other material that may potentially be useful will also not be covered, including related fields such as data visualization. This article will concentrate on the conventional areas, and interested readers are recommended to consult Luger, or Russell and Norvig as a suitable starting point for more detailed discussion of AI and other possibly relevant branches of AI.[3]

Representation of knowledge

The most important concept in the majority of AI systems is the representation of knowledge (referred to in AI as knowledge representation) and ontology. That is, how to represent the information we wish to reason about (representation of knowledge) and how we formally structure that representation of knowledge in such a way that we can reason about it (ontology). It is important to note that our representation of knowledge can be about the properties of objects in the domain (information), how those facts can be processed (knowledge about what rules and techniques to apply in a particular situation) or even how those processes are applied (strategic or meta knowledge).

In the early days of AI, ontology was not considered an issue and a new representation of knowledge was created for each application. However, in the last ten years, there has been a realisation that being able to reason over multiple sources of knowledge is very important. This has focused interest in producing ontologies for domains that can be shared amongst applications and systems. For the most part, this has focused on XML, RDF[4] and related technologies, although other notations such as ontolingua[5] are also occasionally used. It is perhaps here that AI has the potential to have the most effect on digital forensics, in providing expertise to help with the standardisation of the representation of knowledge and information in the digital forensic domain. This lack of standards hinders the exchange of information for even the most basic of tasks in digital forensics, such as the exchange of image information between forensic imaging tools,[6] and this unfortunately means that digital forensics is behind the accepted good practice in many other scientific domains where there has been a concerted effort to produce a standard domain ontology.

The creation of a standardised international domain ontology for digital forensics would have obvious benefits in, for instance, a multi-national case covering a number of jurisdictions, in that it would provide a formal framework for the discussion of digital evidence, but it would also provide other benefits in that it would enable the creation of a large, re-usable case repository.[7] Such a case repository would contain known, sanitised examples of digital forensic investigations with known properties and results. This could be useful in testing the performance of experts, be they human or AI systems, and could provide a useful method for training digital forensic practitioners, and has proven extremely valuable in other areas of AI.[8] The use of a standardised ontology could also prove invaluable in creating a standard, reusable collection of background knowledge[9] that could be used by AI techniques.

Explaining the reasoning process

An important issue for AI in the forensic arena is the ability to explain the reasoning process. That is, the ability of the AI technique or algorithm used to explain the reasoning process. AI techniques are often divided into two categories: symbolic (those that reason with discrete entities in a knowledge base) and sub symbolic (those where the knowledge is spread around the representation structure). One of the most common types of symbolic reasoning is the expert system. Expert systems follow a predefined rule base,[10] and normally have a limited strategy for choosing which rule to use at any particular moment in time. Expert systems can, therefore, at any point, provide an explanation of the reasoning for the conclusions obtained. This enables an outside entity to criticise the reasoning process and to highlight any flaws there might be with the reasoning used. However, systems that exhibit the property of the ability to explain the reasoning process often have two major drawbacks.

The first of these drawbacks is that they operate in a closed world.[11] That is, if it is not in the rule base, then it does not exist or get taken into consideration. This can be a serious issue in an area such as computing, where the technology changes at an extremely rapid rate. Rebuilding a rule base is known to be a time consuming task, and adding additional rules (a process known as rule base repair) can damage the original performance and result in rules that would have previously worked, but no longer function.[12] The second drawback is that expert systems do not cope well with large quantities of data. This is a particularly major disadvantage for the direct use of expert systems in digital forensic investigations where the amount of data investigated is becoming larger and larger, and is increasing at an almost exponential rate.

Where techniques such as expert systems might prove to be useful, however, is in higher order situations such as guiding an investigator on what to try next, or to advise on what the policy of the organisation is in a given situation.

Cases

Case Based Reasoners (CBRs) are a type of (normally) symbolic AI that are an attempt to avoid some of the problems associated with symbolic rule based systems such as expert systems. CBRs are based on well understood notions from psychology on how domain experts themselves represent information.[13] Most domain experts rely heavily on their past experiences, and when faced with a problem, will attempt to match the problem to one they have experienced before. Only when an expert has exhausted all possible similar cases in their experience do they use first principles to attempt to find a solution to the problem.

A CBR system works in a similar fashion, in that a large collection of cases (and in digital forensics, the resultant actions) is obtained, and a metric[14] is used to match the current situation with one found in the case base. If a perfect match is found, then the action carried out in the initial case is applied to the existing situation. If no perfect match is found, but a match is found that is deemed to be close enough, then the system may attempt to adapt the action of the matched case to the current situation using what are called ‘repair’ rules.[15] CBR systems have the advantage of approaching a problem in a way that is familiar to the expert, can cope with large amounts of data, and can deal with situations that have not previously been encountered. They address in part the ability to explain the reasoning process, because the reasoning can be inspected (this case was most like X, and in X you did Y). This, however, means that the user might rely very heavily on the quality of the cases in the case base, together with a good coverage of the possible scenarios. CBRs are also limited, in that although they can help guide the process of the investigation, they are perhaps ill suited to helping to automate the lower level activities (such as “find all pictures with naked people in them”).

Pattern recognition

Identifying specific types or clusters of data in an investigation is best handled by a type of AI known as pattern recognition. The type of pattern recognition that people are most familiar with is perhaps image recognition, where the software attempts to identify parts of a picture. Other forms of pattern and image recognition also exist, such as detecting a pattern in an e-mail message which indicates SPAM, or a pattern in a disk image that might indicate it is part of a sound file. Many of the techniques used rely very heavily on statistics or probabilistic reasoning or both. The more complex and accurate forms of image recognition that might be used to locate certain types of picture rely on an understanding of how the human perceptual system works. However, at present these have a high rate of false positives or false negatives (depending on where the thresholds are set) as well as being very computationally intensive.

Pattern recognition systems are essentially classifiers – that is, they answer the question: is this piece of data a member of the class X, where X is the type of data the user is interested in. In order to work successfully, pattern recognition techniques have therefore to try to match against all possible pieces of data (or as near as is computationally feasible) which can involve a large amount of matches, and the patterns have to have sufficient generality to match all positive matches but sufficient specificity to not match any of the negative examples. In practice, this is often very hard to achieve, although Machine Learning techniques (for which see below) can help with the generality or specificity problem by allowing patterns to adapt, and in the case of certain systems, such as Artificial Neural Nets or decision trees, can be used to learn the initial patterns.

Knowledge discovery

Another field of AI that might have benefit in the forensic arena is Data Mining and Knowledge Discovery in Databases (Datasets). Although these terms technically refer to different things, the two terms are colloquially used interchangeably to refer to the process of finding useful information in a large collection (normally sparse) of data. Data Mining/Knowledge Discovery in Databases (DM/KDD) is not a single technique but is a mixture of AI, statistical analysis and probabilistic techniques used together in an integrated manner to analyse large collections of data. It can be viewed as a form of pattern recognition, but with a few significant differences.

First, the sheer size of the data (in some cases petabytes) means that more computationally intensive techniques cannot be effectively used, therefore any AI technique involving the use of a complex knowledge representation is unlikely to be used for DM/KDD. Similarly, background knowledge about the domain may also not be used, or may only be used in a limited fashion.

Secondly, DM/KDD is often directed by the user. Technically this process is a form of Exploratory Data Analysis (EDA) where the user asks the system to, for instance, highlight files with characteristic X, and the system uses Data Visualisation (DV) to highlight information and potential relationships to the user. This is particularly useful, because the human perceptual system has the ability to distinguish patterns in extremely complex data – even in data with a large number of attributes[16] – if the data can be represented properly. Care does, however, have to be taken, because the human perceptual system can find patterns that do not, in reality, exist.

Thirdly, DM/KDD has the concept of an interestingness measure (often called a J measure) that helps to decide whether there are any meaningful patterns in the data. This helps avoid the situation where a DM/KDD system ‘discovers’ the extremely obvious, but extremely unhelpful fact, such as that you only ever find female patients in the maternity ward of a hospital.

It is extremely likely then that, given the increase in quantities of data, the forensics community will have to rely on DM/KDD techniques to help with the initial assessment. To date they are the best AI method for dealing with large quantities of data, but they are also potentially the most likely to miss relevant pieces of information, because the reasoning processes do not normally use the background knowledge or complex reasoning of more complex AI approaches.

Adaptation

A system that has a fixed knowledge source is unlikely to be able to cope well with the change in pace in computer technology, and therefore it is likely that some measure of adaptability will be required for any long term forensic system. The branch of AI that deals with the ability of the software of a system to adapt is called Machine Learning (ML)

[1] D. A. Duce, F. R. Mitchell and P. Turner, ‘Digital Forensics: Challenges and Opportunities’, in John Haggerty and Madjid Merabti, (eds.), ACSF 2007: Proceedings of the 2nd Conference on Advances in Computer Security and Forensics, (Liverpool John Moores University, School of Computing & Mathematical Sciences, 2007).
[2] NIST Computer Forensics Tool Testing Project.
[3] George F. Luger, Artificial Intelligence: Structures and Strategies for Complex Problem Solving (6th edition, 2009 Addison-Wesley); Stuart Russell and Peter Norvig, Artificial Intelligence: A Modern Approach (3rd edition, 2010, Prentice Hall).
[4] W3C (2004) RDF Primer; W3C (2006) Extensible Markup Language (XML) 1.1 (Second Edition).
[5] Farquhar, Richard Fikes and James Rice, ‘The Ontolingua Server: a Tool for Collaborative Ontology Construction’, International Journal of Human-Computer Studies, 1997, Volume 46, pp 707-727.
[6] Philip Turner, ‘Unification of digital evidence from disparate sources (Digital Evidence Bags)’, Digital Investigation (2005) 2(3), pp 223-228.
[7] D. A. Duce, F. R. Mitchell and P. Turner, ‘Digital Forensics: Challenges and Opportunities’, in John Haggerty and Madjid Merabti, (eds), ACSF 2007: Proceedings of the 2nd Conference on Advances in Computer Security and Forensics, (Liverpool John Moores University, School of Computing & Mathematical Sciences, 2007).
[8] The UCI Machine Learning Repository is an example of such a case repository, and is used by the Machine Learning community to test new algorithms.
[9] Background knowledge is the term given to knowledge about a domain that is often common sense, and often extremely large (e.g. If I throw a ball in the air it will normally come down; this windows file is normally found in this position in the directory tree). AI systems can be set up to use this knowledge to help their reasoning processes.
[10] A rule base is essentially an ordered collection of rules where each rule is in the form IF antecedent set THEN consequents. The rule base can use certainty factors, probability and fuzzy sets where the domain has to deal with vagueness and uncertainty.
[11] This is also an issue with respect to the data available. If the expert system is not provided with all the necessary information available, the output may not be reliable.
[12] There is a technique known as ‘Knowledge Base Refinement’ which can help automate the rule base changes, but even that can still result in breaking the rule base unless steps are taken. This is discussed further under ‘Knowledge Refinement’, below.
[13] F. R. Mitchell, ‘An introduction to Knowledge Acquisition’, School of Computing and Mathematical Sciences, Oxford Brookes University Technical Report (1998, CMS-TR-98-06; also published as F. Mitchell, ‘An introduction to Knowledge Acquisition’, (1998, AUCS/TR9804, Department of Computing Science, University of Aberdeen Technical Report; although not within the context of AI, others have discussed the same issues relating to experts: Peter M. Bednar, Vasilios Katos and Cheryl Hennel, ‘On the complexity of collaborative cyber crime investigations’, Digital Evidence and Electronic Signature Law Review, 6 (2009) pp 241-219.
[14] In AI, the term ‘metric’ is used to mean any system of measurement by which items may be compared. For instance a ‘similarity metric’ measures how similar two items are or a distance metric measures the distance (under some notion of distance) between two items.
[15] These repair rules tell the system in what ways and in what order a rule can be changed. For instance, if the original case specified a hard disc, but the particular instance was about a USB stick, the CBR system might reason that they both contain writeable file systems, so the rule could be used in this situation. However, if the particular instance was about a CD-R, then it might indicate that because this system is not writeable to, this rule can never be made to apply.
[16] In AI an ‘attribute’ is a dimension of the ‘problem space’. Although the terms ‘attribute’ and ‘dimension’ are sometimes used interchangeably in AI, the preferred usage is to refer to the dimensions of a problem, rather than the attribute of an object. However, for those readers that might not be familiar with the terms used in AI, the more familiar term ‘attribute’ is used here rather than the more accurate AI term ‘dimension’. Contrary
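The rule-based reasoning described under ‘Explaining the reasoning process’, as an added example that is not part of the original article: a small forward-chaining expert system over an ordered rule base (IF antecedent set THEN consequents) that records which rule produced each conclusion, so it can explain itself, and that shows the closed-world drawback. The rules, the fact names and the functions `infer` and `explain` are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    antecedents: frozenset  # the "antecedent set": every fact here must hold
    consequents: frozenset  # facts asserted when the rule fires


# Constructed, hypothetical triage rules. The rule base is ordered: the
# selection strategy below always fires the first applicable rule.
RULE_BASE = [
    Rule("R1", frozenset({"ext_is_txt", "magic_is_jpeg"}),
         frozenset({"extension_mismatch"})),
    Rule("R2", frozenset({"extension_mismatch", "in_user_profile"}),
         frozenset({"possible_concealment"})),
    Rule("R3", frozenset({"possible_concealment"}),
         frozenset({"advise_manual_review"})),
]


def infer(observed, rules=RULE_BASE):
    """Forward-chain to a fixed point; return (facts, trace, ignored)."""
    facts = set(observed)
    trace = {}  # derived fact -> the rule that derived it
    # Closed world: a fact no rule mentions cannot influence any conclusion.
    known = set().union(*(r.antecedents | r.consequents for r in rules))
    ignored = sorted(set(observed) - known)
    fired = True
    while fired:
        fired = False
        for rule in rules:
            if rule.antecedents <= facts and not rule.consequents <= facts:
                for fact in rule.consequents - facts:
                    trace[fact] = rule
                facts |= rule.consequents
                fired = True
                break  # restart from the top of the ordered rule base
    return facts, trace, ignored


def explain(fact, trace):
    """Return the reasoning chain behind a fact, one line per step."""
    if fact not in trace:
        return [f"{fact}: observed (given as input)"]
    rule = trace[fact]
    lines = []
    for antecedent in sorted(rule.antecedents):
        lines.extend(explain(antecedent, trace))
    lines.append(
        f"{fact}: derived by {rule.name} "
        f"(IF {' AND '.join(sorted(rule.antecedents))} "
        f"THEN {' AND '.join(sorted(rule.consequents))})"
    )
    return lines


if __name__ == "__main__":
    # Constructed observation; the last fact is unknown to the rule base.
    facts, trace, ignored = infer(
        {"ext_is_txt", "magic_is_jpeg", "in_user_profile",
         "stored_on_optical_jukebox"}
    )
    print("\n".join(explain("advise_manual_review", trace)))
    print("ignored by the closed-world rule base:", ignored)
```

An observation that uses a fact the rule base has never heard of (for instance a newer file format in place of `magic_is_jpeg`) produces no conclusion at all, which is the closed-world behaviour the article warns about.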
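The case matching described under ‘Cases’, with the repair rule of footnote 15, as an added example that is not part of the original article: retrieve the most similar case with a similarity metric, reuse its action on a perfect match, adapt it through a repair rule when the match is close enough, and refuse when the repair rule cannot apply. The case attributes, the actions, the 0.75 threshold and the function names are assumptions constructed for illustration.

```python
# Constructed case base: (situation attributes, action template).
CASE_BASE = [
    ({"medium": "hard disc", "os": "windows", "state": "powered_off",
      "task": "recover_deleted"},
     "image the {medium} through a write blocker, then carve unallocated space"),
    ({"medium": "hard disc", "os": "linux", "state": "running",
      "task": "capture_memory"},
     "capture RAM first, then image the {medium}"),
]

# Background knowledge used by the repair rule (footnote 15): hard discs and
# USB sticks contain writeable file systems, a CD-R does not.
WRITEABLE = {"hard disc": True, "usb stick": True, "cd-r": False}


def similarity(a, b):
    """Similarity metric: fraction of attributes on which two situations agree."""
    keys = set(a) | set(b)
    return sum(a.get(k) == b.get(k) for k in keys) / len(keys)


def repair_medium(case_attrs, query):
    """Repair rule: a case transfers to another medium only if both media
    are known and agree on writeability."""
    old, new = case_attrs["medium"], query["medium"]
    return (old in WRITEABLE and new in WRITEABLE
            and WRITEABLE[old] == WRITEABLE[new])


# Attribute -> repair rule allowed to bridge a mismatch on that attribute.
REPAIR_RULES = {"medium": repair_medium}


def retrieve(query, case_base=CASE_BASE, threshold=0.75):
    """Return a dict with the outcome, the proposed action and the reasoning."""
    attrs, action = max(case_base, key=lambda case: similarity(case[0], query))
    score = similarity(attrs, query)
    why = f"most similar case: {attrs} (similarity {score:.2f})"
    if score == 1.0:
        return {"outcome": "reuse", "why": why,
                "action": action.format(medium=attrs["medium"])}
    if score < threshold:
        return {"outcome": "no_match", "action": None,
                "why": why + ", below threshold"}
    # Close enough: every differing attribute must be bridged by a repair rule.
    for key in sorted(set(attrs) | set(query)):
        if attrs.get(key) == query.get(key):
            continue
        rule = REPAIR_RULES.get(key)
        if rule is None or not rule(attrs, query):
            return {"outcome": "cannot_adapt", "action": None,
                    "why": why + f"; no valid repair for '{key}'"}
    return {"outcome": "adapted", "why": why + "; repaired 'medium'",
            "action": action.format(medium=query["medium"])}


if __name__ == "__main__":
    base = {"os": "windows", "state": "powered_off", "task": "recover_deleted"}
    for medium in ("hard disc", "usb stick", "cd-r"):
        result = retrieve({"medium": medium, **base})
        print(medium, "->", result["outcome"], "|", result["action"])
```

The `why` field carries the inspectable reasoning the article mentions (this case was most like X, and in X you did Y), and the quality of the answer depends entirely on what is in `CASE_BASE`.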
