A Likelihood Ratio Approach for Detecting Behavioral Changes in Device Usage Over Time

Conference/Workshop: American Academy of Forensic Sciences
Published: 2023
Primary Author: Rachel Longjohn
Secondary Authors: Padhraic Smyth
Type: Poster
Research Area: Digital

This work focuses on the situation in which investigators have obtained as evidence logs of user-generated activities on a device, such as sending text messages or emails, opening or interacting with mobile apps, or making calls from particular locations. Quantitative methodologies for analyzing this kind of behavioral data from devices could be useful to investigators in a number of situations. For example, if a device is suspected to have not been with the owner during a time period of forensic interest, one could analyze the pattern of events on the device to try to determine if they are consistent with the device owner’s behavior, or if there is evidence of a change in behavior. Inconsistency could, for example, indicate that another person was using the device during this time. A time at which there was a change in the patterns of events on the device is referred to as a changepoint.

For this analysis, two different source hypotheses are considered for a given set of user-generated event data: the same-source hypothesis and the different-source hypothesis. The same-source hypothesis assumes that all of the events in the evidence were generated by a single source. Alternatively, the different-source hypothesis posits that the data was generated by two different sources, i.e., a changepoint occurred at some point during the time period over which the device’s event data was obtained. The strength of the evidence in support of these hypotheses is reported through a likelihood ratio, which is a statistical method for quantifying the weight of the evidence and has been used in a variety of forensic applications. To arrive at a likelihood ratio, the data are modeled using a Bayesian statistical framework, in which the sequence of events generated on the device is the observed data and the underlying model parameters and the potential time of the changepoint are considered unobserved.

It is shown that the proposed model leads to a straightforward formula for the likelihood ratio. This formula is flexible in that it can incorporate pre-existing knowledge about where a changepoint may have taken place, e.g., investigators may suspect a changepoint in a particular time window or feel that a changepoint is more probable within a particular time window compared to another. This work generalizes prior work to the practical situation in which the time of change (for the different-source hypothesis) is unknown. The potential usefulness of the proposed method is evaluated through experiments across a combination of simulated data and real-world datasets that are relevant to digital forensics.
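A worked sketch of the kind of likelihood ratio described above, added here as an illustration and not taken from the poster. It assumes categorical event types with a symmetric Dirichlet prior on each source's rates and reports the ratio as different-source over same-source; the function names, the prior format, and the sample logs are all constructed for this example.

```python
import math
from collections import Counter

def log_marginal(events, categories, alpha=1.0):
    """Log probability of an ordered event sequence under a categorical model
    whose unknown rates have a symmetric Dirichlet(alpha) prior (assumed)."""
    counts, k = Counter(events), len(categories)
    out = math.lgamma(k * alpha) - math.lgamma(k * alpha + len(events))
    for c in categories:
        out += math.lgamma(alpha + counts[c]) - math.lgamma(alpha)
    return out

def log_lr_changepoint(events, categories, tau_prior=None, alpha=1.0):
    """log[ p(events | different-source) / p(events | same-source) ].
    tau is the number of events before the change (1..n-1); tau_prior maps
    tau -> non-negative weight and defaults to uniform."""
    n = len(events)
    if n < 2:
        raise ValueError("need at least two events")
    weights = {t: (1.0 if tau_prior is None else tau_prior.get(t, 0.0))
               for t in range(1, n)}
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("changepoint prior has no mass on 1..n-1")
    # Different-source: marginalise the unknown changepoint, with each
    # segment getting its own independently drawn rate vector.
    terms = [math.log(w / total)
             + log_marginal(events[:t], categories, alpha)
             + log_marginal(events[t:], categories, alpha)
             for t, w in weights.items() if w > 0]
    peak = max(terms)  # log-sum-exp for numerical stability
    log_diff = peak + math.log(sum(math.exp(x - peak) for x in terms))
    return log_diff - log_marginal(events, categories, alpha)

# Constructed sample logs (not real case data): event type per log entry.
CATEGORIES = ["sms", "call"]
STABLE = ["sms", "call"] * 20              # one consistent pattern
CHANGED = ["sms"] * 20 + ["call"] * 20     # behaviour shifts after event 20
WINDOW = {t: 1.0 for t in range(18, 23)}   # investigator suspects events 18-22

if __name__ == "__main__":
    for name, log, prior in [("stable", STABLE, None),
                             ("changed", CHANGED, None),
                             ("changed+window", CHANGED, WINDOW)]:
        print(name, round(log_lr_changepoint(log, CATEGORIES, prior), 2))
```

A positive value favours the different-source hypothesis and a negative value the same-source hypothesis; concentrating the changepoint prior on the window that contains the true shift increases the ratio relative to a uniform prior.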

Related Resources

Forensic Analysis of Android Cloud SDKs

This presentation is from the 76th Annual Conference of the American Academy of Forensic Sciences (AAFS), Denver, Colorado, February 19-24, 2024.

The Impact of Multi-Camera Smart Phones on Source Camera Identification

An investigator has a questioned image from an unknown source and wants to determine whether it came from a camera on a person of interest’s smartphone. This scenario is referred…

Likelihood ratios for changepoints in categorical event data with applications in digital forensics

We investigate likelihood ratio models motivated by digital forensics problems involving time-stamped user-generated event data from a device or account. Of specific interest are scenarios where the data may have…

Producing Datasets: Capturing Images on Multi-Camera Smartphones for Source Camera Identification

This poster introduces the new CSAFE Multi-camera Smartphone Image Database and describes how the images were collected and reviewed.