In this paper we investigate the application of score-based likelihood ratio techniques to the problem of detecting whether two time-stamped event streams were generated by the same source or by two different sources. We develop score functions for event data streams by building on ideas from the statistical modeling of marked point processes, focusing in particular on the coefficient of segregation and mingling index. The methodology is applied to a data set consisting of logs of computer activity over a 7-day period from 28 different individuals. Experimental results on known same-source and known different-source data sets indicate that the proposed scores have significant discriminative power in this context. The paper concludes with a discussion of the potential benefits and challenges that may arise from the application of statistical analysis to user-event data in digital forensics.
Analyzing User-Event Data Using Score- Based Likelihood Ratios with Marked Point Processes
Journal: Digital Investigation
Published: 2017
Primary Author: Christopher Galbraith
Secondary Authors: Padhraic Smyth
Type: Publication
Research Area: Digital
Related Resources
Source Camera Identification with Multi-Camera Smartphones
An overview of source camera identification on multi-camera smartphones, and introduction to the new CSAFE multi-camera smartphone image database, and a summary of recent results on the iPhone 14 Pro’s.
An Anti-Fuzzing Approach for Android Apps
One of significant mobile app forensic analysis problems is the app evidence extraction from the device. Given the fact that mobile apps could generate more than 19K files in a…
Forensic Analysis of Android Cryptocurrency Wallet Applications
Crypto wallet apps that integrate with various block-chains allow the users to make digital currencies transaction with QR codes. According to reports from financesonline [3], there is over 68 million…
Variations and Extensions of Information Leakage Metrics with Applications to Privacy Problems with Imperfect Statistical Information
The conventional information leakage metrics assume that an adversary has complete knowledge of the distribution of the mechanism used to disclose information correlated with the sensitive attributes of a system.…