Information Foraging Theory and Application to Computer Forensics

Computer Forensics involves analysis of a digital artifact to look for evidence associated with an illegal activity. With the growing role of electronic media in our daily lives, most crimes involve the use of electronic media in the process and hence Computer Forensics has become a vital aspect of Crime Investigation Units. There is a variety of Computer Forensic tools (e.g. FTK, EnCase etc.) available to help the experts, but these tools only help in categorizing the information. Examples of categorization include, searching for key words, looking for the deleted files, showing the directory structure etc. Thus to help the decision making process Computer Forensics completely depends on the knowledge, skill and expertise of the Forensic Expert. There is no tool available that can help the forensic experts in the decision making process. The goal of this project is to present a computational cognitive model which simulates the behavior of a computer forensic analyst. Mainly two types of decision making are involved in the computer analysis process: Which path to follow when there are a number of options? When is it the right time to leave one patch of information and look for evidence somewhere else? The presented cognitive model simulates both kinds of decision making. This project proposes the use of "Information Foraging Theory" to achieve the purpose. Information Foraging Theory is an approach to understanding how strategies and technologies for information seeking, gathering, and consumption are adapted to the flux of information in the environment. This theory assumes that people, when needed, will modify their foraging strategies or the structure of the environment to maximize their rate of gaining valuable information. The computational cognitive model of a foraging system (to perform Computer Forensics) presented in this project embodies a built-in cognitive process, which makes use of the information foraging techniques. The presented model forms the basis for future development of an intelligent computer forensic system, which can potentially reduce the dependency of the computer forensic process on the experience and skills of forensic expert, though it cannot be completely removed.