A comparison of machine learning techniques for file system forensics analysis

With the remarkable increase in computer crimes - particularly Internet related crimes - digital forensics become an urgent and a timely issue to study. Normally, digital forensics investigation aims to preserve any evidence in its most original form by identifying, collecting, and validating the digital information for the purpose of reconstructing past events. Most digital evidence is stored within the computer's file system. This research investigates and evaluates the applicability of several machine learning techniques in identifying incriminating evidence by tracing historical file system activities in order to determine how these files can be manipulated by different application programs. A dataset defined by a matrix/vector of features related to file system activity during a specific period of time has been collected. Such dataset has been used to train several machine learning techniques. Overall, the considered machine learning techniques show good results when they have been evaluated using a testing dataset containing unseen evidence. However, all algorithms encountered an essential obstacle that could be the main reason as why the experimental results were less than expectation that is the overlaps among the file system activities. (C) 2019 Elsevier Ltd. All rights reserved.