Abstract

Digital forensics training programs have produced many case study models to guide forensic analyses. However, these models cover only a small number of real cases and are usually too abstract, whereas actual cybercrime investigations are far more diverse and complex. This gap makes it difficult to give law enforcement immediate, concrete guidance during a cybercrime investigation. In this paper, we propose an ontology-based knowledge map model that serves as the foundation for a case study management system for Digital Forensic Intelligence (DFINT) and Open Source Intelligence (OSINT) in digital forensics. The main idea is to encode specific cybercrime training cases as knowledge map representations; the system then draws on the ontology to supply additional context and enrich the encoded cases so that they match the conditions of an actual cybercrime scene. This approach can therefore be used to bridge the gap between training case studies and the real investigation environment. To illustrate the approach, we build a DFOSINT ontology for the DFINT and OSINT domains, develop a prototype of the case study management system, and evaluate it in two respects: ontology validation, and case study validation against existing digital investigation case studies.
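The abstract describes two mechanics: encoding a training case as a knowledge map (a graph of subject-predicate-object triples) and enriching that graph from an ontology so it carries context the bare case does not. The following is an added illustration written for this page, not code from the paper or its prototype; the tiny ontology (class hierarchy, property ranges and per-class investigative actions) and the sample case are constructed here and are not the paper's DFOSINT ontology. It performs RDFS-style range and subclass inference in plain Python so that it runs without a triple-store library.

```python
"""Ontology-backed knowledge map: encode a case as triples, then enrich it
with classes, superclasses and suggested actions declared in an ontology.
Illustrative example only; the ontology below is a constructed toy, not
the DFOSINT ontology described in the paper."""
from collections import defaultdict

# Constructed toy ontology (assumption: hand-written for this example).
ONTOLOGY = {
    # (subclass, superclass) pairs; closure is computed transitively below
    "subClassOf": [
        ("PhishingEmail", "Email"), ("Email", "DigitalArtifact"),
        ("DigitalArtifact", "Evidence"),
        ("MaliciousDomain", "Domain"), ("Domain", "OSINTIndicator"),
        ("OSINTIndicator", "Evidence"),
        ("Laptop", "Device"), ("Device", "Evidence"),
    ],
    # property -> class of whatever appears as that property's object
    "propertyRange": {"containsLink": "Domain", "storedOn": "Device",
                      "sentTo": "Person"},
    # class -> investigative action the ontology attaches to members
    "suggestedAction": {
        "Email": "preserve headers and mail-server logs",
        "Domain": "collect WHOIS/passive-DNS (OSINT) records",
        "Device": "image the device and compute hashes",
        "Evidence": "record chain of custody",
    },
}


def superclasses(cls, ontology=ONTOLOGY):
    """Transitive closure of subClassOf for one class (class itself excluded)."""
    parents = defaultdict(set)
    for sub, sup in ontology["subClassOf"]:
        parents[sub].add(sup)
    seen, stack = set(), [cls]
    while stack:
        current = stack.pop()
        for parent in parents.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def enrich(case, ontology=ONTOLOGY):
    """Return the case triples plus every triple the ontology lets us infer."""
    graph = set(case)
    # 1. Range inference: the object of a typed property gets the range class,
    #    so an untyped node such as a bare domain string becomes a Domain.
    for _, pred, obj in case:
        rng = ontology["propertyRange"].get(pred)
        if rng:
            graph.add((obj, "type", rng))
    # 2. Subclass closure: a typed entity belongs to all of its superclasses.
    for subj, pred, obj in list(graph):
        if pred == "type":
            for sup in superclasses(obj, ontology):
                graph.add((subj, "type", sup))
    # 3. Context enrichment: attach the action each (inferred) class suggests.
    for subj, pred, obj in list(graph):
        if pred == "type" and obj in ontology["suggestedAction"]:
            graph.add((subj, "suggestedAction", ontology["suggestedAction"][obj]))
    return graph


def types_of(entity, graph):
    """All classes the enriched graph assigns to an entity."""
    return {obj for subj, pred, obj in graph if subj == entity and pred == "type"}


def actions_for(entity, graph):
    """Sorted list of investigative actions the ontology attaches to an entity."""
    return sorted(obj for subj, pred, obj in graph
                  if subj == entity and pred == "suggestedAction")


# Constructed training case: one phishing e-mail, encoded as a knowledge map.
# Note that "evil.example" and "laptop1" carry no type of their own.
CASE = [
    ("email1", "type", "PhishingEmail"),
    ("email1", "containsLink", "evil.example"),
    ("email1", "storedOn", "laptop1"),
    ("email1", "sentTo", "alice"),
]

if __name__ == "__main__":
    enriched = enrich(CASE)
    for triple in sorted(enriched - set(CASE)):
        print("inferred:", triple)
```

Running it shows the enrichment step the abstract refers to: the bare link target is classified as a Domain, then as an OSINTIndicator and Evidence, and it inherits the OSINT collection and chain-of-custody actions, none of which appear in the four triples of the original case.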

Full Text
Published version (Free)
