Addressing the Increasing Volume and Variety of Digital Evidence Using an Ontology

The field of digital evidence must contend with an increasing number of devices to be examined paralleled with increasing diversity. Examiners face a battle to understand what artefacts may exist on these devices. Further, many current forensic tools look to comprehensively examine sources of digital evidence which can generate large amounts of, often spurious, data with no easy means of correlation. This paper proposes the use of an ontology - the Digital Evidence Semantic Ontology (DESO) - that allows an examiner to quickly discover what artefacts may be available on a device before time-consuming processes are commenced - preventing the generation of data that may have no practical value for an investigation. The ontology is then used to classify this data so that equivalent artefacts across devices can be compared to make connections. It demonstrates how this ontology can be adapted to keep track of changes in technology and how it can be used in a laboratory environment.