• DocumentCode
    579229
  • Title

    Triage-based automated analysis of evidence in court cases of copyright infringement

  • Author

    Marturana, Fabio ; Tacconi, Simone ; Bertè, Rosamaria ; Me, Gianluigi

  • Author_Institution
    Dept. of Comput. Sci., Syst. & Production, Univ. of Tor Vergata, Rome, Italy
  • fYear
    2012
  • fDate
    10-15 June 2012
  • Firstpage
    6668
  • Lastpage
    6672
  • Abstract
    Over the past few years, the number of crimes related to the worldwide diffusion of digital devices with large storage and broadband network connections has increased dramatically. In order to better address the problem, law enforcement specialists have developed new ideas and methods for retrieving evidence more effectively. In accordance with this trend, our research aims to add new pieces of information to the automated analysis of evidence according to Machine Learning-based “post mortem” triage. The scope consists of some copyright infringement court cases coming from the Italian Cybercrime Police Unit database. We draw our inspiration from this “low level” crime, which normally sits at the bottom of the forensic analyst's queue, behind higher-priority cases, and is dealt with at the lowest priority. The present work aims to bring order back to the analyst's queue by providing a method to rank each queued item, e.g. a seized device, before it is analyzed in detail. The paper draws the guidelines for drive-under-triage classification (e.g. hard disk drive, thumb drive, solid state drive etc.), according to a list of crime-dependent features such as installed software, file statistics and browser history. The model, inspired by the theory of Data Mining and Machine Learning, is able to classify each exhibit by predicting the problem-dependent variable (i.e. the class) according to the aforementioned crime-dependent features. In our research context the “class” variable identifies with the likelihood that a drive image may contain evidence concerning the crime and, thus, the associated item must receive a high (or low) ranking in the list.
  • Keywords
    computer forensics; copyright; learning (artificial intelligence); broadband network; copyright infringement; court case; crime-dependent feature; data mining; digital device; drive-under-triage classification; law enforcement; machine learning-based post mortem triage; storage network; triage-based automated analysis; Computers; Data mining; Digital forensics; Feature extraction; Machine learning; Support vector machines; “post mortem” triage; automated analysis of evidence; computer forensics; data mining; machine learning;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications (ICC), 2012 IEEE International Conference on
  • Conference_Location
    Ottawa, ON
  • ISSN
    1550-3607
  • Print_ISBN
    978-1-4577-2052-9
  • Electronic_ISBN
    1550-3607
  • Type

    conf

  • DOI
    10.1109/ICC.2012.6364819
  • Filename
    6364819