Using Hypothesis Generation in Event Profiling for Digital Forensic Investigations

The traditional manual approach to the investigation of digital data is no longer feasible as the amount of data which can be saved on hard drives grows out of control. In addition, it is usually necessary to consider data across extensive networks of devices in order to obtain a realistic picture of an investigation and ensure that no evidence is overlooked. The need for an automated approach to forensic digital investigation has therefore been recognized for some years, and several authors have developed frameworks in this direction. The aim of this paper is to enhance and move beyond current work by focusing on hypothesis generation in the later part of the analysis phase. In doing so, we present, for the first time in this context, a formal definition of the word ‘hypothesis’ and also present an extensive case study to illustrate its usefulness and the method of hypothesis generation and analysis. The scientific approach taken here to hypothesis generation directly supports the investigation procedure and also promotes its acceptance by a court of law.