Digital Forensics Tool Selection with Multi-armed Bandit Problem

Digital forensics investigation is a long and tedious process for an investigator in general. There are many tools that investigators must consider, both proprietary and open source. Forensics investigators must choose the best tool available on the market for their cases to make sure they do not overlook any evidence resides in suspect device within a reasonable time frame. This is however hard decision to make, since learning and testing all available tools make their job only harder. In this paper, we define the digital forensics tool selection for a specific investigative task as a multi-armed bandit problem assuming that multiple tools are available for an investigator’s use. In addition, we also created set of disk images in order to create a real dataset for experiments. This dataset can be used by digital forensics researchers and tool developers for testing and validation purposes. In this paper, we also simulated multi-armed bandit algorithms to test whether using these algorithms would be more successful than using simple randomization (non-MAB method) during the tool selection process. Our results show that, bandit based strategies successfully analyzed up to 57% more disk images over 1000 simulations. Finally, we also show that our findings satisfy a high level of statistical confidence. This work will help investigators to spend more time on the analysis of evidence than learning and testing different tools to see which one performs better.