Evidential Relevance and Expressiveness of Digital Traces: An Investigative Perspective

Document Type
Doctoral Thesis
Granting Institution
Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Technische Fakultät
Issue Date
Gruber, Jan

In this day and age, almost any criminal investigation deals with some pieces of digital evidence. Given the wealth of digital data stored on both end-user devices and cloud infrastructure, a tremendous challenge for investigators and prosecutors is to determine the relevant pieces to solve the case; however, given an investigative question, there exists no straightforward method to find "sufficient digital evidence" to do so. Thus, the present thesis sets out to improve the understanding and interpretation of digital traces for criminal investigations on a foundational level. As a unifying result, we propose the Cyber-traceological Model, which provides a general way to translate investigative hypotheses to relevant traces - both in idealized and real-world scenarios. The model is grounded in formal definitions of when traces are generally relevant and how they can be expressive on a conceptual level. Building on these concepts, we are able to define an investigative knowledge base in a precise manner. For digital systems, we then show how relevance can be determined to fill the knowledge base by calculating necessary and sufficient evidence in state machine representations. We use these concepts to establish rigorous notions of different classes of reconstructability that investigators can use to uncover and comprehend past events. We express the concepts of necessity and sufficiency of digital traces in temporal logic and employ a model checker to calculate traces of those classes based on a model of the system under investigation, demonstrating practical feasibility. Since this necessitates the availability of a representation of the system under investigation as a transition system, which is often hard to achieve in real-world scenarios, we additionally investigate ways of collecting, representing, and using phenomenon-specific knowledge of criminal phenomena to establish a notion of evidential relevance from a more holistic and realistic perspective.
Using cognitive maps as a particular form to express node-link relationships, we show how this phenomenon-specific knowledge can build a bridge from abstract process models to case-specific concretizations by constituting a meso-level abstraction that supports the quest to find relevant traces more pragmatically. We vividly illustrate the construction of an instance of such a phenomenon-specific knowledge base and its applicability using the example of botnet crime. Lastly, we study how the expressiveness of digital traces could be hampered by undetected contamination effects. Here, we provide a novel, universal definition of evidence contamination - applicable to both physical and digital evidence - and aim to substantiate and validate the proposed definition by presenting examples, counterexamples, and edge cases of contamination of digital evidence, building the grounds for future research that improves the understanding of contamination. In essence, the results of this dissertation are aggregated in the proposed Cyber-traceological Model, which systematically sketches out how to translate case-related hypotheses into relevant traces. It aims to span the arc from abstract considerations to concrete investigative work, thus hinting at the potential to solidify practical application through insights gained from theoretical considerations of fundamental attributes of digital evidence.
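The abstract describes computing necessary and sufficient evidence over a state machine model of the system under investigation. The following is an added illustration, not code from the thesis: the thesis formalises these notions in temporal logic and uses a model checker, whereas this script enumerates bounded runs of a small hand-constructed transition system (an assumed simplification) and reads "necessary" as "present on every run where the hypothesis holds" and "sufficient" as "present only on runs where the hypothesis holds". The system, its traces and the hypothesis predicate `exfiltration_happened` are all constructed for the example.

```python
"""Necessary vs. sufficient digital traces over a toy transition system.

Added example, not code from the thesis. Necessity and sufficiency are
approximated by enumerating bounded runs of a small constructed model;
this is an assumed simplification of the temporal-logic formulation.
"""
from typing import Callable, Dict, List, Set, Tuple

Run = Tuple[str, ...]

# Constructed system: states are actions on the machine under investigation,
# and each state maps to the digital traces that visiting it leaves behind.
TRANSITIONS: Dict[str, List[str]] = {
    "idle": ["login", "update"],
    "login": ["read_secret", "logout"],
    "read_secret": ["upload", "logout"],
    "upload": ["logout"],
    "update": ["idle"],        # benign software update, also uses the network
    "logout": ["idle"],
}
TRACES: Dict[str, Set[str]] = {
    "idle": set(),
    "login": {"auth_log"},
    "read_secret": {"file_access_log"},
    "upload": {"netflow", "proxy_log"},
    "update": {"netflow"},     # shares the netflow trace with upload
    "logout": {"auth_log"},
}


def bounded_runs(transitions: Dict[str, List[str]], start: str,
                 max_steps: int) -> List[Run]:
    """Every finite run from `start` using at most `max_steps` transitions."""
    runs: List[Run] = []

    def walk(path: List[str]) -> None:
        runs.append(tuple(path))
        if len(path) - 1 >= max_steps:
            return
        for nxt in transitions[path[-1]]:
            walk(path + [nxt])

    walk([start])
    return runs


def traces_of(run: Run, traces: Dict[str, Set[str]]) -> Set[str]:
    """Union of the traces left behind by every state on the run."""
    found: Set[str] = set()
    for state in run:
        found |= traces[state]
    return found


def classify_evidence(transitions: Dict[str, List[str]],
                      traces: Dict[str, Set[str]], start: str,
                      hypothesis: Callable[[Run], bool],
                      max_steps: int = 6) -> Dict[str, Set[str]]:
    """Split traces into necessary / sufficient / both w.r.t. a hypothesis.

    necessary : present on every run where the hypothesis holds, so its
                absence refutes the hypothesis.
    sufficient: present only on runs where the hypothesis holds (and on at
                least one run at all), so its presence establishes it.
    """
    runs = bounded_runs(transitions, start, max_steps)
    run_traces = {r: traces_of(r, traces) for r in runs}
    h_runs = [r for r in runs if hypothesis(r)]
    all_traces: Set[str] = set().union(*traces.values())

    # Edge case: if the bounded model never satisfies the hypothesis, a set
    # intersection would vacuously mark everything necessary; report empty
    # sets instead so the investigator sees that the model gives no answer.
    if not h_runs:
        return {"necessary": set(), "sufficient": set(), "both": set()}

    necessary = set.intersection(*(run_traces[r] for r in h_runs))
    sufficient = {
        t for t in all_traces
        if any(t in run_traces[r] for r in runs)
        and all(hypothesis(r) for r in runs if t in run_traces[r])
    }
    return {"necessary": necessary, "sufficient": sufficient,
            "both": necessary & sufficient}


def exfiltration_happened(run: Run) -> bool:
    """Assumed investigative hypothesis: the 'upload' action occurred."""
    return "upload" in run


if __name__ == "__main__":
    result = classify_evidence(TRANSITIONS, TRACES, "idle", exfiltration_happened)
    for kind, found in result.items():
        print(f"{kind:>10}: {sorted(found)}")
```

In this model the netflow record is necessary for the exfiltration hypothesis but not sufficient, because the benign update leaves the same trace, while the proxy log is both: its absence refutes the hypothesis and its presence establishes it. That distinction is what makes a trace actionable for an investigator, and it only falls out once the system is written down as a transition system, which is exactly the modelling burden the abstract points to.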
