Data Mining

Is there anyone out there who uses data mining or has considered using data mining to help in a forensic investigation???

I don't see where this would be used in a forensic investigation. Can you explain how it could be helpful in a forensic case?

Data mining is useful where there are large amounts of data - for example in network forensics - it's also been used by auditors to detect fraud. There is a lot of information on Google about the use of data mining in crime detection and forensic investigations. As I said it's a topic I'm interested in and I wondered if anyone here uses it or has considered using it.

I think that "data mining" is such a broad term it is perhaps difficult to quantify. For example when I use dtSearch in a case is that data mining? Or when I use IDEA is that data mining?

My understanding of data mining is that it is more than just statistics although some of the techniques that are classical defined as "data mining" such as CART and CHAID arose from statisticians. Others contend that there is little practical difference between a statistical technique and a classical data mining technique. In the most broad sense, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases.

What many of us consider good investigative technique fit in the broader definition of data mining. Nearest neighbor, linear regression, histograms and many other techniques are used for analysis even perhaps when we do not recognize that is what our software is doing. This is especially the case in the black art of decryption.

However I would say that in most cases data mining is more useful as a predictor of events than an analysis tool of historical events.

It is quite possible to utilize different data mining algorithm in a forensic case. This is a research area which are rapidly developing and I think we will see new tools very soon. In forensic the content retrieval data mining algorithm would be of interest. LTU Image-Seeker is one of these tools which is possible to utilize with EnCase. Also Mathlab have some possibilities.

Furthermore, there is a research project named ANNTS in USA which works with multiple
types of neural networks designed to find files hidden by different, even sophisticated, steganographic techniques.

Give Han and Kambers book Data mining concepts and techniques a shot, and read it with the book Advances in Digital Forensics from IFIP International Conference on Digital Forensics. You will find some interesting articles and idea there.

Data Mining techniques can be useful when the forensic examination requires the collaboration of data between systems.

For this, I have been actively using ETL tools to rapidly bring the content of Enterprise databases together; thus enabling the analysis of patterns/discrepencies etc etc.

Since each engagement/case is unique the power of drag and drop ETL gives the investigator and expert witness ideal control; and speed of response to matters that may take much longer when dealing with discrete systems individually.

I commented on it in a recent paper (1st June 2007), press briefing that I undertook…

Thanks for the replies. I'll check out the books that you mentioned.

I think its time to discuss this subject further in 2008. As I believe datamining will be the advantages and the future in digital forensics since the size of all kind of storage media we already faces both in sivil and criminal cases will need new tools and methodologies to deal with our issues. In academia there is several important and interesting research projects going on, both in USA and Irland(UCD). Several people from this forum could benefit and therefore give advices regarding whats needed, and get these reseachers interesting in challenges and issues most practitioner strugles with every day in this field. Just, start discuss and communicate with them and I am a sure we will discover new potential reseach projects which will develope this still very young field futher.