Department of Informatics Using Bayesian Networks to Quantify Digital Forensic Evidence and Hypotheses Richard E Overill Department of Informatics King’s College London richard.overill@kcl.ac.uk

Abstract In what appears to be an increasingly litigious world, courts, legal officials and law enforcement officers in a number of adversarial legal jurisdictions have begun to look for quantitative indications of (i) the probative value (or weight) of individual items of digital evidence connected with a case; and (ii) the relative plausibility of competing hypotheses (or narratives) purporting to explain how the recovered items of digital evidence (traces) were created.  We review the contributions that Bayesian Networks (BNs) are capable of making to the understanding, analysis and evaluation of crimes whose primary items of evidence are digital artefacts, and show how as a consequence they may help to fulfil both of the two above desiderata. 

Acknowledgements Work carried out in collaboration with the Computer Forensics Research Group at the University of Hong Kong, the Hong Kong Police Force Cyber Security & Technology Crime Bureau, and the Hong Kong Customs & Excise Department’s IPR Protection team

Relative Plausibility Likelihood Ratio(LR)= Pr⁡(𝐸|𝐻) Pr⁡(𝐸| 𝐻 ) ≈ Pr⁡(𝐸| 𝐻 𝑝 ) Pr⁡(𝐸| 𝐻 𝑑 ) provided that 𝐻 𝑝 & 𝐻 𝑑 together cover the hypothesis space Build and run Bayesian networks for 𝐻 𝑝 & 𝐻 𝑑 Case Study: HK Online Auction Fraud Conditional Probability Table (CPT) values were elicited from a panel of experienced DF experts; sensitivity analyses were performed

Online Auction Fraud LR

Probative Value Run the Bayesian network twice; once with all items of evidence in place, and once with evidential trace 𝐸 𝑖 removed. The difference in the posterior outputs of the BN is a measure of the probative value of 𝐸 𝑖 Case study: HK illicit P2P uploading of copyright protected material with BitTorrent CPT values were elicited from a panel of experienced DF experts; sensitivity analyses were performed

BitTorrent probative values Results ranked in decreasing order: 𝐸 18 > 𝐸 13 > 𝐸 3 > 𝐸 1 = 𝐸 2 > …. So a cost-effective triage schema would start by attempting to recover 𝐸 18 , then 𝐸 13 , then 𝐸 3 , then 𝐸 1 and 𝐸 2 , etc.

Cost-effective Triage - I Once measures of probative value are known, a cost-effective triage schema can be devised: Rank the expected evidential traces 𝐸 𝑖 in decreasing order of probative value. For traces of equal probative value, sub-rank them in increasing order of cost-benefit ratio where: 𝐶𝐵𝑅= 𝑖𝑛𝑣𝑒𝑠𝑡𝑖𝑔𝑎𝑡𝑜𝑟+𝑒𝑞𝑢𝑖𝑝𝑚𝑒𝑛𝑡 𝑐𝑜𝑠𝑡𝑠 𝑝𝑟𝑜𝑏𝑎𝑡𝑖𝑣𝑒 𝑣𝑎𝑙𝑢𝑒

Cost-effective Triage - II Traces of high probative value are recovered early on. Missing high probative value traces may cause the investigation to be de-prioritised. Traces of low probative value are recovered later. Low probative value traces with a high CBR may be excluded from the investigation.

Summary The application of Bayesian networks to the investigation of commonly occurring digital crimes in HK has permitted two developments: Investigators and prosecution / defence officials can obtain a quantitative measure of the plausibility of their and their opponent’s case Investigators can adopt a cost-effective triage schema which aims to recover ‘low-hanging fruit’ early on and allows for de-prioritisation.

Thank you! Questions or comments?