Abstract

In computer forensic examination, hundreds and thousands of files are typically inspected to determine what happened, when it happened, how it happened, and finally who was involved in the crime. This may be done to perform a root cause analysis of a computer system that has failed or is not operating as it should, to determine who is primarily responsible for the misuse of computer systems, or to find out who committed a crime using a computer system or against a computer system. Much of the data in those files consists of text without formal organization or structure, and is therefore called unstructured text. Analyzing such text is difficult for computer examiners, so automated methods of examination are of great interest. In particular, document clustering algorithms can enable the discovery of new and useful knowledge from the documents under examination or investigation. We propose an approach that applies document clustering algorithms to the forensic examination of computer systems seized in police investigations. We illustrate the proposed approach through experiments with K-ROSE (K-Rough Outlier Set Extraction) and the hierarchical agglomerative approach (Single Link, Complete Link, Average Link), applied to datasets obtained from computers seized in investigations by the police department. Experiments were performed with distinct combinations of parameters. Our experiments show that the Complete Link and Average Link algorithms produce the best results for our application domain. If suitably initialized, the partitional K-ROSE algorithm also yields very good results. Lastly, we present and discuss the modules that help forensic computing investigators.

Article Details

How to Cite
S.Padma Sudha, & S.Prema. (2015). AN APPROACH TO CLUSTER DOCUMENTS FOR IMPROVING COMPUTER INSPECTION IN DIGITAL FORENSIC ANALYSIS. International Journal of Intellectual Advancements and Research in Engineering Computations, 3(5), 528–532. Retrieved from https://ijiarec.com/ijiarec/article/view/1338