### **5. The significance of machine learning in digital forensic investigations**

MLF originates from AI. It processes huge amounts of data, analyses them to discover criminal actions and risks, and segments them to find criminal activity and behaviour. Systems that lack an intelligent component cannot perform true learning and cannot be considered truly intelligent. DFI through ML is the latest trend to seize the potential of AI as a leading security solution capability.

ML behavioural analytics is the core of modelling, profiling and prediction in medicine, manufacturing, advertising and business intelligence, and has recently been adopted in law enforcement. To discover criminal behaviour, MLF draws on data from wired and wireless networks, the web and cloud computing. MLF therefore aims to provide new knowledge and skills and an organised knowledge structure that produces progressive improvements in its own performance.

Originating from AI, ML algorithms can be used to analyse huge amounts of data to identify risk, segment the data and detect criminal behaviour. ML algorithms enable investigators to interrogate the vast, scattered data sets held in social and wired networks and in web or cloud computing. In essence, ML algorithms are pattern-recognition software that analyses huge amounts of data in order to predict behaviour. They learn from historical data and use what they learn to predict future behaviour. Through ML algorithms, MLF gains the capability to recognise patterns of criminal activity by learning from historical data when and where a crime is likely to take place. The malicious activities in the extracted data set may range from burglaries and money laundering to intrusion attacks. This task is achieved by formalising and analysing servers, suspects' devices, wireless devices, the Internet and other kinds of data for visualisation, link association, segmentation and prediction of criminal activity. Nowadays, industry faces more advanced cyber threats that cannot be tracked by traditional security measures. Attackers have designed more sophisticated ways to attack systems, and these attacks become more complicated over time; a system administrator cannot detect every one of them. Human expertise and competence also have limits, which leaves industry with slow response to incidents, long delays in the detection and prevention of cyber threats, and a need for ever more advanced expertise to remove them. Developing more advanced machine learning models may therefore help to prevent and protect against these threats. Many automated software tools are already available that help humans perform complicated and scientific tasks. As a next step, these automated tools need to become more advanced and should incorporate AI and ML techniques.

### **6. Discussion and future prospects**

The literature survey shows that forensic experts face many challenges when performing an examination.

First of all, there is an ultra-exponential growth in data due to inexpensive storage devices such as hard drives, CDs, USB sticks and so on. This makes it almost impossible for individuals to perform forensic analysis in a short period of time.

*Digital Forensic Science*


| **Paper title** | **Problems addressed** | **Methods used** | **Proposed solution** | **Implementation** | **Open problems** |
|---|---|---|---|---|---|
| Automated forensic analysis of mobile applications on Android devices [17] | Inter-component string propagation, string operations (e.g. append) and API invocation | Inter-component static analysis on Android APKs | Identifies how the information is stored by parsing SQL commands | Fordroid: builds control flow and data dependency graphs | Inter-component string propagation |
| Automated inference of past action instances in digital investigations [18] | Detects multiple instances of a user action | Signature-based methods | Pattern matching to automatically reconstruct high-level, human understandable events | Detected using signature-based methods during a postmortem digital forensic analysis | Do not cover all aspects of forensic analysis between events |
| An automated timeline reconstruction approach for digital forensic investigations [19] | Integrating time into event reconstruction | Extracts low-level events to a SQLite backing store | Automatically analyzed for patterns | Automatically reconstruct high-level events (e.g. connection of a USB stick) from this set of low-level events | Aligning time stamps from different systems and analyzing complex events with incomplete time information |
| Automated event and social network extraction from digital evidence sources with ontological mapping [20] | High-level analysis based on low-level digital artifacts | Standardized knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data | Automatically derived "events" from the base forensic artifacts | Information fusion and homogenization techniques are used to reconstruct social networks | Validation of extracted ontologies and correctness of the data is a big issue |

**Table 3.** *Comparison of literature surveys.*
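As an added illustration of the timeline-reconstruction approach summarised for [19] in Table 3 (example code written for this page, not the cited authors' tool): low-level events are extracted into a SQLite backing store, and a pattern over them is matched to infer a high-level "USB storage device connected" event that keeps the ids of the low-level events behind it. The sample events, the two-artifact pattern and the 10-second window are constructed assumptions, not values from the chapter.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample of low-level timeline events (source, ISO timestamp, description).
# These are invented for the example and come from no real disk image.
LOW_LEVEL_EVENTS = [
    ("registry", "2019-03-04T09:14:02", "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston key updated"),
    ("setupapi", "2019-03-04T09:14:03", "Device Install (Hardware initiated) USBSTOR\\Disk&Ven_Kingston"),
    ("registry", "2019-03-04T09:14:05", "HKLM\\SYSTEM\\MountedDevices value written for \\DosDevices\\E:"),
    ("filesystem", "2019-03-04T11:30:00", "C:\\Users\\bob\\notes.txt modified"),
    ("registry", "2019-03-05T17:02:40", "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk key updated"),
]

# Hypothetical pattern: a USB storage connection is inferred only when a USBSTOR
# registry update AND a matching setupapi install record fall within WINDOW.
REQUIRED_SOURCES = {"registry", "setupapi"}
WINDOW = timedelta(seconds=10)

def load_events(conn, events=LOW_LEVEL_EVENTS):
    """Extract low-level events into the SQLite backing store."""
    conn.execute("CREATE TABLE IF NOT EXISTS low_level "
                 "(id INTEGER PRIMARY KEY, source TEXT, ts TEXT, description TEXT)")
    conn.executemany("INSERT INTO low_level (source, ts, description) VALUES (?, ?, ?)", events)
    conn.commit()

def reconstruct_usb_connections(conn, window=WINDOW):
    """Scan the store for the USB pattern; each high-level event keeps the ids of
    the low-level events that produced it, so the inference can be audited."""
    rows = conn.execute("SELECT id, source, ts, description FROM low_level "
                        "WHERE description LIKE '%USBSTOR%' ORDER BY ts").fetchall()
    high_level, i = [], 0
    while i < len(rows):
        anchor = datetime.fromisoformat(rows[i][2])
        group = [r for r in rows[i:] if datetime.fromisoformat(r[2]) - anchor <= window]
        if REQUIRED_SOURCES <= {r[1] for r in group}:
            high_level.append({"event": "USB storage device connected",
                               "time": rows[i][2],
                               "provenance": [r[0] for r in group]})
        # A lone USBSTOR artifact (the SanDisk entry above) is not enough evidence
        # and is skipped rather than reported as a connection.
        i += len(group)
    return high_level

def run_demo():
    conn = sqlite3.connect(":memory:")
    load_events(conn)
    return reconstruct_usb_connections(conn)
```

Running `run_demo()` yields a single high-level event at 2019-03-04T09:14:02 whose provenance points back to low-level events 1 and 2; the unpaired SanDisk registry entry on the following day is deliberately not promoted to a connection.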

Consequently, it is almost impossible for forensic experts to analyse each machine individually and also cross-check each machine's processes; this limits what human investigators can do. Along the same lines, huge amounts of data must be sent to a laboratory for forensic examination with limited time and resources. In a real-time digital forensic investigation it is very difficult to determine at an early stage which evidence is most important and relevant to the crime under investigation, for example in a cybercafé or a network of computers where several computers share the same IP address.

On the other hand, intelligent tools are the main part of MLF. However, these tools also pose problems for investigation in the pre-analysis phase, so the shortcomings in collecting large amounts of data from distributed machines need to be examined. Some of the existing tools do not help solve the problem and even increase the time of the investigation. What is needed are more intelligent methods and tools so that suspects' machines or malicious activity can be analysed automatically and determined in good time. Data can be stored and placed anywhere for destructive purposes; MLF techniques are therefore the best means of storing, evaluating and using this data productively to anticipate harmful activities. MLF methods can perform meta-analysis on meta-knowledge from different sources and can simplify complex tasks into understandable and manageable data formats in a short period of time. MLF can provide a well-formed repository containing well-sanitised digital-investigation data with well-known properties and results. Such methods should:

- Have data availability to support modeling.
- Address well-scoped problems and methodology.
- Explain well the reasoning process.
- Formally structure the representation of knowledge.
- Have well-organized performance evaluation.
- Integrate with current architecture, tools and applications.


**Author details**

Salman Iqbal1\* and Soltan Abed Alharbi2

1 Department of Computer Science, COMSATS University Islamabad, Vehari, Pakistan

2 Department of Electrical and Computer Engineering, University of Jeddah, Saudi Arabia

\*Address all correspondence to: simbwp@gmail.com

© 2019 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

*Advancing Automation in Digital Forensic Investigations Using Machine Learning Forensics*

*DOI: http://dx.doi.org/10.5772/intechopen.90233*

