A Unified Knowledge Graph to Permit Interoperability of Heterogeneous Digital Evidence
Ali Alshumrani, Nathan Clarke, Bogdan Ghita
TL;DR
The paper tackles interoperability challenges in digital forensics posed by heterogeneous evidence across devices and formats. It introduces a Unified Metadata Graph Model (UMGM) that ingests, harmonises, and unifies evidence metadata within a graph database to enable cross-platform analytics. The key contributions include a three-phase UMGM framework, a detailed metadata extraction/mapping/refinement process, and cross-evidence analytics demonstrated via a hypothetical data-leak case. The results suggest improved query efficiency, richer evidence relationships, and streamlined workflows for digital investigations, with future work targeting scalability and integration of machine learning.
Abstract
The modern digital world is highly heterogeneous, encompassing a wide variety of communications, devices, and services. This interconnectedness generates, synchronises, stores, and presents digital information in multidimensional, complex formats, often fragmented across multiple sources. When linked to misuse, this digital information becomes vital digital evidence. Integrating and harmonising these diverse formats into a unified system is crucial for comprehensively understanding evidence and its relationships. However, existing approaches to date have faced challenges limiting investigators' ability to query heterogeneous evidence across large datasets. This paper presents a novel approach in the form of a modern unified data graph. The proposed approach aims to seamlessly integrate, harmonise, and unify evidence data, enabling cross-platform interoperability, efficient data queries, and improved digital investigation performance. To demonstrate its efficacy, a case study is conducted, highlighting the benefits of the proposed approach and showcasing its effectiveness in enabling the interoperability required for advanced analytics in digital investigations.
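To make the ingest/harmonise/unify idea concrete, the following is an added illustration (not the authors' code, and no claim about their actual schema or graph database): two heterogeneous metadata sources, a file-system listing and a mailbox export in constructed formats, are mapped onto one property graph, where a File node keyed by content hash lets an on-disk file and an e-mail attachment unify, and a single cross-evidence query then answers the data-leak question. The identity rule (address local part equals owner name) and the relation names are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample metadata from two heterogeneous sources (assumed formats).
FILESYSTEM_RECORDS = [
    {"path": "/home/alice/report.docx", "sha256": "aa11", "owner": "alice"},
    {"path": "/home/alice/notes.txt", "sha256": "bb22", "owner": "alice"},
]
EMAIL_RECORDS = [
    {"id": "m1", "from": "alice@corp.example", "to": ["bob@partner.example"],
     "attachments": [{"name": "report.docx", "hash": "aa11"}]},
    {"id": "m2", "from": "alice@corp.example", "to": ["carol@corp.example"],
     "attachments": [{"name": "notes.txt", "hash": "bb22"}]},
]
class UnifiedGraph:
    """Minimal in-memory property graph standing in for the graph database."""
    def __init__(self):
        self.nodes = {}                 # node id -> {"type": ..., attributes}
        self.edges = defaultdict(set)   # (src id, relation) -> {dst ids}
    def add_node(self, nid, ntype, **attrs):
        self.nodes.setdefault(nid, {"type": ntype}).update(attrs)
    def add_edge(self, src, rel, dst):
        self.edges[(src, rel)].add(dst)
    def out(self, src, rel):
        return self.edges.get((src, rel), set())
def ingest_filesystem(g, rec):
    # Harmonisation rule: a File node is keyed by content hash, so the same
    # content seen in another source (an attachment) unifies onto one node.
    fid, owner = "file:" + rec["sha256"], "person:" + rec["owner"]
    g.add_node(fid, "File", hash=rec["sha256"], path=rec["path"])
    g.add_node(owner, "Person")
    g.add_edge(owner, "OWNS", fid)
def ingest_email(g, rec):
    # Assumed identity rule: address local part == file-system owner name.
    mid, sender = "email:" + rec["id"], "person:" + rec["from"].split("@")[0]
    g.add_node(mid, "Email", recipients=tuple(rec["to"]))
    g.add_node(sender, "Person")
    g.add_edge(sender, "SENT", mid)
    for att in rec["attachments"]:
        g.add_node("file:" + att["hash"], "File", hash=att["hash"], name=att["name"])
        g.add_edge(mid, "HAS_ATTACHMENT", "file:" + att["hash"])
def externally_leaked_files(g, internal_domain):
    """Cross-evidence query: on-disk files attached to mail leaving the domain."""
    leaked = set()
    for mid, node in g.nodes.items():
        if node["type"] != "Email" or all(
                r.endswith("@" + internal_domain) for r in node["recipients"]):
            continue
        for fid in g.out(mid, "HAS_ATTACHMENT"):
            if "path" in g.nodes[fid]:  # unified with a file-system record
                leaked.add((g.nodes[fid]["path"], g.nodes[fid]["hash"]))
    return sorted(leaked)
```

Building the graph from both record lists and calling externally_leaked_files(g, "corp.example") returns only report.docx, because notes.txt was attached to an internal mail; the same query would need two separate tools and a manual join without the unified graph.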
