How Often Is Employee Anger an Insider Risk II? Detecting and Measuring Negative Sentiment versus Insider Risk in Digital Communications: Comparison between Human Raters and Psycholinguistic Software
E. Shaw, Maria Payri, Ilene Shaw
Pub Date: 2013-01-01, DOI: 10.15394/JDFSL.2013.1144
This research uses two recently introduced observer rating scales (Shaw et al., 2013) for the identification and measurement of negative sentiment (the Scale for Negativity in Text, or SNIT) and insider risk (the Scale of Indicators of Risk in Digital Communication, or SIRDC) in communications to test the performance of psycholinguistic software designed to detect indicators of these risk factors. The psycholinguistic software program WarmTouch (WT), previously used for investigations, appeared to be an effective means of locating communications scored High or Medium in negative sentiment by the SNIT or High in insider risk by the SIRDC within a randomly selected sample from the Enron archive. WT proved less effective in locating emails scored Low in negative sentiment on the SNIT and Low in insider risk on the SIRDC. However, WT performed extremely well in identifying communications from actual insiders that were randomly selected from case files and inserted into this email sample. In addition, WT's measure of perceived Victimization appeared to be a significant supplement to negative sentiment alone when searching for actual insiders. Previous findings (Shaw et al., 2013) indicate that this relative weakness in identifying low levels of negative sentiment may not impair WT's usefulness for identifying communications containing
How Often Is Employee Anger an Insider Risk I? Detecting and Measuring Negative Sentiment versus Insider Risk in Digital Communications
E. Shaw, Maria Payri, Michael Cohn, Ilene Shaw
Pub Date: 2013-01-01, DOI: 10.15394/JDFSL.2013.1140
This research introduced two new scales for the identification and measurement of negative sentiment and insider risk in communications in order to examine the unexplored relationship between these two constructs. The inter-rater reliability and criterion validity of the Scale of Negativity in Texts (SNIT) and the Scale of Insider Risk in Digital Communications (SIRDC) were established with a random sample of email from the Enron archive and criterion measures from established insiders, disgruntled employees, suicidal, depressed, angry, anxious, and other sampled groups. In addition, the sensitivity of the scales to changes over time, as the risk of digital attack increased and transitioned to a physical attack, was examined in an actual case study. Inter-rater reliability for the SNIT was extremely high across groups, while the SIRDC produced lower but acceptable levels of agreement. Both measures also significantly distinguished the criterion groups from the overall Enron sample. The scales were then used to measure the frequency of negative sentiment and insider risk indicators in the random Enron sample and the relationship between the two constructs. While low levels of negative sentiment were found in 20% of the sample, moderate and high levels of negative sentiment were extremely rare, occurring in less than 1% of communications. Less than 4% of the sampled emails displayed indicators of insider risk on the SIRDC. Emails containing high levels of insider risk comprised less than one percent of the sample. Of the emails containing negative sentiment in the sample, only 16.3% also displayed indicators of insider risk. The odds of a communication containing insider risk increased with the level of negative sentiment, and only low levels of insider risk were found at low levels of negative sentiment. All of the emails found to contain insider risk indicators on the SIRDC also displayed some level of negative sentiment. The implications of these findings for insider risk detection were then examined.
Column: The Science of Digital Forensics: Analysis of Digital Traces
F. Cohen
Pub Date: 2012-09-30, DOI: 10.15394/jdfsl.2012.1113
In part 1 of this series (Cohen, 2011a), analysis of digital traces is a foundational process by which the examiner, typically using computer software tools, comes to understand and answer basic questions regarding digital traces. “Input sequences to digital systems produce outputs and state changes as a function of the previous state. To the extent that the state or outputs produce stored and/or captured bit sequences, these form traces of the event sequences that caused them. Thus the definition of a trace may be stated as: "A set of bit sequences produced from the execution of a finite state machine."” (see PDF for full column)
“Preemptive Suppression” – Judges Claim the Right to Find Digital Evidence Inadmissible Before It Is Even Discovered
B. Simpson
Pub Date: 2012-01-01, DOI: 10.15394/JDFSL.2012.1132
Vermont state prosecutors have asked the Vermont Supreme Court to end a state trial judge’s practice of attaching conditions to computer warrants. The Vermont judge’s conditions are drawn from five conditions established in the 2009 decision of the 9th Circuit Court of Appeals in the Comprehensive Drug Testing, Inc. case (CDT II). This is the first time the validity of the “CDT conditions” will be decided by a state court of final jurisdiction in the United States.
Column: Analysis of Digital Traces
F. Cohen
Pub Date: 2012-01-01, DOI: 10.15394/JDFSL.2012.1125
In cases where the examiner also performed collection, the details of the collection process may also be known, and so forth. The examiner may also rely on statements, paperwork, claims, and all manner of other things to put the bag of bits into context, but at the start of the examination, anything outside of the personal knowledge of the examiner should be treated as speculative and subject to refutation. Analysis is largely about performing computations on the bag of bits and related information to produce analytical products and derived traces. These products are then used to interpret, attribute, reconstruct, present, and otherwise work with the evidence for other examiners, lawyers, triers of fact, etc. But in order to do this, something about the bag of bits must support or refute hypotheses about what it contains.
Automatic Crash Recovery: Internet Explorer's Black Box
John Moran, Douglas Orr
Pub Date: 2012-01-01, DOI: 10.15394/JDFSL.2012.1127
A good portion of today's investigations include, at least in part, an examination of the user's web history. Although it has lost ground over the past several years, Microsoft's Internet Explorer still accounts for a large portion of the web browser market share. Most users are now aware that Internet Explorer will save browsing history, user names, passwords and form history. Consequently, some users seek to eliminate these artifacts, leaving behind less evidence for examiners to discover during investigations. However, most users, and probably a good portion of examiners, are unaware that Automatic Crash Recovery can leave a gold mine of recent browsing history in spite of the user's attempts to delete historical artifacts. As investigators, we must continually be looking for new sources of evidence; Automatic Crash Recovery is one.
Adaptation of PyFlag to Efficient Analysis of Overtaken Computer Data Storage
A. Byrski, Wojciech Stryjewski, Bartłomiej Czechowicz
Pub Date: 2010-03-31, DOI: 10.15394/JDFSL.2010.1071
Based on existing software aimed at investigation support in the analysis of computer data storage overtaken during investigation (PyFlag), an extension is proposed involving the introduction of dedicated components for data identification and filtering. Hash codes for popular software contained in the NIST/NSRL database are considered in order to exclude unwanted files while searching and to classify them into several categories. The extension allows for further analysis, e.g. using artificial intelligence methods. The considerations are illustrated by an overview of the system's design.
Teaching Data Carving Using the Real World Problem of Text Message Extraction from Unstructured Mobile Device Data Dumps
Gary Cantrell, Joan Runs Through
Pub Date: 1900-01-01, DOI: 10.15394/JDFSL.2019.1603
Data carving is a technique used in data recovery to isolate and extract files based on file content without any file system guidance. It is an important part of data recovery and digital forensics. However, it is also useful in teaching computer science students about file structure and the binary encoding of information, especially within a digital forensics program. This work demonstrates how the authors teach data carving using a real-world problem they encounter in digital forensics evidence processing: the extraction of text messages from unstructured small-device binary extractions. The authors have used this problem for instruction in digital forensics courses and other computer science courses.