[EXT] Cybercriminalistic Task: A Model-Based Approach to Understanding Digital Evidence
- Name: Cybercriminalistic Task: A Model-Based Approach to Understanding Digital Evidence
- Venue: 252 / BBB
- Date: 2025-11-04
- Speaker:
- Time: 15:45

The quantity and complexity problems of digital evidence present major challenges in both computer-enabled and core cybercrime investigations. The very nature of digital systems renders traditional procedures of evidence collection and examination, such as a meticulous and systematic analysis of each and every potential trace, infeasible. To address this issue, we apply a model-based view to the cybercriminalistic task, conceptualizing it as the search for case-relevant hypotheses and the identification of the corresponding traces needed to evaluate them. To this end, we introduce the cyber-traceological model, which helps translate investigative questions into "relevant digital evidence" with which investigative hypotheses can be assessed. In this talk, we unpack the model’s components, focusing first on the notions of relevance and expressiveness in digital traces. We then develop evidential concepts within standard linear-time temporal logic (LTL) and demonstrate how these can be applied to the task of forensic event reconstruction using established model-checking tools. When a complete formal system model is available, these concepts allow the direct computation of relevant digital evidence. Even in cases where such a model is incomplete or unavailable, the cyber-traceological framework guides the targeted search for evidence within submodels, as illustrated through a simplified example case. We conclude by discussing the potential of this model-based approach and outlining possible research directions for handling uncertainty in digital evidence.