Uncertainty Bounds for Digital Forensic Evidence and Hypotheses

Richard E Overill and Jantje A M Silomon
Department of Informatics
King’s College London
London, UK
{richard.overill | jantje.a.silomon}@kcl.ac.uk

Abstract—It is important to be able to quantify the numerical uncertainty associated with the likelihood of a particular hypothesis. The estimation of typical values required in the calculation of posterior odds using the previously proposed operational complexity model (OCM) is a case in point. It is often necessary to distinguish between alternative explanations for forensically recovered digital evidential traces. In this study, the uncertainties associated with five common e-crimes and their respective Trojan horse defences have been computed using the OCM. They exhibit some remarkable variations and we discuss the significance of the uncertainties in these posterior odds from both a technical and a judicial standpoint. We conclude that these uncertainties are crucial for the defence and prosecution sides to fully understand each other’s cases.

Keywords-operational complexity model; posterior odds; digital forensics; uncertainty propagation; relative plausibility metrics; alternative hypotheses.

I. INTRODUCTION

The ability to quantify the probabilities (or likelihoods) associated with recovered digital evidential traces and the hypotheses as to how these were formed lends valuable insights into the relative plausibility of alternative narratives that may be advanced by, for example, the prosecution and the defence counsels at a trial. It enables the prosecution and defence sides to view their own and each other’s cases in order to assess their relative strengths and weaknesses. It also assists a prosecution authority in deciding whether or not there is a reasonable prospect of a successful prosecution when it contemplates proceeding to trial. Finally, it aids the expert digital forensic examiner in coming to a view on the probative value of the recovered digital evidence when preparing to give expert testimony in court.

The remainder of this paper is organised as follows. Section 2 gives some salient background to the current study. Section 3 provides the requisite theory and methodology for the present work. Section 4 presents our results and discusses their significance. Finally, in section 5, we offer some conclusions and directions for future research.

II. BACKGROUND

We have attempted to promote the trend towards quantifying digital forensic evidence and hypotheses by developing the Operational Complexity Model (OCM) [1] which aims to link the intrinsic complexity of a given digital process with the probability that the process in question occurred obliviously, as opposed to intentionally (vide infra). By comparing the OCM complexities of several alternative digital processes each of which generates the same set of recoverable digital evidential traces, we can compute the posterior odds of each of the alternative processes corresponding to the alternative narratives.

A commonly invoked defence claims that malicious software known as a Trojan horse performed the alleged criminal activity of which the user was oblivious. In order to demonstrate the practical utility of the OCM we applied it to the Trojan horse defence (THD) [3-6] against the five most commonly prosecuted e-crimes in Hong Kong (HK) [2], namely:

2012 Seventh International Conference on Availability, Reliability and Security
978-0-7695-4775-6/12 $26.00 © 2012 IEEE
DOI 10.1109/ARES.2012.17