
Showing papers in "Digital Investigation in 2006"


Journal Article•DOI•
TL;DR: A new technique is introduced for constructing hash signatures by combining a number of traditional hashes whose boundaries are determined by the context of the input to identify modified versions of known files even if data has been inserted, modified, or deleted in the new files.

482 citations


Journal Article•DOI•
Andreas Schuster
TL;DR: This article analyzes the in-memory structures which represent processes and threads and develops search patterns which are then used to scan the whole memory dump for traces of those objects, independent of the aforementioned lists.

176 citations


Journal Article•DOI•
Ryan Harris
TL;DR: This paper attempts to arrive at a standardized method of addressing anti-forensics by defining the term, categorizing the anti-forensics techniques and outlining general guidelines to protect forensic integrity.

163 citations


Journal Article•DOI•
TL;DR: The fundamental principle of digital forensics investigations (Reconnaissance, Reliability and Relevancy) is highlighted and a new framework, FORZA, is composed, which can incorporate legal advisors and prosecutors into a bigger picture of a digital forensics investigation framework.

160 citations


Journal Article•DOI•
Simson L. Garfinkel
TL;DR: FFE and CDA are promising techniques for prioritizing work and automatically identifying members of social networks under investigation and are likely to have other uses as well.

152 citations


Journal Article•DOI•
TL;DR: FATKit allows analysts to focus on higher-level tasks by providing novel methods for automatically deriving digital object definitions from C source code, extracting those objects from memory images, and visualizing the underlying data in various ways.

148 citations


Journal Article•DOI•
TL;DR: Current forensic identification techniques for digital cameras, printers, and RF devices are presented and it is shown how they can fit into a general forensic characterization framework, which can be generalized for use with other devices.

112 citations


Journal Article•DOI•
TL;DR: This paper describes how to use JTAG (Joint Test Action Group, also called boundary-scan) for producing a forensic image (a one-to-one copy of the data found on an exhibit) of an embedded system.

107 citations


Journal Article•DOI•
TL;DR: A modified circular order circumplex is presented as an alternative method for developing a preliminary hacker taxonomy and the importance of developing an understanding of the hacker community and the various sub-groups is discussed.

78 citations


Journal Article•DOI•
TL;DR: This paper focuses on creating an ontology for the purpose of finding the correct layers for specialization, certification, and education within the cyber forensics domain; the ontology can also be used to develop curriculum and educational materials.

77 citations


Journal Article•DOI•
TL;DR: A novel, XML-based approach towards managing and querying forensic traces extracted from digital evidence by providing the forensic investigator with a rich query environment in which browsing, searching, and predefined query templates are all expressed in terms of XML database queries.

Journal Article•DOI•
TL;DR: A model based on the history of a computer is used to define categories and classes of analysis techniques that support the existing higher-level frameworks and can be used to more clearly compare the frameworks.

Journal Article•DOI•
Eric Shaw
TL;DR: The overall role of the behavioral consultant in insider cases is examined with emphasis on specific forms of support for the investigative team and aid to managers and security personnel with case management of insiders within corporate environments.

Journal Article•DOI•
TL;DR: The current study confirmed that the four psychometric instruments were reliable for conducting research in the field of criminal/deviant computer behavior and indicated that those individuals self-reporting criminal computer behavior were significantly more introverted than those reporting no criminal/deviant computer behavior.

Journal Article•DOI•
TL;DR: The methods of hiding data in the NTFS file system are examined and the analysis techniques which can be applied to detect and recover data hidden using each of these methods are discussed.

Journal Article•DOI•
TL;DR: The sources of the information, along with the methods used and toolsets available for such examinations, and their use for recovering evidence in digital investigations, are identified.

Journal Article•DOI•
Philip Turner
TL;DR: The 'ultimate test' for an intelligent and selective imager approach is defined, and the types of selective imaging that can be performed are defined.

Journal Article•DOI•
TL;DR: It is shown that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records, and an approach for inferring the temporal behaviour of a particular computer over a range of time is presented.

Journal Article•DOI•
TL;DR: This paper presents md5bloom, an actual Bloom filter manipulation tool that can be incorporated into forensic practice, along with example uses and experimental results, and provides a probabilistic framework that allows the interpretation of direct, bitwise comparison of Bloom filters to infer similarity and abnormality.

Journal Article•DOI•
TL;DR: Whether the techniques used to create file signatures in the NSRL produce unique results is examined, a core characteristic that the NSRL depends on for the majority of its uses.

Journal Article•DOI•
TL;DR: In this article, the authors demonstrate some methods of proving such a link where the suspect and victim have been in contact on the Yahoo Messenger chat service and demonstrate that the suspect was responsible for that contact rather than a third party who may have taken control of the suspect's chat account.

Journal Article•DOI•
Bruce J. Nikkel
TL;DR: The pervasiveness of network technology is causing a shift in the location of digital evidence, which brings additional challenges which need to be addressed and improvements in the methods for the collection of evidence from live network sources are suggested.

Journal Article•DOI•
TL;DR: Findings from an empirical study are presented to measure and compare the accuracy and effectiveness of a suite of automatic event reconstruction techniques and quantify the rates of false positives and false negatives, and scalability in terms of both computational burden and memory-usage.

Journal Article•DOI•
TL;DR: Methods of proving a strong evidential link between the victim and the suspect where the suspect and victim have been in contact on the MSN Messenger chat service are demonstrated.

Journal Article•DOI•
TL;DR: A case study shows the investigative usefulness of trace evidence relating to America Online Instant Messenger (AIM) in finding evidence of communications and other linkages between the two computers related to AIM.

Journal Article•DOI•
Bruce J. Nikkel
TL;DR: The device offers several modes of operation for different live network evidence collection scenarios involving single network nodes, including the use of promiscuous packet capturing to enhance evidence collection from remote network sources, such as websites or other remote services.

Journal Article•DOI•
TL;DR: The requirements and test assertions that make up a strategy for testing hardware write block devices are described, based on well-recognized international methodologies for conformance testing and quality testing.

Journal Article•DOI•
TL;DR: This article illustrates how a forensic examiner analyzed System Restore points to reveal traces of evidence which ultimately led to a complete understanding of the computer compromise and the subsequent bank account compromises.

Journal Article•DOI•
TL;DR: This work identifies the peculiar characteristics for the development of a non-destructive automated system for efficiently detecting and fixing the origin of the questioned documents by linking them to the scanner and printer used.