
Showing papers in "Digital Investigation in 2010"


Journal ArticleDOI
TL;DR: Current forensic research directions are summarized and it is argued that to move forward the community needs to adopt standardized, modular approaches for data representation and forensic processing.

606 citations


Journal ArticleDOI
TL;DR: An exhaustive survey of various network forensic frameworks proposed till date is made and a generic process model for network forensics is proposed which is built on various existing models of digital forensics.

213 citations


Journal ArticleDOI
TL;DR: Experiments on a real-life dataset suggest that clustering by writing style is a promising approach for grouping e-mails written by the same author.

166 citations


Journal ArticleDOI
TL;DR: The dynamic behavior of the mobile phone's volatile memory is investigated, and the analysis is useful in real-time evidence acquisition analysis of communication based applications and can capture most of the data to facilitate further detailed forensic investigation.

119 citations


Journal ArticleDOI
TL;DR: The results indicate that automated mapping can help speed manual and automated analysis activities and can be generalized to incorporate many low-level fragment classification techniques.

92 citations


Journal ArticleDOI
TL;DR: Techniques are presented for improved detection of JPEG, MPEG and compressed data; for rapidly classifying the forensic contents of a drive using random sampling; and for carving data based on sector hashes.

86 citations


Journal ArticleDOI
TL;DR: The on-scene triage process is formalized, placing it firmly in the overall forensic handling process and providing guidelines for standardization of on-scene triage, and basic requirements for automated triage tools are outlined.

68 citations


Journal ArticleDOI
TL;DR: The results of the study argue that law enforcement is in a dire situation when it comes to dealing with digital crime.

59 citations


Journal ArticleDOI
TL;DR: The functionality of two p2p protocols, Gnutella and BitTorrent, is detailed, along with an analysis of the protocols focused on the items of particular interest to investigators, such as the value of evidence given its provenance on the network.

53 citations


Journal ArticleDOI
TL;DR: The use of the debug structures embedded in memory dumps and Microsoft's program database (PDB) files to create a flexible tool that takes an arbitrary memory dump from any of the family of Windows NT operating systems and extracts process, configuration, and network activity information is proposed.

51 citations


Journal ArticleDOI
TL;DR: This paper focuses on Anti-Forensic techniques applied to mobile devices, presenting some fully automated instances of such techniques to Android devices and testing the effectiveness of these techniques versus both the cursory examination of the device and some acquisition tools.

Journal ArticleDOI
TL;DR: The NCD algorithm, in conjunction with k-nearest-neighbour as the classification algorithm, was applied to a random selection of circa 3000 512-byte file fragments from 28 different file types to determine the fragments' file type and enable later comparison of the results.

Journal ArticleDOI
TL;DR: Techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions are described, with applications including kernel-level malware detection, recovery of process memory and file mappings, and other areas of forensic interest.

Journal ArticleDOI
TL;DR: An overview of Windows Mobile Forensics is provided, describing various methods of acquiring and examining data on Windows Mobile devices, including text messages, multimedia, e-mail, Web browsing artifacts, and Registry entries.

Journal ArticleDOI
TL;DR: The forensic application of freely available tools is introduced, how known methods of physical acquisition can be applied to Windows CE devices is described, and a method to investigate isolated Windows CE database volume files for both active and deleted data is introduced.

Journal ArticleDOI
TL;DR: The proposed techniques for speaker identification and verification from encrypted VoIP conversations can correctly identify the actual speaker 70-75% of the time among a group of 10 potential suspects and achieve a more than 10-fold improvement over random guessing in identifying a perpetrator.

Journal ArticleDOI
TL;DR: The data structures of the command prompt history are dissected and a methodology that can be generalized to extract user-entered data on other versions of Windows is demonstrated.

Journal ArticleDOI
TL;DR: This paper shows how a balance can be reached between privacy and forensics by releasing private information sequentially, classifying and ordering the information to create a privacy-preserving object.

Journal ArticleDOI
TL;DR: Using the new AFF4 forensic file format, a hash based compression scheme is employed to leverage an existing corpus of images, reducing both acquisition time and storage requirements.

Journal ArticleDOI
TL;DR: The purpose of this paper is not to define any error rates for forensic tools, but to identify some of the basic issues and stimulate discussion and further work on the topic.

Journal ArticleDOI
TL;DR: This study tends to prove that some smartphone bootloaders can be used to acquire data while preserving digital evidence integrity, and proposes methods to process specific files with specific formats such as registry hives and the cemail.vol file, including the retrieval of deleted data still embedded in this file.

Journal ArticleDOI
TL;DR: The tests in this paper provide a reasonably solid base for flasher box use without introducing excessive amounts of extra work for the examiner and propose validation tests for this relatively new acquisition method.

Journal ArticleDOI
TL;DR: It is shown that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction, and what information is definitively not retrievable from the cache.

Journal ArticleDOI
TL;DR: The result is the Symbian Memory Imaging Tool (SMIT), which can image the volumes of the internal flash memory and copy the images to a removable memory device, opening the way to retrieve deleted data in a non-intrusive manner.

Journal ArticleDOI
TL;DR: This paper analyzes the SATA hard disk drive contained in Microsoft's Xbox 360 games console and provides suggested basic guidelines for future investigations on recovering stored remnants of information from the drive.

Journal ArticleDOI
TL;DR: Although the quantity of information found at this point is limited, the possibility to link the position and time of the device can be invaluable in some cases.

Journal ArticleDOI
TL;DR: The paper describes how a buffer overflow exploit can be used in order to execute custom code written to create an image of the console's memory.

Journal ArticleDOI
TL;DR: In this paper, the authors present automatic speaker verification techniques based on hidden Markov and Gaussian mixture models for partially encrypted speech, using the perceptually less relevant speech features that are left unencrypted.

Journal ArticleDOI
TL;DR: This paper analyzes IDM activities recorded across multiple files, including the Windows Registry, history and log files, from an artefact-collection viewpoint to envisage and deduce suspicious activities.

Journal ArticleDOI
TL;DR: An algorithm is described that can be used to find paging structures for potential processes that were hidden by rootkits or other malware on an x86 platform running either Linux or Windows XP.