Showing papers in "Digital Investigation in 2014"


Journal Article
TL;DR: It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.

216 citations


Journal Article
TL;DR: In this article, a forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system, is presented, which can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation.

121 citations


Journal Article
TL;DR: This paper conducts an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics, and proposes a process for the collection of evidential data from distributed filesystems.

84 citations


Journal Article
TL;DR: This paper explores the current implementation of the digital forensic process, analyzes factors that impact the efficiency of this process, and explains how in the Netherlands a Digital Forensics as a Service implementation reduced case backlogs and freed up digital investigators to help detectives better understand the digital material.

84 citations


Journal Article
Saed Alrabaee, Noman Saleem, Stere Preda, Lingyu Wang, Mourad Debbabi
TL;DR: It is demonstrated that many “unique” features selected using this method are clearly unrelated to the authors’ programming styles, for example, unique IDs or random but unique function names generated by the compiler; furthermore, the overall accuracy is generally unsatisfactory.

70 citations


Journal Article
TL;DR: Two common region-level inpainting methods for object removal, temporal copy-and-paste and exemplar-based texture synthesis are investigated, and a new approach based on spatio-temporal coherence analysis for detection and localization of tampered regions is proposed.

66 citations


Journal Article
TL;DR: The proposed approach is based on a model which integrates knowledge of experts from the fields of digital forensics and software development, allowing a semantically rich representation of events related to the incident and the analysis of these events in an automatic and efficient way.

61 citations


Journal Article
TL;DR: Experimental results based on the selection of SPAM (Subtractive Pixel Adjacency Matrix) features in spatial-domain steganalysis and CC-PEV (Cartesian Calibrated feature extracted by PEVný) features by the proposed steganalytic feature selection method show that the proposed method can not only reduce the dimensionality of the features efficiently while maintaining the accuracy of the steganalysis, but also greatly improve the detection efficiency.

51 citations


Journal Article
TL;DR: The concepts and internals of the Cloud Data Imager Library are described, a mediation layer that offers a read only access to files and metadata of selected remote folders and currently supports access to Dropbox, Google Drive and Microsoft Skydrive storage facilities.

49 citations


Journal Article
TL;DR: This paper is meant to be a crash course on control systems and their forensic opportunities, focussing on the differences compared to regular IT systems.

49 citations


Journal Article
TL;DR: This paper uses customized parsers to extract all file format structures of videos from overall 19 digital camera models, 14 mobile phone models, and 6 video editing toolboxes and reports considerable differences in the choice of container formats, audio and video compression algorithms, acquisition parameters, and internal file structure.

Journal Article
TL;DR: This paper identifies several services and mechanisms that can be abused by a government agency or malicious party to extract intelligence on a subject, including services that may in fact be back doors introduced by the manufacturer.

Journal Article
TL;DR: The client application and its detected network traffic are outlined, and artefacts that may be of value as evidence for future digital investigations are identified.

Journal Article
TL;DR: The case study will provide an in-depth look at Silk Road from an Australian perspective and in light of the continuing popularity of illicit drug use in Australia.

Journal Article
TL;DR: A case study is presented where the timezone on the Android device was set incorrectly, while the clock was set to correspond to the time zone where the device was actually located, and a method to detect clock skew based on the mmssms.db database is demonstrated.

Journal Article
TL;DR: This research examined files acquired from the iCloud service via the native Mac OS X system synchronization with the service to determine the operating system locations of iCloud-synched files and if the file hash values match those of the original files and whether file metadata, particularly timestamps, are altered.

Journal Article
TL;DR: The curriculum was designed with the express intent of distributing it as a self-contained curriculum package with everything needed to teach the course, and the revisions made based on this experience and feedback from students are described.

Journal Article
TL;DR: This work introduces a computationally efficient LCS approximation and uses it to obtain ground truth on the t5 set and evaluates three existing approximate matching schemes relative to LCS and analyzes their performance.

Journal Article
TL;DR: This work is a first attempt ever to comprehend the machinery of such a unique event, and it is hoped that the community could consider it as a building block for auxiliary analysis and investigation.

Journal Article
TL;DR: Experimental results suggest that the proposed framework is able to identify key-terms, key-users, key-sessions, and user-groups from chat log data, all of which are crucial for cyber-crime investigation.

Journal Article
TL;DR: This paper presents a novel technique to safely load a pre-compiled kernel module for acquisition on a wide range of Linux kernel versions and configurations, which injects a minimal acquisition module into another valid kernel module (host) already found on the target system.

Journal Article
TL;DR: This paper presents and evaluates a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(x) to O(1), and demonstrates that a single, huge Bloom filter has a far better performance.

Journal Article
TL;DR: This research compares regular expression search techniques and LDA using the Real Data Corpus (RDC), a set of over 2400 disks from real users, and indicates that, while LDA search should not be used as a replacement for regular expression search, it does offer benefits.

Journal Article
TL;DR: In this paper, a forensic-aware database management system using transaction and replication sources is presented, which is invariant to retroactive malicious modifications by an attacker, and can be used to reconstruct evidence during a forensic investigation.

Journal Article
TL;DR: It is concluded that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk.

Journal Article
TL;DR: This work presents and evaluates two indexing strategies for robust image hashes created by the ForBild tool, based on generic indexing approaches for Hamming spaces, i.e. spaces of bit vectors equipped with the Hamming distance.

Journal Article
TL;DR: The difficulty of analyzing swap files is discussed in more detail, along with the compressed RAM facilities in Mac OS X and Linux, and the new tools for analysis of compressed RAM are integrated into the open-source Volatility framework.

Journal Article
TL;DR: This paper explores, as a future forensic need, whether the authors are missing potential sources of forensic data and to what degree they are ready to process these systems as part of an investigation.

Journal Article
TL;DR: This research proposed an initial set of relevancy ranking features, executed a 36-term query across four disks in a synthetic case, and obtained very promising empirical results.

Journal Article
TL;DR: The design and application of a tool, OpenLV, are described; the tool not only meets the needs for speedy initial triage, but can also facilitate the review of digital evidence at later stages of investigation.