
Showing papers on "Digital evidence published in 2005"


Book
01 Jan 2005
TL;DR: Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
Abstract: The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques

Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed. Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools, including tools he personally developed.

Coverage includes:
- Preserving the digital crime scene and duplicating hard disks for "dead analysis"
- Identifying hidden data on a disk's Host Protected Area (HPA)
- Reading source data: direct versus BIOS access, dead versus live acquisition, error handling, and more
- Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
- Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
- Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
- Finding evidence: file metadata, recovery of deleted files, data hiding locations, and more
- Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.

Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH. Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.

© Copyright Pearson Education. All rights reserved.

536 citations


Journal ArticleDOI
TL;DR: A multi-tier, hierarchical framework to guide digital investigations that includes objectives-based phases and sub-phases that are applicable to various layers of abstraction, and to which additional layers of detail can easily be added as needed.

307 citations


Journal Article
TL;DR: A computational, stylometric method is presented which has obtained 95% accuracy and has been successfully used in investigating and adjudicating several crimes involving digital evidence.
Abstract: In some investigations of digital crime, the question of who was at the keyboard when incriminating documents were produced can be legitimately raised. Authorship attribution can then contribute to the investigation. Authorship methods which focus on linguistic characteristics currently have accuracy rates ranging from 72% to 89%, within the computational paradigm. This article presents a computational, stylometric method which has obtained 95% accuracy and has been successfully used in investigating and adjudicating several crimes involving digital evidence. The article concludes with a brief review of the current admissibility status of authorship identification techniques.

179 citations


Journal ArticleDOI
Philip Turner1
01 Sep 2005
TL;DR: The Digital Evidence Bag concept could be used to permit the streamlining of data capture and allow multiple sources of evidence to be processed in a multiprocessor distributed environment, thereby maximizing the use of available processing power.
Abstract: This paper outlines a new approach to the acquisition and processing of digital evidence obtained from disparate digital devices and sources. To date, the capture of digital-based evidence has always been in its entirety from the source device, and different methods and containers (file types) are used for different types of digital device (e.g. computer, PDA, mobile phone). This paper defines a new approach called a Digital Evidence Bag (DEB) that is a universal container for the capture of digital evidence. Furthermore, the Digital Evidence Bag concept could be used to permit the streamlining of data capture and allow multiple sources of evidence to be processed in a multiprocessor distributed environment, thereby maximizing the use of available processing power. The approach described in this paper allows for the first time the forensic process to be extended beyond the traditional static forensic capture of evidence into the real-time 'live' capture of evidence. In addition to this, the Digital Evidence Bag can be used to provide an audit trail of processes performed upon the evidence as well as integrated integrity checking.

87 citations


Proceedings ArticleDOI
07 Nov 2005
TL;DR: This paper examines some recent advances in digital forensics and some important emerging challenges, including the implications of large volumes of data; the impact of embedded and special-purpose computer systems; corporate governance and its implications for 'forensic readiness'; and the role of forensics in securing the Internet.
Abstract: Digital forensics is concerned with the investigation of any suspected crime or misbehaviour that may be manifested by digital evidence. The digital evidence may be manifest in various forms. It may be manifest on digital electronic devices or computers that are simply passive repositories of evidence that documents the activity, or it may consist of information or meta-information resident on the devices or computers that have been used to actually facilitate the activity, or that have been targeted by the activity. In each of these three cases, we have recorded digital evidence of the activity. This paper examines some recent advances in digital forensics and some important emerging challenges. It considers the following topics: tools and their evolution; the implications of large volumes of data; the impact of embedded and special-purpose computer systems; corporate governance and its implications for 'forensic readiness'; and the role of forensics in securing the Internet.

64 citations


Journal ArticleDOI
01 Jun 2005
TL;DR: The authors suggest an evolved evidence collection methodology which is more responsive to voluminous data cases while balancing the legal requirements for reliability, completeness, accuracy, and verifiability of evidence.
Abstract: Over the past decade or so, well-understood procedures and methodologies have evolved within computer forensics digital evidence collection. Correspondingly, many organizations such as the HTCIA (High Technology Criminal Investigators Association) and IACIS (International Association of Computer Investigative Specialists) have emphasized disk imaging procedures which ensure reliability, completeness, accuracy, and verifiability of computer disk evidence. The rapidly increasing and changing volume of data within corporate network information systems and personal computers is driving the need to revisit current evidence collection methodologies. These methodologies must evolve to maintain the balance between electronic environmental pressures and legal standards. This paper posits that the current methodology, which focuses on collecting entire bit-stream images of the original evidence disk, is increasing legal and financial risks. The first section frames the debate and change drivers for a Risk Sensitive approach to digital evidence collection, which is followed by the current methods of evidence collection along with a cost-benefit analysis. The methodology components of the Risk Sensitive approach to collection are then presented, and the paper concludes with a legal and resource risk assessment of this approach. Anticipated legal arguments are explored and countered, as well. The authors suggest an evolved evidence collection methodology which is more responsive to voluminous data cases while balancing the legal requirements for reliability, completeness, accuracy, and verifiability of evidence.

63 citations


Journal Article
TL;DR: This paper proposes a highly automatic and efficient framework to provide the Case-Relevance information, by binding computer intelligence technology to the current computer forensic framework.
Abstract: Computer Forensics has grown rapidly in recent years. The current computer forensic investigation paradigm is laborious and requires significant expertise on the part of the investigators. This paper proposes a highly automatic and efficient framework to provide the Case-Relevance information, by binding computer intelligence technology to the current computer forensic framework. Computer intelligence is expected to offer more assistance in the investigation procedures and better knowledge reuse and sharing in computer forensics.

Background: Cybercrime is a mirror of the dark side of human society in the cyberworld. Its countermeasure, Computer Forensics, also referred to as Digital Forensic Science, has been explicitly defined as "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." [14] The process of "identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable via the application of computer technology to the investigation of computer based crime" is called Forensic Computing [11] or Digital Evidence Investigation. As almost every piece of digital evidence could be challenged, computer forensic investigators are required to follow a rigorous process path. The work of the First Digital Forensics Research Workshop (DFRWS) [14] established a solid ground and allowed

63 citations


Posted Content
TL;DR: A normative framework for applying the Fourth Amendment to searches of computer data is offered and an exposure theory of Fourth Amendment searches is proposed: any exposure of data to an output device such as a monitor should be a search of that data, and only that data.
Abstract: The new frontier of the Fourth Amendment is the search and seizure of computer data. Created to regulate entering homes and seizing physical evidence, the Fourth Amendment's prohibition on unreasonable searches and seizures is now called on to regulate a very different process: retrieval of digital evidence from electronic storage devices. While obvious analogies exist between searching computers and searching physical spaces, important differences between them will force courts to rethink the basic meaning of the Fourth Amendment's key concepts. What does it mean to search computer data? When is computer data seized? When is a computer search or seizure reasonable? This article offers a normative framework for applying the Fourth Amendment to searches of computer data. It begins by exploring the basic differences between physical searches of physical property and electronic searches of digital evidence. It then proposes an exposure theory of Fourth Amendment searches: any exposure of data to an output device such as a monitor should be a search of that data, and only that data. The exposure approach is then matched with a rule for computer seizures: while copying data should not be deemed a seizure of that data, searches of copies should be treated the same as searches of the original. In the final section, the article proposes a rethinking of the plain view exception in computer searches to reflect the new dynamic of digital evidence investigations. The plain view exception should be narrowed or even eliminated in digital evidence cases to ensure that digital warrants that are narrow in theory do not devolve into general warrants in practice. Tailoring the doctrine in light of the new realities of computer investigations will protect the function of existing Fourth Amendment rules in the new world of digital evidence.

59 citations


Book
03 Oct 2005
TL;DR: This book teaches law enforcement, system administrators, information technology security professionals, legal professionals, and students of computer forensics how to identify, collect, and maintain digital artifacts to preserve their reliability for admission as evidence.
Abstract: As computers and data systems continue to evolve, they expand into every facet of our personal and business lives. Never before has our society been so information and technology driven. Because computers, data communications, and data storage devices have become ubiquitous, few crimes or civil disputes do not involve them in some way. This book teaches law enforcement, system administrators, information technology security professionals, legal professionals, and students of computer forensics how to identify, collect, and maintain digital artifacts to preserve their reliability for admission as evidence. It has been updated to take into account changes in federal rules of evidence and case law that directly address digital evidence, as well as to expand upon portable device collection.

57 citations


Proceedings Article
01 Jan 2005
TL;DR: Techniques to automate the searching process by suggesting what searches could be helpful are introduced and data mining techniques are used to find files and directories created during the incident.
Abstract: Searching for digital evidence is a time consuming and error-prone process. In this paper, we introduce techniques to automate the searching process by suggesting what searches could be helpful. We also use data mining techniques to find files and directories created during the incident. The results from using these techniques on a compromised honeypot system are given and show that the data mining techniques detect a higher percentage of files than a random sampling would, but there are still many false positives. More research into the error rates of manual searches is needed to fully understand the impact of automated techniques.

53 citations


Journal Article
TL;DR: An informal introduction to the finite state machine approach to analysis of digital evidence and its use as a defence tool – for finding weaknesses in the forensic analysis performed by the opposing party – is given.
Abstract: This paper gives an informal introduction to the finite state machine approach to analysis of digital evidence and explores its use as a defence tool – for finding weaknesses in the forensic analysis performed by the opposing party. The key concepts of the finite state machine approach are reviewed, and an example analysis of a published case study is performed. It is shown how the described approach can be used to generate alternative scenarios of the incident.

Journal Article
TL;DR: In this article, a normative framework for applying the Fourth Amendment to searches of computer hard drives and other electronic storage devices is presented, and a number of ways to limit the scope of computer searches are discussed.
Abstract: How does the Fourth Amendment apply to the search and seizure of computer data? The Fourth Amendment was created to regulate entering homes and seizing physical evidence, but its prohibition of unreasonable searches and seizures is now being called on to regulate a very different process: retrieval of digital evidence from electronic storage devices. Although obvious analogies exist between searching physical spaces and searching computers, important differences between them will force courts to rethink the key concepts of the Fourth Amendment. What does it mean to "search" computer data? When is computer data "seized"? When is a computer search or seizure "reasonable"? This Article offers a normative framework for applying the Fourth Amendment to searches of computer hard drives and other storage devices. It begins by exploring the basic differences between physical searches of tangible property and electronic searches of digital evidence. It then considers how the Fourth Amendment should apply when a government investigator retrieves evidence from a person's computer, and concludes that exposing data to an output device such as a monitor should be a Fourth Amendment "search" ordinarily requiring a warrant. Although copying data should not be deemed a "seizure" of that data, imaging a computer should be regulated by the Fourth Amendment and searches of copies should be treated the same as searches of the original. In the final section, the Article considers ways to limit the scope of computer searches. The plain view exception may need to be narrowed or even eliminated in digital evidence cases to ensure that digital warrants that are narrow in theory do not devolve into general warrants in practice. Tailoring the doctrine to the realities of computer investigations will protect the function of existing Fourth Amendment rules in the new environment of digital evidence. 
INTRODUCTION In the last decade, personal computers have become an increasingly important source of evidence in criminal cases. Computers record and store a remarkable amount of information about what users write, see, hear, and do. In a growing number of cases, searching the suspect's personal computer is an essential step in the investigation. The thorny issue for the courts--and the fascinating issue for scholars--is how the Fourth Amendment should regulate the process. How does the Fourth Amendment govern the steps that an investigator takes when retrieving evidence from a personal computer? At present, the answer is surprisingly unclear. (1) Lower courts have just begun to grapple with the question, resulting in a series of tentative and often contradictory opinions that leaves many answers unresolved. (2) The problem is difficult because important differences exist between the mechanisms of physical and digital evidence collection. The Fourth Amendment was drafted to regulate searches of homes and physical property, and the courts have developed clear rules to regulate the enter-and-retrieve mechanism of traditional physical searches. (3) Computer searches offer a very different dynamic: electric heads pass over billions of magnetized spots on metal disks, transforming those spots into data that is processed and directed to users via monitors. How can the old rules fit the new facts? For example, what does it mean to "search" computer data? When is computer data "seized"? When is a search or seizure of computer data "reasonable"? These questions are particularly difficult because computers challenge several of the basic assumptions underlying Fourth Amendment doctrine. Computers are like containers in a physical sense, homes in a virtual sense, and vast warehouses in an informational sense. Which insights should govern? 
This Article develops a normative framework for applying the Fourth Amendment to searches of computer hard drives and other electronic storage devices. (4) It explores the various ways that the Fourth Amendment could apply to the retrieval of evidence from computers and charts out a recommended path. …

Journal ArticleDOI
TL;DR: The ever-changing nature of technology contributes to the problems encountered by experts when collecting and preparing digital evidence for courtroom presentation.
Abstract: The ever-changing nature of technology contributes to the problems encountered by experts when collecting and preparing digital evidence for courtroom presentation.

Journal Article
TL;DR: In this paper, the authors argue that existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence, and suggest what new rules should look like and what institutions should generate them.
Abstract: This essay shows how existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence. It predicts that new rules of criminal procedure will evolve to regulate digital evidence investigations, and offers preliminary thoughts on what those rules should look like and what institutions should generate them. Digital evidence will trigger new rules of criminal procedure because computer-related crimes feature new facts that will demand new law. The law of criminal procedure has evolved to regulate the mechanisms common to the investigation of physical crime, namely the collection of physical evidence and eyewitness testimony. Existing law is naturally tailored to the law enforcement needs and privacy threats they raise. Computers have recently introduced a new form of evidence: digital evidence, consisting of zeros and ones of electricity. Digital evidence is collected in different ways than eyewitness testimony or physical evidence. The new ways of collecting evidence are so different that the rules developed for the old investigations often no longer make sense for the new. Rules that balance privacy and public safety when applied to the facts of physical crime investigations often lead to astonishing results when applied to the facts of computer crime investigations. They permit extraordinarily invasive government powers to go unregulated in some contexts, and yet allow phantom privacy threats to shut down legitimate investigations in others.

This Essay explores the dynamics of computer crime investigations and the new methods of collecting electronic evidence. It contends that the new dynamics demonstrate the need for procedural doctrines designed specifically to regulate digital evidence collection. The rules should impose some new restrictions on police conduct and repeal other limits with an eye to the new social and technological practices that are common to how we use and misuse computers.
Further, the Essay suggests that we should look beyond the judiciary and the Fourth Amendment for the source of these new rules. While some changes can and likely will come from the courts, many more can come from legislatures and executive agencies that can offer new and creative approaches not tied directly to our constitutional traditions. Indeed, a number of new rules are beginning to emerge from Congress and the Courts already. In the last five years, a number of courts have started to interpret the Fourth Amendment differently in computer crime cases. They have quietly rejected traditional rules and created new ones to respond to new facts of how computers operate. At a legislative level, Congress has enacted computer-specific statutes to address other new threats to privacy. The changes are modest ones so far. Taken together, however, the new constitutional and statutory rules may be seen as the beginning of a new subfield of criminal procedure that regulates the collection of digital evidence.

This Essay will proceed in three parts. Part One compares the basic mechanisms of traditional crimes and computer-related crimes. It explains how the switch from physical to electronic crimes brings a switch from physical evidence and eyewitness testimony to digital evidence, and how investigators tend to use very different methods of collecting the two types of evidence. Part Two turns from the facts to the governing law, focusing on the Fourth Amendment's prohibition on unreasonable searches and seizures. It shows that existing Fourth Amendment doctrine is naturally tailored to the facts of physical crimes, but that a number of difficulties arise when that doctrine is applied to the facts of computer crime investigations. Part Three argues that new rules are needed to govern digital evidence collection, and offers preliminary thoughts on what those rules might look like and what institutions should generate them.
It also shows that courts and Congress already have begun responding to the problem of digital evidence with a number of computer-specific rules.

Journal ArticleDOI
TL;DR: An overview of forensic software tools for Personal Digital Assistants (PDAs) is given, providing a snapshot of the capabilities and limitations of present-day tools, along with background information on PDA hardware and software.

Proceedings Article
Lei Pan1, Lynn Batten1
01 Jan 2005
TL;DR: A three-component model of a digital investigation is presented which is generic, scalable and compatible with all functions in the system, and which is guaranteed to produce a high quality of reproducibility.
Abstract: We present a three-component model of a digital investigation which comprises: determination of input-output layers, assignment of read and write operations associated with use of forensic tools, and time-stamping of read and write operations. This builds on work of several authors, culminating in the new model presented here which is generic, scalable and compatible with all functions in the system, and which is guaranteed to produce a high quality of reproducibility.

Posted Content
TL;DR: This article advocates the formal recognition of an evolved digital evidence acquisition process in light of the changing dynamics of computer searches and seizures that entails evidence recovery on live systems via a remote connection (hereinafter, "live-remote").
Abstract: This article advocates the formal recognition of an evolved digital evidence acquisition process in light of the changing dynamics of computer searches and seizures. Other articles have argued for changes in legal procedural rules. This article addresses the other side of the coin, namely, that the changing contexts of computer search and seizure and digital forensic investigation demand an evolution in forensic acquisition methodology, and that this evolved methodology can meet the standards for evidence admissibility and reliability. This methodology entails evidence recovery on live systems via a remote connection (hereinafter, "live-remote").

Proceedings ArticleDOI
06 Nov 2005
TL;DR: This paper describes some cases where CG and VR evidence has been previously admitted to courtrooms and discusses the various factors affecting the admissibility of current digital evidence forms on a global scale, and concludes by introducing new technologies which may have worldwide potential in the field of forensic evidence presentation.
Abstract: The admissibility of the inevitably increasing amount of digital evidence to the world's courtrooms may be one of the keys to the preservation of global justice. Digital evidence can take many forms; this paper will concentrate on both graphical evidence presentation technologies currently in use (such as forensic animations and interactive environments) and potential future applications (e.g. the introduction of more pervasive computer devices). Technologies utilising Computer Graphics (CG) and Virtual Reality (VR) for evidence presentation can have great persuasive powers. These can be perceived as a benefit in increasing the understanding of complicated technical information to a generic audience, or as a threat to justice introducing potential bias and prejudice.

This paper describes some cases where CG and VR evidence has been previously admitted to courtrooms. It goes on to discuss the various factors affecting the admissibility of current digital evidence forms on a global scale and concludes by introducing new technologies which may have worldwide potential in the field of forensic evidence presentation.

Book ChapterDOI
13 Feb 2005
TL;DR: This paper explores three admissibility considerations for scientific evidence currently engaged in U.S. courts: reliability, peer review and acceptance within the relevant community.
Abstract: This paper explores three admissibility considerations for scientific evidence currently engaged in U.S. courts: reliability, peer review and acceptance within the relevant community. Any tool used in a computer forensic investigation may be compared against these considerations, and if found wanting, evidence derived using the tool may be restricted. The ability to demonstrate the reliability and validity of computer forensic tools based on scientific theory is an important requirement for digital evidence to be admissible. A trusted third party certification model is discussed as an approach for addressing this issue.


Proceedings ArticleDOI
07 Nov 2005
TL;DR: This paper inspects the general digital evidence collection process, establishes specific steps for guaranteeing the integrity of digital evidence and memory information collection, and proposes an MDC public system, a MAC system and a public authentication system with PKI as a countermeasure.
Abstract: In this paper, we inspect the general digital evidence collection process, which follows the RFC 3227 document, and establish specific steps for guaranteeing the integrity of digital evidence and memory information collection. EnCase™, which is used globally, has a weakness in that the MDC value of digital evidence can be modified; hence we propose an MDC public system, a MAC system and a public authentication system with PKI as a countermeasure, and we explain each system in detail. Besides, we add a memory dump process to the existing digital evidence collection process, and examine privacy information by dumping a real user's memory and collecting the pagefile, which is part of the virtual memory system.

Book ChapterDOI
13 Feb 2005
TL;DR: A network-based storage architecture that helps address the storage and handling of digital evidence issues and supports collaborative efforts by examiners and investigators located at geographically dispersed sites is described.
Abstract: The storage and handling of digital evidence are creating significant challenges for federal, state and local law enforcement agencies. The problems include acquiring and processing massive amounts of digital evidence, maintaining the integrity of the evidence, and storing digital evidence for extended periods of time. This paper describes a network-based storage architecture that helps address these issues. The architecture also supports collaborative efforts by examiners and investigators located at geographically dispersed sites.

Journal Article
TL;DR: The discipline, its development, and critical issues associated with its practice are described, indicating an abuse of new developments that requires a response by those involved in law enforcement.
Abstract: The number of computer security incidents is growing exponentially and society's collective ability to respond to this crisis is constrained by the lack of trained professionals. The field of computer forensics is relatively new and this paper describes the discipline, its development, and critical issues associated with its practice. The increased use of the Internet and computer technology to commit crimes indicates an abuse of new developments that requires a response by those involved in law enforcement. Cyber crimes and many child-related sex crimes leave clear digital evidence that must be investigated by those who are trained in computer forensics. University computer science programs are perfectly suited to respond to this crisis. With minor changes, computer science programs can address the growing demand for forensics professionals.

Proceedings Article
01 Jan 2005
TL;DR: This paper deals with digital evidence, IT forensics, the nature of digital evidence, the relevance of digital evidence, the digital audit trail, digital evidence and forensic science, the hearsay nature of digital evidence, documentary evidence and digital evidence.
Abstract: This paper deals with the following concepts: Digital evidence, IT forensics, the nature of digital evidence, the relevance of digital evidence, the digital audit trail, digital evidence and forensic science, the hearsay nature of digital evidence, documentary evidence and digital evidence, the best evidence rule, the role of digital evidence, the investigative framework, authorization to collect digital evidence, the acquisition of digital evidence, the analysis of digital evidence, reporting on digital evidence, the presentation of testimony relating to digital evidence.

Journal Article
TL;DR: A prominent banking institution in the United States has submitted an application to have its Computer Forensics unit inspected as the first step towards attaining accreditation.

Dissertation
01 Jan 2005
TL;DR: An alternative way to process large amounts of raw data is suggested, using an approximate search algorithm to help focus on interesting areas of digital media.
Abstract: Computer technology is gaining widespread use, and is becoming an increasingly important factor in our everyday lives. This technology opens up new possibilities, but may also be used as a tool of crime. To counter this, computer forensics professionals analyse data in memory and on hard drives for clues and evidence of such criminal activities. This work has previously involved a significant amount of manual labour, where a computer forensics investigator manually inspected the data. As technology progresses, however, these investigators are faced with a steadily increasing amount of data to process, while the time available for investigations remains relatively constant. This may result in less thorough searches in order to meet a strict deadline, with possible loss of evidence as a result. This thesis takes a closer look at the problem of handling the increasing amounts of data present in modern computer systems in a computer forensics context. We further suggest an alternative way to process large amounts of raw data, using an approximate search algorithm to help focus on interesting areas of digital media. These areas may then be searched and inspected by more precise algorithms in order to pinpoint digital evidence more efficiently.

Book Chapter
13 Feb 2005
TL;DR: Digital forensic procedures for recovering evidence from Linux systems are presented, including methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions.
Abstract: As Linux-kernel-based operating systems proliferate there will be an inevitable increase in Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not necessarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions. All the procedures are accomplished using Linux command line utilities and require no special or commercial tools.

Proceedings Article
07 Nov 2005
TL;DR: A new open source tool, usable on Windows and Linux platforms, for digital evidence extraction from SIM and USIM cards is proposed as a platform for the exchange of ideas, to constitute, free from the logic of copyright, a wide agreement.
Abstract: The aim of this paper is to describe a new open source tool, usable on Windows and Linux platforms, for digital evidence extraction from SIM and USIM cards. Nowadays, closed-source or confidential tools are used for this purpose, and this is contrary to the Daubert test, because it is not possible to gain the high degree of acceptance from the scientific community required by the test itself. This tool is therefore proposed as a platform for the exchange of ideas, to constitute, free from the logic of copyright, a wide agreement. Security features of SIMs hamper in many ways the possibility of dumping a bit-for-bit image of the internal memory. As a consequence, this tool interfaces with SIM cards in the standard way. Data is acquired in raw format (binary data) and represents the digital evidence; interpretation of this raw data at a higher level of abstraction could be the purpose of an extension of this tool aimed at examination of the digital evidence.

Proceedings Article
07 Nov 2005
TL;DR: A cyber crime evidence collection tool called DESK (digital evidence search kit), which is the product of several years of cumulative efforts of the Center together with the Hong Kong Police Force and several other law enforcement agencies of the Hong Kong Special Administrative Region, is described.
Abstract: With the rapid development of electronic commerce and Internet technology, cyber crimes have become more and more common. There is a great need for automated software systems that can assist law enforcement agencies in cyber crime evidence collection. This paper describes a cyber crime evidence collection tool called DESK (digital evidence search kit), which is the product of several years of cumulative efforts of our center together with the Hong Kong Police Force and several other law enforcement agencies of the Hong Kong Special Administrative Region. We use DESK to illustrate some of the desirable features of an effective cyber crime evidence collection tool.

Proceedings Article
07 Nov 2005
TL;DR: An integrated image authentication system for digital forensics is proposed and the improved detection schemes effectively solve the detection problems and take into account the reliability, the security, and the practicability of the system.
Abstract: With the advent of the digital age, digital data has gradually taken the place of the original analog data. However, the authenticity of digital data faces a great challenge because digital editing software is ubiquitous. This has aroused suspicion about the reliability of digital data, especially when digital data is presented to the court as digital evidence. We propose an integrated image authentication system for digital forensics and improve on the detection problems of a DCT quantization-based image authentication scheme. The improved detection schemes effectively solve the detection problems and, at the same time, take into account the reliability, the security, and the practicability of the system. They are expected to reduce the probability of wrong detection for digital evidence. Finally, the improved image authentication schemes are implemented. If the digital evidence presented to the court is under suspicion, the system is expected to provide accurate information to help the judiciary reach a correct and objective verdict.