
Showing papers on "Digital evidence published in 2006"


Journal ArticleDOI
TL;DR: The current article describes the CFFTPM in detail, discusses the model’s forensic soundness, investigative support capabilities and practical considerations, and proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame.
Abstract: With the proliferation of digital-based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time, measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not preclude transporting the system(s)/storage media back to a lab environment for a more thorough examination and analysis once the initial field triage is concluded. The CFFTPM has been successfully used in various real world cases, and its investigative importance and pragmatic approach have been amply demonstrated. Furthermore, the derived evidence from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, discusses the model's forensic soundness, investigative support capabilities and practical considerations.

207 citations


Journal ArticleDOI
Ryan Harris1
TL;DR: This paper attempts to arrive at a standardized method of addressing anti-forensics by defining the term, categorizing the anti-forensics techniques and outlining general guidelines to protect forensic integrity.

163 citations


Book
15 Jun 2006
TL;DR: In this article, the authors provide an excellent introduction to technology-assisted crime and the basics of investigating such crime, from the criminal justice perspective, presenting clear, concise explanations for students and professionals, who need not be technically proficient to find the material easy-to-understand and practical.
Abstract: This innovative text provides an excellent introduction to technology-assisted crime and the basics of investigating such crime, from the criminal justice perspective. It presents clear, concise explanations for students and professionals, who need not be technically proficient to find the material easy-to-understand and practical. The book begins by identifying and defining the most prevalent and emerging high-technology crimes - and exploring their history, their original methods of commission, and their current methods of commission. Then it delineates the requisite procedural issues associated with investigating technology-assisted crime. In addition, the text provides a basic introduction to computer forensics, explores legal issues in the admission of digital evidence, and then examines the future of high-technology crime, including legal responses. Chapters of this title include review questions, further reading, online resources.

89 citations


Journal ArticleDOI
TL;DR: A model based on the history of a computer is used to define categories and classes of analysis techniques that support the existing higher-level frameworks and can be used to more clearly compare the frameworks.

66 citations


Journal ArticleDOI
Philip Turner1
TL;DR: The 'ultimate test' for an intelligent and selective imager approach is defined, and the types of selective imaging that can be performed are defined.

59 citations


Journal ArticleDOI
TL;DR: There is a general tendency among courts to presume that forensic software reliably yields accurate digital evidence, but this presumption is unjustified in that it is not tailored to separate accurate results from inaccurate ones.
Abstract: There is a general tendency among courts to presume that forensic software reliably yields accurate digital evidence. As a judicial construct, this presumption is unjustified in that it is not tailored to separate accurate results from inaccurate ones. The authors illustrate this unfortunate truth by the presentation of two currently uncorrected weaknesses in popular computer forensic tools, methods, and assumptions. Some percentage of these forensic software errors (and ones like them) will necessarily have negative effects on parties, whether in terms of faulty criminal convictions or improper civil judgments. The authors argue that the collective value of these negative effects among parties is far larger than the costs of research and development required to prevent such negative effects. Under a purely rational economic approach to the law, this dynamic constitutes an inefficiency to be corrected through the proper application of rules. The authors advance two approaches to cure current defe...

41 citations


Journal ArticleDOI
Bruce J. Nikkel1
TL;DR: The pervasiveness of network technology is causing a shift in the location of digital evidence, which brings additional challenges which need to be addressed and improvements in the methods for the collection of evidence from live network sources are suggested.

31 citations


01 Jan 2006
TL;DR: This paper proposes a globally unique identification scheme for digital evidence and related metadata, applies the representational approach to the integration of metadata related to digital evidence, and proposes the sealed digital evidence bags architecture.
Abstract: Recently the need for "digital evidence bags", a common storage format for digital evidence, has been identified as a key requirement for enabling inter-organisational sharing of digital evidence, and interoperability between forensic analysis tools. Recent work has described an ontology-based approach to correlation of event-log-based evidence, using semantic web technologies for describing and representing event-log-based digital evidence. In this paper we apply the representational approach to the integration of metadata related to digital evidence, and propose a globally unique identification scheme for digital evidence and related metadata. We relate the representational approach to the digital evidence bags concept, identifying a number of shortcomings. We propose an alternative architecture for digital evidence bags, which we call the sealed digital evidence bags architecture. This approach treats bags as immutable objects, and facilitates the building of a corpus of digital evidence by composition and referencing between evidence bags. This architecture facilitates modular forensic tool development and interoperability between forensics tools.

31 citations


Journal ArticleDOI
TL;DR: The state-of-the-art in the most advanced Steganography tools and techniques available to perpetrators today are discussed.
Abstract: Over the past decade, the advancement of a myriad of methods, techniques and technologies to conceal digital evidence and covertly communicate have increased at an alarming rate. In addition, new information suggests that the download of an arsenal of software tools that perform these functions further suggests greater interest and usage of such cyber weapons. Steganography is here, and combined with the Internet and peer to peer networking, it provides criminals, gangs and terrorists with a viable and covert method of communication with guaranteed evidence concealment. This article discusses, in detail, the state-of-the-art in the most advanced Steganography tools and techniques available to perpetrators today. We include statistics regarding Steganography expansion, growth and usage, and discuss the specific digital forensic artifacts that help lead to discovery and extraction. All of the image files used to develop this article are available for free download from the publisher's online editio...

27 citations


Journal ArticleDOI
TL;DR: A digital evidence bag (DEB) to address advanced evidence storage, preservation, and investigation emerged from a research project funded by the U.S. Air Force Research Laboratory to develop a digital evidence container that would metaphorically mimic the familiar plastic evidence bag used by crime scene investigators.
Abstract: The process of digital investigation and analysis is complex and arduous at best. The dramatic increase in the capacity of hard drives and the availability of FireWire devices in just the past few years has necessitated a new requirement for digital investigation. There is currently a need to capture and analyze transmissions from portable computing devices, and access and investigate high-capacity memory sticks, not only to prosecute dangerous criminals and terrorists, but to attempt to preempt their actions. Today when digital investigators discuss preserving digital evidence they are typically referring to "imaging" the media. As the practicality of using this method becomes obsolete, and live investigation emerges, we must quickly move from the arcane drive image to the next generation, which would be intelligent digital evidence storage. The concept of a digital evidence bag (DEB) to address advanced evidence storage, preservation, and investigation emerged from a research project funded by the U.S. Air Force Research Laboratory. The concept was to develop a digital evidence container that would metaphorically mimic the familiar plastic evidence bag used by crime scene investigators to collect fibers, hair, blood, and other physical crime scene artifacts. Physical evidence containers are trusted because of a well-understood and practiced process called "chain-of-custody." Simply put, this is a process used to maintain and document the chronological history of the evidence once in possession and secured. How does a digital container differ from a physical container? The most important distinction is that a digital container can be duplicated, copied, shared, and distributed and potentially manipulated unless the container itself is secure. One important advantage, however, is the ability to examine the contents of the digital container without ...

24 citations


Journal ArticleDOI
TL;DR: An on-going design and development project between Oklahoma State University’s Center for Telecommunications and Network Security and the Defense Cyber Crimes Center to develop a Repository of Digital Forensic Knowledge has potential to provide exceptional gains in efficiency for examiners and investigators.
Abstract: Many people do all of their banking online, we and our children communicate with peers through computer systems, and there are many jobs that require near continuous interaction with computer systems. Criminals, however, are also “connected”, and our online interaction provides them a conduit into our information like never before. Our credit card numbers and other fiscal information are at risk, our children's personal information is exposed to the world, and our professional reputations are on the line. The discipline of Digital Forensics in law enforcement agencies around the nation and world has grown to match the increased risk and potential for cyber crimes. Even crimes that are not themselves computer-based, may be solved or prosecuted based on digital evidence left behind by the perpetrator. However, no widely accepted mechanism to facilitate sharing of ideas and methodologies has emerged. Different agencies re-develop approaches that have been tested in other jurisdictions. Even within a single agency, there is often significant redundant work. There is great potential efficiency gain in sharing information from digital forensic investigations. This paper describes an on-going design and development project between Oklahoma State University’s Center for Telecommunications and Network Security and the Defense Cyber Crimes Center to develop a Repository of Digital Forensic Knowledge. In its full implementation, the system has potential to provide exceptional gains in efficiency for examiners and investigators. It provides a better conduit to share relevant information between agencies and a structure through which cases can be cross-referenced to have the most impact on a current investigation.

Journal Article
TL;DR: The limitations of extracting data from Google Desktop and other desktop searching utilities are discussed, along with possibilities for future research to ensure that the repositories of information that these programs store may be forensically analysed.
Abstract: This paper discusses the emerging trend of Personal Desktop Searching utilities on desktop computers, and how the information cached and stored with these systems can be retrieved and analysed, even after the original document has been removed. Focusing on the free Google Desktop application, this paper first analyses how the program operates, the processes involved, files created and altered, and methods on retrieving this data without corrupting the contents. Whilst some discussion is specific to the Google Desktop application, other discussion is applicable to the several other, similar available applications. The limitations of extracting data from Google Desktop and other desktop searching utilities are also discussed, along with possibilities for future research to ensure that the repositories of information that these programs store may be forensically analysed.

DOI
01 Jan 2006
TL;DR: The scope of this paper is to compare the different methodologies and procedures in place for the gathering and acquisition of digital evidence and thus define which model will be the most appropriate taxonomy for electronic evidence in the computer forensics analysis phase.
Abstract: The increased risk and incidence of computer misuse has raised awareness in the public and private sectors of the need to develop defensive and offensive responses. Such an increase in the incidence of criminal, illegal and inappropriate computer behaviour has resulted in organizations forming specialist teams to investigate these behaviours. There is now widespread recognition of the importance of specialised forensic computing investigation teams that are able to operate. Forensic analysis is the process of accurately documenting and interpreting information, more precisely digital evidence, for presentation to an authoritative group, which in most cases would be a court of law. At the level of practice these investigative skills extend beyond a methodological approach. The scope of this paper is to compare the different methodologies and procedures in place for the gathering and acquisition of digital evidence and thus define which model will be the most appropriate taxonomy for electronic evidence in the computer forensics analysis phase.

Book ChapterDOI
29 Jan 2006
TL;DR: The trust model proposed in this work takes into account the trust environment and parameters that influence interactions in a computer network being investigated and allows for crimes to be reenacted to create more substantial evidentiary proof.
Abstract: Digital forensics involves the identification, preservation, analysis and presentation of electronic evidence for use in legal proceedings. In the presence of contradictory evidence, forensic investigators need a means to determine which evidence can be trusted. This is particularly true in a trust model environment where computerised agents may make trust-based decisions that influence interactions within the system. This paper focuses on the analysis of evidence in trust-based environments and the determination of the degree to which evidence can be trusted. The trust model proposed in this work may be implemented in a tool for conducting trust-based forensic investigations. The model takes into account the trust environment and parameters that influence interactions in a computer network being investigated. Also, it allows for crimes to be reenacted to create more substantial evidentiary proof.

Patent
Philip Turner1
26 May 2006
TL;DR: In the context of digital evidence gathering and analysis as discussed by the authors, digital evidence is captured in digital evidence bags having an index file and one or more evidence units, the evidence units each comprising an index and an evidence file.
Abstract: Data structures, methods, programs for computers, apparatus and systems for capturing, and analysing digital data, especially in the context of digital evidence gathering and analysis. Digital evidence is captured in digital evidence bags having an index file and one or more evidence units, the evidence units each comprising an index file and an evidence file. The evidence files contain copies of raw captured data whilst the associated index files contain text details of the contents and structure of the evidence files. The tag file contains data descriptive of the source and/or provenance of the evidence units and/or the digital evidence bag as a whole. Index information and evidence data may be in the same or distinct files.


Book ChapterDOI
29 Jan 2006
TL;DR: Some of the principal challenges facing the emerging discipline of digital forensics are engineering in nature, requiring the construction of new software and hardware to enable the collection, retention and examination of potential digital evidence.
Abstract: This essay discusses some of the principal challenges facing the emerging discipline of digital forensics. Most of the challenges have a scientific basis—understanding the needs and limitations caused by changes in the scope and pace of information technology. Others are engineering in nature, requiring the construction of new software and hardware to enable the collection, retention and examination of potential digital evidence. All of the challenges have administrative and legal frameworks within which they must be addressed, and the limits and structures imposed by these frameworks must evolve and be shaped by science, engineering and practice.

Journal Article
TL;DR: Some of the triumphs and pitfalls of including computer forensics as part of an undergraduate information assurance curriculum are discussed.
Abstract: The subject of computer forensics is still new and both challenging and intriguing for students. Cal Poly Pomona has offered this course since September of 2004. The course involves both the technical and legal aspects of investigative procedures as applied to digital evidence. For the instructor, it can involve challenges not found in other areas of information systems. This paper discusses some of the triumphs and pitfalls of including computer forensics as part of an undergraduate information assurance curriculum.

Book ChapterDOI
29 Jan 2006
TL;DR: Native file system support for DEBs is investigated, which has a number of benefits over ad hoc modification of digital evidence bags and an urgent need for digital-forensics-aware operating system components that can enhance the consistency, security and performance of investigations.
Abstract: Digital Evidence Bags (DEBs) are a mechanism for bundling digital evidence, associated metadata and audit logs into a single structure. DEB-compliant applications can update a DEB’s audit log as evidence is introduced into the bag and as data in the bag is processed. This paper investigates native file system support for DEBs, which has a number of benefits over ad hoc modification of digital evidence bags. The paper also describes an API for DEB-enabled applications and methods for providing DEB access to legacy applications through a DEB-aware file system. The paper addresses an urgent need for digital-forensics-aware operating system components that can enhance the consistency, security and performance of investigations.
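The three DEB entries above (the sealed digital evidence bags paper, Turner's patent with its tag file, index files and evidence units, and the DEB-aware file system with its audit log) describe the same container from different angles. The following is an added example, not code from any of those works, that puts the pieces together in one small Python class: a tag file for the bag's provenance, one index file per evidence unit carrying the digest of its evidence file, an append-only audit log, a seal that freezes the bag, and composition by reference so a later bag cites a sealed one instead of modifying it. UUID4 as the globally unique identifier, SHA-256 for digests, JSON as the on-disk encoding and "digest over tag + index + audit" as the seal are all assumptions of this example; the sample evidence bytes are constructed.

```python
"""Sealed digital evidence bag (DEB): a tag file for the bag's provenance,
one index file per evidence unit, the evidence files themselves, an audit
log, and a seal digest that makes the bag immutable once closed.

Added illustration, not code from the sealed-DEB paper, Turner's patent or
the DEB file-system chapter above.  Assumptions: UUID4 as the globally
unique identifier, SHA-256 for all digests, JSON for tag/index/audit
content, and a single digest over tag + index + audit as the seal.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialisation so the seal digest is reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class EvidenceBag:
    def __init__(self, source: str, examiner: str, references=()):
        # Tag file: provenance of the bag as a whole.  'references' holds the
        # ids of sealed bags this bag builds on, instead of editing them.
        self.tag = {"bag_id": str(uuid.uuid4()), "source": source,
                    "examiner": examiner, "references": list(references),
                    "created": datetime.now(timezone.utc).isoformat()}
        self.units = []    # each: {"index": {...}, "evidence": bytes}
        self.audit = []    # append-only log of operations on the bag
        self.seal = None   # set by seal_bag(); the bag is immutable afterwards

    def _log(self, action: str, detail: str) -> None:
        self.audit.append({"n": len(self.audit), "action": action, "detail": detail})

    def add_unit(self, name: str, data: bytes, description: str) -> str:
        if self.seal is not None:
            raise RuntimeError("bag is sealed; build a new bag that references it")
        unit_id = f"{self.tag['bag_id']}/{len(self.units)}"
        index = {"unit_id": unit_id, "name": name, "description": description,
                 "size": len(data), "sha256": sha256_hex(data)}   # the unit's index file
        self.units.append({"index": index, "evidence": data})
        self._log("add_unit", unit_id)
        return unit_id

    def _seal_input(self) -> bytes:
        # The bag index is the list of unit indexes; each carries the digest
        # of its evidence file, so the seal covers the raw bytes as well.
        return canonical({"tag": self.tag, "audit": self.audit,
                          "index": [u["index"] for u in self.units]})

    def seal_bag(self) -> str:
        if self.seal is None:
            self._log("seal", "bag sealed; no further modification permitted")
            self.seal = sha256_hex(self._seal_input())
        return self.seal

    def verify(self) -> bool:
        """True only if the bag is sealed, every evidence file still matches its
        index digest, and tag, index and audit log are unchanged since sealing."""
        if self.seal is None:
            return False
        if any(sha256_hex(u["evidence"]) != u["index"]["sha256"] for u in self.units):
            return False
        return sha256_hex(self._seal_input()) == self.seal


def demo() -> dict:
    # Constructed sample evidence, not data from a real case.
    parent = EvidenceBag("laptop, serial CONSTRUCTED-0001", "examiner A")
    netstat = b"tcp 10.0.0.5:445 ESTABLISHED\n"
    parent.add_unit("netstat.txt", netstat, "live netstat output")
    parent.add_unit("ram-first256.bin", bytes(range(256)), "first 256 bytes of RAM")
    parent.seal_bag()
    ok_sealed = parent.verify()
    try:                               # a sealed bag rejects new units
        parent.add_unit("late.txt", b"x", "added after sealing")
        rejected = False
    except RuntimeError:
        rejected = True
    parent.units[0]["evidence"] = b"tcp 10.0.0.5:445 CLOSED\n"   # tamper
    ok_tampered = parent.verify()
    parent.units[0]["evidence"] = netstat                         # restore
    parent.audit.append({"n": 99, "action": "add_unit", "detail": "forged"})
    ok_forged_audit = parent.verify()
    # Composition: a child bag references the sealed parent instead of editing it.
    child = EvidenceBag("analysis of " + parent.tag["bag_id"], "examiner B",
                        references=[parent.tag["bag_id"]])
    child.add_unit("findings.txt", b"port 445 session matches alert 17\n", "analyst notes")
    child.seal_bag()
    return {"ok_sealed": ok_sealed, "rejected_after_seal": rejected,
            "ok_tampered": ok_tampered, "ok_forged_audit": ok_forged_audit,
            "child_references_parent": child.tag["references"] == [parent.tag["bag_id"]],
            "child_ok": child.verify()}
```

The seal is what turns the container into the "trusted bag" the abstracts ask for: because each unit index holds the digest of its evidence file and the seal covers every index plus the audit log, changing a byte of evidence, rewriting a description, or appending a forged audit entry after sealing all fail `verify()`. What the seal cannot do on its own is prove who sealed it or when; in practice the seal digest is signed or recorded in an external chain-of-custody log, which this example leaves out.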

Proceedings Article
01 Jan 2006
TL;DR: This paper examines the general digital evidence collection process according to the RFC 3227 document, establishes specific steps for memory information collection, and reports the discovery of sensitive data such as passwords and user IDs in half of the pagefiles examined.
Abstract: In this paper, we examine the general digital evidence collection process according to the RFC 3227 document [1], and establish specific steps for memory information collection. In addition, we add a memory dump process to the existing digital evidence collection process, and examine private information by dumping a real user's memory and collecting the pagefile, which is part of the virtual memory system. In particular, we discovered sensitive data such as passwords and user IDs in half of the pagefiles. Moreover, we suggest analysis techniques and a computer forensic process for memory information and virtual memory.
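The finding above, credentials left behind in the pagefile, is easy to reproduce once the pagefile has been collected. The following is an added example, not the paper's tool or procedure, of the scan a practitioner would run over an acquired pagefile: it carves printable runs in both ASCII and UTF-16LE (Windows keeps much user-facing text in UTF-16LE, so an ASCII-only `strings` pass misses it), matches credential-looking `field=value` and `field: value` pairs, and reports the byte offset of each hit so the finding can be tied back to the image. The sample bytes are constructed, and the list of field names is an assumption about what login forms and prompts leave in memory. A redacted report function is included because, as the abstract notes, the material is a real user's private data.

```python
"""Carving credential-like strings out of a pagefile fragment.

Added illustration, not the tool or procedure from the paper above.  The
sample bytes are constructed; the credential field names are an assumption
about what web forms and login prompts leave behind in memory.
"""
import re

# Constructed pagefile fragment: ASCII and UTF-16LE text mixed with binary
# filler.  Windows stores much user-facing text as UTF-16LE, so a scan that
# only looks for ASCII misses part of what is there.
SAMPLE_PAGEFILE = (
    b"\x00\x00\x10\x20" * 8
    + b"userID=alice&password=Summer2006!&submit=Login"
    + b"\xff\xfe\x00\x00"
    + "Password: hunter2".encode("utf-16-le")
    + b"\x00" * 16
    + b"GET /index.html HTTP/1.1\r\n"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Field name, separator, then a value that stops at whitespace or a
# form-field delimiter (& or ;).  Longer names first so 'userid' beats 'user'.
CRED = re.compile(
    r"(?i)\b(password|passwd|pwd|userid|username|user|login)\s*[:=]\s*([^\s&;]+)"
)


def extract_strings(blob: bytes):
    """Yield (byte offset, encoding, text) for every printable run of 6+ chars."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_credentials(blob: bytes) -> list:
    """One hit per credential-looking field.  'offset' is the byte offset of
    the field name in the blob (UTF-16LE characters are two bytes each)."""
    hits = []
    for run_offset, encoding, text in extract_strings(blob):
        width = 2 if encoding == "utf-16le" else 1
        for m in CRED.finditer(text):
            hits.append({"offset": run_offset + m.start() * width,
                         "encoding": encoding,
                         "field": m.group(1), "value": m.group(2)})
    return hits


def redacted_report(blob: bytes) -> list:
    """Triage note that records where credentials were found and how long
    they are, without copying the secret itself into the report."""
    return [{"field": h["field"], "encoding": h["encoding"],
             "offset": h["offset"], "value_len": len(h["value"])}
            for h in find_credentials(blob)]


if __name__ == "__main__":
    for entry in redacted_report(SAMPLE_PAGEFILE):
        print(entry)
```

Two caveats carry over from the abstract's collection steps: the pagefile must be acquired before the machine is shut down or the lock on it will be gone along with any ordering the live system imposed, and the scan is a triage aid, not proof of anything; each hit still has to be related back to the process or document that wrote it.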

DOI
01 Jan 2006
TL;DR: In this article, the authors provide some translation tools and methods to assist the IT professional in giving comprehensible forensic evidence in a criminal prosecution or at Industrial Relations Commissions to jurors and the judiciary about highly complex IT concepts and recovery methodology.
Abstract: An expert in IT forensics can discover significant and damning evidence that may convict a suspect. However, no matter how momentous the evidence or how clever you may have been at recovering it, if you can’t present the evidence in a coherent and understandable way to the court the case may be lost. This paper will attempt to provide you with some translation tools and methods to assist the IT professional in giving comprehensible forensic evidence in a criminal prosecution or at Industrial Relations Commissions to jurors and the judiciary about highly complex IT concepts and recovery methodology. By using these methods, you will have an increased likelihood of your evidence being accepted and understood.

Journal Article
TL;DR: The presented monograph deliberates the faultlessness-establishing chain procedures in disk forensics, system forensics, network forensics, mobile forensics and database forensics so that the products of investigation will be accepted as leading evidence.
Abstract: Computer forensics functions by preserving the effects and extracting the evidence of the side effects for production in court. If the faultlessness of the digital evidence has been compromised during the investigation, critical evidence may be denied or not even be presented at trial. The presented monograph deliberates the faultlessness-establishing chain procedures in disk forensics, system forensics, network forensics, mobile forensics and database forensics. Once faultlessness is established by the proposed methods, the products of the investigation will be accepted as leading evidence. Moreover, the issues and alternatives in the reality of digital investigation are presented along with actual computer forensics cases, hopefully contributing to advances in computer digital forensics and the field research of information security.

Patent
11 Oct 2006
TL;DR: In this paper, a method for preserving the integrity of data evidence obtained through computer forensic acquisition is disclosed, which addresses the problem that existing techniques cannot protect the integrity of evidence information in real time.
Abstract: The invention discloses a method for preserving the integrity of data evidence based on computer evidence acquisition, which solves the problem that existing techniques cannot protect the integrity of evidence information in real time. When the i-th information record m_i is generated, it is copied, signed and securely stored (as m_i'), the computer system S producing the digital signature (r_i, s_i) of m_i. When signing is complete, S sends the signature (r_i, s_i), the information record m_i', the record serial number i and the record generation time t_i to the safe storage object M, and applies the secure hash algorithm to compute the information digest over m_i' || i || t_i || SHA(i-1), completing the storage process. The invention protects the evidence in real time, both while an intrusion is under way and before it occurs, so that the evidence cannot be destroyed.
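The abstract gives the scheme in one sentence: each record is copied, numbered, time-stamped, hashed together with the digest of the previous record, signed, and handed to a separate safe-storage object M. The following added example, not the patent's own code, implements exactly that chain and then shows what it does and does not catch. Assumptions of the example: SHA-256 as the secure hash algorithm; an HMAC-SHA256 tag stands in for the (r_i, s_i) signature pair so the example runs on the Python standard library alone (with HMAC anyone holding the key can re-sign, so the key must not live on M; a real deployment uses the asymmetric signature the patent describes); SHA(0) is the digest of a fixed genesis string; and the four fields are JSON-encoded rather than concatenated so that field boundaries are unambiguous. The log lines are constructed.

```python
"""Hash-chained, signed evidence records, after the scheme in the patent
abstract above: each record m_i is copied (m_i'), numbered (i), time-stamped
(t_i), linked to the previous record through SHA(i-1), signed, and handed to
a separate safe-storage object M.

Added illustration, not the patent's code.  Assumptions: SHA-256 as the
secure hash algorithm; an HMAC-SHA256 tag stands in for the (r_i, s_i)
signature pair so the example runs on the standard library alone; SHA(0) is
the digest of a fixed genesis string; fields are JSON-encoded rather than
concatenated so their boundaries are unambiguous.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = hashlib.sha256(b"genesis").hexdigest()   # stands in for SHA(0)


def record_digest(m_copy: bytes, i: int, t_i: int, prev_digest: str) -> str:
    # SHA(m_i' || i || t_i || SHA(i-1)), with JSON framing instead of raw
    # concatenation so that no two field boundaries can be confused.
    encoded = json.dumps([m_copy.hex(), i, t_i, prev_digest]).encode()
    return hashlib.sha256(encoded).hexdigest()


class SafeStorage:
    """The safe storage object M: holds the signed, chained records."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.records = []

    def head(self) -> str:
        """Digest of the newest record.  Publish it out of band (a printout,
        write-once media) so that removal of the newest records is detectable."""
        return self.records[-1]["digest"] if self.records else GENESIS

    def _sign(self, digest: str) -> str:
        return hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()

    def append(self, m_i: bytes, t_i: int) -> dict:
        # System S: copy m_i, chain the copy to the previous digest, sign, store.
        i = len(self.records)
        digest = record_digest(m_i, i, t_i, self.head())
        rec = {"i": i, "t": t_i, "m": m_i, "digest": digest, "sig": self._sign(digest)}
        self.records.append(rec)
        return rec

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first record that fails, or None if the whole
        chain (and, when given, the published head digest) checks out."""
        prev = GENESIS
        for pos, rec in enumerate(self.records):
            if rec["i"] != pos:
                return pos     # a record was removed or reordered
            if record_digest(rec["m"], rec["i"], rec["t"], prev) != rec["digest"]:
                return pos     # content, time stamp or link altered after storage
            if not hmac.compare_digest(self._sign(rec["digest"]), rec["sig"]):
                return pos     # digest rewritten by someone without the key
            prev = rec["digest"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)   # tail of the chain truncated
        return None


def demo() -> dict:
    # Constructed log lines, not from a real system.
    store = SafeStorage(signing_key=b"constructed demo key")
    lines = [b"sshd: accepted password for root from 10.0.0.9",
             b"sudo: root : COMMAND=/bin/vi /etc/shadow",
             b"rm: removed /var/log/auth.log"]
    for n, line in enumerate(lines):
        store.append(line, t_i=1_150_000_000 + n)
    published_head = store.head()
    clean = store.verify(published_head)
    store.records[1]["m"] = b"sudo: root : COMMAND=/bin/ls"   # intruder rewrites record 1
    tampered = store.verify(published_head)
    store.records[1]["m"] = lines[1]                          # restore
    store.records.pop()                                       # intruder deletes newest record
    truncated_unanchored = store.verify()
    truncated_anchored = store.verify(published_head)
    return {"clean": clean, "tampered": tampered,
            "truncated_unanchored": truncated_unanchored,
            "truncated_anchored": truncated_anchored}
```

The last two results in `demo()` are the practical point: the chain by itself detects any edit, reordering or deletion of an earlier record, but it says nothing about records removed from the end, because a shortened chain is still internally consistent. The "real-time" protection the patent claims therefore depends on the newest digest being pushed somewhere the intruder cannot reach, which is why `head()` exists and why `verify()` takes an expected head.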

Book ChapterDOI
28 Aug 2006
TL;DR: This study has confirmed that the Non-QA and QA evidence collection models meet the cost-effectiveness requirements and provide a practical solution to guarantee a certain level of quality of assurance for network forensics.
Abstract: Network forensics involves the process of identifying, collecting, analyzing and examining the digital evidence extracted from network traffic and network security element logs. One of the most challenging tasks for network forensics is how to collect enough information in order to reconstruct the attack scenarios. Capturing and storing data packets from networks consumes a lot of resources: CPU power and storage capacity. The emphasis of this paper is on the development of an evidence collection control mechanism that produces solutions close to optimal, with a reasonable forensic service request acceptance ratio and tolerable data capture losses. In this paper, we propose two evidence collection models, Non-QA and QA, with preferential treatments for network forensics. They are modeled as Continuous Time Markov Chains (CTMC) and are solved by LINGO. Performance metrics in terms of the forensic service blocking rate, the storage utilization and trade-off cost are assessed in detail. This study has confirmed that the Non-QA and QA evidence collection models meet the cost-effectiveness requirements and provide a practical solution to guarantee a certain level of quality of assurance for network forensics.



Journal Article
TL;DR: Under the proposed Rules, producing parties will no longer be obligated to produce all relevant, non-privileged documents and will arguably be allowed to destroy incriminating documents under a document retention policy without the threat of court-imposed sanctions.
Abstract: I. INTRODUCTION At its June 2005 meeting, the Standing Committee on the Federal Rules approved amendments to the Federal Rules of Civil Procedure ("Rules") in large part to accommodate the increasingly important, and often under-utilized, discovery method referred to as electronic discovery. The proposed changes amend Rule 26(b)(2)(B)-(C) to construct a two-tiered process for electronic discovery production requests. The first tier requires responding parties to produce all relevant accessible data stored on their digital storage systems along with a description by category and location of all relevant not reasonably accessible data that may be on their systems. Data that is "not reasonably accessible" is presumptively outside the scope of discovery unless the requesting party can show "good cause," which is an ambiguous standard because the phrase "good cause" is undefined. Litigants enter the second tier of the e-discovery process when the requesting party establishes "good cause," permitting the court to hear arguments from both litigants and to weigh the cost of production against the purported need. Pursuant to the new Rules, even if the requesting party agrees to pay the discovery costs, a court can nevertheless prohibit data discovery if the producing party's burden in reviewing the information for relevance and privilege exceeds the purported need. In addition, Rule 37(f), adopted in conjunction with the Rule 26(b)(2) amendments, removes the threat of judicially imposed sanctions absent "exceptional circumstances" for data lost because of the routine, good-faith operation of an electronic information system. Under the proposed Rules, producing parties will no longer be obligated to produce all relevant, non-privileged documents, and will arguably be allowed to destroy incriminating documents under a document retention policy without the threat of court-imposed sanctions. The Standing Committee on the Federal Rules' solution represents an equitable compromise between escalating discovery costs and enforcing compliance with broad discovery requests to facilitate discovery of facts relevant to a particular litigation. This burden has largely been driven by declining electronic document storage device costs coupled with sizable increases in the amount of digitally stored data, resulting in a larger document pool and generally increasing the costs of retrieving and reviewing electronic documents. Arguably, the Advisory Committee's proposals do not reach a proper balance between cost management and the judicial doctrine of broad discovery. If adopted, the proposed Rules may enable litigants to engage in discovery abuse by hiding or destroying incriminating digital evidence. The proposed Rules also provide greater protection to data that is not reasonably accessible and restrict the judiciary's ability to impose sanctions on litigants. By providing greater protection for data that is not reasonably accessible, the proposed Rules encourage both software programmers and system architects to design and develop software storage solutions that render data "not reasonably accessible" by making access to the data fiscally or technically impractical. By recharacterizing accessible data as "not reasonably accessible," these parties obviate their production duties pursuant to the proposed Rules. These litigants would store data on inefficient storage systems, making it unduly burdensome or expensive to (1) search for data, (2) restore data, or (3) change the data's format, therefore making discovery more difficult. Additionally, producing parties may obstruct the operation of the two-tiered e-discovery process by failing to disclose adequate descriptions of data categories, descriptors, or designs containing relevant accessible or inaccessible data stored on the litigants' systems. Finally, the proposed Rule amendments may frustrate the doctrine of broad discovery by shifting costs to requesting parties, forcing them to endure additional rounds of e-discovery motion practice. …

Proceedings ArticleDOI
22 Sep 2006
TL;DR: This paper looks at the various aspects of computer forensics evidence management, from the initial crime and collecting and processing the evidence, through handing the case over to the proper authorities.
Abstract: Computer forensics is a new and emerging field in information security that requires specialized skills in order to collect and preserve data on systems that have been breached by a hacker, either internal or external to the company. Collecting and processing a digital crime scene can be a difficult, time consuming, and time sensitive task. This paper looks at the various aspects of computer forensics evidence management, from the initial crime and collecting and processing the evidence, through handing the case over to the proper authorities.