
Showing papers on "Digital evidence published in 2010"


Journal ArticleDOI
TL;DR: This paper examines the legal aspects of digital forensic investigations of cloud computing systems, a new paradigm to the distributed processing of digital data.

120 citations


Journal ArticleDOI
TL;DR: It is demonstrated that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.
Abstract: Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. The primary storage technology used for digital information has remained constant over the last two decades, in the form of the magnetic disc. Consequently, investigative, forensic, and judicial procedures are well-established for magnetic disc storage devices (Carrier, 2005). However, a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community. Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis. Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.

65 citations


Proceedings ArticleDOI
25 Mar 2010
TL;DR: Pro-active DF (ProDF) as defined in this paper will enable an organization to take the initiative by implementing adequate measures to become DF ready, demonstrate due diligence for good corporate Governance, and provide a mechanism to assess and improve IT Governance frameworks.
Abstract: Most organizations underestimate the demand for digital evidence [1]. Often, when evidence is required to prove fraudulent transactions, not enough or trustworthy evidence is available to link the attacker to the incident. It is essential for organizations to prepare themselves for digital Forensic (DF) investigations and ensure that the entire organizational operating environment is prepared, for example for an investigation (criminal or internal) or for compliance tests. The accepted literature on DF readiness concentrates mainly on evidence identification, handling and storage, first line incident response and training requirements [2]. It does not consider the proactive application of DF tools to enhance the corporate governance structures (specifically Information Technology (IT) governance). Pro-active DF (ProDF) as defined in this paper will enable an organization to take the initiative by implementing adequate measures to become DF ready, demonstrate due diligence for good corporate Governance, specifically IT Governance, and provide a mechanism to assess and improve IT Governance frameworks. The purpose of this paper is to define, identify goals, steps, and deliverables of ProDF, identify dimensions of DF, and propose a theoretical DF management framework to guide the implementation of ProDF in an organization.

57 citations


Proceedings ArticleDOI
25 Mar 2010
TL;DR: The paper proposes that DF consists of three components: Pro-active, Active and Re-active (ReDF).
Abstract: We are living in a world where there is an increasing need for evidence in organizations. Good digital evidence is becoming a business enabler. Very few organizations have the structures (management and infrastructure) in place to enable them to conduct cost effective, low-impact and efficient digital investigations [1]. Digital Forensics (DF) is a vehicle that organizations use to provide good and trustworthy evidence and processes. The current DF models concentrate on reactive investigations, with limited reference to DF readiness and live investigations. However, organizations use DF for other purposes, for example compliance testing. The paper proposes that DF consists of three components: Pro-active (ProDF), Active (ActDF) and Re-active (ReDF). ProDF concentrates on DF readiness and the proactive responsible use of DF to demonstrate good governance and enhance governance structures. ActDF considers the gathering of live evidence during an ongoing attack with a limited live investigation element, whilst ReDF deals with the traditional DF investigation. The paper discusses each component and the relationship between the components.

52 citations


Proceedings ArticleDOI
30 Sep 2010
TL;DR: This paper aims to determine, from literature, the concepts of Digital Forensic Readiness and how they apply to SMEs; the aspects of Digital Forensics and organisational characteristics that should be included in such a framework are highlighted.
Abstract: In this digital age, most business is conducted electronically. This contemporary paradigm creates openings for potentially harmful unanticipated information security incidents of either a criminal or civil nature, with the potential to cause considerable direct and indirect damage to smaller businesses. Electronic evidence is fundamental to the successful handling of such incidents. If an organisation does not prepare proactively for such incidents, it is highly likely that important relevant digital evidence will not be available. Not being able to respond effectively could be extremely damaging to smaller companies, as they are unable to absorb losses as easily as larger organisations. In order to prepare smaller businesses for incidents of this nature, the implementation of Digital Forensic Readiness policies and procedures is necessitated. Numerous varying factors, such as the perceived high cost as well as the current lack of forensic skills, make the implementation of Digital Forensic Readiness appear difficult if not infeasible for smaller organisations. In order to solve this problem it is necessary to develop a scalable and flexible framework for the implementation of Digital Forensic Readiness based on the individual risk profile of a small to medium enterprise (SME). This paper aims to determine, from literature, the concepts of Digital Forensic Readiness and how they apply to SMEs. Based on the findings, the aspects of Digital Forensics and organisational characteristics that should be included in such a framework are highlighted.

51 citations


Proceedings ArticleDOI
25 Mar 2010
TL;DR: A set of generic target artefacts is proposed that defines information that may be targeted for recovery and the meaning that can be inferred from this and showed that it is feasible to recover the target data as applied to Skype, which would not be otherwise available.
Abstract: The use of Internet based communication technologies has become more prevalent in recent years. Technologies such as Skype provide a highly secure and decentralised method of communication. These technologies may also leave little evidence on static media causing conventional digital forensic processes to be ineffective. This research looks at exploiting physical memory to recover evidence from Internet based communication technologies where conventional methods cannot. The paper first proposes a set of generic target artefacts that defines information that may be targeted for recovery and the meaning that can be inferred from this. A controlled test was then undertaken where Skype was executed and the memory from the target machine collected. The analysis showed that it is feasible to recover the target data as applied to Skype, which would not be otherwise available. As this is the first set of tests of a series, the future direction is also discussed.

50 citations


Journal ArticleDOI
TL;DR: In this paper, the authors present a systematic analysis of the relationship between downloaded material and potential risk, rather than being regarded as an impenetrable confusion of information, it is possible to regard downloaded material as a golden opportunity to analyse unequivocal evidence of sexual and possibly also personality deviance known to be associated with risk.
Abstract: There is a widely held view among the general public and some professionals that individuals convicted or cautioned solely for internet-related offences inevitably present a significant risk of direct harm to children. Insofar as evidence in relation to this exists, it seems to indicate that internet offenders constitute a heterogeneous group, some of whom may present a significant risk of future contact offending, but many of whom, perhaps a majority, do not. It is essential that risk assessment procedures are developed which can discriminate reliably between relatively high-risk and low-risk groups. The sheer volume, complexity and inaccessibility of digital evidence has deterred a systematic analysis of the relationship between downloaded material and potential risk. However, rather than being regarded as an impenetrable confusion of information, it is possible to regard downloaded material as a golden opportunity to analyse unequivocal evidence of sexual and possibly also personality deviance known to be associated with risk. It also offers the potential of informing and validating other assessment procedures, including interview.

41 citations


Proceedings Article
24 May 2010
TL;DR: This paper will present a valid time stamping method to signing a digital evidence in all stages of digital investigation process and it will be used to prove the time when the staff access the evidence in any stages of forensic investigation.
Abstract: The integrity of digital evidence plays an important role in the digital process of forensic investigation. Proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled with. There are several adapted methods for evidence digital signing to (im)prove the integrity of digital evidence. Most forensic tools and applications use a certain kind of hashing algorithm to allow investigators later to verify the disk or image integrity. In this process there is a problem of binding integrity, identity and date and time of access to digital evidence. In this paper the authors will present a valid time stamping method to signing a digital evidence in all stages of digital investigation process. Time stamp will be obtained from the secure third party (Time Stamp Authority). It will be used to prove the time when the staff access the evidence in any stages of forensic investigation.

39 citations


Proceedings Article
21 Jun 2010
TL;DR: A life cycle of digital evidence and problems with implementation of chain of custody in digital investigation and new framework based on Five WS will be presented.
Abstract: Chain of custody plays an important role in digital forensic investigation. Contact with different variables occurs through a life cycle of digital evidence. To prove chain of custody, investigators must know all details on how the evidence was handled every step of the way. "Five WS (and one H)" must be applied. The life cycle of digital evidence is very complex, and at each stage there is more impact that can violate a chain of custody. This paper presents a life cycle of digital evidence and problems with implementation of chain of custody in digital investigation. The authors also warn of certain shortcomings in terms of answering specific questions, and give some recommendations for further research. A new framework based on Five WS will be presented.

36 citations


Proceedings ArticleDOI
20 May 2010
TL;DR: The attestation of the correct operation of the evidence collector is discussed in this paper and an implemented solution is presented.
Abstract: Non-repudiation of digital evidence is required by various use cases in today’s business cases for example in the area of medical products but also in public use cases like congestion charges. These use cases have in common that at a certain time an evidence record is generated to attest for the occurrence of a certain event. To allow for non-repudiation of such an evidence record it is required to provide evidence on the used device itself, its configuration, and the software running at the time of the event. Digital signatures as used today provide authenticity and integrity of the evidence record. However the signature gives no information about the state of the Measurement Instrument at the time of operation. The attestation of the correct operation of the evidence collector is discussed in this paper and an implemented solution is presented.

34 citations


Journal ArticleDOI
TL;DR: This study is the first in the U.S. to analyze judges and digital forensics, thus opening up a new avenue of research and demonstrating the applicability of that methodology to this discipline.
Abstract: As digital evidence grows in both volume and importance in criminal and civil courts, judges need to fairly and justly evaluate the merits of the offered evidence. To do so, judges need a general understanding of the underlying technologies and applications from which digital evidence is derived. Due to the relative newness of the computer forensics field, there have been few studies on the use of digital forensic evidence and none about judges' relationship with digital evidence. This study addressed judges' awareness, knowledge, and perceptions of digital evidence, using grounded theory methods. The interaction of judges with digital evidence has a social aspect that makes a study of this relationship well suited to grounded theory. This study gathered data via a written survey distributed to judges in the American Bar Association and National Judicial College, followed by interviews with judges from Massachusetts and Vermont. The results indicated that judges generally recognize the importance of evidence derived from digital sources, although they are not necessarily aware of all such sources. They believe that digital evidence needs to be authenticated just like any type of evidence and that it is the role of attorneys rather than of judges to mount challenges to that evidence, as appropriate. Judges are appropriately wary of digital evidence, recognizing how easy it is to alter or misinterpret such evidence. Less technically aware judges appear even more wary of digital evidence than their more knowledgeable peers. Judges recognize that they need additional training in computer and Internet technology as well as the computer forensics process and digital evidence, citing a lack of availability of such training. This training would enable judges to better understand the arguments presented by lawyers, testimony offered by technical witnesses, and judicial opinions forming the basis of decisional law. A framework for such training is provided in this report.
This study is the first in the U.S. to analyze judges and digital forensics, thus opening up a new avenue of research. It is the second time that grounded theory has been employed in a digital forensics study, demonstrating the applicability of that methodology to this discipline.

Journal ArticleDOI
TL;DR: The paper argues the need for a new science resulting from the integration of digital forensics with diplomatics, archival science, information science and the law of evidence, and describes its nature and content and proposes ways of delivering it.
Abstract: This paper introduces the Digital Records Forensics project, a research endeavour located at the University of British Columbia in Canada and aimed at the development of a new science resulting from the integration of digital forensics with diplomatics, archival science, information science and the law of evidence, and of an interdisciplinary graduate degree program, called Digital Records Forensics Studies, directed to professionals working for law enforcement agencies, legal firms, courts, and all kind of institutions and business that require their services. The program anticipates the need for organizations to become “forensically ready,” defined by John Tan as “maximizing the ability of an environment to collect credible digital evidence while minimizing the cost of an incident response (Tan, 2001).” The paper argues the need for such a program, describes its nature and content, and proposes ways of delivering it.

Journal ArticleDOI
TL;DR: In this paper, a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators to perform routine investigations without becoming overwhelmed by low-level details.
Abstract: Recent trends in global networks are leading toward service-oriented architectures and sensor networks. On one end of the spectrum, this means deployment of services from numerous providers to form new service composites, and on the other end this means the emergence of the Internet of things. Both of these kinds belong to a plethora of realms and can be deployed in many ways, which will pose serious problems in cases of abuse. Consequently, both trends increase the need for new approaches to digital forensics that would furnish admissible evidence for litigation. Because technology alone is clearly not sufficient, it has to be adequately supported by appropriate investigative procedures, which have yet to become a subject of an international consensus. This paper therefore provides a holistic framework to foster an internationally agreed upon approach in digital forensics along with necessary improvements. It is based on a top-down approach, starting with legal, continuing with organizational, and ending with technical issues. More precisely, the paper presents a new architectural technological solution that addresses the core forensic principles at its roots. It deploys so-called leveled message authentication codes and digital signatures to provide data integrity in a way that significantly eases forensic investigations into attacked systems in their operational state. Further, using a top-down approach, a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators to perform routine investigations without becoming overwhelmed by low-level details. As low-level details should not be left out, the framework is further evaluated to include these details to allow organizations to configure their systems for proactive collection and preservation of potential digital evidence in a structured manner.
The main reason behind this approach is to stimulate efforts on an internationally agreed "template legislation," similarly to model law in the area of electronic commerce, which would enable harmonized national implementations in the area of digital forensics.

Journal ArticleDOI
TL;DR: The Registry structure of Windows 7 is discussed together with several elements of information within the Registry of Windows 7 that may be valuable to a forensic investigator; these are categorized into five groups, which are system, application, networks, attached devices and the history lists.
Abstract: The recovery of digital evidence of crimes from storage media is an increasingly time consuming process as the capacity of the storage media is in a state of constant growth. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media. These two factors, when combined, may result in a delay in bringing a case to court. The concept of this paper is to start the initial forensic analysis of the storage media in locations that are most likely to contain digital evidence, the Windows Registry. Consequently, the forensic analysis process and the recovery of digital evidence may take less time than would otherwise be required. In this paper, the Registry structure of Windows 7 is discussed together with several elements of information within the Registry of Windows 7 that may be valuable to a forensic investigator. These elements were categorized into five groups which are system, application, networks, attached devices and the history lists. We have discussed the values of identified elements to a forensic investigator. Also, a tool was implemented to perform the function of extracting these elements and presenting them in usable form to a forensics investigator.

07 Sep 2010
TL;DR: In this paper, the authors present a framework which can im(prove) chain of custody of digital evidence in all stages of digital investigation process, which can include information on how evidence is collected, transported, analyzed, preserved, and handled with.
Abstract: Chain of custody plays a very important role in the digital forensic investigation process. To prove chain of custody, investigators must know all details on how the evidence was handled every step of the way. "Five WS (and one H)" must be applied. The life cycle of digital evidence is very complex, and at each stage there is more impact that can violate a chain of custody. Proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled with. This paper presents a framework which can im(prove) chain of custody of digital evidence in all stages of the digital investigation process.

Book ChapterDOI
01 Jan 2010
TL;DR: This work summarizes biometric evidence as well as file type evidence extraction "exported" as formal Forensic Lucid language expressions in the form of higher-order intensional contexts for further case analysis by a system that interprets Forensic Lucid expressions for claim verification and event reconstruction.
Abstract: In this work we summarize biometric evidence as well as file type evidence extraction "exported" as formal Forensic Lucid language expressions in the form of higher-order intensional contexts for further case analysis by a system that interprets Forensic Lucid expressions for claim verification and event reconstruction. The digital evidence is exported from the Modular Audio Recognition Framework (MARF)'s applications' runs on a set of data comprising biometric voice recordings for speaker, gender, spoken accent, etc. as well as more general file type analysis using signal and pattern recognition processing techniques. The focus is on the translation aspect of the extracted evidence into formal Forensic Lucid expressions for further analysis.

Journal ArticleDOI
TL;DR: This study tends to prove that some smartphones bootloaders can be used to acquire data to preserve the digital evidence integrity and proposes methods to process specific files with specific formats such as registry hives and the cemail.vol file, including the retrieval of deleted data still embedded in this file.

Book ChapterDOI
01 Jan 2010
TL;DR: How digital evidence that is properly interpreted can be used to apprehend offenders, gain an insight into their intent, assess alibis and statements, authenticate documents, by focusing on the use of digital evidence to reconstruct actions taken in furtherance of a crime is demonstrated.
Abstract: Publisher Summary This chapter discusses important aspects of analyzing digital evidence to help investigators reconstruct an offense and assess the strength of their conclusions. It demonstrates how digital evidence that is properly interpreted can be used to apprehend offenders, gain an insight into their intent, assess alibis and statements, authenticate documents, by focusing on the use of digital evidence to reconstruct actions taken in furtherance of a crime. A fictional digital forensic investigation scenario is used throughout this chapter to demonstrate key points. Digital evidence can help answer many questions in an investigation ranging from the whereabouts of a victim at a given time, to the state of mind of the offender. Evidence on computers and networks should be included whenever feasible in crime reconstructions. People use technology in creative ways that can complicate the forensic analysis process, particularly when attempts are made to conceal digital evidence. Computers also have many subsystems that interact in ways that can complicate the forensic analysis process. In all cases, given the malleability and multivalent nature of digital evidence, it is necessary to seek corroborating evidence from multiple independent sources. The risk of missing or misinterpreting important details highlights the importance of utilizing the scientific method to reach objective conclusions that are solidly based in the evidence.

Journal ArticleDOI
TL;DR: A framework which includes safe, secure, trusted, and auditable services, as well as forensic mechanisms to provide audit trails for digital evidence of transactions and protection against malicious and illegal activities is proposed.
Abstract: Purpose – There is a need to provide secure and safe information security systems through the use of firewalls, intrusion detection and prevention systems, encryption, authentication, and other hardware and software solutions. The purpose of this paper is therefore to propose a framework which includes safe, secure, trusted, and auditable services, as well as forensic mechanisms to provide audit trails for digital evidence of transactions and protection against malicious and illegal activities.Design/methodology/approach – The paper reviews the literature as the foundation and knowledge base for the proposed framework and system of secure and trustworthy mobile agent (MA)‐based e‐marketplaces. It consists of the current state of the art taxonomy for the classified MA‐based frameworks for e‐marketplace trading, underlying supporting systems, e‐payment systems, and the essential issues related to auditable and digital forensic services.Findings – The current knowledge shows that there is a serious lack of a...

Proceedings ArticleDOI
27 Jul 2010
TL;DR: The aim of this paper is to examine the current methods involved in the forensic examination of mobile phones and to identify those areas of mobile phone examination where the current United Kingdom ACPO guidelines and the United States of America NIST guidelines are unclear or insubstantial.
Abstract: Digital evidence is proving increasingly pivotal in criminal investigations whether it is an arrest for a minor offence or a more serious activity. As people rely on mobile phones and their many functions, the digital trail of evidence continues to grow. The forensic examination of mobile phones is a relatively new discipline and research activity into the forensic analysis of these types of phones, and the information they may contain, is limited when compared to the exponential increase in ownership of these types of phones. The amount of ubiquitous information stored on mobile phones will continue to grow as their processing power and storage capacity increases and the phones incorporate more functionality and applications. Guidelines, publications and research into the more traditional digital forensic examination of computer hard disks are well documented, whereas for mobile phones, the publications and research are not that established. The aim of this paper is to examine the current methods involved in the forensic examination of mobile phones and to identify those areas of mobile phone examination where the current United Kingdom ACPO guidelines and the United States of America NIST guidelines are unclear or insubstantial.

Journal ArticleDOI
TL;DR: The ability to classify evidence based on trust levels can offer great assistance to the computer forensics investigator to plan their works and focus on the evidence that would give them a better chance of catching the criminals.
Abstract: Problem statement: The needs of computer forensics investigators have been directly influenced by the increasing number of crimes performed using computers. It is the responsibility of the investigator to ascertain the authenticity of the collected digital evidence. Without proper classification of digital evidence, the computer forensics investigator may end up investigating using untrusted digital evidence that ultimately cannot be used to implicate the suspected criminal. Approach: The historical methods of verifying the authenticity of a hadith were studied. The similarities between hadith authentication and digital evidence authentication were identified. Based on the similarities of the identified processes, a new method of authenticating digital evidence was proposed, together with the trust calculation algorithm and evidence classification. Results: The new investigation processes and an algorithm to calculate the trust value of given digital evidence were proposed. Furthermore, a simple classification of evidence, based on the calculated trust values, was also proposed. Conclusion/Recommendations: We have successfully extracted the methods used to authenticate hadith and mapped them onto the digital evidence authentication processes. The trust values of digital evidence were able to be calculated and the evidence can be further classified based on the different levels of trust values. The ability to classify evidence based on trust levels can offer great assistance to the computer forensics investigator to plan their work and focus on the evidence that would give them a better chance of catching the criminals.

Book ChapterDOI
11 Nov 2010
TL;DR: The foundational concept of computer forensics is provided, various principles of computer forensics are outlined, various techniques are discussed, and the model of computer forensics is discussed along with a proposed model.
Abstract: With the development of the Internet and information technology, digital crimes are also on the rise. Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help in the detection of these crimes and the gathering of digital evidence suitable for presentation in courts. This paper provides the foundational concept of computer forensics, outlines various principles of computer forensics, discusses the model of computer forensics and presents a proposed model.

Journal ArticleDOI
TL;DR: The development of a new Cybercrime Investigation Framework that uniquely integrates and consolidates the technical complexity of investigating the Internet and networked technology with the investigation principles and procedures of mainstream law enforcement is presented.
Abstract: As the Internet continues to evolve and present the motivated cybercriminal with a vast range of opportunities to commit both crime and other undesirable behaviours, then mainstream law enforcement must equally have the capability to react. This paper identifies that cybercrime investigation is much more than just low-level technology examination or digital evidence recovery and requires the specific inclusion of a wide range of technical and non-technical professional disciplines and investigative skills. This paper draws on the author’s earlier research alongside the current challenges and issues of cybercrime and examines the many cybercrime investigation models and frameworks found throughout the literature to identify six guiding research objectives. This paper then presents the development of a new Cybercrime Investigation Framework that uniquely integrates and consolidates the technical complexity of investigating the Internet and networked technology with the investigation principles and procedures of mainstream law enforcement.

Proceedings ArticleDOI
21 May 2010
TL;DR: This study proposes a better logging mechanism to ensure the completeness of logs and applies concepts of steganography to log forensics, so that even records altered by an intruder are preserved.
Abstract: In most companies and organizations, logs play an important role in information security. However, the common security mechanism only backs up logs; it is not able to find traces of intruders, because a hacker who is able to breach the organization's security mechanism would try to alter logs or destroy important intrusion evidence, making it impossible to preserve evidence using traditional log security strategies. Thus, logs are not considered evidence to prove the damage. In that case, digital evidence lacks completeness, which makes it difficult to perform computer forensics operations. In order to maintain the completeness and reliability of evidence for later forensic procedures and intrusion detection, the study applies concepts of steganography to log forensics, so that even records altered by an intruder are preserved. Compared to traditional security strategies, this study proposes a better logging mechanism to ensure the completeness of logs. Furthermore, the study will assist in intrusion detection through alteration behaviour, and help in forensic operations.

Patent
26 Feb 2010
TL;DR: In this article, a tamper-evident evidence recording device for improving various business processes such as insurance claims processing, car and equipment rentals, and property lease disputes is presented.
Abstract: A handy, low-cost, tamper-evident evidence recording device is disclosed. A method and system for utilizing evidence recording devices to improve various business processes, such as insurance claims processing, car and equipment rentals, and property lease disputes, is disclosed.

19 May 2010
TL;DR: The initial idea that Digital Forensic Practice (DFP) recommendations can potentially improve how organizations handle digital evidence is presented.
Abstract: There are a number of factors that impact a digital forensics investigation. These factors include: the digital media in question, implemented processes and methodologies, the legal aspects, and the individuals involved in the investigation. This paper presents the initial idea that Digital Forensic Practice (DFP) recommendations can potentially improve how organizations handle digital evidence. The recommendations are derived from an in-depth survey conducted with practitioners in both commercial organizations and law enforcement, along with supporting literature. The recommendations presented in this paper can be used to assess an organization’s existing digital forensics practices and as a guide to Digital Forensics Improvement Initiatives.

Proceedings ArticleDOI
22 Jan 2010
TL;DR: This paper presents the fact that classical methods of collecting digital evidence are not appropriate and efficient, and proposes a combination of well-known, technology-independent methods from the database world and their application in the field of forensic science.
Abstract: Contemporary information systems such as eLearning, eUniversity, eVoting, eHealth, etc., are frequently used and misused for irregular data changes (data tampering). These facts force us to reconsider our security measures and find a way to improve them. Proving a computer crime act requires very complicated processes, which are based on digital evidence collection, forensic analysis and the investigation process. Forensic analysis of database systems is a very specific and demanding task and therefore presents the main inspiration for our research. In this paper we present the fact that classical methods of collecting digital evidence are not appropriate and efficient. In order to improve efficiency, we propose a combination of well-known, technology-independent methods from the database world and their application in the field of forensic science. We also propose some new research directions in this area.

Proceedings ArticleDOI
04 Nov 2010
TL;DR: This research integrates several open source digital forensics tools and creates a graphical user interface to develop a user-friendly environment for investigators to collect volatile data by executing commands from an external USB device.
Abstract: As the popularity of the Internet continues to grow, it changes the nature of computer crime. The number of computer crimes has increased dramatically in recent years, and investigators have been facing the difficulty of the admissibility of digital evidence. To solve this problem, we must collect evidence using digital forensics techniques and analyze the digital data, or recover the damaged data. In this research, we integrate several open source digital forensics tools and create a graphical user interface to develop a user-friendly environment for investigators. To avoid evidence loss due to the shutdown of target hosts, we use the live analysis technique to collect volatile data by executing commands from an external USB device. We also create a live USB so that target hosts can boot from the USB, which contains a functional operating system with tools for forensic discovery.

01 Jan 2010
TL;DR: Computer forensics is a scientific discipline dealing with acquiring, collecting, storing and presenting data that are electronically processed and stored on computer media, and it has the potential to significantly influence specific types of investigations and prosecutions.
Abstract: Computer forensics is a scientific discipline dealing with acquiring, collecting, storing and presenting data that are electronically processed and stored on computer media. Although a relatively new discipline, it has the potential to significantly influence specific types of investigations and prosecutions. Computer forensics is significantly different from traditional forensic disciplines. First of all, the tools and techniques that this discipline demands are relatively easily available to anyone who wants to conduct forensic analysis. Contrary to traditional forensic analysis, computer investigators need to conduct testing that is not always carried out under controlled conditions. Collecting digital evidence begins when information and/or physical objects are collected or stored in anticipation of testing. The term 'evidence' implies that the person who has collected it is recognized by the Court, as is the process of collecting the evidence. Data or physical objects become evidence only when they are collected by an authorized person.