
Showing papers on "Digital evidence published in 2012"


Journal Article
TL;DR: An integrated (iterative) conceptual digital forensic framework is proposed, which emphasises the differences in the preservation of forensic data and the collection of cloud computing data for forensic purposes, and discusses cloud computing digital forensic issues.

236 citations


Journal Article
TL;DR: This paper presents an abstract differencing strategy and applies it to all of the problem domains of differential analysis of computer media, memory, digital documents, network traces, and other kinds of digital evidence.

61 citations


Journal Article
TL;DR: This paper presents some of the lessons learned by the author over the past 14 years developing DF tools and maintaining several research corpora that currently total roughly 30TB.

59 citations


Book Chapter
03 Jan 2012
TL;DR: Methods for analyzing the topology of a Bayesian belief network created to qualify and quantify the strengths of investigative hypotheses and their supporting digital evidence help provide a powerful framework for reasoning about digital evidence.
Abstract: This paper presents methods for analyzing the topology of a Bayesian belief network created to qualify and quantify the strengths of investigative hypotheses and their supporting digital evidence. The methods, which enable investigators to systematically establish, demonstrate and challenge a Bayesian belief network, help provide a powerful framework for reasoning about digital evidence. The methods are applied to review a Bayesian belief network constructed for a criminal case involving BitTorrent file sharing, and explain the causal effects underlying the legal arguments.

54 citations


Journal Article
TL;DR: Various forensics tools, law challenges for the forensics examiner such as the Fourth Amendment, and chain of custody issues that a forensics expert could endure while gathering information from mobile devices are described.
Abstract: The paper deals with the various types of mobile devices that have large storage capacities and the challenges for forensics experts in gathering information from the devices for use in criminal investigations. The paper describes various forensics tools, law challenges for the forensics examiner such as the Fourth Amendment, and chain of custody issues that a forensics expert could endure while gathering information from mobile devices. The reader will learn about the struggles to effectively manage digital evidence obtained from such mobile devices and some of the issues in using some of the more popular tools on the market to conduct forensics. Finally, the reader will conclude the various challenges that could occur for the forensics examiner in conducting investigations until law disputes are resolved and the maturity and standardization of software tools develop.

44 citations


Proceedings Article
04 Oct 2012
TL;DR: The aim of this paper is to propose proactive activities an organisation can undertake in order to increase its ability to respond to security incidents and create a digitally forensic ready workplace environment.
Abstract: The ever-growing threats of fraud and security incidents present many challenges to law enforcement and organisations across the globe. This has given rise to the need for organisations to build effective incident management strategies, which will enhance the company's reactive capability to security incidents. The aim of this paper is to propose proactive activities an organisation can undertake in order to increase its ability to respond to security incidents and create a digitally forensic ready workplace environment. The study constitutes exploratory research, with the use of a systematic literature review as a basis to identify activities relating to a digitally forensic ready environment. While much has been written about how organisations can prepare to respond to security incidents, findings show an absence of a digital forensic readiness model. This paper concludes by presenting such a conceptual model. This study contributes to the greater body of knowledge on the design and implementation of a digital forensic readiness programme, aimed at maximising the use of digital evidence in an organisation.

44 citations


Book Chapter
04 Jun 2012
TL;DR: This paper examines potential evidence that may be collected from smartphones and the available connection channels for evidence transfer during a forensic investigation and proposes a Proactive Smartphone Investigation Scheme that focuses on ad hoc acquisition of smartphone evidence.
Abstract: Smartphones constantly interweave into everyday life, as they accompany individuals in different contexts. Smartphones include a combination of heterogeneous data sources, which can prove essential when combating crime. In this paper we examine potential evidence that may be collected from smartphones. We also examine the available connection channels for evidence transfer during a forensic investigation. We propose a Proactive Smartphone Investigation Scheme that focuses on ad hoc acquisition of smartphone evidence. We also take into consideration the legal implications of the proposed scheme, as it is essential that the scheme includes prevention mechanisms, so as to protect individuals from misuse by investigators or malicious entities.

43 citations


Dissertation
01 Jan 2012
TL;DR: Peffers et al. as mentioned in this paper developed a new process model for digital data acquisition that addresses both the practical needs of practitioners working in different areas of the field and the expectation of law courts for a formal description of the process undertaken to acquire digital evidence.
Abstract: Given the pervasive nature of information technology, the nature of evidence presented in court is now less likely to be paper-based and in most instances will be in electronic form. However, evidence relating to computer crime is significantly different from that associated with the more ‘traditional’ crimes for which, in contrast to digital forensics, there are well-established standards, procedures and models to which law courts can refer. The key problem is that, unlike some other areas of forensic practice, digital forensic practitioners work in a number of different environments and existing process models have tended to focus on one particular area, such as law enforcement, and fail to take into account the different needs of those working in other areas such as incident response or ‘commerce’. This thesis makes an original contribution to knowledge in the field of digital forensics by developing a new process model for digital data acquisition that addresses both the practical needs of practitioners working in different areas of the field and the expectation of law courts for a formal description of the process undertaken to acquire digital evidence. The methodology adopted for this research is design science on the basis that it is particularly suited to the task of creating a new process model and an ‘ideal approach’ in the problem domain of digital forensic evidence. The process model employed is the Design Science Research Process (DSRP) (Peffers, Tuunanen, Gengler, Rossi, Hui, Virtanen and Bragge, 2006) that has been widely utilised within information systems research. A review of current process models involving the acquisition of digital data is followed by an assessment of each of the models from a theoretical perspective, by drawing on the work of Carrier and Spafford (2003), and from a legal perspective by reference to the Daubert test.
The result of the model assessment is that none provide a description of a generic process for the acquisition of digital data, although a few models contain elements that could be considered for adaptation as part of a new model. Following the identification of key elements for a new model (based on the literature review and model assessment) the outcome of the design stage is a three-stage process model called the Advance Data Acquisition Model (ADAM) that comprises of three UML Activity diagrams, overriding Principles and an Operation Guide for each stage. Initial testing of the ADAM (the Demonstration stage from the DSRP) involves a ‘desk check’ using both in-house documentation relating to three digital forensic investigations and four narrative scenarios. The results of this exercise are fed back into the model design stage and alterations made as appropriate. The main testing of the model (the DSRP Evaluation stage) involves independent verification and validation of the ADAM utilising two groups of ‘knowledgeable people’. The first group, the Expert Panel, consists of international ‘subject matter experts’ from the domain of digital forensics. The second group, the Practitioner Panel, consists of peers from around Australia that are digital forensic practitioners and includes a representative from each of the areas of relevance for this research, namely: law enforcement, commerce and incident response. Feedback from the two panels is considered and modifications applied to the ADAM as appropriate. This thesis builds on the work of previous researchers and demonstrates how the UML can be practically applied to produce a generic model of one of the fundamental digital forensic processes, paving the way for future work in this area that could include the creation of models for other activities undertaken by digital forensic practitioners.
It also includes the most comprehensive review and critique of process models incorporating the acquisition of digital forensics yet undertaken.

39 citations


Journal Article
TL;DR: Experimental results show that this approach can be very useful for a better understanding of network traffic data, making it easier to search for evidence of attacks or anomalous behaviour in a network environment.

36 citations


Journal Article
TL;DR: The design of version 1.2 of XIRAF is described, which automates the collection of millions of forensic artefacts and organizes these artefacts such that they can be searched in effective ways through a web interface.

35 citations


Journal Article
TL;DR: A new tool which is the combination of digital forensic investigation and crime data mining is proposed, designed for finding motive, pattern of cyber attacks and counts of attacks types happened during a period.
Abstract: Digital forensics is the science of identifying, extracting, analyzing and presenting the digital evidence that has been stored in the digital devices. Various digital tools and techniques are being used to achieve this. Our paper explains forensic analysis steps in the storage media, hidden data analysis in the file system, network forensic methods and cyber crime data mining. This paper proposes a new tool which is the combination of digital forensic investigation and crime data mining. The proposed system is designed for finding motive, pattern of cyber attacks and counts of attacks types happened during a period. Hence the proposed tool enables the system administrators to minimize the system vulnerability.

Proceedings Article
20 Feb 2012
TL;DR: The most five popular mobile social networking applications in iPhone usages are discussed, which could help the investigators to exactly reconstruct the crime venue and find the truth.
Abstract: The smart phone, like a small computer, providing not only the functions of normal phones and wireless Internet access, but also all kinds of application tools, serves as a platform of the sources of real-time information, information sharing and information exchange in our daily lives. As a result, the extract the crucial digital evidence in the smart phone, it has now become a challenge in the technology time. In particular, it is for when the smart phone applications are committed as the illegal contacts. In this paper, we discuss the most five popular mobile social networking applications in iPhone usages. The backup files of social networking applications could offer us the crucial evidence in this paper study. The relative information of social networking applications operated in iPhone is able to be accessed if necessary, even though iPhone has been destructed or encrypted by the suspect. It could help the investigators to exactly reconstruct the crime venue and find the truth.

Proceedings Article
04 Dec 2012
TL;DR: This paper proposes a unified framework using data mining and natural language processing techniques to analyze online messages for the purpose of crime investigation and closely collaborate with the cyber crime unit of a law enforcement agency in Canada.
Abstract: Cyber criminals exploit opportunities for anonymity and masquerade in web-based communication to conduct illegal activities such as phishing, spamming, cyber predation, cyber threatening, blackmail, and drug trafficking. One way to fight cyber crime is to collect digital evidence from online documents and to prosecute cyber criminals in the court of law. In this paper, we propose a unified framework using data mining and natural language processing techniques to analyze online messages for the purpose of crime investigation. Our framework takes the chat log from a confiscated computer as input, extracts the social networks from the log, summarizes chat conversations into topics, identifies the information relevant to crime investigation, and visualizes the knowledge for an investigator. To ensure that the implemented framework meets the needs of law enforcement officers in real-life investigation, we closely collaborate with the cyber crime unit of a law enforcement agency in Canada. Both the feedback from the law enforcement officers and experimental results suggest that the proposed chat log mining framework is effective for crime investigation.

Journal Article
TL;DR: A block diagram is proposed which may guide a database forensic examiner to obtain the evidences in an oracle database for database tamper detection.
Abstract: Most secure database is the one you know the most. Tamper detection compares the past and present status of the system and produces digital evidence for forensic analysis. Our focus is on different methods or identification of different locations in an oracle database for collecting the digital evidence for database tamper detection. Starting with the basics of oracle architecture, continuing with the basic steps of forensic analysis the paper elaborates the extraction of suspicious locations in oracle. As a forensic examiner, collecting digital evidence in a database is a key factor. Planned and a modelled way of examination will lead to a valid detection. Based on the literature survey conducted on different aspects of collecting digital evidence for database tamper detection, the paper proposes a block diagram which may guide a database forensic examiner to obtain the evidences.

Book
22 May 2012
TL;DR: This document provides guidelines for Federal organizations' acquisition and use of security-related Information Technology (IT) products and NIST's advice is given in the context of larger recommendations regarding computer systems security.
Abstract: (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. This document provides guidelines for Federal organizations' acquisition and use of security-related Information Technology (IT) products. These guidelines provide advice to agencies for sensitive (i.e., non-national security) unclassified systems. NIST's advice is given in the context of larger recommendations regarding computer systems security. These guidelines are for use by Federal organizations that process sensitive information. 1 They are consistent with the requirements of OMB Circular A-130, Appendix III. The guidelines herein are not mandatory and binding standards. This document may be used voluntarily by non-governmental organizations. It is not subject to copyright. 
Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the Office of Management and Budget, or any other Federal official. 1 The Computer Security Act provides a broad definition of the term "sensitive information," namely "any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense …

Proceedings Article
26 Jun 2012
TL;DR: A Model of investigating VoIP malicious attacks is proposed for forensic analysis and formalizes hypotheses through information gathering and adopts a Secure Temporal Logic of Action (S-TLA+) in the process of reconstructing potential attack scenario.
Abstract: Although the invention of Voice over Internet Protocol (VoIP) in communication technology created significant attractive services for its users, it also brings new security threats. Criminals exploit these security threats to perform illegal activities such as VoIP malicious attacks, this will require digital forensic investigators to detect and provide digital evidence. Finding digital evidence in VoIP malicious attacks is the most difficult task, due to its associated features with converged network. In this paper, a Model of investigating VoIP malicious attacks is proposed for forensic analysis. The model formalizes hypotheses through information gathering and adopts a Secure Temporal Logic of Action (S-TLA+) in the process of reconstructing potential attack scenario. Through this process, investigators can uncover unknown attack scenario executed in the process of attack. Subsequently, it is expected that the findings of this paper will provide clear description of attacks as well as generation of more specified evidences.

Journal Article
TL;DR: This paper presents a study that helps investigators make use of the valuable, stealthy TCP Connections' Artifacts (TCPCA) that sit in the RAM for a while even after the connection is torn down.

01 Jan 2012
TL;DR: In this article, the authors present a basic concept of "chain of custody of digital evidence" and "life cycle of digital data" and address a phase in life cycle in digital archiving.
Abstract: Life cycle and chain of digital evidence are very important parts of digital investigation process. It is very difficult to maintain and prove chain of custody. Investigators and expert witness must know all details on how the evidence was handled every step of the way. At each stage in life cycle of digital evidence, there is more impact (human, technical and natural) that can violate digital evidence. This paper presents a basic concept of "chain of custody of digital evidence" and "life cycle of digital evidence". It will address a phase in life cycle in digital archiving. The authors also warn of certain shortcomings in terms of answering specific questions, and gives same basic definition.

Book Chapter
25 Oct 2012
TL;DR: The techno-legal nature of this proposed model coupled with the incorporation of best practices of existing models makes it unique, but iterative in nature helping in successful investigation and prosecution.
Abstract: In this paper we present a review and comparative study of existing digital forensic investigation models and propose an enhanced model based on Systematic Digital Forensic Investigation Model. One significant drawback in digital forensic investigation is that they often do not place enough emphasis on potential admissibility of gathered evidence. Digital forensic investigation must adhere to the standard of evidence and its admissibility for successful prosecution. Therefore, the techno-legal nature of this proposed model coupled with the incorporation of best practices of existing models makes it unique. The model is not a waterfall model, but iterative in nature helping in successful investigation and prosecution. The result of the study is expected to improve the whole investigation process including possible litigation.

Proceedings Article
04 Jul 2012
TL;DR: The verification confirmed that a well-constructed false digital alibi is indistinguishable from an alibi based on human activities, thus being exploitable to forge a digital alibi.
Abstract: In recent years the relevance of digital evidence in Courts disputes is growing up and many cases have been solved thanks to digital traces that addressed investigations on the right way. Actually in some cases digital evidence represented the only proof of the innocence of the accused. In such a case this information constitutes a digital alibi. It usually consists of a set of local and Internet activities performed through a digital device. It has been recently shown how it is possible to setup a common PC in order to produce digital evidence in an automatic and systematic manner. Such traces are indistinguishable upon a forensic post-mortem analysis from those left by human activity, thus being exploitable to forge a digital alibi. In this paper we verify the undetectability of a false digital alibi by setting up a challenge. An alibi maker team set up a script which simulated some human activities as well as a procedure to remove all the traces of the automation including itself. The verification team received the script and executed it on its own PCs. The verification team could perform not only a usual post-mortem analysis but also a deeper forensic analysis. Indeed, they knew all the details of the script and the original state of the PC before running it. The verification confirmed that a well-constructed false digital alibi is indistinguishable from an alibi based on human activities.

Proceedings Article
19 Sep 2012
TL;DR: An anti-money laundering model is proposed by combining digital forensics practices along with database tools and database analysis methodologies and admissible Suspicious Activity Reports (SARs) can be generated, based on evidence obtained from forensically analysing database financial logs in compliance with Know-Your-Customer policies for money laundering detection.
Abstract: Digital forensics is the science that identify, preserve, collect, validate, analyse, interpret, and report digital evidence that may be relevant in court to solve criminal investigations. Conversely, money laundering is a form of crime that is compromising the internal policies in financial institutions, which is investigated by analysing large amount of transactional financial data. However, the majority of financial institutions have adopted ineffective detection procedures and extensive reporting tasks to detect money laundering without incorporating digital forensic practices to handle evidence. Thus, in this article, we propose an anti-money laundering model by combining digital forensics practices along with database tools and database analysis methodologies. As consequence, admissible Suspicious Activity Reports (SARs) can be generated, based on evidence obtained from forensically analysing database financial logs in compliance with Know-Your-Customer policies for money laundering detection.

Proceedings Article
01 Dec 2012
TL;DR: A survey on the current data acquisition methods of digital forensics for mobile phones is conducted and a comparative analysis between the current data acquisition methods is provided.
Abstract: Today mobile phone devices are everywhere and they hold a great deal of information about the owner and their activities. As a result of the widespread adoption of these devices into every aspect of our lives, they will be involved in almost any crime that occurs. The aim of the digital forensics of mobile phones is to recover potential digital evidence in a forensically sound manner so that it can be presented and accepted in court. There are several methods to acquire evidence from mobile phones. In this paper, we have conducted a survey on the current data acquisition methods. Then, we provide a comparative analysis between the current data acquisition methods.

Proceedings Article
18 Mar 2012
TL;DR: A novel method to create an image of the iDevice (iPhone, iPad, iPod) in a secure and fast manner within 30 minutes or less without jailbreaking compared to the fastest current method which takes up to 20 hours.
Abstract: With boom in mobility technology sector, a new generation of computing devices such as iPhone/iPad/iPod have emerged and immersed itself in the lives of millions and millions of people. With its widespread its fair to say that the use of these devices has created a new source of digital evidence and a need for a fast and trusted method to image and analyze the data has emerged. In this paper we will discuss a novel method that we have developed to create an image of the iDevice (iPhone, iPad, iPod) in a secure and fast manner within 30 minutes or less without jailbreaking compared to the fastest current method which takes up to 20 hours.

Journal Article
TL;DR: A Trusted Module Platform (TPM)-based solution along with using Secure Virtual Machines (SVM) to secure the storage of forensic logs of the system for cyber forensics investigation is proposed.
Abstract: Computer logs files contain the crucial information that is stored and can be an important forensics evidence of attacks and actions of a system. Cyber forensics can be one of the important solutions to systematically gather, process, interpret and utilize digital evidence and log of the activities and events of a system is one of the most important resources of analyzing the evidence for researchers, therefore a secure storage of forensic log is our main focus. In this paper, we propose a Trusted Module Platform (TPM)-based solution along with using Secure Virtual Machines (SVM) to secure the storage of forensic logs of the system for cyber forensics investigation. Since TPM provides protection before system boot process, it heavily limits the number of attacks that may bypass. Also SVM provide a secure environment to test software before installing on the client-machine. To ensure a secure logging system, our model will be using a smart combination of TPM, SVM and secure boot control to provide maximum log protection.

Dissertation
01 Jan 2012
TL;DR: The research presents a system that allows a forensic examiner to focus on what is relevant to a case in a systematic way that can be proved in court, and proposes a generic workflow of database forensic examination.
Abstract: Governments and private organisations are increasingly aware that vital information stored in their databases is no longer safe behind perimeter firewalls, intrusion prevention systems and other edge protections. Databases store a broad range of private and important information, making them a prime target for exploitation by wrongdoers wishing to breach confidentiality, damage the integrity of the data or make it unavailable to its users. The intricate nature and the non-stoppable critical services running in databases makes forensic examination of database difficult and challenges the forensics recovery and examination processes. The research presented in this thesis discusses the feasibility of developing an enhanced workflow that provides insight into the challenging complexities of examining and using database evidence. It lays the foundation for the development and establishment of standards in database forensic analysis and forensic case management. The major contribution of this research is a literature review that summarises the state-of-the-art in database forensics. It argues for the need for more in-depth research in this field and highlights limited availability of forensic data. To improve this, the research presents the design of a generic workflow of database forensic examination. This is evaluated using a qualitative and case study based evaluation and highlights the various limitations and drawback of the workflow. In summary, the research in this thesis proposes a system that allows a forensic examiner to focus on what is relevant to a case in a systematic way that can be proved in court. The workflow also acts as a case management tool by aiding the forensic examiner to apply established standards and procedures to identify best-case result by systematically, thoroughly and efficiently collecting and validating digital evidence.

28 May 2012
TL;DR: The Remote Acquisition Forensic Tool (RAFT) as discussed by the authors is a system designed to facilitate forensic investigators by remotely gathering digital evidence, which is achieved through the implementation of a secure, verifiable client/server imaging architecture.
Abstract: Providing the ability to any law enforcement officer to remotely transfer an image from any suspect computer directly to a forensic laboratory for analysis, can only help to greatly reduce the time wasted by forensic investigators in conducting on-site collection of computer equipment. RAFT (Remote Acquisition Forensic Tool) is a system designed to facilitate forensic investigators by remotely gathering digital evidence. This is achieved through the implementation of a secure, verifiable client/server imaging architecture. The RAFT system is designed to be relatively easy to use, requiring minimal technical knowledge on behalf of the user. One of the key focuses of RAFT is to ensure that the evidence it gathers remotely is court admissible. This is achieved by ensuring that the image taken using RAFT is verified to be identical to the original evidence on a suspect computer.

Journal Article
TL;DR: In this article, a model for investigating crime scenes with hybrid evidence is proposed, which unifies the procedures related to digital and physical evidence collection and examination, taking into consideration the unique characteristics of each form of evidence.
Abstract: With the advent of Information and Communication Technologies, the means of committing a crime and the crime itself are constantly evolved. In addition, the boundaries between traditional crime and cybercrime are vague: a crime may not have a defined traditional or digital form since digital and physical evidence may coexist in a crime scene. Furthermore, various items found in a crime scene may worth be examined as both physical and digital evidence, which the authors consider as hybrid evidence. In this paper, a model for investigating such crime scenes with hybrid evidence is proposed. Their model unifies the procedures related to digital and physical evidence collection and examination, taking into consideration the unique characteristics of each form of evidence. The authors' model can also be implemented in cases where only digital or physical evidence exist in a crime scene.

Book Chapter
03 Jan 2012
TL;DR: This paper focuses on incorporating requirements for forensic readiness – designing in features and characteristics that support the use of the data produced by digital devices as evidence that must meet legal requirements for the design of digital devices.
Abstract: Traditional approaches to digital forensics deal with the reconstruction of events within digital devices that were often not built for the creation of evidence. This paper focuses on incorporating requirements for forensic readiness – designing in features and characteristics that support the use of the data produced by digital devices as evidence. The legal requirements that such evidence must meet are explored in developing technical requirements for the design of digital devices. The resulting approach can be used to develop digital devices and establish processes for creating digital evidence. Incorporating the legal view early in device design and implementation can help ensure the probative value of the evidence produced by the devices.

Book Chapter
01 Jan 2012
TL;DR: This paper is capable of utilizing some specific search string in regard to the image of the Random Access Memory (RAM) in order to disclose the digital breadcrumb in terms of the received IM and the cellular phone number in previous Viber sessions as probative evidenced in a court of law.
Abstract: As Android Operating System (OS) for smart phones become pervasive, more and more end users are taking advantage of the contemporary Instant Messaging (IM) tools with high availability and agile mobility. Unfortunately, the cyber criminals or hacktivists are abusing this state-of-the-art mobile communication gadget to fulfill illegal conspiracies. The content with regard to the IM is a critical success factor in cracking some complicated cyber crime cases in a timely manner. The paper significantly contributes to the research arena of Digital Forensics (DF) practitioners and researchers respecting partial digital evidence disclosure in a generic Viber session in Android mobile OS due to the commonness of IM under contemporary ubiquitous on-demand computing infrastructures. Being accumulated with sophisticated researches both in Android smart phones and the Viber Application Program (AP), this paper is capable of utilizing some specific search string in regard to the image of the Random Access Memory (RAM) in order to disclose the digital breadcrumb in terms of the received IM and the cellular phone number in previous Viber sessions as probative evidenced in a court of law.

30 May 2012
TL;DR: This paper updates previous work on the level of consensus in foundational elements of digital evidence examination, suggesting that, while there is a scientific agreement around some of the basic notions identified, the use of a common language is lacking.
Abstract: This paper updates previous work on the level of consensus in foundational elements of digital evidence examination. Significant consensus is found present only after definitions are made explicit, suggesting that, while there is a scientific agreement around some of the basic notions identified, the use of a common language is lacking.