
Showing papers on "Digital evidence published in 2014"


Journal ArticleDOI
TL;DR: Artefacts likely to remain after the use of cloud storage were identified, in the context of the experiments, on a computer hard drive and an Apple iPhone 3G, together with the potential access point(s) through which digital forensics examiners can secure that evidence.

230 citations


ReportDOI
15 May 2014
TL;DR: This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures.
Abstract: Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.

101 citations


Journal ArticleDOI
TL;DR: This paper explores the current implementation of the digital forensic process, analyzes factors that affect its efficiency, and explains how a Digital Forensics as a Service implementation in the Netherlands reduced case backlogs and freed up digital investigators to help detectives better understand the digital material.

84 citations


01 Jul 2014
TL;DR: This new environment provides a rich set of data sources; when used in conjunction with one another, they can greatly inform a historical situation that may have occurred with little or no reliable human witness evidence.
Abstract: The implementation of the Internet of Things will result in the connection of tens of billions of wireless devices to the Internet. These devices will form an intelligent substrate pervading all aspects of life. From intelligent home control to advanced city management systems, devices will sense their environment as well as interconnect and communicate with each other to form intelligent smart spaces. Individually and collectively, these devices produce and consume large amounts of personally sensitive data. This new environment provides a rich set of data sources; when used in conjunction with one another, they can greatly inform a historical situation that may have occurred with little or no reliable human witness evidence. However, this deeply pervasive environment will provide challenges to the various agencies that will need to interact with this new technology.

69 citations


Posted Content
TL;DR: A Digital Forensic Data Reduction and Data Mining Framework is proposed to provide a rapid triage, collection, intelligence analysis, review and storage methodology to support the various stages of digital forensic examinations.
Abstract: The volume of digital forensic evidence is rapidly increasing, leading to large backlogs. In this paper, a Digital Forensic Data Reduction and Data Mining Framework is proposed. Initial research with sample data from South Australia Police Electronic Crime Section and Digital Corpora Forensic Images using the proposed framework resulted in a significant reduction in the storage requirements: the reduced subset is only 0.196 percent and 0.75 percent respectively of the original data volume. The framework outlined is not suggested to replace full analysis, but serves to provide a rapid triage, collection, intelligence analysis, review and storage methodology to support the various stages of digital forensic examinations. Agencies that can undertake rapid assessment of seized data can more effectively target specific criminal matters. The framework may also provide a greater potential intelligence gain from analysis of current and historical data in a timely manner, and the ability to undertake research of trends over time.
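The abstract reports the reduction ratio but not the selection mechanism. The following is an added illustration, not the paper's framework: a generic two-stage triage reduction over a constructed file inventory, first discarding files whose hash matches a known-good reference set (a stand-in for a reference library such as an NSRL hash list) and then keeping only types and locations of likely evidential value. The keep policy, the file paths, sizes and contents are all constructed for the example.

```python
"""Triage data reduction over a constructed file inventory (added example)."""
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    content: bytes  # constructed stand-in for bytes read from the image


# Keep policy (assumption for this example): user-generated document, picture,
# database and log types, plus anything under the system log directory.
KEEP_EXTENSIONS = {".docx", ".pdf", ".jpg", ".png", ".log", ".db", ".lnk"}
KEEP_DIRS = ("/var/log/",)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_known_good(reference_entries) -> set:
    """Hash set of known OS/application files; a constructed stand-in for a
    reference library such as an NSRL hash list."""
    return {sha256(e.content) for e in reference_entries}


def reduce_inventory(inventory, known_good):
    """Two-stage reduction: discard files whose hash is known-good, then keep
    only files matching the keep policy. Returns (kept_entries, stats)."""
    kept, dropped_known, dropped_policy = [], 0, 0
    for entry in inventory:
        if sha256(entry.content) in known_good:
            dropped_known += 1
            continue
        ext = os.path.splitext(entry.path)[1].lower()
        if ext in KEEP_EXTENSIONS or entry.path.startswith(KEEP_DIRS):
            kept.append(entry)
        else:
            dropped_policy += 1
    bytes_in = sum(e.size for e in inventory)
    bytes_kept = sum(e.size for e in kept)
    stats = {
        "files_in": len(inventory),
        "files_kept": len(kept),
        "dropped_known_good": dropped_known,
        "dropped_by_policy": dropped_policy,
        "bytes_in": bytes_in,
        "bytes_kept": bytes_kept,
        "kept_pct": round(100.0 * bytes_kept / bytes_in, 3) if bytes_in else 0.0,
    }
    return kept, stats


# Constructed inventory: two OS binaries (also in the reference set), user
# files, a large application cache and an unknown executable.
REFERENCE = [
    FileEntry("/Windows/System32/kernel32.dll", 700_000, b"KERNEL32-STUB"),
    FileEntry("/Windows/System32/ntdll.dll", 1_500_000, b"NTDLL-STUB"),
]
INVENTORY = REFERENCE + [
    FileEntry("/Users/alice/Documents/contract.pdf", 120_000, b"%PDF-1.4 constructed"),
    FileEntry("/Users/alice/Pictures/IMG_0001.jpg", 2_400_000, b"\xff\xd8 constructed"),
    FileEntry("/Users/alice/AppData/Local/app/cache.bin", 50_000_000, b"cache blob"),
    FileEntry("/var/log/auth.log", 30_000, b"Mar  1 09:00:01 host sshd[1]: Accepted"),
    FileEntry("/Program Files/tool/tool.exe", 5_000_000, b"MZ unknown binary"),
    FileEntry("/Users/alice/Downloads/invoice.docx", 40_000, b"PK constructed docx"),
]


def run_triage():
    """Returns (kept paths, stats) for the constructed inventory."""
    kept, stats = reduce_inventory(INVENTORY, build_known_good(REFERENCE))
    return [e.path for e in kept], stats


if __name__ == "__main__":
    paths, stats = run_triage()
    print(stats)
    for p in paths:
        print("keep", p)
```

Note the order of the stages: hashing runs first so that a file renamed to look interesting (a system DLL copied as `contract.pdf`) is still removed by its known-good hash, and the dropped files are counted rather than silently discarded so the reduction is auditable.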

60 citations


01 Jan 2014
TL;DR: The authors proposed a model that allows digital forensic readiness to be achieved by implementing a Botnet as a service (BaaS) in a cloud environment.
Abstract: Cloud forensics has become an inexorable and a transformative discipline in the modern world. The need to share a pool of resources and to extract digital evidence from the same distributed resources to be presented in a court of law, has become a subject of focus. Forensic readiness is a pro-active process that entails digital preparedness that an organisation uses to gather, store and handle incident responsive data with the aim of reducing post-event response by digital forensics investigators. Forensic readiness in the cloud can be achieved by implementing a botnet with nonmalicious code as opposed to malicious code. The botnet still infects instances of virtual computers within the cloud, however, with good intentions as opposed to bad intentions. The botnet is, effectively, implemented as a service that harvests digital information that can be preserved as admissible and submissive potential digital evidence. In this paper, the authors' problem is that there are no techniques that exist for gathering information in the cloud for digital forensic readiness purposes as described in the international standard for digital forensic investigations (ISO/IEC 27043). The authors proposed a model that allows digital forensic readiness to be achieved by implementing a Botnet as a service (BaaS) in a cloud environment.

51 citations


Journal Article
TL;DR: The Daubert standard provides judges with an objective set of guidelines for accepting scientific evidence; in cases where information is hidden, erased, or otherwise altered, data trails and other metadata markers are often the key to establishing a timeline and correlating important events.
Abstract: ¶1 With the widespread permeation of continually advancing technologies into our daily lives, it is inevitable that the product of those technologies, i.e. digital information, makes its way into the courtroom. This has largely occurred in the form of electronic discovery, or "e-discovery," where each party involved in an action provides the relevant information they possess electronically. However, in cases where information is hidden, erased, or otherwise altered, digital forensic analysis is necessary to draw further conclusions about the available evidence. Digital forensic analysis is analogous to more traditional forensic analysis. For example, in criminal cases where a firearm was used in the commission of the crime, but the gun is not readily admissible, forensic science is necessary to trace the origin of the weapon, perform fingerprint analysis on it, and compare fired bullet casings to ensure the weapon used and the weapon analyzed are one and the same.

¶2 In sum, digital forensics is the preservation and analysis of electronic data. These data include the primary substantive data (the gun) and the secondary data attached to the primary data, such as data trails and time/date stamps (the fingerprints). These data trails and other metadata markers are often the key to establishing a timeline and correlating important events.

I. A BRIEF HISTORY OF DIGITAL FORENSICS

¶3 A forensic report, whether for digital evidence or physical evidence, must have conclusions that are reproducible by independent third parties. So, facts discovered and opinions formed need to be documented and referenced to their sources. Why? Ones and zeros do not lie. Therefore, forensic reports that contain opinions based upon properly documented digital sources are much more likely to withstand judicial scrutiny than are opinions based on less reliable sources.

¶4 The reigning case in scientific evidence admission is Daubert v. Merrell Dow Pharmaceuticals Inc. The decision in Daubert set forth a five-pronged standard for judges to determine whether scientific evidence is admissible in federal court. The Daubert standard applies to any scientific procedure used to prepare or uncover evidence and comprises the following factors:
(1) Testing: Has the scientific procedure been independently tested?
(2) Peer Review: Has the scientific procedure been published and subjected to peer review?
(3) Error rate: Is there a known error rate, or potential to know the error rate, associated with the use of the scientific procedure?
(4) Standards: Are there standards and protocols for the execution of the methodology of the scientific procedure?
(5) Acceptance: Is the scientific procedure generally accepted by the relevant scientific community?

¶5 The Daubert standard provides judges with an objective set of guidelines for accepting scientific evidence. Following Daubert, the decision in Kumho Tire v. Carmichael extended the Daubert standard to the qualification of expert witnesses by its interpretation of Federal Rule of Evidence ("FRE") 702. FRE 702 provides guidelines for qualifying expert witnesses, stating that the expert can have "scientific, technical, or other specialized knowledge." The Kumho Tire court extended the Daubert standard to apply to experts with technical or specialized knowledge, and not simply those called to testify regarding their scientific knowledge.

¶6 The majority of jurisdictions in the country favor the Daubert standard over the "general accepted practices" standard set forth in Frye v. United States, 293 F. 1013 (1923). For jurisdictions in which Daubert is followed, there are a number of practical points that both attorneys and judges will benefit from knowing in order to understand and effectuate the guidelines set forth in the Daubert standard. This article's goal is to elucidate those practical high-level points, thereby allowing counsel or judge to review technical expert reports and spot potential weaknesses. …

35 citations


Journal Article
TL;DR: Digital forensic readiness is defined as the pre-incident plan that deals with an organization's ability to maximize digital evidence usage and anticipate litigation; this article reviews key readiness initiatives and their limitations to point out directions for future policy making by governments and organizations.
Abstract: Digital Forensic Readiness is defined as the pre-incident plan that deals with an organization's ability to maximize digital evidence usage and anticipate litigation. The inadequacy of technical research and legislation and the ever-increasing need for evidence preservation mechanisms have brought the need for a common forensic readiness standard. This article reviews a number of key initiatives in order to point out the directions for future policy making by governments and organizations, and conducts an investigation of the limitations of those initiatives to reveal the gaps that need to be bridged.

30 citations


Proceedings ArticleDOI
10 Nov 2014
TL;DR: An experiment was conducted that aims at testing the performance of the harmonised digital forensic investigation process (HDFIP) as stipulated in the ISO/IEC 27043 draft international standard through the extraction of potential digital evidence from mobile devices.
Abstract: Mobile technology is among the fastest developing technologies that have changed the way we live our daily lives. Over the past few years, mobile devices have become the most popular form of communication around the world. However, bundled together with the good and advanced capabilities of the mobile technology, mobile devices can also be used to perform various activities that may be of malicious intent or criminal in nature. This makes mobile devices a valuable source of digital evidence. For this reason, the technological evolution of mobile devices has raised the need to develop standardised investigation process models and procedures within the field of digital forensics. This need further supports the fact that forensic examiners and investigators face challenges when performing data acquisition in a forensically sound manner from mobile devices. This paper, therefore, aims at testing the harmonised digital forensic investigation process through a case study of a mobile forensic investigation. More specifically, an experiment was conducted that aims at testing the performance of the harmonised digital forensic investigation process (HDFIP) as stipulated in the ISO/IEC 27043 draft international standard through the extraction of potential digital evidence from mobile devices.

23 citations


Journal ArticleDOI
20 Sep 2014
TL;DR: 6th International Conference on Digital Forensics and Cyber Crime (ICDF2C 2014), New Haven, Connecticut, United States, 18-20 September 2014
Abstract: 6th International Conference on Digital Forensics and Cyber Crime (ICDF2C 2014), New Haven, Connecticut, United States, 18-20 September 2014

22 citations


Journal ArticleDOI
01 Jan 2014
TL;DR: An extension to Reith's abstract digital forensics model explicating preservation of integrity and protection of human rights as the two necessary umbrella principles is proposed.
Abstract: In this research, a literature review was conducted in which twenty (n=20) frameworks and models highlighting preservation of the integrity of digital evidence and protection of basic human rights during digital forensic investigations were studied. The models not discussing the process at an abstract level were excluded. Therefore, thirteen (n=13) of the studied models were included in our analysis. The results indicated that published abstract models lack preservation of the integrity of digital evidence and protection of basic human rights as explicit overarching umbrella principles. To overcome this problem, we proposed an extension to Reith's abstract digital forensics model explicating preservation of integrity and protection of human rights as the two necessary umbrella principles.

Journal ArticleDOI
TL;DR: This paper presents the design and application of a tool, OpenLV, that not only meets the need for speedy initial triage but can also facilitate the review of digital evidence at later stages of an investigation.

Journal ArticleDOI
TL;DR: The solution offered in this research is to build a model of Digital Evidence Cabinets as a new approach in implementing the digital evidence handling and chain of custody to improve the integrity and credibility of digital evidence.
Abstract: Chain of custody is the procedure for producing a chronological documentation of evidence, and it is an important procedure in the investigation process. Both physical and digital evidence are an important part of the process of investigation and the courtroom. However, handling the chain of custody for digital evidence is more difficult than the handling of physical evidence. Nevertheless, the handling of digital evidence should still follow the same procedure as the handling of physical evidence. Until now, handling the chain of custody for digital evidence is still an open problem with a number of challenges, including the business model of the interaction of the parties that deal with digital evidence, recording of metadata information, as well as issues of access control and security for all handling of the digital chain of custody. The solution offered in this research is to build a model of Digital Evidence Cabinets as a new approach to implementing digital evidence handling and chain of custody. The model is constructed through three approaches: Digital Evidence Management Frameworks, Digital Evidence Bags with Tag Cabinets, as well as access control and secure communication. The proposed framework is expected to be a solution for the availability of an environment for handling digital evidence and to improve the integrity and credibility of digital evidence.
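The abstract names metadata recording and integrity as the hard parts of a digital chain of custody. As an added example, and not the Digital Evidence Cabinets model from the paper, the following shows the minimal mechanism such a record needs: an append-only ledger in which every custody entry commits to the evidence hash, the custodian, the timestamp and the digest of the previous entry, so that editing, reordering or deleting an entry is detectable, and in which the evidence is re-hashed at every handover so a copy altered in transit is refused. The evidence bytes, case identifier, custodians and timestamps are constructed for the example.

```python
"""Hash-chained chain-of-custody ledger (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Canonical digest of an entry, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canon)


class CustodyLedger:
    """Append-only custody record. Each entry commits to the evidence hash,
    the action, the custodian, the timestamp and the previous entry's digest,
    so re-ordering, editing or deleting an entry breaks verification."""

    def __init__(self, evidence_id: str, evidence: bytes, custodian: str, when: str):
        self.evidence_id = evidence_id
        self.evidence_sha256 = sha256_hex(evidence)
        self.entries: list = []
        self._append("acquired", custodian, when)

    def _append(self, action: str, custodian: str, when: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "action": action,
            "custodian": custodian,
            "timestamp": when,  # ISO 8601 UTC string supplied by the caller
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def record(self, action: str, custodian: str, when: str, evidence: bytes) -> dict:
        """Record a handover or examination. The evidence presented is re-hashed
        first so that a copy altered in transit is refused rather than admitted
        into the chain."""
        presented = sha256_hex(evidence)
        if presented != self.evidence_sha256:
            raise ValueError(
                f"evidence hash mismatch at '{action}': "
                f"{presented[:12]} != {self.evidence_sha256[:12]}"
            )
        return self._append(action, custodian, when)

    def verify(self):
        """Recompute every link and digest. Returns (True, None) if intact,
        otherwise (False, seq_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, i
            if e["entry_hash"] != entry_digest(e):
                return False, i
            prev = e["entry_hash"]
        return True, None


def demo():
    """Constructed custody history: acquisition, handover, imaging."""
    image = b"constructed disk image bytes"  # stand-in for an acquired image
    ledger = CustodyLedger("EX-2014-001", image, "Officer A", "2014-03-01T09:00:00Z")
    ledger.record("transferred", "Examiner B", "2014-03-01T12:00:00Z", image)
    ledger.record("imaged", "Examiner B", "2014-03-02T08:00:00Z", image)
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print(ledger.verify())
```

The hash chain only proves internal consistency; a party holding the whole ledger could rewrite it end to end. In practice the latest entry hash is anchored outside the ledger (signed by each custodian, or lodged with a third party), which is the access-control and secure-communication part the abstract lists separately.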

Journal ArticleDOI
TL;DR: The Xbox One was found to have increased security measures over its predecessor (the Xbox 360); the authors were able to determine that various applications had different levels of security and that game traffic was encrypted.

Journal ArticleDOI
TL;DR: This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a postmortem digital forensic analysis.
Abstract: As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.
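The abstract describes the idea (an action's signature is the set of objects it updates; an update-time threshold groups updates into instances; objects that keep history let past instances be recovered) without showing it operating. The following is an added illustration of that idea and not the paper's formalism: a signature for a hypothetical "open document in viewer" action made of two state objects, which are overwritten on every run, and one MRU-style object that retains one record per run. The object names, timestamps and the 5-second threshold are constructed for the example.

```python
"""Signature-based action instance approximation with an update-time threshold (added example)."""
from dataclasses import dataclass, field


@dataclass
class TraceObject:
    """One object in the action's signature: a file, key or record the action updates."""
    name: str
    mtime: float  # current last-update time (constructed epoch seconds)
    # earlier update times, if the object retains them (log or MRU list)
    history: list = field(default_factory=list)


def cluster_times(times, threshold):
    """Group sorted timestamps whose gap to the previous one is <= threshold."""
    clusters = []
    for t in sorted(times):
        if clusters and t - clusters[-1][-1] <= threshold:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return clusters


def reconstruct_instances(signature, threshold, min_fraction=0.5):
    """Approximate instances of the action from the objects' update times.

    Every current mtime and every retained historical update is an event.
    Events within `threshold` of each other form one candidate instance. A
    candidate is 'latest' (or 'past') when at least min_fraction of the
    signature objects support it; a candidate supported only by retained
    history is 'past'; anything else is 'partial' (e.g. one object touched by
    a different action). Results are newest first, each with the approximated
    time (the last update in its cluster) and the number of supporting objects.
    """
    events = [(o.mtime, o.name, False) for o in signature]
    events += [(t, o.name, True) for o in signature for t in o.history]
    results, latest_found = [], False
    for cluster in reversed(cluster_times([t for t, _, _ in events], threshold)):
        lo, hi = cluster[0], cluster[-1]
        members = [(t, n, h) for t, n, h in events if lo <= t <= hi]
        support = len({n for _, n, _ in members})
        complete = support / len(signature) >= min_fraction
        if complete and not latest_found:
            status, latest_found = "latest", True
        elif complete:
            status = "past"
        elif all(h for _, _, h in members):
            status = "past"
        else:
            status = "partial"
        results.append({"time": hi, "support": support, "status": status})
    return results


THRESHOLD = 5.0  # assumed update-time threshold for the example


def signature_clean():
    """Constructed signature: prefs and thumbnail cache are overwritten each
    run; recent.db keeps one record per run (two earlier runs retained)."""
    return [
        TraceObject("viewer/prefs.ini", 1000.0),
        TraceObject("viewer/thumbcache.db", 1003.0),
        TraceObject("viewer/recent.db", 1002.0, history=[500.0, 750.0]),
    ]


def signature_disturbed():
    """Same system after an unrelated action rewrote prefs.ini at t=2000."""
    sig = signature_clean()
    sig[0].mtime = 2000.0
    return sig


if __name__ == "__main__":
    for sig in (signature_clean(), signature_disturbed()):
        print(reconstruct_instances(sig, THRESHOLD))
```

The disturbed case is the one worth studying: the lone prefs.ini update at t=2000 is reported as partial rather than as the latest instance, and the run at t=1003 is still identified from the two objects that agree, which is what separating "state" objects from "history" objects buys the examiner.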

Proceedings ArticleDOI
14 Apr 2014
TL;DR: The research contributes to a digital forensics readiness framework that shows how digital evidence collection can be made strongly consumer-centric, so that all the electronic evidences that digital forensic investigation requires for suspected cases can be provided independently by the IaaS consumers.
Abstract: Cloud computing provides consumers with basic computing resources that range from storage and computing power to sophisticated applications. When digital forensics is needed for suspected cases involving cloud computing, the provider is responsible for collecting the digital evidence. Limitations of this approach include a lack of efficient incident response, and that consumers may have little or no choice but to accept the electronic evidence made available by the cloud provider. This research investigates whether it is possible to perform consumer-side digital forensics, where a consumer independently collects all digital evidence required for a suspected case from Infrastructure as a Service (IaaS) resources. In particular, the research contributes to a digital forensics readiness framework that shows how digital evidence collection can be made strongly consumer-centric, so that all the electronic evidence that a digital forensic investigation requires for suspected cases can be provided independently by the IaaS consumers.

Journal ArticleDOI
TL;DR: A digital evidence fusion method for network forensics based on Dempster-Shafer theory is proposed that can efficiently detect computer crime in networked environments and automatically fuse digital evidence from different sources such as hosts and sub-networks.
Abstract: Network intrusion forensics is an important extension to the present security infrastructure, and is becoming the focus of the forensics research field. However, compared with the sophistication of multi-stage attacks and the volume of sensor data, current practice in network forensic analysis is manual examination, an error-prone, labor-intensive and time-consuming process. To solve these problems, in this paper we propose a digital evidence fusion method for network forensics with Dempster-Shafer theory that can efficiently detect computer crime in networked environments, and automatically fuse digital evidence from different sources such as hosts and sub-networks. In the end, we evaluate the method on the well-known KDD Cup 1999 dataset. The results prove our method is very effective for real-time network forensics, and can provide comprehensible messages for forensic investigators.
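The abstract does not show the fusion step itself. As an added example, independent of the paper's method and its KDD Cup 1999 evaluation, the following implements Dempster's rule of combination over the two-hypothesis frame {attack, normal} and fuses two constructed mass assignments, one from a host-based sensor and one from a network sensor. The sensor names and mass values are constructed; the rule, the conflict term K and the belief/plausibility bounds are the standard Dempster-Shafer definitions.

```python
"""Dempster-Shafer fusion of forensic evidence from two sensors (added example)."""
from functools import reduce
from itertools import product

# Frame of discernment for one monitored host: it was attacked or it was not.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # "undecided": mass assigned to the whole frame


def check_mass(m: dict) -> None:
    """A basic probability assignment is non-negative, lives on non-empty
    subsets of THETA, and sums to 1."""
    if any(not s or not s <= THETA or v < 0 for s, v in m.items()):
        raise ValueError("mass on empty or foreign set, or negative mass")
    if abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")


def combine(m1: dict, m2: dict):
    """Dempster's rule of combination. Returns (fused masses, conflict K).
    K is the total mass the two sources put on disjoint hypotheses; K == 1
    means the sources flatly contradict each other and cannot be fused."""
    check_mass(m1)
    check_mass(m2)
    fused, conflict = {}, 0.0
    for (a, x), (b, y) in product(m1.items(), m2.items()):
        joint = a & b
        if joint:
            fused[joint] = fused.get(joint, 0.0) + x * y
        else:
            conflict += x * y
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict between sources (K = 1)")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict


def fuse_all(sources):
    """Fold Dempster's rule over any number of sources (the rule is associative
    and commutative). Returns (fused masses, conflict of the last combination)."""
    return reduce(lambda acc, m: combine(acc[0], m), sources[1:], (sources[0], 0.0))


def belief(m: dict, hyp: frozenset) -> float:
    """Bel(H): mass committed to subsets of H, i.e. evidence that implies H."""
    return sum(v for s, v in m.items() if s <= hyp)


def plausibility(m: dict, hyp: frozenset) -> float:
    """Pl(H): mass not contradicting H, the upper bound on support for H."""
    return sum(v for s, v in m.items() if s & hyp)


# Constructed evidence: a host-based sensor (process tree, file changes) and a
# network sensor (flows from the host). Mass on THETA is what each sensor
# cannot decide; only the network sensor commits any mass to "normal".
HOST_SENSOR = {ATTACK: 0.6, THETA: 0.4}
NETWORK_SENSOR = {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3}


def fuse_host(sources=(HOST_SENSOR, NETWORK_SENSOR)) -> dict:
    """Fuse the given sources and report masses, Bel/Pl of 'attack' and K."""
    fused, k = fuse_all(list(sources))
    return {
        "m_attack": fused.get(ATTACK, 0.0),
        "m_normal": fused.get(NORMAL, 0.0),
        "m_theta": fused.get(THETA, 0.0),
        "bel_attack": belief(fused, ATTACK),
        "pl_attack": plausibility(fused, ATTACK),
        "conflict": k,
    }


if __name__ == "__main__":
    for name, value in fuse_host().items():
        print(f"{name:>11}: {value:.4f}")
```

Working the constructed case by hand: the only disjoint pairing is host "attack" (0.6) against network "normal" (0.2), so K = 0.12; the attack mass is (0.30 + 0.18 + 0.20) / 0.88 and the "normal" mass is 0.08 / 0.88. Reporting K alongside the fused result matters in practice: a high K means the sensors disagree, and Dempster's rule then amplifies whichever hypothesis is not in direct conflict, which an investigator should see rather than have normalised away.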

Proceedings ArticleDOI
24 Sep 2014
TL;DR: This paper proposes the use of an ontology - the Digital Evidence Semantic Ontology (DESO) - that allows an examiner to quickly discover what artefacts may be available on a device before time-consuming processes are commenced - preventing the generation of data that may have no practical value for an investigation.
Abstract: The field of digital evidence must contend with an increasing number of devices to be examined, paralleled with increasing diversity. Examiners face a battle to understand what artefacts may exist on these devices. Further, many current forensic tools look to comprehensively examine sources of digital evidence, which can generate large amounts of, often spurious, data with no easy means of correlation. This paper proposes the use of an ontology, the Digital Evidence Semantic Ontology (DESO), that allows an examiner to quickly discover what artefacts may be available on a device before time-consuming processes are commenced, preventing the generation of data that may have no practical value for an investigation. The ontology is then used to classify this data so that equivalent artefacts across devices can be compared to make connections. The paper demonstrates how this ontology can be adapted to keep track of changes in technology and how it can be used in a laboratory environment.

Book ChapterDOI
24 Sep 2014
TL;DR: This paper proposes a heuristic model for performing digital forensics in the cloud environment with respect to the cloud user as well as the provider and focuses on the methods of finding and analyzing digital evidence in cloud computing environment.
Abstract: Cloud computing is a relatively new model in the computing world after several computing paradigms like personal, ubiquitous, grid, mobile, and utility computing. Cloud computing is synonymous with virtualization, which is about creating virtual versions of the hardware platform, the operating system or the storage devices. Virtualization poses challenges to the implementation of security as well as to cybercrime investigation in the cloud. Although several researchers have contributed to identifying digital forensic challenges and methods of performing digital forensic analysis in the cloud computing environment, we feel that finding the most appropriate methods to evaluate the uncertainty in the digital evidence is a must. This paper emphasizes the methods of finding and analyzing digital evidence in the cloud computing environment with respect to the cloud user as well as the provider. We propose a heuristic model for performing digital forensics in the cloud environment.

Proceedings ArticleDOI
17 May 2014
TL;DR: DF-C2M2 is proposed, a capability maturity model that enables organisations to evaluate the maturity of their digital forensics capabilities and identify roadmaps for improving it in accordance with business or regulatory requirements.
Abstract: The field of digital forensics has emerged as one of the fastest changing and most rapidly developing investigative specialisations in a wide range of criminal and civil cases. Increasingly there is a requirement from the various legal and judicial authorities throughout the world, that any digital evidence presented in criminal and civil cases should meet requirements regarding the acceptance and admissibility of digital evidence, e.g., Daubert or Frye in the US. There is also increasing expectation that digital forensics labs are accredited to ISO 17025 or the US equivalent ASCLD-Lab International requirements. On the one hand, these standards cover general requirements and are not geared specifically towards digital forensics. On the other hand, digital forensics labs are mostly left with costly piece-meal efforts in order to try and address such pressing legal and regulatory requirements. In this paper, we address these issues by proposing DF-C^2M^2, a capability maturity model that enables organisations to evaluate the maturity of their digital forensics capabilities and identify roadmaps for improving it in accordance with business or regulatory requirements. The model has been developed through consultations and interviews with digital forensics experts. The model has been evaluated by using it to assess the digital forensics capability maturity of a lab in a law enforcement agency.

01 Jan 2014
TL;DR: This dissertation is interested in how new types of satellite-based tracking sensors, mobile monitoring stations and their associated communication channels for LEAs can be understood and designed, taking into account the chain-of-custody and monitoring-of-legality requirements.
Abstract: Rajamäki, Jyri. Studies of satellite-based tracking systems for improving law enforcement: Comprising investigation data, digital evidence and monitoring of legality. Jyväskylä: University of Jyväskylä, 2014, 166 p. (+included articles) (Jyväskylä Studies in Computing ISSN 1456-5390; 192). ISBN 978-951-39-5788-9 (nid.), ISBN 978-951-39-5789-6 (PDF). Finnish summary. Diss.
Law enforcement agencies (LEAs) constantly seek new technological recording, retrieving and monitoring solutions that would facilitate their combat against organized crime. This dissertation is interested in how new types of satellite-based tracking sensors, mobile monitoring stations and their associated communication channels for LEAs can be understood and designed, taking into account the chain-of-custody and monitoring-of-legality requirements. The empirical data for the eight cases of the dissertation were collected within four research projects from 2007 to 2014. The theoretical framework is built on systems-of-systems theory and the normative design theories of information infrastructures and software-intensive systems. Satellite-based sensors and systems benefit LEAs when tracking non-cooperative targets. However, management of numerous electronic tracking devices within many simultaneous crime investigations has proven to be a demanding task for LEAs. Complications have spawned many lawsuits and negative publicity. These episodes have diminished citizens' trust in a constitutional state. It has been verified by means of participative observations that LEAs have a tendency to create two-level systems: some that work on the streets and others that are valid in the courts of justice. The importance of transparency is emphasized at all EU administrative levels. However, LEAs concentrate only on data acquisition rather than on making their operations transparent throughout. Because of the privacy protection of suspects, investigations and data acquisition cannot be made public. However, these operations could be so transparent that criticism and control by citizens become possible. To improve LEAs' processes, the three main functions (crime investigation, chain-of-custody and monitoring-of-legality) should be considered together. Combining their separate information systems will avoid tripling the workload. It will also lead to additional benefits, such as transparency of surveillance and a new tool for achieving a balance between surveillance and privacy.

BookDOI
24 Jul 2014
TL;DR: This official guide supplies a global perspective of key topics within the cyber forensics field, including chain of custody, evidence analysis, network forensics, and cloud forensics and explains how to apply forensics techniques to other information security disciplines, such as e-discovery, malware analysis, or incident response.
Abstract: Cyber forensic knowledge requirements have expanded and evolved just as fast as the nature of digital information has, requiring cyber forensics professionals to understand far more than just hard drive intrusion analysis. The Certified Cyber Forensics Professional (CCFP) designation ensures that certification holders possess the necessary breadth, depth of knowledge, and analytical skills needed to address modern cyber forensics challenges. Official (ISC)² Guide to the CCFP CBK supplies an authoritative review of the key concepts and requirements of the Certified Cyber Forensics Professional (CCFP) Common Body of Knowledge (CBK). Encompassing all of the knowledge elements needed to demonstrate competency in cyber forensics, it covers the six domains: Legal and Ethical Principles, Investigations, Forensic Science, Digital Forensics, Application Forensics, and Hybrid and Emerging Technologies. Compiled by leading digital forensics experts from around the world, the book provides the practical understanding in forensics techniques and procedures, standards of practice, and legal and ethical principles required to ensure accurate, complete, and reliable digital evidence that is admissible in a court of law. This official guide supplies a global perspective of key topics within the cyber forensics field, including chain of custody, evidence analysis, network forensics, and cloud forensics. It also explains how to apply forensics techniques to other information security disciplines, such as e-discovery, malware analysis, or incident response. Utilize this book as your fundamental study tool for achieving the CCFP certification the first time around. Beyond that, it will serve as a reliable resource for cyber forensics knowledge throughout your career.

Journal ArticleDOI
TL;DR: The main purpose of this study is to discuss the different comparative studies on digital forensics process models, especially in the field of mobile devices, and the need for a consensus to follow the same underlying approaches while continually updating digital forensic process models to cover new emerging technologies and devices.
Abstract: The main purpose of this study is to discuss the different comparative studies on digital forensics process models, especially in the field of mobile devices. In order to legally pursue digital criminals, an investigation should be conducted in a forensically sound manner so that the acquired evidence will be accepted in a court of law. Digital forensic process models define the important steps that should be followed to assure that the investigation is performed successfully. There are a number of digital forensic process models developed by various organizations worldwide, but as yet there is no agreement among forensics investigation and legislative delegations on which procedures to adhere to, especially in the case of facing mobile devices with the latest technologies. This is vital, as mobile phones and other mobile devices such as PDAs or tablets are becoming ever-present as the main technology platform around the world and people are obtaining and using mobile phones more than ever. In this study we give a review of the digital forensics process models proposed within the last 7 years and discuss the need for a consensus to follow the same underlying approaches while continually updating digital forensics process models to cover new emerging technologies and devices.

Dissertation
01 Jan 2014
TL;DR: The results prove that metadata based associations can be used to extract meaningful relationships between digital artifacts, thus potentially benefiting real-life forensics investigations.
Abstract: Digital forensics concerns the analysis of electronic artifacts to reconstruct events such as cyber crimes. This research produced a framework to support forensic analyses by identifying associations in digital evidence using metadata. It showed that metadata based associations can help uncover the inherent relationships between heterogeneous digital artifacts thereby aiding reconstruction of past events by identifying artifact dependencies and time sequencing. It also showed that metadata association based analysis is amenable to automation by virtue of the ubiquitous nature of metadata across forensic disk images, files, system and application logs and network packet captures. The results prove that metadata based associations can be used to extract meaningful relationships between digital artifacts, thus potentially benefiting real-life forensics investigations.
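The abstract says metadata associations across disk images, logs and packet captures are amenable to automation but does not show one. As an added example, not the dissertation's framework, the following links artifacts from three constructed sources (a file from a disk image, a log line and a flow from a capture) whenever they share a value for an association field such as a content hash, a filename or a user, then walks the resulting graph from one artifact and orders what it reaches by time. The artifacts, the timestamps and the choice of association fields are all constructed for the example.

```python
"""Metadata-based association of heterogeneous artifacts (added example)."""
from collections import defaultdict, deque
from itertools import combinations

# Constructed artifacts from three evidence sources. Times are epoch seconds
# chosen for the example; real sources would be normalised to UTC first.
ARTIFACTS = [
    {"id": "f1", "source": "disk", "time": 100, "name": "report.docx",
     "sha256": "aa11", "user": "alice"},
    {"id": "l1", "source": "syslog", "time": 105, "name": "report.docx",
     "user": "alice", "event": "open"},
    {"id": "p1", "source": "pcap", "time": 110, "sha256": "aa11",
     "dst": "203.0.113.5"},
    {"id": "f2", "source": "disk", "time": 50, "name": "notes.txt",
     "sha256": "bb22", "user": "bob"},
]

# Metadata fields whose equal values link two artifacts (assumption for the example).
ASSOCIATION_KEYS = ("sha256", "name", "user")


def build_associations(artifacts, keys=ASSOCIATION_KEYS):
    """Return sorted edges (a_id, b_id, key, value), one per pair of artifacts
    sharing a value for one of `keys`. An inverted index avoids comparing
    every artifact with every other one."""
    index = defaultdict(list)
    for art in artifacts:
        for k in keys:
            if k in art:
                index[(k, art[k])].append(art["id"])
    edges = set()
    for (k, v), ids in index.items():
        for a, b in combinations(sorted(set(ids)), 2):
            edges.add((a, b, k, v))
    return sorted(edges)


def linked_timeline(artifacts, edges, start_id):
    """Breadth-first walk over the association graph from start_id; returns
    the reachable artifacts ordered by time, i.e. the sequence of events they
    jointly support."""
    by_id = {a["id"]: a for a in artifacts}
    adjacent = defaultdict(set)
    for a, b, _, _ in edges:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, queue = {start_id}, deque([start_id])
    while queue:
        current = queue.popleft()
        for nxt in adjacent[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted((by_id[i] for i in seen), key=lambda a: a["time"])


def demo():
    """Associations for the constructed set and the timeline reachable from f1."""
    edges = build_associations(ARTIFACTS)
    timeline = linked_timeline(ARTIFACTS, edges, "f1")
    return edges, [a["id"] for a in timeline]


if __name__ == "__main__":
    edges, ids = demo()
    for edge in edges:
        print("link", edge)
    print("timeline", ids)
```

The pcap flow has no filename and the log line has no hash, yet both end up attached to the same document, the log line through name and user and the flow through the hash, which is the kind of cross-source dependency the abstract describes; the unrelated notes.txt stays disconnected.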

Journal Article
TL;DR: A model for reconstructing malicious VoIP attacks is proposed; a formal logic approach called Secure Temporal Logic of Action (S-TLA+) was adopted in rebuilding the attack scenario, and the expected result is to generate additional related evidence.
Abstract: Voice over Internet Protocol (VoIP) is a new communication technology that uses the internet protocol to provide phone services. VoIP provides various benefits such as a low monthly fee and cheaper rates for long-distance and international calls. However, VoIP is accompanied by novel security threats. Criminals often take advantage of such security threats and commit illicit activities. These activities require digital forensic experts to acquire, analyse, reconstruct and provide digital evidence. Meanwhile, there are various methodologies and models proposed for detecting, analysing and providing digital evidence in VoIP forensics. However, at the time of writing this paper, there is no model formalized for the reconstruction of malicious VoIP attacks. Reconstruction of the attack scenario is an important technique for exposing unknown criminal acts. Hence, this paper strives to address that gap. We propose a model for reconstructing malicious VoIP attacks. To achieve that, a formal logic approach called Secure Temporal Logic of Action (S-TLA+) was adopted in rebuilding the attack scenario. The expected result of this model is to generate additional related evidence, whose consistency with the existing evidence can be determined by means of the S-TLA+ model checker.

Proceedings ArticleDOI
24 Sep 2014
TL;DR: The proposed resource-based event reconstruction prototype can enhance the capability of an organization for collecting, preserving, protecting, and analysing digital evidence by regarding system resources as an evidence source and system calls as digital events.
Abstract: To ensure that the potential evidence is readily available in an acceptable form when an incident or a crime occurs, we propose a resource-based event reconstruction prototype that corresponds to different phases of digital forensics framework, and demonstrate its feasibility by assessing the applicability of existing open-source applications to the proposed prototype. The feasibility study results show that the proposed prototype can enhance the capability of an organization for collecting, preserving, protecting, and analysing digital evidence by regarding system resources as an evidence source and system calls as digital events.
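Treating system calls as the events and system resources as the evidence source, as the abstract above describes, comes down to resolving each call back to the resource it touched. The following added example (not the authors' prototype) does that over a constructed trace in the style of `strace -f -ttt` output: it tracks the per-process descriptor table so that reads and writes are attributed to the file or socket behind the descriptor, drops the mapping on close so that a reused descriptor number is not attributed to the old resource, and records failed opens as events in their own right. The trace lines and the resource naming scheme are constructed for the example.

```python
"""Reconstruct per-resource event histories from a system-call trace.

Added illustration, not the paper's prototype. TRACE is constructed in the
style of `strace -f -ttt` output (pid, epoch timestamp, call = result);
the descriptor-resolution logic and resource names are the example's own.
"""
import re
from collections import namedtuple

TRACE = """\
4242 1393754045.001 open("/etc/passwd", O_RDONLY) = 3
4242 1393754045.002 read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 4096) = 1024
4242 1393754045.003 close(3) = 0
4242 1393754045.010 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
4242 1393754045.011 connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
4242 1393754045.012 write(3, "POST /up HTTP/1.1\\r\\n"..., 1024) = 1024
4242 1393754045.013 close(3) = 0
4242 1393754045.020 open("/tmp/.x/payload.bin", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 3
4242 1393754045.021 write(3, "\\177ELF\\2\\1\\1"..., 8192) = 8192
4242 1393754045.022 close(3) = 0
4242 1393754045.030 open("/root/.ssh/id_rsa", O_RDONLY) = -1 EACCES (Permission denied)
4242 1393754045.040 exit_group(0) = ?
+++ exited with 0 +++
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<pid>\d+) (?P<ts>\d+\.\d+) (?P<call>\w+)\((?P<args>.*)\) = (?P<ret>-?\d+)(?P<rest>.*)$")
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first C-quoted string argument
ADDR_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')

Event = namedtuple("Event", "ts pid resource op ok")


def first_fd(args):
    return int(args.split(",", 1)[0].strip())


def reconstruct(lines):
    """Map every syscall to the resource it acted on, resolving descriptors per process."""
    fd_table = {}  # (pid, fd) -> resource; entries are removed on close so reused fds resolve correctly
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # banners such as '+++ exited with 0 +++' and calls that never return ('= ?')
        pid, ts, call, args = int(m["pid"]), float(m["ts"]), m["call"], m["args"]
        ret = int(m["ret"])
        ok = ret >= 0
        if call in ("open", "openat", "creat"):
            path = STR_RE.search(args).group(1)
            if ok:
                fd_table[(pid, ret)] = path
            events.append(Event(ts, pid, path, "open", ok))  # failed opens are evidence too
        elif call == "socket":
            if ok:
                fd_table[(pid, ret)] = f"socket:{pid}:{ret}"  # renamed once connect() gives a peer
        elif call == "connect":
            fd = first_fd(args)
            a = ADDR_RE.search(args)
            name = f"tcp://{a.group(2)}:{a.group(1)}" if a else fd_table.get((pid, fd), f"fd:{fd}?")
            fd_table[(pid, fd)] = name
            events.append(Event(ts, pid, name, "connect", ok))
        elif call in ("read", "write"):
            fd = first_fd(args)
            events.append(Event(ts, pid, fd_table.get((pid, fd), f"fd:{fd}?"), call, ok))
        elif call == "close":
            res = fd_table.pop((pid, first_fd(args)), None)
            if res is not None:
                events.append(Event(ts, pid, res, "close", ok))
    return events


def by_resource(events):
    """Per-resource history: resource -> [(op, succeeded), ...] in time order."""
    hist = {}
    for e in sorted(events, key=lambda e: e.ts):
        hist.setdefault(e.resource, []).append((e.op, e.ok))
    return hist


if __name__ == "__main__":
    for resource, ops in by_resource(reconstruct(TRACE)).items():
        print(resource, ops)
```

The point of the descriptor table is visible in the sample: descriptor 3 is used three times for three different resources, and the write of an ELF header is attributed to `/tmp/.x/payload.bin` rather than to `/etc/passwd` only because the earlier close removed the stale mapping. A trace that starts mid-process will still produce `fd:N?` placeholders for descriptors opened before capture began, which is the correct thing to report rather than guess.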

Proceedings ArticleDOI
10 Sep 2014
TL;DR: The aim of this work is to provide a starting point on the profiling of the cyberstalker, so that investigators could then proceed with informed assumptions about the offender, according to his digital traces and also achieve reduced time for the digital investigation.
Abstract: Cyberstalking has many new manifestations with the opportunities offered by modern technology. It is a growing issue that presents significant distress to its victims. This type of crime presents difficulty to computer forensic investigators in the large amounts of digital evidence accumulated over time and in offender apprehension. There is currently little research on profiling the cyberstalker through a digital investigation. However, techniques employed for dead-end offline investigations, including criminal profiling, can also be applied to cybercrime. This research focuses on developing a methodology for profiling the cyberstalker. We adapted the Behavioural Evidence Analysis methodology to the digital investigation process and attempted to construct our profiling methodology. The methodology was evaluated by using a simulation of stalking behaviours to produce a technical, as well as a criminal, profile. The aim of this work is to provide a starting point on the profiling of the cyberstalker. Investigators could then proceed with informed assumptions about the offender, according to his digital traces, and also achieve reduced time for the digital investigation.

Journal ArticleDOI
TL;DR: It is shown how evidence extracted by using forensic tools can be integrated with legal reasoning to reconstruct network attack scenarios and can provide a pre-estimate of admissibility for a digital crime against an attacked network.
Abstract: Attackers tend to use complex techniques such as combining multi-step, multi-stage attacks with anti-forensic tools to make it difficult to find incriminating evidence and reconstruct attack scenarios that can stand up to the expected level of evidence admissibility in a court of law. As a solution, we propose to integrate the legal aspects of evidence correlation into a Prolog-based reasoner to address the admissibility requirements by creating the most probable attack scenarios that satisfy admissibility standards for substantiating evidence. Using a prototype implementation, we show how evidence extracted by using forensic tools can be integrated with legal reasoning to reconstruct network attack scenarios. Our experiment shows this implemented reasoner can provide a pre-estimate of admissibility for a digital crime against an attacked network.
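To make the "reasoner plus admissibility" idea concrete, here is an added example in Python rather than Prolog; it is not the authors' reasoner. A small forward-chaining engine derives attack steps (exploitation, foothold, lateral movement, exfiltration) from tool-extracted facts with Horn rules, and every derived fact keeps the set of base evidence items it rests on. The admissibility pre-estimate is then computed from that support set: a scenario is flagged if any item it depends on lacks an integrity hash or has a chain-of-custody gap. The evidence base, the rules and the two admissibility criteria are constructed for the example; a real assessment would encode the applicable rules of evidence, not these two flags.

```python
"""Forward-chaining attack-scenario reconstruction with an admissibility pre-estimate.

Added illustration, not the authors' Prolog reasoner. Evidence base, rules
and the admissibility criteria (integrity hash recorded, chain of custody
documented) are constructed for the example.
"""

# Constructed evidence base: fact tuple plus metadata on how it was acquired.
EVIDENCE = {
    "e1": (("ids_alert", "203.0.113.7", "web01", "sql_injection"),
           {"tool": "snort", "hashed": True, "custody": True}),
    "e2": (("webserver_log", "203.0.113.7", "web01", "UNION SELECT"),
           {"tool": "apache", "hashed": True, "custody": True}),
    "e3": (("new_account", "web01", "svc_backup"),
           {"tool": "ad_export", "hashed": False, "custody": True}),   # no integrity hash taken
    "e4": (("netflow", "web01", "db01", 1433),
           {"tool": "nfdump", "hashed": True, "custody": True}),
    "e5": (("db_audit", "db01", "svc_backup", "bulk_export"),
           {"tool": "mssql_audit", "hashed": True, "custody": False}),  # custody gap
}

# Horn rules, head <- body. Strings starting with '?' are variables.
RULES = [
    (("exploited", "?A", "?H"),
     [("ids_alert", "?A", "?H", "?Sig"), ("webserver_log", "?A", "?H", "?Req")]),
    (("foothold", "?A", "?H"),
     [("exploited", "?A", "?H"), ("new_account", "?H", "?U")]),
    (("lateral", "?A", "?H", "?T"),
     [("foothold", "?A", "?H"), ("netflow", "?H", "?T", "?Port")]),
    (("exfiltration", "?A", "?T"),
     [("lateral", "?A", "?H", "?T"), ("db_audit", "?T", "?U", "bulk_export")]),
]


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def unify(pattern, fact, binds):
    """Extend binds so pattern matches fact, or return None."""
    if len(pattern) != len(fact):
        return None
    b = dict(binds)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in b and b[p] != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def substitute(pattern, binds):
    return tuple(binds.get(t, t) if is_var(t) else t for t in pattern)


def matches(body, known, binds, support):
    """Yield (bindings, supporting evidence ids) for every way the body is satisfied."""
    if not body:
        yield binds, support
        return
    for fact, sup in list(known.items()):
        b = unify(body[0], fact, binds)
        if b is not None:
            yield from matches(body[1:], known, b, support | sup)


def forward_chain(evidence, rules):
    """Derive facts to a fixpoint; each derived fact keeps the base evidence ids it rests on."""
    known = {fact: frozenset([eid]) for eid, (fact, _) in evidence.items()}
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            new = {}
            for binds, support in matches(body, known, {}, frozenset()):
                derived = substitute(head, binds)
                if derived not in known and derived not in new:
                    new[derived] = support
            if new:
                known.update(new)
                changed = True
    return known


def assess(fact, known, evidence):
    """Admissibility pre-estimate: (admissible, ids of supporting items that fail a criterion)."""
    weak = sorted(eid for eid in known[fact]
                  if not (evidence[eid][1]["hashed"] and evidence[eid][1]["custody"]))
    return (len(weak) == 0, weak)


def scenarios(known, evidence, predicate):
    """Derived facts with the given predicate, most admissible first."""
    rows = [(f, *assess(f, known, evidence)) for f in known if f[0] == predicate]
    return sorted(rows, key=lambda r: (not r[1], len(r[2])))


if __name__ == "__main__":
    known = forward_chain(EVIDENCE, RULES)
    for pred in ("exploited", "foothold", "lateral", "exfiltration"):
        for fact, admissible, weak in scenarios(known, EVIDENCE, pred):
            print(fact, "admissible" if admissible else f"weakened by {weak}")
```

Carrying the support set along with each derivation is what makes the legal check cheap: the engine never re-examines the evidence, it only looks at which base items a conclusion transitively depends on. In the constructed case the exploitation step stands on its own, but the full exfiltration scenario inherits the weaknesses of the account export and the database audit log, which is exactly the kind of pre-estimate an investigator would want before deciding what to re-acquire.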


Proceedings ArticleDOI
12 May 2014
TL;DR: A case study reconstructing browser sessions carried out using the Orweb private web browser, an Android browser which uses Onion Routing to anonymize web traffic and records no browsing history, concludes that rooting the device is unnecessary and thus should be avoided.
Abstract: The issue of whether to "root" a small scale digital device in order to be able to execute acquisition tools with kernel-level privileges is a vexing one. In the early research literature about Android forensics, and in the commercial forensic tools alike, the common wisdom was that "rooting" the device modified its memory only minimally, and enabled more complete acquisition of digital evidence, and thus was, on balance, an acceptable procedure. This wisdom has been subsequently challenged, and alternative approaches to complete acquisition without "rooting" the device have been proposed. In this work, we address the issue of forensic acquisition techniques for Android devices through a case study we conducted to reconstruct browser sessions carried out using the Orweb private web browser. Orweb is an Android browser which uses Onion Routing to anonymize web traffic, and which records no browsing history. Physical and logical examinations were performed on both rooted and non-rooted Samsung Galaxy S2 smartphones running Android 4.1.1. The results indicate that for investigations of Orweb browsing history, there is no advantage to rooting the device. We conclude that, at least for similar investigations, rooting the device is unnecessary and thus should be avoided.