Showing papers on "Digital evidence published in 2015"

The interface between forensic science and technology: how technology could cause a paradigm shift in the role of forensic institutes in the criminal justice system.

Abstract: In this paper, the importance of modern technology in forensic investigations is discussed. Recent technological developments are creating new possibilities to perform robust scientific measurements and studies outside the controlled laboratory environment. The benefits of real-time, on-site forensic investigations are manifold and such technology has the potential to strongly increase the speed and efficacy of the criminal justice system. However, such benefits are only realized when quality can be guaranteed at all times and findings can be used as forensic evidence in court. At the Netherlands Forensic Institute, innovation efforts are currently undertaken to develop integrated forensic platform solutions that allow for the forensic investigation of human biological traces, the chemical identification of illicit drugs and the study of large amounts of digital evidence. These platforms enable field investigations, yield robust and validated evidence and allow for forensic intelligence and targeted use of expert capacity at the forensic institutes. This technological revolution in forensic science could ultimately lead to a paradigm shift in which a new role of the forensic expert emerges as developer and custodian of integrated forensic platforms.

Digital evidence and the U.S. Criminal Justice System. Identifying technology and other needs to more effectively acquire and utilize digital evidence.

Abstract: With digital devices becoming ubiquitous, digital evidence is increasingly important to the investigation and prosecution of many types of crimes. This report describes results of a research effort to identify and prioritize criminal justice needs related to digital evidence collection, management, analysis, and use.

A Comprehensive and Harmonized Digital Forensic Investigation Process Model.

Abstract: Performing a digital forensic investigation (DFI) requires a standardized and formalized process. There is currently neither an international standard nor does a global, harmonized DFI process (DFIP) exist. The authors studied existing state-of-the-art DFIP models and concluded that there are significant disparities pertaining to the number of processes, the scope, the hierarchical levels, and concepts applied. This paper proposes a comprehensive model that harmonizes existing models. An effort was made to incorporate all types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness. The authors introduce a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence. Ultimately, the proposed model is intended to be used for different types of DFI and should lead to standardization.

VCR: App-Agnostic Recovery of Photographic Evidence from Android Device Memory Images

Abstract: The ubiquity of modern smartphones means that nearly everyone has easy access to a camera at all times In the event of a crime, the photographic evidence that these cameras leave in a smartphone's memory becomes vital pieces of digital evidence, and forensic investigators are tasked with recovering and analyzing this evidence Unfortunately, few existing forensics tools are capable of systematically recovering and inspecting such in-memory photographic evidence produced by smartphone cameras In this paper, we present VCR, a memory forensics technique which aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device's cameras By leveraging key aspects of the Android framework, VCR extends existing memory forensics techniques to improve vendor-customized Android memory image analysis Based on this, VCR targets application-generic artifacts in an input memory image which allow photographic evidence to be collected no matter which application produced it Further, VCR builds upon the Android framework's existing image decoding logic to both automatically recover and render any located evidence Our evaluation with commercially available smartphones shows that VCR is highly effective at recovering all forms of photographic evidence produced by a variety of applications across several different Android platforms

Overview of the Forensic Investigation of Cloud Services

Abstract: Cloud Computing is a commonly used, yet ambiguous term, which can be used to refer to a multitude of differing dynamically allocated services. From a law enforcement and forensic investigation perspective, cloud computing can be thought of as a double edged sword. While on one hand, the gathering of digital evidence from cloud sources can bring with it complicated technical and cross-jurisdictional legal challenges. On the other, the employment of cloud storage and processing capabilities can expedite the forensics process and focus the investigation onto pertinent data earlier in an investigation. This paper examines the state-of-the-art in cloud-focused, digital forensic practises for the collection and analysis of evidence and an overview of the potential use of cloud technologies to provide Digital Forensics as a Service.

Adding event reconstruction to a Cloud Forensic Readiness model

Abstract: During post-event response, proactive forensics is of critical importance in any organisation when conducting digital forensic investigations in cloud environments. However, there exist no reliable event reconstruction processes in the cloud that can help in analysis and examination of Digital Evidence (DE) aspects, during Digital Forensic Readiness (DFR) process, as defined in the standard of ISO/IEC 27043:2015. The problem that this paper addresses is the lack of an easy way of performing digital event reconstruction process when the cloud is forensically ready in preparation of a Digital Forensic Investigation (DFI). During DFR approaches, event reconstruction helps in examination and pre-analysis of the characteristics of potential security incidents. As a result, the authors have proposed an Enhanced Cloud Forensic Readiness (ECFR) process model with event reconstruction process that can support future investigative technologies with a degree of certainty. We also propose an algorithm that shows the methodology that is used to reconstruct events in the ECFR. The main focus of this work is to examine the addition of event reconstruction to the initially proposed Cloud Forensic Readiness (CFR) model, by providing a more enhanced and detailed cloud forensic readiness model.

Digital Chain of Custody: State of the Art

Abstract: Digital forensics starts to show its role and contribution in the society as a solution in disclosure of cybercrime. The essential in digital forensics is chain of custody, which is an attempt to preserve the integrity of digital evidence as well as a procedure for performing documentation chronologically toward evidence. The characteristics of digital evidence have caused the handling chain of custody is becoming more complicated and complex. A number of researchers have contributed to provide solutions for the digital chain custody through a different point of views. This paper gives an overview of the extent to which the problem and challenges are faced in the digital chain of custody issue as well as the scope of researches that can be done to contribute in the issue of the digital chain of custody.

Digital forensics investigation methodology applicable for social network services

Abstract: Social network services (SNSs) contain various information such as conversations between users, user location information, personal network, and user psychology. This information can be useful for incident investigation. However, in SNSs, unlike computing services that offer services by saving data on a device, a device that uses a SNS with real-time synchronization generally only saves information that is not effective evidence, such as SNS usage log records. However, if digital evidence can be collected through an appropriate digital forensic process, various information such as a social network user's friend list, conversations, and personal relationships can be collected as digital evidence. Therefore, this paper suggests a digital forensic process for digital devices using SNSs. To analyze digital evidence about SNSs, this proposed method is composed of effective processes, classifying digital devices, collecting digital evidence, and analysis.

Automated inference of past action instances in digital investigations

Abstract: As the amount of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a postmortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory if signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.

Data Sources for Advancing Cyber Forensics: What the Social World has to Offer

Abstract: Cyber forensics is fairly new as a scientific discipline and deals with the acquisition, authentication and analysis of digital evidence. One of the biggest challenges in this domain has thus far been real data sources that are available for experimentation. Only a few data sources exist at the time writing of this paper. The authors in this paper deliberate how social media data sources may impact future directions in cyber forensics, and describe how these data sources may be used as new digital forensic artifacts in future investigations. The authors also deliberate how the scientific community may leverage publically accessible social media data to advance the state of the art in Cyber Forensics.

Integrated Computer Forensics Investigation Process Model (ICFIPM) for Computer Crime Investigations

Abstract: Contrary to traditional crimes for which there exists deep-rooted standards, procedures and models upon which courts of law can rely, there are no formal standards, procedures nor models for digital forensics to which courts can refer. Although there are already a number of various digital investigation process models, these tend to be ad-hoc procedures. In order for the case to prevail in the court of law, the processes followed to acquire digital evidence and terminology utilised must be thorough and generally accepted in the digital forensic community. The proposed novel process model is aimed at addressing both the practical requirements of digital forensic practitioners and the needs of courts for a formal computer investigation process model which can be used to process the digital evidence in a forensically sound manner. Moreover, unlike the existing models which focus on one aspect of process, the proposed model describes the entire lifecycle of a digital forensic investigation.

Behavioural Evidence Analysis Applied to Digital Forensics: An Empirical Analysis of Child Pornography Cases Using P2P Networks

Abstract: The utility of Behavioural Evidence Analysis (BEA) has gained attention in the field of Digital Forensics in recent years. It has been recognized that, along with technical examination of digital evidence, it is important to learn as much as possible about the individuals behind an offence, the victim (s) and the dynamics of a crime. This can assist the investigator in producing a more accurate and complete reconstruction of the crime, in interpreting associated digital evidence, and with the description of investigative findings. Despite these potential benefits, the literature shows limited use of BEA for the investigation of cases of the possession and dissemination of Sexually Exploitative Imagery of Children (SEIC). This paper represents a step towards filling this gap. It reports on the forensic analysis of 15 SEIC cases involving P2P file sharing networks, obtained from the Dubai Police. Results confirmed the predicted benefits and indicate that BEA can assist digital forensic practitioners and prosecutors.

A Proposed Digital Forensics Business Model to Support Cybercrime Investigation in Indonesia

Abstract: Digital forensics will always include at least human as the one who performs activities, digital evidence as the main object, and process as a reference for the activities followed. The existing framework has not provided a description of the interaction between human, interaction between human and digital evidence, as well as interaction between human and the process itself. A business model approach can be done to provide the idea regarding the interaction in question. In this case, what has been generated by the author in the previous study through a business model of the digital chain of custody becomes the first step in constructing a business model of a digital forensics. In principle, the proposed business model already accommodates major components of digital forensics (human, digital evidence, process) and also considers the interactions among the components. The business model suggested has contained several basic principles as described in The Regulation of Chief of Indonesian National Police (Perkap) No 10/2010. This will give support to law enforcement to deal with cybercrime cases that are more frequent and more sophisticated, and can be a reference for each institution and organization to implement digital forensics activities.

Development and Initial User Evaluation of a Virtual Crime Scene Simulator Including Digital Evidence

Abstract: Imagine the following scenario: an inexperienced law enforcement officer enters a crime scene and – on finding a USB key on a potential suspect – inserts it into a nearby Windows desktop computer hoping to find some information which may help an ongoing investigation. The desktop crashes and all data on the USB key and on the Windows desktop has now been potentially compromised. However, the law enforcement officer in question is using a Virtual Crime Scene Simulator and has just learned a valuable lesson. This paper discusses the development and initial user evaluation of a Virtual Crime Scene Simulator that includes the ability to interact with and perform live triage of commonly-found digital devices. Based on our experience of teaching digital evidence handling, we aimed to create a realistic virtual environment that integrates many different aspects of the digital and physical crime scene processing, such as physical search activities, triage of digital devices, note taking and form filling, interaction with suspects at the scene, as well as search team training.

Forensic investigation and analysis on digital evidence discovery through physical acquisition on smartphone

Abstract: Cybercriminals are changing their strategies as users are less concerns on the smartphone and social networks security risks such as spams, that will threaten them as they are more dependent on the smartphone [1]. Thus, there's a need to perform the smartphone forensics analysis to retrieve and analysed the potentially great amounts and extremely valuable information on these devices. This paper investigates a wealth of personal and sensitive data by types of digital information as evidence and conducted forensic analysis on a popular smartphone Samsung Galaxy Note III. The standard approach applied to extract information from smartphone through physical acquisition and analysis using Cellebrite UFED. The results are presented to demonstrate the smartphone as a goldmine for investigators and as sources of digital evidence. Furthermore this research also presents the forensic tool and techniques for acquiring and examining digital evidence on this device. The evidence discovered include files, contacts, events of smartphone and social network data storage and location. The smartphone examined produced abundant user information and in total 98,127 artefacts were recovered. Performing the extraction and analysis of digital evidence over smartphone activities show the possibility of identifying potential suspects that could assist the forensic investigators in crime investigations.

Using yin’s approach to case studies as a paradigm for conducting examinations

Abstract: At the heart of any forensic science discipline is the need to ensure that a method applied in the discipline is based on a factual foundation or valid scientific method. In digital forensics, the aim of an examination is to make consistent inferences about events with high certainty. The highest state of inference is a determination of causality. Two scientific methods that can be applied in digital forensic examinations to determine causality are experimentation and case studies. Experimentation has been used in a range of scientific studies, but there are situations where it is not always possible to conduct experiments. In these cases, the only option is to carry out case studies. A case study approach is not widely used in the natural sciences, but it has been accepted as a valid method that can produce insightful results in digital forensic examinations. This chapter focuses on conducting digital evidence examinations using Yin’s approach to case studies as a paradigm. The goal is to show that Yin’s case study approach can be applied suitably and that it is useful in digital forensic settings.

Data Warehousing Based Computer Forensics Investigation Framework

Abstract: In this paper, we have proposed the design of an efficient computer forensics investigation framework The proposed framework improves the investigation efficiency using Data Warehouse (DW) concept, which provides a selective evidence identification, collection and analysis So, only relevant data is investigated instead of investigating the entire user data The proposed framework consists of a Data Warehouse Engine (DWE) to selectively identify, collect and analyze digital evidences from multiple digital resources A Digital Evidence Preservation (DEP) mechanism is also introduced for preservation of the collected digital evidences whose authenticity is ensured using cryptographic techniques An access control mechanism is implemented to allow only authorized investigator to access the preserved digital evidences The DEP mechanism provides court of law with a Secure Forensic Audit Trial (SFAT) that helps in tracking happened activities on the collected evidences for ensuring the authenticity and reliability of the presented digital evidence

Design and Implementation of a Cloud Based Computer Forensic Tool

Abstract: Nowadays, Cloud computing is receiving more and more attention from the information and communication technology industry recently. Thus, From the demand of cloud users digital forensics in cloud computing are a raw expanse of study linked to the increasing use of information processing governance, internet and digital computer storage devices in numerous criminal actions in both traditional and Hi-Tech. The digital forensics, including handle, conduct of, study, and document digital evidence in a court of law. Digital Forensic tool in a cloud computing environment is a big demand from forensic investigator. Thus, in the process of digital forensics, it is needed to create an image of the original digital data without damage and to show that the computer evidence existed at the specific time. The evidences are then analyzed by the forensic investigator. After the proof is examined, it is obliged to make a report to embrace it as legitimately successful confirmation in the law court. To give an advanced crime scene investigation benefit on cloud environment, a cloud based computer forensic tool is proposed in this paper. To probe the evidence multiple features are provided in this tool like data recovery, sorting, indexing, hex viewer, data bookmarking.

Distributed Network Forensics Framework: A Systematic Review

Abstract: Network forensics is a branch of digital forensics, which applies to network security. It is used to relate monitoring and analysis of the computer network traffic, that helps us in collecting information and digital evidence, for the protection of network that can use as firewall and IDS. Firewalls and IDS can’t always prevent and find out the unauthorized access within a network. This paper presents an extensive survey of several forensic frameworks. There is a demand of a system which not only detects the complex attack, but also it should be able to understand what had happened. Here it talks about the concept of the distributed network forensics. The concept of the Distributed network forensics is based on the distributed techniques, which are useful for providing an integrated platform for the automatic forensic evidence gathering and important data storage, valuable support and an attack attribution graph generation mechanism to depict hacking events.

Mobile Device Forensics: Extracting and Analysing Data from an Android-Based Smartphone

Abstract: The advancement of wireless technology and mobile devices have change our life tremendously. The number of smartphone users increases and majority people rely on it for communication and business related matters. While smartphones are used for positive aspects of our life, it is also used by criminals as medium for their modus operandi. Therefore, there are potential information stored in smartphones that can be used for digital evidence as part of an investigation. However, investigators may face challenges in extracting crucial information and the vital data stored in the smartphone. In this paper, we share on how we studied and experimented several methods on how data in smartphones can be extracted and analysed using the Sleuth Kit Autopsy. The aim of this work is to discover methods of extracting and analysing data from an Android based smartphone. We managed to obtain email, contact, messages, calendar, and images data that can be of used as digital evidence in an investigation.

EviCheck: Digital Evidence for Android

Abstract: We present EviCheck, a tool for the verification, certification and generation of lightweight fine-grained security policies for Android. It applies static analysis to check the conformance between an application and a given policy. A distinguishing feature of EviCheck is its ability to generate digital evidence: a certificate for the analysis algorithm asserting the conformance between the application and the policy. This certificate can be independently checked by another component (tool) to validate or refute the result of the analysis. The checking process is generally very efficient compared to certificate generation as experiments on 20,000 real-world applications show.

Surveillance, Criminal Law and Sovereignty

Abstract: Seeking better understanding of the relationship between criminal law and surveillance demands investigating the evolving nature of sovereignty in an era of transnational digital information flows. While territorial boundaries determine the limits of police investigative and surveillance powers under the criminal law, several recent United States (US) examples demonstrate how new forms of extraterritorial surveillance that enable police to access online communications by foreign citizens and digital information stored in offshore locations are authorized by US courts. This discussion outlines how the processes of mutual legal assistance that ordinarily govern the search, seizure and transfer of digital evidence from one jurisdiction to another are increasingly considered to undermine police efficiency, even though they protect the due process rights afforded to crime suspects under established principles of sovereignty (Palmer and Warren 2013).

Applying Semantic Technologies to Fight Online Banking Fraud

Abstract: Cybercrime tackling is a major challenge for Law Enforcement Agencies (LEAs). Traditional digital forensics and investigation procedures are not coping with the sheer amount of data to analyse, which is stored in multiple devices seized from distinct, possibly-related cases. Moreover, inefficient information representation and exchange hampers evidence recovery and relationship discovery. Aiming at a better balance between human reasoning skills and computer processing capabilities, this paper discusses how semantic technologies could make cybercrime investigation more efficient. It takes the example of online banking fraud to propose an ontology aimed at mapping criminal organisations and identifying malware developers. Although still on early stage of development, it reviews concepts to extend from well-established ontologies and proposes novel abstractions that could enhance relationship discovery. Finally, it suggests inference rules based on empirical knowledge which could better address the needs of the human analyst.

A Framework for Integrating Multimodal Biometrics with Digital Forensics

Abstract: Multimodal biometrics represents various categories of morphological and intrinsic aspects with two or more computerized biological characteristics such as facial structure, retina, keystrokes dynamics, voice print, retinal scans, and patterns for iris, facial recognition, vein structure, scent, hand geometry, and signature recognition. The objectives of Digital Forensics (DF), on the other hand, is to inspect digital media in a forensically sound manner with the essence of identifying, discovering, recovering, analysing the artifacts and presenting facts and suggestions about the discovered information to any court of law or civil proceedings. Because the accuracy of biometric indicators may rarely be investigated during a digital forensic investigation processes, integrating digital forensics with multimodal biometrics can enable effective digital forensic investigations on multiple captured physiological and behavioural characteristics. This paper, therefore, presents a self-adaptive approach for integrating digital forensics with multimodal biometrics. This is motivated by the fact that, as of the time of writing this paper, there is lack of effective and standardised methods for performing digital investigation across multimodal biometric indicators. In addition, there are also no proper digital forensic biometric management strategies in place. For this reason, to enable effective digital investigations on multiple captured physiological and behavioural characteristics, this paper aims at proposing a framework that is meant to facilitate the integration of DF and multimodal biometrics. The framework is also meant to enhance the analysis of potential digital evidence during investigations. Integrating multimodal biometrics and digital forensics using the proposed framework gives a promising approach to add value especially in enforcing security measures in different systems as well as a restricting factor to unauthorized access key discoveries. The integration of digital forensics with multimodal biometrics is the main focus of this paper.

Proof of Concept of the Online Neighbourhood Watch System

Abstract: Potential digital evidence captured by an onlooker at a crime scene when stored in a repository can be used during criminal investigations, or as admissible evidence in a court of law. However, to employ the captured and stored potential digital evidence (PDE) some challenges are required to be dealt with, such as, retaining the forensic soundness of the captured PDE, adequate measures to secure the PDE and measures to protect the privacy rights of the PDE uploader (citizens).