
Showing papers on "Digital evidence" published in 2019


Journal ArticleDOI
Zhihong Tian, Mohan Li, Meikang Qiu, Yanbin Sun, Shen Su
TL;DR: This work proposes a secure digital evidence framework using blockchain (Block-DEF) with a loose coupling structure in which the evidence and the evidence information are maintained separately and the multi-signature technique is adopted for evidence submission and retrieval.

203 citations


Journal ArticleDOI
TL;DR: This research proposes Forensic-Chain, a Blockchain-based Digital Forensics Chain of Custody, bringing integrity and tamper resistance to the digital forensics chain of custody.

82 citations



Journal ArticleDOI
01 Jan 2019
TL;DR: A generic framework for diverging DL cognitive computing techniques into Cyber Forensics (CF) hereafter referred to as the DLCF Framework is proposed, which holds the potential to dramatically change the domain of CF in a variety of ways as well as provide solutions to forensic investigators.
Abstract: More than ever before, the world is nowadays experiencing increased cyber-attacks in all areas of our daily lives. This situation has made combating cybercrimes a daily struggle for both individuals and organisations. Furthermore, this struggle has been aggravated by the fact that today's cybercriminals have gone a step ahead and are able to employ complicated cyber-attack techniques. Some of those techniques are minuscule and inconspicuous in nature and often camouflage in the facade of authentic requests and commands. In order to combat this menace, especially after a security incident has happened, cyber security professionals as well as digital forensic investigators are always forced to sift through large and complex pools of data, also known as Big Data, in an effort to unveil Potential Digital Evidence (PDE) that can be used to support litigations. Gathered PDE can then be used to help investigators arrive at particular conclusions and/or decisions. In the case of cyber forensics, what makes the process even tougher for investigators is the fact that Big Data often comes from multiple sources and has different file formats. Forensic investigators often have less time and budget to handle the increased demands when it comes to the analysis of these large amounts of complex data for forensic purposes. It is for this reason that the authors in this paper have realised that Deep Learning (DL), which is a subset of Artificial Intelligence (AI), has very distinct use-cases in the domain of cyber forensics, and even if many people might argue that it's not an unrivalled solution, it can help enhance the fight against cybercrime. This paper therefore proposes a generic framework for diverging DL cognitive computing techniques into Cyber Forensics (CF), hereafter referred to as the DLCF Framework. DL uses some machine learning techniques to solve problems through the use of neural networks that simulate human decision-making. Based on these grounds, DL holds the potential to dramatically change the domain of CF in a variety of ways as well as provide solutions to forensic investigators. Such solutions can range from reducing bias in forensic investigations to challenging what evidence is considered admissible in a court of law or any civil hearing, and many more.

50 citations


Journal ArticleDOI
TL;DR: Proposed forensic architecture using fast-growing Software-Defined Networking (SDN) and Blockchain technology for Infrastructure-as-a-Service (IaaS) cloud shows promising results in Response time, Evidence insertion time, evidence verification time, Communication overhead, Hash computation time, Key generation time, Encryption time, Decryption time and total change rate.
Abstract: Cloud forensics is an intelligent evolution of digital forensics that defends against cyber-crimes. However, centralized evidence collection and preservation minimizes the reliability of digital evidence. To resolve this severe problem, this paper proposes a novel digital forensic architecture using fast-growing Software-Defined Networking (SDN) and Blockchain technology for Infrastructure-as-a-Service (IaaS) cloud. In this proposed forensic architecture, the evidence is collected and preserved in the blockchain that is distributed among multiple peers. To protect the system from unauthorized users, a Secure Ring Verification based Authentication (SRVA) scheme is proposed. To strengthen the cloud environment, secret keys are generated optimally by using the Harmony Search Optimization (HSO) algorithm. All data are encrypted based on the sensitivity level and stored in the cloud server. For encryption, the Sensitivity Aware Deep Elliptic Curve Cryptography (SA-DECC) algorithm is presented. For every piece of data stored in the cloud, a block is created in the SDN controller and the history of the data is recorded as metadata. In each block, the Merkle hash tree is built by using Secure Hashing Algorithm-3 (SHA-3). Our system allows users to trace their data by deploying Fuzzy based Smart Contracts (FCS). Finally, evidence analysis is enabled by constructing a Logical Graph of Evidence (LGoE) collected from the blockchain. Experiments are conducted in an integrated environment of Java (for cloud and blockchain) and network simulator-3.26 (for SDN). The extensive analysis shows that the proposed forensic architecture shows promising results in Response time, Evidence insertion time, Evidence verification time, Communication overhead, Hash computation time, Key generation time, Encryption time, Decryption time and total change rate.

48 citations


Journal ArticleDOI
28 Jun 2019
TL;DR: The importance of having the report generation process cover details obtained from all other classes of the digital investigation processes in a standardised format is posited, as well as the need to standardise the process of generating digital forensic reports.
Abstract: The ISO/IEC 27043:2015 international standard provides new standardised guidelines for common investigation processes across various investigation scenarios that mostly involve digital evidence. The reporting process is one of the many investigative processes described in the ISO/IEC 27043:2015 standard, but the manner in which the reporting process is presented does not constitute or cover the specificity of the presentation of the entire processes covered in the standard. In this paper, we posit the importance of having the report generation process covering details obtained from all other classes of the digital investigation processes in a standardised format, as well as the need to standardise the process of generating digital forensic reports. Such a standardised process can facilitate future automation and text analytics, sharing of reports and knowledge across jurisdictions, etc. We also identify a number of key factors, such as the use of Blockchain, which should be added to the ISO/IEC 27043 international standard in order to support a standardised digital forensic report generation process.

38 citations


Book ChapterDOI
01 Jan 2019
TL;DR: The value and means of utilising Blockchain in modern systems to support DFIR are discussed, the value of Blockchain to improve the implementation of Digital Forensic Models is demonstrated and why law enforcement and incident responders need to understand Blockchain technology is discussed.
Abstract: Blockchain technology can be incorporated into new systems to facilitate modern Digital Forensics and Incident Response (DFIR). For example, it is widely acknowledged that the Internet-of-Things (IoT) has introduced complexity to the cyberspace; however, incident responders should also realise the advantages presented by these new “Digital Witnesses” (DW) to support their investigation. Logs generated by IoT devices can help in the process of event reconstruction, but their integrity (and therefore admissibility) can be achieved only if a Chain-of-Custody (CoC) is maintained within the wider context of an on-going digital investigation. Likewise, the transition to electronic documentation improves data availability, legibility, the utility of notes, and therefore enhances the communication between stakeholders. However, without a proof of validity, these data could be falsified. For example, in an application area such as eHealth, there is a requirement to maintain various existing (and new) rules and regulations concerning authorship, auditing, and the integrity of medical records. Lacking data control could lead to system abuse, fraud and severe compromise of service quality. These concerns can be resolved by implementing an online CoC. In this paper, we discuss the value and means of utilising Blockchain in modern systems to support DFIR. We demonstrate the value of Blockchain to improve the implementation of Digital Forensic Models and discuss why law enforcement and incident responders need to understand Blockchain technology. Furthermore, the admissibility of Digital Evidence to a Court of Law requires chronological documentation. Hence, we discuss how the CoC can be sustained based on a distributed ledger. Finally, we provide a practical scenario related to eHealth to demonstrate the value of this approach to introduce forensic readiness to computer systems and enable better Police interventions.

37 citations


Journal ArticleDOI
TL;DR: A comprehensive literature survey of the forensic analysis on operating system logs is presented and a taxonomy of various techniques used in this area is presented, which suggests potential future directions on the topic of operating system log forensics.

36 citations


Journal ArticleDOI
TL;DR: The structure and application of the DERDS framework is discussed, demonstrating the stages of decision making a practitioner must undergo when evaluating the accuracy of their findings, whilst also recognising when content may be deemed unsafe to report.

32 citations


Journal ArticleDOI
01 Jun 2019
TL;DR: This research investigates and evaluates the applicability of several machine learning techniques in identifying incriminating evidence by tracing historical file system activities in order to determine how these files can be manipulated by different application programs.
Abstract: With the remarkable increase in computer crimes – particularly Internet related crimes – digital forensics becomes an urgent and timely issue to study. Normally, a digital forensics investigation aims to preserve any evidence in its most original form by identifying, collecting, and validating the digital information for the purpose of reconstructing past events. Most digital evidence is stored within the computer's file system. This research investigates and evaluates the applicability of several machine learning techniques in identifying incriminating evidence by tracing historical file system activities in order to determine how these files can be manipulated by different application programs. A dataset defined by a matrix/vector of features related to file system activity during a specific period of time has been collected. Such a dataset has been used to train several machine learning techniques. Overall, the considered machine learning techniques show good results when they have been evaluated using a testing dataset containing unseen evidence. However, all algorithms encountered an essential obstacle, which could be the main reason why the experimental results were less than expected: the overlaps among the file system activities.

22 citations


Journal ArticleDOI
24 Jul 2019-Sensors
TL;DR: A technical forensic process consisting of ten technical phases for the analysis of RPAS forensic artifacts is proposed, which can reduce the complexity of the identification and investigation of drones.
Abstract: The rapid pace of invention in technology and the evolution of network communication has produced a new lifestyle with a variety of opportunities and challenges. Remotely Piloted Aerial Systems (RPAS) technology, which includes drones, is one example of a recently invented technology that requires the collection of a solid body of defensible and admissible evidence to help eliminate potential real-world threats posed by their use. With the advent of smartphones, there has been an increase in digital forensic investigation processes developed to assist specialized digital forensic investigators in presenting forensically sound evidence in the courts of law. Therefore, it is necessary to apply digital forensic techniques and procedures to different types of RPASs in order to create a line of defense against new challenges, such as aerial-related incidents, introduced by the use of these technologies. Drone operations by bad actors are rapidly increasing and these actors are constantly developing new approaches. These criminal operations include invasion of privacy, drug smuggling, and terrorist activities. Additionally, drone crashes and incidents raise significant concerns. In this paper, we propose a technical forensic process consisting of ten technical phases for the analysis of RPAS forensic artifacts, which can reduce the complexity of the identification and investigation of drones. Using the proposed technical process, we analyze drone images using the Computer Forensics Reference Datasets (CFReDS) and present results for the Typhoon H aerial vehicle manufactured by Yuneec, Inc. Furthermore, this paper explores the availability and value of digital evidence that would allow a more practical digital investigation to be able to build an evidence-based experience. Therefore, we particularly focus on developing a technical drone investigation process that can be applied to various types of drones.


Journal ArticleDOI
TL;DR: Digital evidence, once regarded as existing only in a portion of criminal cases, in our digitized world commonly appears within all crime categories and is a factor in many (or arguably most) cases as discussed by the authors.
Abstract: Digital evidence, once regarded as existing only in a portion of criminal cases, in our digitized world commonly appears within all crime categories and is a factor in many (or arguably most) cases...

Book ChapterDOI
13 Jun 2019
TL;DR: This research presents an experimental model and prototype to exploit digital evidence in Internet of Things by building a solid case thanks to the non-repudiable, immutable, identifiable as current and authentic properties of data logged into the blockchain.
Abstract: This research presents an experimental model and prototype to exploit digital evidence in Internet of Things (IoT). The novelty of this research is to consider new data privacy mechanisms that should be implemented in IoT, in compliance with the GDPR regulation, and their impact on digital forensic processes. The testbed is an innovative project for car navigation [1, 2], GDPR compatible, which offers users the possibility to submit their GPS position into a blockchain for obtaining road traffic information and alternative paths. The vehicles are communicating among themselves through IoTs and circumvent the use of third-party services. We propose a solution for forensic investigations of such a service by building a solid case thanks to the non-repudiable, immutable, identifiable as current and authentic properties of data logged into the blockchain. This solution applies to criminal and insurance cases, where law enforcement and individuals need to prove their claims.

Journal ArticleDOI
TL;DR: A comprehensive review of digital forensic analysis using text-clustering methods is presented, investigating the challenges of large volume data on digital forensic techniques.
Abstract: Exploring digital devices in order to generate digital evidence related to an incident being investigated is essential in modern digital investigation. The emergence of text clustering methods plays an important role in developing effective digital forensics techniques. However, the issue of increasing the number of text sources and the volume of digital devices seized for analysis has been raised significantly over the years. Many studies indicated that this issue should be resolved urgently. In this paper, a comprehensive review of digital forensic analysis using text-clustering methods is presented, investigating the challenges of large volume data on digital forensic techniques. Moreover, a meaningful classification and comparison of the text clustering methods that have been frequently used for forensic analysis are provided. The major challenges with solutions and future research directions are also highlighted to open the door for researchers in the area of digital forensics in the age of large volume data.

Proceedings ArticleDOI
11 Jun 2019
TL;DR: This paper examines memory dumps of 4GB Windows 7 computers with the objective of identifying an instant messaging tool and recovering its chat messages, and recovering master encryption keys of volumes encrypted by BitLocker and TrueCrypt.
Abstract: In this pervasive digital world, we are witnessing an era where cybercriminals are improving their abilities in taking advantage of wide-spread digital devices to perform various malicious activities. By utilizing anti-forensic techniques, cybercriminals are able to erase or alter digital evidence that can otherwise be used against them in court. One of the most critical sources of digital evidence that forensic investigators examine is the physical memory of a digital device, i.e., Random Access Memory (RAM). RAM is a volatile memory containing data that might be of significant value to forensic investigation. RAM, which stores data about recent activities, stores data only when the device is powered on. Once the device powers off, all the data stored in the RAM is lost permanently. Forensic investigators find great value in RAM data and thus need to preserve such data without harming the integrity of the collected evidence. Many existing tools provide the ability to acquire and analyze images of the data stored in RAM. This paper tackles the fundamental topic of security, privacy, and digital forensics. Specifically, this paper examines memory dumps of 4GB Windows 7 computers with the objective of identifying an instant messaging tool and recovering its chat messages, and recovering master encryption keys of volumes encrypted by BitLocker and TrueCrypt. Throughout this paper, we utilize two widely-used tools, namely Volatility and WinHex, due to their various functionalities designed specifically for memory forensic investigation.

Journal ArticleDOI
01 Jan 2019
TL;DR: The significance of SNSs in DFIs and the challenges that DFEs often encounter when acquiring evidence from SNSs are analysed, and the steps of the digital forensic investigation process that must be taken to acquire digital evidence that is both authentic and forensically sound are described.
Abstract: Various social networking sites (SNSs), widely referred to as social media, provide services such as email, blogging, instant messaging and photo sharing for social and commercial interactions. SNSs are facilitating new forms of social interaction, dialogue, exchange and collaboration. They allow millions of users and organisations worldwide to exchange ideas, post updates and comments or participate in activities and events, while sharing their wider interests. At the same time, such a phenomenon has led to an upsurge in significant criminal activities by perpetrators who are becoming increasingly sophisticated in their attempts to deploy technology to circumvent detection. Digital Forensic Examiners (DFEs) often face serious challenges in relation to data acquisition. Therefore, this article aims to analyse the significance of SNSs in DFIs and the challenges that DFEs often encounter when acquiring evidence from SNSs. Furthermore, this article describes the steps of the digital forensic investigation process that must be taken to acquire digital evidence that is both authentic and forensically sound.

Proceedings ArticleDOI
01 Sep 2019
TL;DR: The bestselling products Alexa Echo and Google Home were examined in terms of forensic evidence, the data containing digital evidence were found, and differences between real activity and fake activity were elicited to counter anti-forensics.
Abstract: People's communication with machines is evolving. The process that started with buttons has evolved to the touchscreen, and now people can command machines just by talking to them. The use of smart home assistants, which allow people to control their smart homes, access mail accounts and even place orders, is becoming increasingly popular. For this reason, it is possible that they will be found at crime scenes soon and carry the value of digital evidence. In this study, the bestselling products Alexa Echo and Google Home were examined in terms of forensic evidence and the data containing digital evidence were found. Then fake activities were created by changing the device name, creating fake routines and developing custom skills. As a result of the investigations, information was provided for cyber security experts or academics working in this field about which kind of digital evidence could be found in a smart home assistant's activities. Also, differences between real activity and fake activity were elicited to counter anti-forensics.

Journal ArticleDOI
TL;DR: This research focuses on an Android-based email service, comparing two network forensic tools (Wireshark and NetworkMiner) to acquire as much digital evidence as possible using the National Institute of Standards and Technology method.
Abstract: Email is one communication technology that can be used to exchange information, data, etc. With the development of email technology, email can be opened not only using a computer but also using a smartphone. The most widely used smartphone in Indonesian society is Android. In line with this, cybercrime such as email fraud has also developed; catching cybercrime offenders requires evidence to be submitted to a court, and to obtain evidence, tools like Wireshark and NetworkMiner can be used to analyse network traffic on live networks. Accordingly, we compare these forensic tools in acquiring digital evidence. The subject of this research is an Android-based email service, with the aim of obtaining as much digital evidence as possible with both tools. This process uses the National Institute of Standards and Technology method. The result of this research is that NetworkMiner managed to obtain the receiving port, while in Wireshark it was not found.

Journal ArticleDOI
TL;DR: A protocol that ensures tracking up to the true source by collecting beforehand forensically sound evidence that will help in proving non-repudiation, which is a well-known challenge in forensic cases is proposed.

Journal ArticleDOI
25 Jun 2019
TL;DR: How emerging nonprofits are positioned to help the ecosystem overcome the challenges of broad adoption of digital solutions and to catalyze the process of matching the right evidence-based solution to the right clinical challenge is illustrated.
Abstract: This article examines the challenges of broad adoption of digital solutions within the healthcare industry and why evidence is so critical for advancement of digital health technologies. It then illustrates how emerging nonprofits are positioned to help the ecosystem overcome these challenges and to catalyze the process of matching the right evidence-based solution to the right clinical challenge.

Proceedings ArticleDOI
01 Dec 2019
TL;DR: The aim is to transfer this digital evidence securely using encryption techniques, as it is a necessary objective to ensure that the evidence provided to the court remains original and authentic without tampering.
Abstract: The fundamental aim of digital forensics is to discover, investigate and protect evidence; increasing cybercrime forces digital forensics teams to handle evidence more accurately. This makes digital evidence an important factor in linking an individual with criminal activity. In this procedure of forensics investigation, maintaining the integrity of the evidence plays an important role. A chain of custody refers to a process of recording and preserving details of digital evidence from collection to presentation in a court of law. It becomes a necessary objective to ensure that the evidence provided to the court remains original and authentic without tampering. The aim is to transfer this digital evidence securely using encryption techniques.

Journal ArticleDOI
TL;DR: A digital forensic device named SEAKER (Storage Evaluator and Knowledge Extraction Reader) enables forensic investigators to perform triage on many digital devices very quickly and its utility extends to preventing over-collection and large backlogs at digital forensics labs worldwide.

Journal ArticleDOI
06 Jun 2019
TL;DR: The results demonstrate that the OTS service is highly reliable with a zero false positive and false negative error rate for timestamp attestations, but that it is not suitable for time-sensitive timestamping due to the variance in the accuracy of timestamps induced by block confirmation times in the Bitcoin blockchain.
Abstract: This paper examines the way in which blockchain technology can be used to improve the verification of integrity of evidence in digital forensics. Some background on digital forensic practices and blockchain technology is discussed to provide necessary context. A particular scalable method of verifying point-in-time existence of a piece of digital evidence, using the OpenTimestamps (OTS) service, is described, and tests are carried out to independently validate the claims made by the service. The results demonstrate that the OTS service is highly reliable with a zero false positive and false negative error rate for timestamp attestations, but that it is not suitable for time-sensitive timestamping due to the variance in the accuracy of timestamps induced by block confirmation times in the Bitcoin blockchain.

Journal Article
TL;DR: In this article, the authors used a case study of an intimate partner violence criminal case to examine the relationship among communication privacy management, evidence acquisition and retrieval, and the use of digital evidence in criminal court.
Abstract: This article uses a case study of an intimate partner violence criminal case to examine the relationship among communication privacy management, evidence acquisition and retrieval, and the use of digital evidence in criminal court. We followed the case of Krista and Alex (pseudonyms) for a period of four months from August 2017 to November 2017. Data were collected from observations in two locations: the digital forensics laboratory of the public defender who handled the case and the courtroom in which the trial took place. Findings indicate that the couple engaged in preemptive and after-the-fact privacy management strategies, which complicated the process of acquiring digital evidence and had implications for how the evidence was used at trial. The case study joins communication privacy management and legal research to show why digital evidence falls short as a “model witness” and may expose female complainants to greater privacy turbulence than male defendants.

Proceedings ArticleDOI
01 Apr 2019
TL;DR: A forensic model of online social networks is proposed that provides the functions of evidence acquisition and solidification, evidence document verification, and evidence analysis; its feasibility is illustrated with Sina microblog examples of text analysis, hot-word frequency analysis and physical location analysis.
Abstract: With the excessive use of online social networks, criminals can get enough information about a person or organization. Law enforcement agencies could use the data from online social networks to get digital evidence against criminals. This paper proposes a forensic model of online social networks that provides the functions of evidence acquisition and solidification, evidence document verification, and evidence analysis. The feasibility of this model is illustrated with Sina microblog examples of text analysis, hot-word frequency analysis and physical location analysis.

03 Jul 2019
TL;DR: Phone surveys of police agencies in the North Texas area suggest that digital forensic education is needed as most police examiners are trained first as police officers and secondly as digital forensics examiners.
Abstract: Digital forensics poses significant challenges to law enforcement as the information found in a computer system is often present at most crime scenes in the form of computer data and cell phones. Digital evidence contained on common devices, such as cell phones and laptops, includes information that can be pertinent to the investigation of crimes. Law enforcement is increasingly identifying the need to be able to process their evidence internally warranting the exploration of the need for digital forensics training as part of a broader study of criminal justice for future law enforcement practitioners. This paper uses telephone surveys of police agencies in the North Texas area to explore their capabilities and need for trained digital forensic examiners (n=42). Findings suggest that digital forensic education is needed as most police examiners are trained first as police officers and secondly as digital forensics examiners. Future education challenges and policy implications are discussed.

Proceedings ArticleDOI
03 Jun 2019
TL;DR: The forensic readiness of the maritime sector, a core component of global trade and a unique combination of information/operational technology and people, is examined to understand its investigation and mitigation capabilities.
Abstract: Forensic investigation is an essential response strategy following a cyber-related incident, and forensic readiness is the capability to gather critical digital information and maximize its use as evidence. The effectiveness of this data is highly dependent on the readiness, quality, and trustworthiness of the data itself. Far from a passive post-analysis tool, there have been many instances where an organization has benefited from gathering, and using, digital evidence to improve their cyber-security and mitigate future incidents. This article examines the forensic readiness of the maritime sector, a core component of global trade and a unique combination of information/operational technology and people, to understand its investigation and mitigation capabilities. Once the readiness of maritime forensic investigation has been better understood, by comparing it to other sectors and using risk scenarios, this paper proposes actions toward improvement. These steps are built from established attempts to increase investigation capabilities and improve maritime cyber-security, but address the maritime sector specifically.

Journal ArticleDOI
TL;DR: The need for DTM research in digital forensics is championed, highlighting the benefits of doing so and the lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations.

Journal ArticleDOI
30 Oct 2019
TL;DR: The results obtained in this study were conversational recordings consisting of conversation time, conversation content and conversation status which could be digital evidence in uncovering the online shop fraud crime that occurred.
Abstract: The development of computer technology is increasing rapidly. This has positive and negative effects. One of the negative effects that occurred was the use of Line applications to conduct online shop fraud. Line is one of the instant messenger applications that can be used on computers, especially on Windows 8.1 operating system computers. Applications that run on the computer leave traces of data on Random Access Memory (RAM). Data left in RAM can be obtained using digital forensic techniques, namely live forensics which is used when the computer is running and connected to the internet. This study aims to find digital evidence regarding cases of online shop fraud using the National Institute of Standards and Technology (NIST) method. Digital evidence can be obtained using forensic tools, namely RamCapturer, FTK Imager and Winhex. RamCapturer is used to acquire data in RAM, FTK Imager is used for imaging and Winhex is used to analyze data that has been taken. The results obtained in this study were conversational recordings consisting of conversation time, conversation content and conversation status which could be digital evidence in uncovering the online shop fraud crime that occurred.