
Showing papers on "Digital evidence published in 2020"


Journal ArticleDOI
TL;DR: The purpose of this paper is to identify and discuss the main issues involved in the complex process of IoT-based investigations, particularly all legal, privacy and cloud security challenges, as well as some promising cross-cutting data reduction and forensics intelligence techniques.
Abstract: Today is the era of the Internet of Things (IoT). The recent advances in hardware and information technology have accelerated the deployment of billions of interconnected, smart and adaptive devices in critical infrastructures like health, transportation, environmental control, and home automation. Transferring data over a network without requiring any kind of human-to-computer or human-to-human interaction, brings reliability and convenience to consumers, but also opens a new world of opportunity for intruders, and introduces a whole set of unique and complicated questions to the field of Digital Forensics. Although IoT data could be a rich source of evidence, forensics professionals cope with diverse problems, starting from the huge variety of IoT devices and non-standard formats, to the multi-tenant cloud infrastructure and the resulting multi-jurisdictional litigations. A further challenge is the end-to-end encryption which represents a trade-off between users’ right to privacy and the success of the forensics investigation. Due to its volatile nature, digital evidence has to be acquired and analyzed using validated tools and techniques that ensure the maintenance of the Chain of Custody. Therefore, the purpose of this paper is to identify and discuss the main issues involved in the complex process of IoT-based investigations, particularly all legal, privacy and cloud security challenges. Furthermore, this work provides an overview of the past and current theoretical models in the digital forensics science. Special attention is paid to frameworks that aim to extract data in a privacy-preserving manner or secure the evidence integrity using decentralized blockchain-based solutions. In addition, the present paper addresses the ongoing Forensics-as-a-Service (FaaS) paradigm, as well as some promising cross-cutting data reduction and forensics intelligence techniques. 
Finally, several other research trends and open issues are presented, with emphasis on the need for proactive Forensics Readiness strategies and generally agreed-upon standards.

440 citations


Journal ArticleDOI
TL;DR: Some of the challenges associated with vehicle data forensics are described, which is an understudied area, and potential hardware and software solutions that can be used to acquire forensic artifacts from such vehicles are discussed.

62 citations


Journal ArticleDOI
TL;DR: This research helps investigators identify the software used to launch the attack and understand its internal flows, and shows that a program’s states can still be extracted even after the garbage collector is explicitly invoked, the software is stopped, or the JVM is terminated.

43 citations


Journal ArticleDOI
01 Jan 2020
TL;DR: This review paper covers the forensic-relevant literature in digital evidence from 2016 to 2019 as a part of the 19th Interpol International Forensic Science Managers Symposium.
Abstract: This review paper covers the forensic-relevant literature in digital evidence from 2016 to 2019 as a part of the 19th Interpol International Forensic Science Managers Symposium. The review papers are also available at the Interpol website at: https://www.interpol.int/content/download/14458/file/Interpol Review Papers 2019.pdf

29 citations


Journal ArticleDOI
01 Jun 2020
TL;DR: The digital forensics community is well positioned to provide research for practitioners to enhance investigations involving Fintech and technical financial activity, which needs to be recognized as a new technical sub-discipline of the digital forensics landscape.
Abstract: This paper describes an emerging sub-discipline of digital forensics covering financial technologies, or Fintech. The digital transformation of society is introducing new Fintech for payments, funds transfer, and other financial transactions. Criminals are using and abusing financial technologies for fraud, extortion, money laundering, and financing activity in the criminal underground. The investigation of Fintech and digital payment activity needs to be recognized as a new technical sub-discipline of the digital forensics landscape. The digital forensics community is well positioned to provide research for practitioners to enhance investigations involving Fintech and technical financial activity.

22 citations


Journal ArticleDOI
TL;DR: This paper proposes a prior evidence capture protocol that helps in the simultaneous collection of evidence when a crime has occurred, in the form of a device fingerprint that uniquely identifies the fingerprintee client device.

21 citations


Proceedings ArticleDOI
01 Feb 2020
TL;DR: The paper proposes that the threshold of malicious code intrusion in the cloud can be transformed to an efficacious process of DFR through logical acquisition and digitally preserving keystrokes.
Abstract: The relationship between negative and positive connotations with regard to malware in the cloud is rarely investigated according to the prevailing literature. However, there is a significant relationship between the use of positive and negative connotations. A clear distinction between the two emanates when we use the originally considered malicious code for a positive connotation, as in the case of capturing keystrokes for a proactive forensic purpose. This is done during the collection of digital evidence for Digital Forensic Readiness (DFR) purposes, in preparation for a Digital Forensic Investigation (DFI) process. The paper explores the problem of having to use the keystrokes for positive reasons as a piece of potential evidence, through extraction and digital preservation as highlighted in ISO/IEC 27037:2012 (security approaches) and ISO/IEC 27043:2015 (legal connotations). In this paper, therefore, the authors present a technique for how DFR can be achieved through the collection of digital information from the originally considered malicious code. This is achieved without modifying the cloud operations or the infrastructure thereof, while preserving the integrity of digital information and possibly maintaining the chain of custody at the same time. The paper proposes that the threshold of malicious code intrusion in the cloud can be transformed into an efficacious process of DFR through logical acquisition and digital preservation of keystrokes. The experiment-tested keystrokes have shown a significant approach that could achieve proactive forensics.

20 citations


Journal ArticleDOI
01 Dec 2020
TL;DR: The potential for Open Source Intelligence (OSINT) being leveraged for more efficient password cracking is explored and the potential impact of OSINT to password cracking by law enforcement is discussed.
Abstract: From the end of the last century to date, consumers are increasingly living their lives online. In today’s world, the average person spends a significant proportion of their time connecting with people online through multiple platforms. This online activity results in people freely sharing an increasing amount of personal information – as well as having to manage how they share that information. For law enforcement, this corresponds to a slew of new sources of digital evidence valuable for digital forensic investigation. A combination of consumer level encryption becoming default on personal computing and mobile devices and the need to access information stored with third parties has resulted in a need for robust password cracking techniques to progress lawful investigation. However, current password cracking techniques are expensive, time-consuming processes that are not guaranteed to be successful in the time-frames common for investigations. In this paper, the potential for Open Source Intelligence (OSINT) being leveraged for more efficient password cracking is explored. A comprehensive survey of the literature on password strength, password cracking, and OSINT is outlined, and the law enforcement challenges surrounding these topics are discussed. Additionally, an analysis on password structure as well as demographic factors influencing password selection is presented. Finally, the potential impact of OSINT to password cracking by law enforcement is discussed.

19 citations
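The survey above argues that password structure and personal attributes recovered through OSINT can make lawful password recovery cheaper than blind brute force. The following is an added example, not code from the paper: it turns a constructed OSINT profile into an ordered candidate list (single tokens, token plus birth year, token pairs, with hypothetical case, leet and suffix rules) and tries the candidates against a constructed unsalted SHA-256 target. The profile, rules and target are all assumptions made for illustration; a real engagement would feed a much larger attribute set into a rule engine such as hashcat's, against the real hash format, and only under legal authority.

```python
"""OSINT-seeded candidate generation for a lawful password-recovery attempt.

Added example, not the paper's code. The subject profile, the mangling
rules and the target hash are all constructed; real engagements would feed
a far larger attribute set into a rule engine such as hashcat's, and only
under legal authority.
"""
import hashlib
import itertools

# Constructed profile of a fictitious subject, the kind of attributes OSINT yields.
PROFILE = {
    "first_name": "Alice",
    "pet": "Rex",
    "team": "Rovers",
    "city": "Leeds",
    "birth_year": "1987",
}

# Hypothetical suffix rules; real rule files are much larger.
SUFFIXES = ["", "!", "1", "123", "?"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def base_tokens(profile):
    """Case and leet variants of every non-numeric profile attribute, sorted for determinism."""
    base = set()
    for key, value in profile.items():
        if key == "birth_year":
            continue
        base |= case_variants(value)
    base |= {b.translate(LEET) for b in list(base)}
    return sorted(base)


def generate_candidates(profile, suffixes=SUFFIXES):
    """Ordered, de-duplicated candidates: cheapest and most common structures first."""
    tokens = base_tokens(profile)
    year = profile.get("birth_year", "")
    year_forms = [year, year[-2:]] if year else []
    seen, out = set(), []

    def emit(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for tok in tokens:                      # stage 1: token + suffix
        for suf in suffixes:
            emit(tok + suf)
    for tok in tokens:                      # stage 2: token + year + suffix
        for yr in year_forms:
            for suf in suffixes:
                emit(tok + yr + suf)
    for a, b in itertools.permutations(tokens, 2):   # stage 3: two tokens (+ year)
        for yr in [""] + year_forms:
            emit(a + b + yr)
    return out


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hex, candidates):
    """Try candidates in order; return (password or None, number of hashes computed)."""
    for attempts, cand in enumerate(candidates, start=1):
        if sha256_hex(cand) == target_hex:
            return cand, attempts
    return None, len(candidates)


if __name__ == "__main__":
    target = sha256_hex("Rex1987!")  # constructed target: an unsalted SHA-256
    cands = generate_candidates(PROFILE)
    found, n = crack(target, cands)
    print(f"{len(cands)} candidates; found {found!r} after {n} hashes")
```

The ordering is the point: the list is a few thousand entries long, yet a "pet name + year + symbol" password falls in the second stage, which is why the paper treats password structure and demographic factors as inputs to the cracking strategy rather than as afterthoughts. Whether such a list is worth running before a generic wordlist depends on the hash format and the hardware available, which the example does not model.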


Journal ArticleDOI
01 Mar 2020
TL;DR: This work proposes a standardized approach to formulating and expressing preliminary evaluative opinions in terms of strength of evidence in a manner that employs scientific reasoning within a logical Bayesian framework and can be understood by non-specialist factfinders.
Abstract: The growing number of cases involving overlooked or misinterpreted digital evidence is raising concerns among factfinders and decision-makers about the reliability of digital forensic conclusions. To reduce the risk of mistakes and misinterpretations of forensic observations, including but not limited to digital evidence, there is a pressing need to standardize how evaluative opinions are formed and expressed. Responding to this need, the international community is drafting ISO-21043 and the UK Forensic Science Regulator is drafting an evaluative interpretation standard that promote a likelihood ratio approach. This approach is suitable for fully evaluative opinions in many forensic disciplines, but until more refined methods for evaluating digital evidence are developed, digital forensic practitioners require an interim solution to address immediate needs. More broadly, digital evidence is used in many non-judicial contexts that do not require fully evaluative opinions expressed as a likelihood ratio. This work proposes a standardized approach to formulating and expressing preliminary evaluative opinions in terms of strength of evidence in a manner that employs scientific reasoning within a logical Bayesian framework and can be understood by non-specialist factfinders. Illustrative case examples are presented that involve digital evidence tampering. In addition, this work presents a proof-of-concept database of cases involving tampering of digital evidence that could support assignment of strength of evidence in similar cases.

18 citations
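The paper above builds on the likelihood ratio, and the arithmetic behind "strength of evidence" is short enough to show. The following is an added example, not the paper's own method, database or case data: it computes the likelihood ratio of each finding, combines findings under an explicit conditional-independence assumption, maps the result to a verbal label, and updates prior odds to a posterior probability. The two tampering findings, their conditional probabilities and the verbal-scale thresholds are constructed for illustration (the thresholds follow the decade structure of published forensic scales but are not quoted from any standard).

```python
"""Strength-of-evidence arithmetic with likelihood ratios.

Added example, not the paper's own method or case data. The findings,
their conditional probabilities and the verbal scale thresholds are
constructed for illustration.
"""
import math

# Assumed verbal scale: (upper bound of LR magnitude, label). The thresholds
# are illustrative; they follow the decade structure of published scales.
VERBAL_SCALE = [
    (1, "no support for either proposition"),
    (10, "weak support"),
    (100, "moderate support"),
    (1000, "moderately strong support"),
    (10000, "strong support"),
    (math.inf, "very strong support"),
]


def likelihood_ratio(p_e_given_h1, p_e_given_h2):
    """LR = P(E | H1) / P(E | H2); > 1 favours H1, < 1 favours H2."""
    for p in (p_e_given_h1, p_e_given_h2):
        if not 0.0 < p <= 1.0:
            raise ValueError("conditional probabilities must lie in (0, 1]")
    return p_e_given_h1 / p_e_given_h2


def combine_independent(lrs):
    """Product of LRs. Valid only if the findings are conditionally
    independent given each hypothesis; correlated findings must not be
    multiplied, or the strength is overstated."""
    total = 1.0
    for lr in lrs:
        total *= lr
    return total


def verbal_strength(lr):
    """Map an LR to (favoured hypothesis, label), using the reciprocal when LR < 1."""
    if lr == 1:
        return "neither", VERBAL_SCALE[0][1]
    favoured = "H1" if lr > 1 else "H2"
    magnitude = lr if lr > 1 else 1.0 / lr
    for upper, label in VERBAL_SCALE[1:]:
        if magnitude <= upper:
            return favoured, label
    return favoured, VERBAL_SCALE[-1][1]


def posterior_probability(prior_odds_h1, lr):
    """Bayes in odds form: posterior odds = prior odds * LR, returned as P(H1 | E)."""
    odds = prior_odds_h1 * lr
    return odds / (1.0 + odds)


def evaluate(findings, prior_odds_h1=1.0):
    """findings: list of (name, P(F | H1), P(F | H2)) tuples."""
    per = {name: likelihood_ratio(p1, p2) for name, p1, p2 in findings}
    combined = combine_independent(per.values())
    favoured, label = verbal_strength(combined)
    return {
        "per_finding": per,
        "combined_lr": combined,
        "log10_lr": math.log10(combined),
        "favoured": favoured,
        "label": label,
        "posterior_p_h1": posterior_probability(prior_odds_h1, combined),
    }


# Constructed tampering case. H1: the file's timestamps were altered; H2: they were not.
# The probabilities are illustrative assignments, not measured rates.
FINDINGS = [
    ("timestamps truncated to whole seconds", 0.90, 0.02),
    ("no matching journal entry for the last write", 0.70, 0.10),
]

if __name__ == "__main__":
    result = evaluate(FINDINGS, prior_odds_h1=1.0)
    for name, lr in result["per_finding"].items():
        print(f"{name}: LR = {lr:.1f}")
    print(f"combined LR = {result['combined_lr']:.0f} "
          f"({result['label']} for {result['favoured']}), "
          f"P(H1 | E) at even prior odds = {result['posterior_p_h1']:.4f}")
```

Note that the prior odds are the factfinder's, not the examiner's: the example reports the LR and label separately from the posterior so the two are not conflated, which is the separation the likelihood-ratio approach is meant to enforce. The independence assumption in `combine_independent` is the step most often violated in practice; findings that derive from the same artefact should be assessed as one.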


Journal ArticleDOI
TL;DR: This article aims to provide technical information and a comprehensive understanding of file system anti-forensics types, techniques and tools so as to facilitate investigators' ability to collect technically credible and legally admissible digital evidence from crime scenes.

16 citations


Proceedings ArticleDOI
01 Jun 2020
TL;DR: The important role of machine learning is explained as an application of artificial intelligence, and how it can be used to analyse large amounts of diverse datasets in order to reveal any criminal behaviour and intent through learning from previous and historical activities to predict criminal behaviours in the future.
Abstract: Digital forensics, as a branch of the forensic sciences, is facing new challenges from the aspect that potential digital evidence is growing and expanding. Rapid development in the fields of computer science and information technology provides innovative techniques for digital investigations. In this paper, the important role of machine learning is explained as an application of artificial intelligence, and how it can be used to analyse large amounts of diverse datasets in order to reveal any criminal behaviour and intent through learning from previous and historical activities to predict criminal behaviours in the future.

Journal ArticleDOI
01 Jun 2020
TL;DR: Proof-of-work examples are provided using AFF4 and dc3dd to demonstrate how this e-CoC ledger can be used by different parties in a legal context, including digital forensic practitioners, attorneys and judges.
Abstract: As evidence in digital form becomes more prevalent in all kinds of investigations, there is a pressing need for a trustworthy and transparent way to maintain electronic chain of custody (e-CoC) and integrity information that is independently verifiable. Generally, a hash value of digital evidence is calculated and documented with the acquired data to prove that it has not been altered. However, the hash value alone does not prove that digital evidence is the same as when it was obtained, only that the contents have not been modified since the time when the hash was calculated. This work responds to the need for a chronological, independently verifiable e-CoC ledger using blockchain technology. Employing this approach, each e-CoC record is stored in a block, each block being connected to the previous one with the hash value of the block. This e-CoC ledger, the blockchain, can be hosted by a trusted entity and accessed by any party to verify e-CoC details. For privacy reasons, sensitive information is not stored inside the e-CoC record in the blockchain. Moreover, to prove that the e-CoC ledger itself has not been modified, information is periodically sent to a public blockchain, where the integrity is guaranteed by its decentralization and the structure of such a secure ledger. Not all of the blocks are sent into a public blockchain, which allows different levels of verification. Proof-of-work examples are provided using AFF4 and dc3dd to demonstrate how this e-CoC ledger can be used by different parties in a legal context, including digital forensic practitioners, attorneys and judges.

Proceedings ArticleDOI
25 Aug 2020
TL;DR: A secure chain of custody framework is proposed by utilizing the blockchain technology to store evidence metadata while the evidence is stored in a reliable storage medium and integrated with the digital evidence system where evidence is physically stored and locked using smart locks.
Abstract: Evidence is a tangible demonstrative artifact that proves a fact and shapes the investigation of various misconduct cases involving, for instance, corruption, misbehavior, or violation. It is imperative to maintain proper evidence management to guarantee the admissibility of evidence in a court of law. Chain of custody forms the forensic link of the evidence sequence of control, transfer, and analysis to preserve the evidence's integrity and to prevent its contamination. Blockchain, a distributed tamper-resistant ledger, can be leveraged to offer a decentralized secure digital evidence system. In this paper, we propose a secure chain of custody framework by utilizing blockchain technology to store evidence metadata while the evidence is stored in a reliable storage medium. The framework is built on top of a private Ethereum blockchain to document every transmission from the moment the evidence is seized, thus ensuring that evidence can only be accessed or possessed by authorized parties. The framework is integrated with the digital evidence system where evidence is physically stored and locked using smart locks. To secure the sequence of evidence submission and retrieval, only an authorized party can possess the key to unlock the evidence. Our proposed framework offers a secure solution that maintains evidence integrity and admissibility among multiple stakeholders such as law enforcement agencies, lawyers, and forensic professionals. The research findings shed light on hidden opportunities for the efficient usage of blockchain in other realms beyond finance and cryptocurrencies.
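The two entries above (the e-CoC ledger with periodic public anchoring, and the private-chain custody framework with an authorised-party check) share one mechanism: custody records hash-chained so that any edit to an earlier record breaks every later link, plus something outside the ledger that a rewrite cannot reach. The following is an added example, not the code of either paper. It is a plain hash-chained ledger in Python rather than a blockchain: the custodian IDs, timestamps and evidence bytes are constructed, the "public chain" is a list that stands in for publishing an anchor externally, and the authorisation is an allowlist rather than smart-contract access control. Only the evidence hash and opaque identifiers go on chain, following the privacy point made in the first abstract.

```python
"""Hash-chained electronic chain-of-custody ledger with public anchoring.

Added example, not the code of either paper. The custodian IDs, timestamps
and evidence bytes are constructed; the 'public chain' is a plain list that
stands in for publishing an anchor to a real public blockchain.
"""
import hashlib
import json

GENESIS = "0" * 64
# Constructed allowlist: only these custodian IDs may write records.
ALLOWED_CUSTODIANS = {"LEA-01", "LAB-07", "ATTY-03"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so every verifier hashes the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class CustodyLedger:
    def __init__(self, anchor_every=3):
        self.blocks = []          # the e-CoC ledger itself
        self.public_anchors = []  # (block count, head hash) "published" externally
        self.anchor_every = anchor_every

    def head_hash(self):
        return self.blocks[-1]["block_hash"] if self.blocks else GENESIS

    def record(self, action, custodian, evidence_id, evidence_hash, timestamp):
        """Append one custody event. Only the evidence hash and opaque IDs go on chain."""
        if custodian not in ALLOWED_CUSTODIANS:
            raise PermissionError(f"{custodian} is not an authorised custodian")
        rec = {
            "index": len(self.blocks),
            "timestamp": timestamp,
            "action": action,
            "custodian": custodian,
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,
            "prev_hash": self.head_hash(),
        }
        block = dict(rec, block_hash=sha256_hex(canonical(rec)))
        self.blocks.append(block)
        if len(self.blocks) % self.anchor_every == 0:
            self.public_anchors.append((len(self.blocks), block["block_hash"]))
        return block

    def verify_chain(self):
        """Recompute every block hash and every back-link."""
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            rec = {k: v for k, v in block.items() if k != "block_hash"}
            if rec["index"] != i or rec["prev_hash"] != prev:
                return False
            if sha256_hex(canonical(rec)) != block["block_hash"]:
                return False
            prev = block["block_hash"]
        return True

    def verify_anchors(self):
        """Check the ledger against the heads that were published externally."""
        for count, head in self.public_anchors:
            if count > len(self.blocks) or self.blocks[count - 1]["block_hash"] != head:
                return False
        return True

    def rehash_from(self, start):
        """Simulate an insider with write access rewriting the ledger after an edit."""
        prev = self.blocks[start - 1]["block_hash"] if start > 0 else GENESIS
        for block in self.blocks[start:]:
            block["prev_hash"] = prev
            rec = {k: v for k, v in block.items() if k != "block_hash"}
            block["block_hash"] = sha256_hex(canonical(rec))
            prev = block["block_hash"]


def demo():
    """Returns (chain ok, chain ok after edit, chain ok after rewrite, anchors ok after rewrite)."""
    image = b"constructed disk image bytes"  # stands in for the acquired evidence
    ev_hash = sha256_hex(image)
    ledger = CustodyLedger(anchor_every=3)
    ledger.record("acquired", "LEA-01", "EXH-0001", ev_hash, "2020-06-01T09:00:00Z")
    ledger.record("transferred", "LAB-07", "EXH-0001", ev_hash, "2020-06-01T13:30:00Z")
    ledger.record("analysed", "LAB-07", "EXH-0001", ev_hash, "2020-06-03T10:15:00Z")
    ledger.record("presented", "ATTY-03", "EXH-0001", ev_hash, "2020-06-10T11:00:00Z")
    ok_clean = ledger.verify_chain() and ledger.verify_anchors()
    # A naive edit (custodian swapped) breaks the block hash.
    ledger.blocks[1]["custodian"] = "LEA-01"
    ok_after_edit = ledger.verify_chain()
    # A rewrite that recomputes every hash fools chain verification...
    ledger.rehash_from(1)
    ok_after_rewrite = ledger.verify_chain()
    # ...but not the anchor published when the third block was appended.
    anchors_after_rewrite = ledger.verify_anchors()
    return ok_clean, ok_after_edit, ok_after_rewrite, anchors_after_rewrite


if __name__ == "__main__":
    print(demo())
```

The `demo()` sequence is the check a practitioner wants before trusting such a ledger: the chain alone only detects edits by someone who cannot rewrite it, so whoever hosts the ledger can rewrite history unless heads are anchored somewhere they do not control. Anchoring every third block, as here, also shows the "different levels of verification" point: records between anchors are verifiable against the ledger, records at an anchor against the public record as well.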

Journal ArticleDOI
TL;DR: In this article, the authors argue that effective protection of fundamental rights in cyberspace requires a judicial review framework open to a redefinition of the traditional perspective of horizontal effects of constitutional rights and a comprehensive understanding of the re-territorialization phenomenon of the Internet.
Abstract: This paper discusses how normative principles from Digital Constitutionalism might guide the Constitutional Courts' judicial review of Internet laws, such as the Brazilian Internet Civil Framework. It argues that effective protection of fundamental rights in cyberspace requires a judicial review framework open to (i) a redefinition of the traditional perspective of horizontal effects of constitutional rights and (ii) a comprehensive understanding of the re-territorialization phenomenon of the Internet. These possibilities are examined from the discussions on the online intermediaries' civil liabilities and the jurisdictional cross-border battles for digital evidence.

Journal ArticleDOI
01 Dec 2020
TL;DR: This paper proposes resolving the problem of custody of digital evidence in forensic medicine through an operational hybrid platform that uses a consensus mechanism to record a transparent history of access and prevent unauthorised users from modifying it.
Abstract: Despite the benefits that digital forensic medical evidence offers, the custody and sharing of such information remains an ongoing problem. While waiting for an optimal solution, both professionals and institutions must evaluate their options and choose the least disadvantageous among them. This paper proposes resolving the problem through an operational hybrid platform that uses a consensus mechanism to record a transparent history of access and prevent unauthorised users from modifying it. The digital evidence is encrypted and saved in an online file storage system, while the file properties are stored on a private implementation of the Hyperledger Fabric™ blockchain. The blockchain nodes allow access to the data through a dynamic consensus mechanism, and all operations (like uploads, views, or deletions) are continuously and permanently recorded on the blockchain. The network is safe and accessible through a dedicated application. All information is agreed upon and shared between the blockchain nodes to avoid single points of failure, and secure access to digital evidence is assured by combining cryptography and the blockchain consensus mechanism. The result is a secure and complete framework with which to upload, store and share digital forensic medical evidence. Despite some limitations, this proposal offers an implementable solution for the custody of digital evidence in forensic medicine that has been identified through existing and innovative technologies, the implementation of a proof of principle prototype, and benchmarks.

Book ChapterDOI
12 Nov 2020
TL;DR: In this paper, the authors present their findings on tool selection and intelligent clustering of DJI Mavic Air drone data, which can help forensic investigators identify the most pertinent forensic investigation tools to foster a sound artificial intelligence-based forensic investigation process.
Abstract: Digital forensics investigation on drones has gained significant popularity during the recent past, mainly due to intensifying drone-related cybercrime activities. Collecting valid digital evidence from confiscated drones and proving a case in a court of law has been a difficult and lengthy process due to various factors, including the choice of tools. Consequently, to simplify and speed up the investigation process, the most apt forensic investigation tools must be selected to carry out the investigation, accompanied by data mining techniques for data analysis and visualization, which ascertain accuracy in reporting. We present our findings on tool selection and intelligent clustering of DJI Mavic Air drone data. The proposed methodology can help forensic investigators identify the most pertinent forensic investigation tools to foster a sound artificial intelligence-based forensic investigation process. Experiments were conducted on sample drone data, with findings reported on the superiority of Airdata.com and Autopsy forensic tools over others.

Journal ArticleDOI
TL;DR: The aim of this research is to develop an automated forensically sound process for Windows Registry investigation, which entails setting up strict and reliable measures for an investigator to follow whilst minimizing human interaction through automation.
Abstract: The extraction of digital evidence from storage media is a growing concern in digital forensics, due to the time and space complexity in acquiring, preserving and analysing digital evidence. Micros...

Book ChapterDOI
01 Jan 2020
TL;DR: These interactive visualisations aim to improve the ability of digital forensics discovery to search and analyse a vast amount of e-mail information quickly and efficiently.
Abstract: In Digital Forensics and Digital Discovery, e-mail communication analysis has become an important part of the litigation process. Integrating these two can improve e-mail communication analysis in organisations and help both legal and technical professionals achieve the goal of conducting analysis in a manner that is legally defensible and forensically sound. In this forensic discovery process, digital evidence plays an increasingly vital role in court to prove or disprove an individual's or a group of individuals' actions in order to secure a conviction. However, e-mail investigations are becoming increasingly complex and time consuming due to the multifaceted large data involved, and investigators find themselves unable to explore and conduct analysis in an appropriately efficient and effective manner. This situation has prompted the need for improved e-mail communication analysis that is capable of handling large and complex investigations to detect suspicious activities. So, our interactive visualisations aim to improve the ability of digital forensics discovery to search and analyse a vast amount of e-mail information quickly and efficiently.

Journal ArticleDOI
01 Mar 2020
TL;DR: The Digital Evidence Certainty Descriptors framework is offered as a method for conveying when uncertainty exists in a set of digital findings and the difficulties involved with determining the authenticity of a given hypothesis regarding digital evidence.
Abstract: Whilst many other traditional forensic science disciplines are encouraged to describe the weight of their evidence in some form of quantifiable measurement/expression, this is rarely done in digital forensics. There are calls to rectify this situation, suggesting that the field should begin to develop more robust, scientific methods for evaluating the digital evidence presented by its practitioners. Whilst such a recommendation carries a number of potential benefits, caution must be exercised as at present there are no available satisfactory methods for achieving this. This work suggests that attaining such methods may not actually be possible due to the intricacies of digital data and the difficulties involved with the fine-grained interpretation of events. As a result it is argued that attempts to quantify any uncertainty should be abandoned in favour of methods which reliably describe when uncertainty exists and in what capacity. Here, the Digital Evidence Certainty Descriptors (DECDs) framework is offered as a method for conveying when uncertainty exists in a set of digital findings. The DECDs framework is discussed and applied to working examples to demonstrate the difficulties involved with determining the authenticity of a given hypothesis regarding digital evidence.

Proceedings ArticleDOI
28 Jul 2020
TL;DR: The purpose of this paper is to introduce and discuss the potential place and value of digital forensics processes within the context of healthcare providers, through five scenarios, and it raises incentives for integrating digital forensics into various scenarios involving healthcare providers.
Abstract: The integration of information technology into medical environments introduces a variety of opportunities and challenges for the healthcare community. Medical devices such as ventilators, patient monitors, and infusion pumps, which once operated as standalone devices, now integrate network communication technology. As a result, these modern medical devices produce, store, and transmit large amounts of patient and therapy information. From a digital forensics' perspective, this information could provide a forensic investigator with a treasure trove of potential digital evidence. Hence, the purpose of this paper is to introduce and discuss the potential place and value of digital forensics processes within the context of healthcare providers, through five scenarios. The aim of the paper is twofold. First, it raises incentives for integrating digital forensics into various scenarios involving healthcare providers. Second, it encourages future research to address the adoption of digital forensics tools and techniques to assist stakeholders in the medical domain.

Journal ArticleDOI
01 Dec 2020
TL;DR: The importance of mapping the digital forensic application requirement specification to an international standard, precisely ISO/IEC 27043, is highlighted to contribute to the problem of secure DF tool creation, and in the process address Software Requirements Specification (SRS) as a process of digital evidence admissibility.
Abstract: A potential security incident may go unsolved if standardized forensic approaches are not applied during lawful investigations. This paper highlights the importance of mapping the digital forensic application requirement specification to an international standard, precisely ISO/IEC 27043. The outcome of this work is projected to contribute to the problem of secure DF tool creation, and in the process address Software Requirements Specification (SRS) as a process of digital evidence admissibility.

Journal ArticleDOI
Ana Nieto
TL;DR: This paper defines a methodology for extracting unique objects from the files of a case, defining the context of the digital investigation and increasing the knowledge progressively, using additional files from the case (e.g. network captures).
Abstract: One of the biggest challenges in IoT-forensics is the analysis and correlation of heterogeneous digital evidence, to enable an effective understanding of complex scenarios. This paper defines a methodology for extracting unique objects (e.g., representing users or devices) from the files of a case, defining the context of the digital investigation and increasing the knowledge progressively, using additional files from the case (e.g. network captures). The solution includes external searches using open source intelligence (OSINT) sources when needed. In order to illustrate this approach, the proposed methodology is implemented in the JSON Users and Devices analysis (JUDAS) tool, which is able to generate the context from JSON files, complete it, and show the whole context using dynamic graphs. The approach is validated using the files in an IoT-Forensic digital investigation where an important set of potential digital evidence extracted from Amazon’s Alexa Cloud is analysed.

Journal ArticleDOI
01 Apr 2020
TL;DR: Overall, tampering with main memory dumps appears to be harder than tampering with hard disc images but the probability to fool an analyst is higher too.
Abstract: Tampered digital evidence may jeopardize its correct interpretation. To assess the risks in a court of law, it is helpful to quantify the necessary effort to perform a convincing manipulation of digital evidence. Based on a sequence of controlled experiments with graduate students and digital forensics professionals, we study the effort to manipulate copies of main memory taken during a digital investigation. Confirming previous results on hard disc image tampering, manipulating main memory dumps can be considered hard in the sense that most forgeries were successfully detected. However, while the effort to detect a manipulation is generally bounded by the tampering effort, some forgeries fooled the analysts and caused analysis effort that was higher than the manipulation effort. The detection effort by graduate students, however, was generally higher than that of professionals. We study different manipulation and detection approaches and their success. Overall, tampering with main memory dumps appears to be harder than tampering with hard disc images but the probability to fool an analyst is higher too.

Book ChapterDOI
29 Oct 2020
TL;DR: A passive forgery detection approach is proposed by manually extracting the entropy features of original and forged audios created using an imitation method and then using a machine learning model with logistic regression to classify the audio recordings.
Abstract: Nowadays, there are different digital tools that permit the editing of digital content such as audio files, and they are easily accessed on mobile devices and personal computers. Audio forgery detection has been one of the main topics in the forensics field, as it is necessary to have reliable evidence in court. These audio recordings that are used as digital evidence may be forged, and methods that are able to detect whether they have been forged are required as new ways of generating fake content continue to grow. One method to generate fake content is imitation, in which a speaker can imitate another using signal processing techniques. In this work, a passive forgery detection approach is proposed by manually extracting the entropy features of original and forged audios created using an imitation method and then using a machine learning model with logistic regression to classify the audio recordings. The results showed an accuracy of 0.98, where all forged audios were successfully detected.
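The abstract names the pipeline (per-frame entropy features, then logistic regression) without showing it. The following is an added example, not the chapter's code or data: it computes the Shannon entropy of each frame's amplitude histogram, summarises the entropy sequence as four features, and trains a logistic regression by batch gradient descent in plain Python. Both the "original" recordings (tone plus noise with a random gain per frame) and the "forged" ones (a quarter of the frames replaced by hard-clipped segments, standing in for spliced processed audio) are synthetic and constructed so that entropy separates them; the example demonstrates the feature and classifier mechanics, not the reported 0.98 accuracy, and real imitation forgeries would need the authors' feature set and data.

```python
"""Entropy-feature audio forgery detector.

Added example, not the chapter's code. The audio and the 'imitation'
forgeries are constructed synthetically (original frames: sinusoid + noise
with varying gain; forged frames: a quarter of the frames replaced by
hard-clipped segments), so the separation is by construction; the point is
the pipeline: per-frame entropy -> summary features -> logistic regression.
"""
import math
import random

FRAME = 256
N_FRAMES = 20


def _sigmoid(a):
    a = max(-500.0, min(500.0, a))  # keep exp() in range on separable data
    return 1.0 / (1.0 + math.exp(-a))


def frame_entropy(samples, n_bins=16):
    """Shannon entropy in bits of the amplitude histogram of one frame (samples in [-1, 1])."""
    counts = [0] * n_bins
    for s in samples:
        idx = int((s + 1.0) / 2.0 * n_bins)
        counts[min(max(idx, 0), n_bins - 1)] += 1
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_features(signal, frame_len=FRAME):
    """Summarise the per-frame entropy sequence as [mean, std, min, max]."""
    ents = [frame_entropy(signal[i:i + frame_len])
            for i in range(0, len(signal) - frame_len + 1, frame_len)]
    mean = sum(ents) / len(ents)
    std = math.sqrt(sum((e - mean) ** 2 for e in ents) / len(ents))
    return [mean, std, min(ents), max(ents)]


def make_clip(rng, forged):
    """Constructed recording: N_FRAMES frames of tone + noise with random gain;
    if forged, a quarter of the frames are replaced by hard-clipped segments."""
    sig = []
    for _ in range(N_FRAMES):
        gain = rng.uniform(0.3, 1.0)
        freq = rng.uniform(0.01, 0.05)
        sig.extend(gain * (0.6 * math.sin(2 * math.pi * freq * t) + 0.4 * rng.uniform(-1, 1))
                   for t in range(FRAME))
    if forged:
        for f in rng.sample(range(N_FRAMES), N_FRAMES // 4):
            for t in range(f * FRAME, (f + 1) * FRAME):
                sig[t] = 0.9 if sig[t] >= 0 else -0.9
    return sig


def make_dataset(n_per_class, seed):
    rng = random.Random(seed)
    X, y = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            X.append(entropy_features(make_clip(rng, forged=bool(label))))
            y.append(label)
    return X, y


def train_logreg(X, y, epochs=300, lr=0.5):
    """Batch gradient-descent logistic regression on standardised features."""
    d, n = len(X[0]), len(X)
    mu = [sum(x[j] for x in X) / n for j in range(d)]
    sd = [max(math.sqrt(sum((x[j] - mu[j]) ** 2 for x in X) / n), 1e-9) for j in range(d)]
    Z = [[(x[j] - mu[j]) / sd[j] for j in range(d)] for x in X]
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for z, t in zip(Z, y):
            err = _sigmoid(sum(wj * zj for wj, zj in zip(w, z)) + b) - t
            gb += err
            for j in range(d):
                gw[j] += err * z[j]
        w = [wj - lr * g / n for wj, g in zip(w, gw)]
        b -= lr * gb / n
    return {"w": w, "b": b, "mu": mu, "sd": sd}


def predict_proba(model, x):
    z = [(x[j] - model["mu"][j]) / model["sd"][j] for j in range(len(x))]
    return _sigmoid(sum(wj * zj for wj, zj in zip(model["w"], z)) + model["b"])


def accuracy(model, X, y):
    return sum((predict_proba(model, x) >= 0.5) == bool(t) for x, t in zip(X, y)) / len(y)


if __name__ == "__main__":
    Xtr, ytr = make_dataset(40, seed=1)
    Xte, yte = make_dataset(20, seed=2)
    model = train_logreg(Xtr, ytr)
    print("held-out accuracy:", accuracy(model, Xte, yte))
```

The caveat a practitioner should carry from this to the real method is the one built into the synthetic data: a clipped or re-quantised segment drops frame entropy to one or two bits, which is why the minimum-entropy feature separates the classes here. Forgeries that keep the amplitude distribution of the surrounding speech would not show up in this feature, so held-out accuracy on constructed data says nothing about imitation forgeries made with a competent pipeline.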

Journal ArticleDOI
01 Dec 2020
TL;DR: This work presents the Verification of Digital Evidence (VODE) framework, designed to support digital forensic practitioners when testing and verifying their interpretation of digital data.
Abstract: Quality assurance measures in the field of digital forensics play a vital role in upholding and developing investigatory standards. Coupled with the fast pace of technology, practitioners in this discipline are often faced with the challenge of interpreting previously unseen or undocumented forms of potentially evidential digital data, content which may be crucial to a current case under investigation. Mechanisms to support this interpretative process offer support for the practitioner, helping to guide them through this task and the steps involved in ensuring any reported information is accurate. This work presents the Verification of Digital Evidence (VODE) framework, designed to support digital forensic practitioners when testing and verifying their interpretation of digital data. The stages of VODE are discussed and its application placed in context.

Book ChapterDOI
06 Jan 2020
TL;DR: In this article, the authors present a comparison of real-world and synthetic data sets for digital forensic tool testing, and show that realworld datasets have the advantage of relevance but the interpretation of results can be difficult because reliable ground truth may not exist.
Abstract: Increases in the quantity and complexity of digital evidence necessitate the development and application of advanced, accurate and efficient digital forensic tools. Digital forensic tool testing helps assure the veracity of digital evidence, but it requires appropriate validation datasets. The datasets are crucial to evaluating reproducibility and improving the state of the art. Datasets can be real-world or synthetic. While real-world datasets have the advantage of relevance, the interpretation of results can be difficult because reliable ground truth may not exist. In contrast, ground truth is easily established for synthetic datasets.

Proceedings ArticleDOI
25 Nov 2020
TL;DR: In this paper, a new methodology is proposed that utilizes deep learning techniques to provide a model able to predict the type of corrupted files, overcoming the limitations of previous approaches; the paper also highlights the difference between modern and traditional methods of conducting such an analysis.
Abstract: Digital forensic experts are responsible for assisting law enforcement in extracting evidence from electronic devices. Identifying a file type within digital evidence is an essential part of forensic practice. This paper investigated the existing forensic approaches to identifying the file type and developed a new approach based on deep learning that overcomes previous approaches' limitations. This paper also highlighted the difference between modern and traditional methods of conducting such an analysis. Most traditional techniques have been identified as having challenges emanating from the approach's structure, which influences how file types are identified, and this has prompted researchers in the field to look for new systems that will address this gap. Thus, a new methodology is proposed that utilizes deep learning techniques to provide a model able to predict corrupted files.

Journal ArticleDOI
TL;DR: Whether IndexedDB, an emerging browser technology, can be a source of digital evidence to provide additional and correlating support for traditional investigation methods is scrutinized.
Abstract: Digital evidence is becoming an indispensable factor in most legal cases. However, technological advancements that lead to artifact complexity are forcing investigators to create sophisticated connections between the findings and the suspects for admissibility of evidence in court. This paper scrutinizes whether IndexedDB, an emerging browser technology, can be a source of digital evidence to provide additional and correlating support for traditional investigation methods. It particularly focuses on the artifacts of the globally popular application WhatsApp. A single-case pretest–posttest quasi-experiment is applied with WhatsApp Messenger and the WhatsApp Web application to populate and investigate artifacts in the IndexedDB storage of Google Chrome. The findings are characterized and presented with their potential to be utilized in forensic investigation verifications. The storage locations of the artifacts are laid out, and the operations of extraction, conversion and presentation are systematized. Additionally, a proof-of-concept tool is developed for demonstration. The results show that WhatsApp Web IndexedDB storage can be employed for time frame analysis, demonstrating its value in evidence verification.

Proceedings ArticleDOI
12 Mar 2020
TL;DR: In this paper, a protocol for digital evidence chain of custody based on revocable ciphertext-policy attribute-based encryption, BLS signatures, and blockchain technology is proposed, which balances the privacy and the traceability of evidence.
Abstract: With the development of technology, the preservation of digital evidence becomes increasingly important in case investigations. To maintain the authenticity of a piece of evidence, its entire lifecycle has to be recorded. In addition, traditional database technologies are not able to maintain the integrity and authenticity of digital evidence. In order to achieve authentication and integrity, as well as confidentiality, of digital evidence, we propose a protocol for digital evidence chain of custody based on revocable ciphertext-policy attribute-based encryption, BLS signatures, and blockchain technology. In our protocol, attribute-based encryption is used to achieve fine-grained access control and the BLS signature is used to verify digital evidence. In addition, we use blockchain technology to ensure the integrity and traceability of digital evidence. Analysis and experimental results show that the proposed protocol, which balances privacy and traceability, guarantees the integrity and validity of evidence.

Journal ArticleDOI
01 Apr 2020
TL;DR: This work presents an evaluation framework widely used in forensic science that employs scientific reasoning within a logical Bayesian framework to clearly distinguish between what has been observed and how those data shed light on uncertain target propositions.
Abstract: Location-related mobile device evidence is increasingly used to address forensic questions in criminal investigations. Evaluating this form of evidence, and expressing evaluative conclusions in this forensic discipline, are challenging because of the broad range of technological subtleties that can interact with circumstantial features of cases in complex ways. These challenges make this type of digital evidence prone to misinterpretations by both forensic practitioners and legal decision-makers. To mitigate the risk of misleading digital forensic findings, it is crucial to follow a structured approach to evaluation of location-related mobile device evidence. This work presents an evaluation framework widely used in forensic science that employs scientific reasoning within a logical Bayesian framework to clearly distinguish between, on the one hand, what has been observed (i.e., what data are available) and, on the other hand, how those data shed light on uncertain target propositions. This paper provides case examples to illustrate the advantages and difficulties of applying this approach to location-based mobile device evidence. This work helps digital forensic practitioners follow the principles of balanced evaluation and convey location-related mobile device evidence in a way that allows decision-makers to properly understand the relative strength of, and limitations in, digital forensic results.