Topic

Digital evidence

About: Digital evidence is a research topic. Over the lifetime, 1621 publications have been published within this topic receiving 18476 citations.


Papers
Dissertation
01 Jan 2018
TL;DR: In applying this ontology, a new classification system to gauge, select and compare digital evidence from a variety of sources is proposed, and it is demonstrated how investigations are made more effective, and the reliability of any recovered evidence can be more easily understood.
Abstract: As digital evidence becomes increasingly significant to criminal investigations, so does the importance of adopting the most effective approach to examining it. An ineffective examination can result in evidence not being identified. Even if evidence is noted, connections may not be made between the disparate values. This thesis proposes a new classification system to gauge, select and compare digital evidence from a variety of sources. It performs this using a type of model called an ontology. This is used to map the potential location of evidence on digital devices applying a code to each piece that is identified. The codes are then used for selection of the artefacts that are most appropriate to enquiries based on the investigative Who, What, When, Where, How and Why questions. Any evidence with the same code can be compared. In applying this ontology it is demonstrated how investigations are made more effective, and the reliability of any recovered evidence can be more easily understood.

8 citations

22 Mar 2008
TL;DR: Berman et al. as discussed by the authors argued that "territorially-based conceptions of legal jurisdiction may no longer be adequate" in pursuing offences committed in the virtual, global environment of the Internet and proposed a pluralistic concept of jurisdiction.
Abstract: Introduction Jurisdiction and physical presence of a perpetrator and evidence form the basis of the majority of existing legal structures that address criminal issues. Tangible, physical evidence is the foundation on which most successfully prosecuted crimes rest. Digital evidence obtained from a cybercrime intrusion is volatile, difficult to obtain or present in court, and requires a certain amount of adaptation in order to be acceptable to most courts. These difficulties of application may be illustrated in more detail by examining specific comparisons of cybercrime incidents to existing laws, as well as procedural difficulties arising from determination of jurisdiction over a networked environment. Axelrod and Jay (1999, p. 14) give an example of suitable application to computer crime of an existing law. If a stolen password is used to gain unauthorized, local entry into a computer, this can be prosecuted as unauthorized use of a computer under New York State Computer Law [NYSCL], [section] 156.05 (1998). A different example described by Axelrod and Jay (1999, p. 14) is that of a distributed denial of service attack. A distributed denial of service attack [DDoS] occurs when a multitude of networked systems direct a massive quantity of network traffic (in the form of "packets") toward a single victim system. The deluge of packets can cause access to the victimized system to become unavailable to legitimate users. The use of computer trespass (NYSCL, [section] 156.10, 1998) would be realistically impossible to support in court, due to the untraceable nature of a DDoS attack. Computer tampering (NYSCL, [section] 156.20, 1998) would also be unlikely to help establish a case because, technically speaking, the intruder has not intentionally altered or destroyed computer data belonging to another person. 
When Axelrod and Jay's (1999) examples are examined, it can be seen that the "fit" between traditional law and applicability to the various network-related crimes are distinguished by the characteristic of remote connection; that is to say, the networked environment in which the crime takes place. As illustrated by Axelrod and Jay, unauthorized local physical access to a computer bears enough resemblance to the traditional laws governing trespass to allow prosecution. When certain characteristics inherently exclusive to the networked environment are introduced as in the case of a DDoS attack, laws crafted for a traditional, physical environment may prove to be difficult to apply when prosecuting the perpetrators even should the perpetrators be identified. Traditional law in the United States has yet to precisely define jurisdiction involving cybercrime. There is little precedent concerning determination of jurisdiction over actions which are performed remotely using the Internet as the medium for conveyance. In those cases where the United States justice system has adjudicated, "long-arm" statutes, which allow a state to extend jurisdiction to individuals or organizations not residing in that state, and local jurisdictional principals have been applied toward making decisions. Due to the paucity of jurisdiction cases involving cybercrime, there is currently a limited amount of law for policy makers or enforcement officers to reference. Berman (2004, p. 1821) argues that "territorially-based conceptions of legal jurisdiction may no longer be adequate" in pursuing offences committed in the virtual, global environment of the Internet and proposes a pluralistic concept of jurisdiction. Berman notes a selection of cybercrime cases in which United States judges have ruled according to United States law, assuming that because United States law may apply that it should apply. 
Berman's (2004) pluralist view detaches the jurisdiction process from territorial nation-states and places jurisdiction into the virtual state occupied by networked entities represented through the Internet. …

8 citations

Journal Article
TL;DR: Monthly columnists Dario Forte and Richard Power look at the traits, potentials and limitations of an often underestimated or merely rumoured category of malicious software.

8 citations

Journal Article
TL;DR: A model of image logging server having alteration detectable capability, is proposed, which is able to ensure all security requirements like Authenticity, Integrity and confidentiality and carry out a systematic analysis of the hacking Attempt.
Abstract: Nowadays log file plays vital role in web forensic as digital evidence. Hence security of log file is a major topic of apprehension. In this paper a model of image logging server having alteration detectable capability, is proposed. According to this approach we first convert a text log file into image log file with the help of bit encoding technique and tamper detection capability is achieved by self embedding fragile watermark scheme. If any alteration is done on image log file then due to nature of fragile watermark, one can easily locate that tampered region. Proposed model is also able to ensure all security requirements like Authenticity, Integrity and confidentiality.
General Terms: Digital Forensics
Keywords: Web forensic, Cyber forensic, fragile watermark, self embedding, Log file, Image logging server.
1. INTRODUCTION
Today people absolutely rely on digital media. Since technology is advancing with burgeoning rate hence a new opportunity is opened for Business Company and legal agencies to deploy those technologies. It is very beneficial for worldwide users, but on the other hand, due to some loop holes of those technologies, malicious use for committing crime has also been increased. That's why it is very essential to prevent the criminals and their succession of committing crime to smooth the progress of the secure utilization of new technological services. Thus, for the analysis of law enforcement and database table storage, the transaction log, indexes, and other cyber crime, Cyber Forensic [1][2][3][4] came into picture. The primary ambition of cyber forensic examination is to recognize digital evidence for an investigation. Cyber forensic evidence must fulfill some security requirements [3] like Accuracy, Integrity, Authenticity and confidentiality. Digital evidence must be unquestionable, accurate, absolute and acceptable by juries as well as Permissible with common law and legislative rules.
Cyber forensic can be widely categorized into four classes [1] viz. computer forensic, network forensic, web forensic and mobile forensic as shown in figure 1. The concept of web forensic deals with the process of monitoring access logs, detection of any alteration in log files as well as recovery of those alterations. The significance of web forensic is to investigate web attacks and prevent those in future, using analysis of log files. In order to carry out a systematic analysis of the hacking attempt [5], it is advised that the investigator must investigate all four types of logs, namely web server logs, any 3rd party installed software logs, operating system logs and client side logs [6][7]. Now we can assume the importance of log files in web forensic. There are many web attacks which are used to alter the integrity of log files like user to root (U2R) attack, in which the intruder exploits some vulnerability associated with the operating system and web server environment of the server machine under attack to perform the conversion from user to root level [8]. After getting the root privileges, the intruder has full control and access on the server machine to get backdoor entries for future misuse and change system logs [9]. Jianhui

8 citations


Network Information
Related Topics (5)
Information privacy: 25.4K papers, 579.6K citations, 78% related
Cloud computing security: 27.1K papers, 511.8K citations, 77% related
Authentication: 74.7K papers, 867.1K citations, 77% related
Intrusion detection system: 28.4K papers, 509.5K citations, 76% related
Public-key cryptography: 27.2K papers, 547.7K citations, 75% related
Performance Metrics
No. of papers in the topic in previous years (Year: Papers)
2024: 1
2023: 87
2022: 206
2021: 87
2020: 116
2019: 111