Topic

Digital evidence

About: Digital evidence is a research topic. Over the lifetime, 1621 publications have been published within this topic receiving 18476 citations.


Papers
Tian, Zhihong, Jiang, Wei, Li, Yang 
01 Jan 2015
TL;DR: In this article, a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically is presented.
Abstract: Network forensics is a security infrastructure, and becomes the research focus of forensic investigation. However many challenges still exist in conducting network forensics: network has produced large amounts of data; the comprehensibility of evidence extracting from collected data; the efficiency of evidence analysis methods, etc. To solve these problems, in this paper we develop a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method on a series of experiments on KDD Cup 1999 dataset. The results demonstrate that our methods are actually effective for real-time network forensics, and can provide comprehensible aid for a forensic expert.

8 citations

Journal Article
TL;DR: The research has shown that whilst South African DF practitioners perceive DF as having an impact on their investigations, they also perceive electronic evidence as forming only part of the evidence presented to court, and that even if most of the usable evidence is lost, some will generally remain.
Abstract: With the increase in cybercrime, digital evidence is becoming an integral part of the judicial system. Digital evidence is to be found everywhere from computers, to mobile phones, ATMs and surveillance cameras, and it is hard to imagine a crime that does not contain any element of digital evidence. It is however not simple to extract such evidence and present it to court in such a way that there is no uncertainty that it was not changed in any way. Thus the responsibility placed on a Digital Forensics (DF) practitioner to present usable evidence to a court is increasing fast. In some respects, however, it is relatively easy to get rid of digital evidence or to hide it. Many tools exist for cybercrime criminals to prevent DF practitioners from getting their hands on information of probative value. Such tools and methods are known as AntiForensics (AF). The purpose of this study is to identify the abilities of DF practitioners to identify the use of AF in their active investigations. The research model used attempts to identify all the factors and constructs of AF that impact on investigations. This model was then used to develop a survey instrument to gather empirical data from South African DFs. The research has shown that whilst South African DF practitioners perceive DF as having an impact on their investigations, they also perceive electronic evidence as forming only part of the evidence presented to court, and that even if most of the usable evidence is lost, some will generally remain. It was also found that while most DF practitioners in South Africa are well versed only in the more commonly known AF techniques, they do not rate their abilities on more complex techniques well. Finally, most DF practitioners appear not to actively attempt to identify AF techniques as part of their investigations. This, combined with a lack of understanding of more complex AF techniques, could leave South African DF practitioners exposed by missing important evidence due to lack of technical proficiency.

8 citations

Book Chapter
26 Jan 2009
TL;DR: The features of the PSP browser are discussed, including wireless Internet access and image, music and movie playback, and best practices for extracting digital evidence are suggested.
Abstract: The Sony PlayStation Portable (PSP) is a popular portable gaming device with features such as wireless Internet access and image, music and movie playback. As with most systems built around a processor and storage, the PSP can be used for purposes other than it was originally intended – legal as well as illegal. This paper discusses the features of the PSP browser and suggests best practices for extracting digital evidence.

8 citations

Posted Content
TL;DR: A tool to automatically identify evidentiary data in the permanent storage of an Android device via static analysis of a large number of apps, and results show that EviHunter can precisely identify both the types of evidentiary data and the files that store them.
Abstract: Crimes, both physical and cyber, increasingly involve smartphones due to their ubiquity. Therefore, digital evidence on smartphones plays an increasingly important role in crime investigations. Digital evidence could reside in the memory and permanent storage of a smartphone. While we have witnessed significant progress on memory forensics recently, identifying evidence in the permanent storage is still an underdeveloped research area. Most existing studies on permanent-storage forensics rely on manual analysis or keyword-based scanning of the permanent storage. Manual analysis is costly, while keyword matching often misses the evidentiary data that do not have interesting keywords. In this work, we develop a tool called EviHunter to automatically identify evidentiary data in the permanent storage of an Android device. There could be thousands of files on the permanent storage of a smartphone. A basic question a forensic investigator often faces is which files could store evidentiary data. EviHunter aims to answer this question. Our intuition is that the evidentiary data were produced by apps; and an app's code has rich information about the types of data the app may write to a permanent storage and the files the data are written to. Therefore, EviHunter first pre-computes an App Evidence Database (AED) via static analysis of a large number of apps. The AED includes the types of evidentiary data and files that store them for each app. Then, EviHunter matches the files on a smartphone's permanent storage against the AED to identify the files that could store evidentiary data. We evaluate EviHunter on benchmark apps and 8,690 real-world apps. Our results show that EviHunter can precisely identify both the types of evidentiary data and the files that store them.

8 citations

Journal Article
TL;DR: This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS.

8 citations


Related Topics (5)
Information privacy: 25.4K papers, 579.6K citations, 78% related
Cloud computing security: 27.1K papers, 511.8K citations, 77% related
Authentication: 74.7K papers, 867.1K citations, 77% related
Intrusion detection system: 28.4K papers, 509.5K citations, 76% related
Public-key cryptography: 27.2K papers, 547.7K citations, 75% related
No. of papers in the topic in previous years
Year    Papers
2024    1
2023    87
2022    206
2021    87
2020    116
2019    111