Digital evidence

About: Digital evidence is a research topic. Over the lifetime, 1621 publications have been published within this topic receiving 18476 citations.


Papers
30 Jun 2009
TL;DR: In this paper, William G. Perry provides some guidelines about processing computer equipment for transfer to information and intelligence professionals who might wring out from digital storage media the critical information needed to penetrate the enemy's decision matrix.
Abstract: The advent of the digital age has made it inevitable that troops in contact will fall upon computers and related equipment valuable for the information they can provide about the enemy. In this paper, Dr. William G. Perry provides some guidelines about processing computer equipment for transfer to information and intelligence professionals who might wring out from digital storage media the critical information needed to penetrate the enemy's decision matrix. In addition, captured computer gear may often need to be protected by a chain of custody to support legal actions against illegal combatants/criminals. The digital age meshes with the 21st century irregular warfare environment in which nonstate actors, armed groups, terrorists, and criminals confront established governments. Today's Special Operations Forces (SOF) are most likely to confront these opponents while on counterinsurgency, foreign internal defense, and counterterrorism missions. From the moment of tactical discovery until its presentation in the courtroom, digital evidence will need to be safeguarded and a valid chain of custody maintained so that the host nation (or U.S. Government) might successfully bring criminals to justice. This will fall on the shoulders of the SOF operators at the tip of the spear who must add yet another skill set to their already full rucksacks. Particularly in direct action missions, the need to properly capture and bag-up enemy digital material can be critical to mission success, both for intelligence and legal purposes. Every strike team that descends upon the target will consider employing a "forensics team" that can rapidly identify sources of valuable digital information, document the findings, and secure computers and storage media.

3 citations

Book Chapter
28 Aug 2006
TL;DR: This study has confirmed that Non-QA and QA evidence collection models meet the cost-effective requirements and provide a practical solution to guarantee a certain level of quality of assurance for network forensics.
Abstract: Network forensics involves the process of identifying, collecting, analyzing and examining the digital evidence extracted from network traffic and network security element logs. One of the most challenging tasks for network forensics is how to collect enough information in order to reconstruct the attack scenarios. Capturing and storing data packets from networks consumes a lot of resources: CPU power and storage capacity. The emphasis of this paper is on the development of an evidence collection control mechanism that produces solutions close to optimal with a reasonable forensic service request acceptance ratio and tolerable data capture losses. In this paper, we propose two evidence collection models, Non-QA and QA, with preferential treatments for network forensics. They are modeled as a Continuous Time Markov Chain (CTMC) and are solved by LINGO. Performance metrics in terms of the forensic service blocking rate, the storage utilization and the trade-off cost are assessed in detail. This study has confirmed that the Non-QA and QA evidence collection models meet the cost-effectiveness requirements and provide a practical solution to guarantee a certain level of quality of assurance for network forensics.

3 citations
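The abstract above reports a blocking rate and a storage utilization for capture requests competing for finite storage. As an added example (not the paper's own model or code), the script below uses a single-class M/M/c/c loss system, i.e. the Erlang-B formula, as a simplified stand-in for the CTMC: a capture request is admitted if one of c storage slots is free and blocked otherwise. The slot sizing, arrival rate and holding time are constructed inputs, and the two-class Non-QA/QA preferential treatment of the paper is not reproduced here.

```python
"""Simplified capacity model for forensic capture requests (added example).

Assumptions (not from the paper): requests arrive as a Poisson process, each
request holds one storage slot for an exponentially distributed time, and a
request that finds no free slot is lost. That is the classic M/M/c/c loss
system, whose blocking probability is given by the Erlang-B formula.
"""


def erlang_b(servers: int, offered_load: float) -> float:
    """Blocking probability B(c, a) of an M/M/c/c loss system.

    Uses the numerically stable recursion
        B(0, a) = 1
        B(k, a) = a * B(k-1, a) / (k + a * B(k-1, a))
    instead of the factorial form, so it works for thousands of slots.
    """
    if servers < 0 or offered_load < 0:
        raise ValueError("servers and offered_load must be non-negative")
    b = 1.0
    for k in range(1, servers + 1):
        b = offered_load * b / (k + offered_load * b)
    return b


def capture_slots(storage_gb: float, per_request_gb: float) -> int:
    """How many concurrent captures the store can hold (assumed fixed size per capture)."""
    if per_request_gb <= 0:
        raise ValueError("per_request_gb must be positive")
    return int(storage_gb // per_request_gb)


def evaluate(storage_gb: float, per_request_gb: float,
             requests_per_hour: float, mean_capture_hours: float) -> dict:
    """Blocking rate and storage utilization for one configuration."""
    c = capture_slots(storage_gb, per_request_gb)
    a = requests_per_hour * mean_capture_hours          # offered load in erlangs
    blocking = erlang_b(c, a)
    carried = a * (1.0 - blocking)                       # requests actually served
    utilization = carried / c if c else 0.0              # mean fraction of slots busy
    return {
        "slots": c,
        "offered_erlangs": a,
        "blocking": blocking,
        "acceptance_ratio": 1.0 - blocking,
        "storage_utilization": utilization,
    }


def smallest_slots_for(target_blocking: float, offered_load: float,
                       max_slots: int = 100_000) -> int:
    """Dimensioning: the fewest slots that keep blocking at or below the target."""
    for c in range(1, max_slots + 1):
        if erlang_b(c, offered_load) <= target_blocking:
            return c
    raise ValueError("target not reachable within max_slots")


def tradeoff_sweep(offered_load: float, max_slots: int) -> list:
    """(slots, blocking, utilization) for each size: more slots lower blocking
    but also lower utilization, which is the trade-off the abstract refers to."""
    rows = []
    for c in range(1, max_slots + 1):
        b = erlang_b(c, offered_load)
        rows.append((c, b, offered_load * (1.0 - b) / c))
    return rows


if __name__ == "__main__":
    # Constructed scenario: 2 TB store, 50 GB per capture, 6 requests/hour,
    # each capture kept open for 4 hours on average (24 erlangs offered).
    print(evaluate(2000, 50, 6, 4))
    print("slots for <=1% blocking at 24 erlangs:", smallest_slots_for(0.01, 24))
    for row in tradeoff_sweep(1.0, 5):
        print("slots=%d blocking=%.4f utilization=%.4f" % row)
```

The sweep makes the trade-off concrete: at one erlang of offered load, going from one to five slots cuts blocking from 50% to about 0.3% while utilization falls from 50% to under 20%, which is why the paper frames capacity as a cost trade-off rather than a pure loss-minimization problem.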

Book Chapter
22 Oct 2017
TL;DR: This research verified the processes required to gather digital evidence from a virtual machine disk (VMDK) file, creation of a forensic image, and mounting of evidence into these forensic tools.
Abstract: With the popularity of virtualized computing continuing to grow, it is crucial that digital forensic knowledge keeps pace. This research sought to identify the forensic artifacts and their locations that may be recovered from a VMware Workstation virtual machine running Windows 7 x64. Several common forensic tools were used to conduct this research, namely AccessData’s Forensic Toolkit (FTK), FTK Imager, and FTK Registry Viewer. This research verified the processes required to gather digital evidence from a virtual machine disk (VMDK) file, creation of a forensic image, and mounting of evidence into these forensic tools. This research then proceeded to document recovered artifacts and their locations related to system configuration, internet usage, file creation and deletion, user administration, and more.

3 citations
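Two of the abstracts above turn on the same requirement: the 2009 paper on the chain of custody that must run from tactical discovery to the courtroom, and the 2017 VMDK study on creating a forensic image before anything is mounted or examined. As an added example (not code from either paper or from the FTK tools named above), the Python script below hashes an image at acquisition, records each handover in a hash-chained custody log, and verifies both the image and the log later. The sample image bytes, evidence identifier, names and timestamps are constructed, and the JSON log layout is this example's own design, not a standard.

```python
"""Chain-of-custody log with image integrity verification (added example).

The image is hashed at acquisition and re-hashed at every handover; each log
entry is chained to its predecessor, so a changed image, an edited entry or a
removed entry is detectable on verification. All sample data is constructed.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for a raw image (e.g. a VMDK converted to raw). Not real data.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 1024


def hash_image(data: bytes, chunk: int = 4096) -> dict:
    """Hash an image in chunks, as one would stream a multi-GB file from disk.
    Both SHA-256 and MD5 are recorded so the record stays checkable against
    tools that report only one of them."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for i in range(0, len(data), chunk):
        sha.update(data[i:i + chunk])
        md5.update(data[i:i + chunk])
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest(), "size": len(data)}


def _entry_digest(fields: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) makes the digest reproducible.
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + canon).hexdigest()


def new_custody_log(evidence_id: str, description: str, acquired_by: str,
                    data: bytes, when: Optional[str] = None) -> dict:
    """Start the log at acquisition; the acquisition hash is the root that
    every later verification is measured against."""
    return {
        "evidence_id": evidence_id,
        "description": description,
        "acquired_by": acquired_by,
        "acquired_at": when or datetime.now(timezone.utc).isoformat(),
        "acquisition": hash_image(data),
        "entries": [],
    }


def record_transfer(log: dict, from_: str, to: str, purpose: str,
                    data: bytes, when: Optional[str] = None) -> dict:
    """Append a handover. The image is re-hashed at the transfer and the entry
    is chained to the previous entry (or to the acquisition hash)."""
    prev = log["entries"][-1]["entry_hash"] if log["entries"] else log["acquisition"]["sha256"]
    fields = {
        "seq": len(log["entries"]) + 1,
        "from": from_, "to": to, "purpose": purpose,
        "at": when or datetime.now(timezone.utc).isoformat(),
        "image": hash_image(data),
    }
    entry = dict(fields, entry_hash=_entry_digest(fields, prev))
    log["entries"].append(entry)
    return entry


def verify_custody_log(log: dict, data: bytes) -> list:
    """Return a list of problems; an empty list means image and log check out."""
    problems = []
    acq = log["acquisition"]["sha256"]
    if hash_image(data)["sha256"] != acq:
        problems.append("image no longer matches acquisition hash")
    prev = acq
    for i, e in enumerate(log["entries"], start=1):
        fields = {k: v for k, v in e.items() if k != "entry_hash"}
        if fields.get("seq") != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if e["image"]["sha256"] != acq:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        if _entry_digest(fields, prev) != e["entry_hash"]:
            problems.append(f"entry {i}: chain broken (entry edited or predecessor removed)")
        prev = e["entry_hash"]
    return problems


def demo() -> tuple:
    """Build a small log, then show how image and log tampering surface."""
    log = new_custody_log("EV-0001", "raw image converted from host VMDK (constructed)",
                          "operator A", SAMPLE_IMAGE, when="2017-10-22T09:00:00+00:00")
    record_transfer(log, "operator A", "analyst B", "examination",
                    SAMPLE_IMAGE, when="2017-10-22T11:30:00+00:00")
    record_transfer(log, "analyst B", "custodian C", "storage",
                    SAMPLE_IMAGE, when="2017-10-23T08:15:00+00:00")
    clean = verify_custody_log(log, SAMPLE_IMAGE)
    # Flip one byte of the image: the acquisition hash no longer matches.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01
    image_tamper = verify_custody_log(log, bytes(tampered))
    # Rewrite who received the evidence in entry 1: the hash chain breaks there.
    edited = copy.deepcopy(log)
    edited["entries"][0]["to"] = "unknown"
    log_tamper = verify_custody_log(edited, SAMPLE_IMAGE)
    return clean, image_tamper, log_tamper


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only protects against edits by someone who cannot rewrite the whole log: an adversary who controls the file can recompute every entry hash. In practice the current head hash is therefore recorded somewhere the custodian does not control (a signed timestamp, a ticketing system, a witness's signature on the paper form), and the image itself is hashed on write-blocked media before the VMDK-to-raw conversion and again after it.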

01 Jan 2014
TL;DR: In this article, the authors present some examples of basic online investigative tools which utilize freely available methods that are accessible to anyone with an internet connection, which may assist police officers with their investigations.
Abstract: Digital technology continues to advance with devices such as smart phones, tablet devices and personal computers containing a growing number of features and applications that facilitate both interpersonal and mass communication. The internet has become an important part of global culture in the 21st century (Witkowski, 2002) and provides additional options for how messages are generated and received (Day, 2013). This rapid development of technology has impacted upon how law enforcement agencies collate digital evidence (Nelson, Phillips and Steuart, 2010). The training of police officers in the use of digital and online investigative techniques appears to be restricted to police officers in specialised units. The purpose of this paper is to present some examples of basic online investigative tools which utilise freely available methods that are accessible to anyone with an internet connection. The methods that are discussed below may assist police officers with their investigations. This paper is an introductory guide and serves as an approach as opposed to a rule book or manual. By understanding an approach to online tools, it becomes easier to extrapolate suitable methods of inquiry when required. This paper does not cover techniques which gain unauthorised access to data in a system or any other activities that would require a court order or warrant to execute. Further, it is important to note that the processes or procedures in gathering digital evidence have a direct influence on the outcome of an investigation (Yusoff, Ismail and Hassan, 2011). Therefore it is recommended that the methods explained in this paper are rigorously documented if used in an investigation and that advice from specialists is sought during all stages of the investigation.

3 citations


Network Information
Related Topics (5)
Information privacy
25.4K papers, 579.6K citations
78% related
Cloud computing security
27.1K papers, 511.8K citations
77% related
Authentication
74.7K papers, 867.1K citations
77% related
Intrusion detection system
28.4K papers, 509.5K citations
76% related
Public-key cryptography
27.2K papers, 547.7K citations
75% related
Performance Metrics
No. of papers in the topic in previous years
Year  Papers
2024  1
2023  87
2022  206
2021  87
2020  116
2019  111