
Showing papers on "Digital forensics published in 2003"


Proceedings ArticleDOI
Hany Farid, Siwei Lyu
16 Jun 2003
TL;DR: A statistical model for natural images built on a multi-scale wavelet decomposition; its first- and higher-order statistics prove useful in several digital forensic applications, specifically in detecting various types of digital tampering.
Abstract: We describe a statistical model for natural images that is built upon a multi-scale wavelet decomposition. The model consists of first- and higher-order statistics that capture certain statistical regularities of natural images. We show how this model can be useful in several digital forensic applications, specifically in detecting various types of digital tampering.
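A concrete sketch of the kind of feature extraction such a model rests on, as an added example and not code from the paper: a one-level 2-D Haar decomposition stands in for the authors' wavelet decomposition, and only the per-subband moments (mean, variance, skewness, kurtosis) are computed. The two 8x8 images, a smooth ramp and a copy with a flat patch pasted into it, are constructed for the example.

```python
"""Wavelet-subband statistics as image-forensic features (pure Python).

Added example, not code from Farid and Lyu's paper: a one-level 2-D Haar
decomposition stands in for the paper's wavelet decomposition, and only the
per-subband moments (mean, variance, skewness, kurtosis) are computed. Both
images below are constructed for the example.
"""


def haar_2d(img):
    """One level of 2-D Haar decomposition of a list-of-rows image with even
    dimensions. Returns the (LL, LH, HL, HH) subbands at half resolution."""
    h, w = len(img), len(img[0])
    assert h % 2 == 0 and w % 2 == 0, "even dimensions required"
    ll, lh, hl, hh = [], [], [], []
    for r in range(0, h, 2):
        row_ll, row_lh, row_hl, row_hh = [], [], [], []
        for c in range(0, w, 2):
            a, b = img[r][c], img[r][c + 1]          # top-left, top-right
            d, e = img[r + 1][c], img[r + 1][c + 1]  # bottom-left, bottom-right
            row_ll.append((a + b + d + e) / 4.0)     # low-pass in both directions
            row_lh.append((a + b - d - e) / 4.0)     # vertical detail (row difference)
            row_hl.append((a - b + d - e) / 4.0)     # horizontal detail (column difference)
            row_hh.append((a - b - d + e) / 4.0)     # diagonal detail
        ll.append(row_ll)
        lh.append(row_lh)
        hl.append(row_hl)
        hh.append(row_hh)
    return ll, lh, hl, hh


def subband_stats(band):
    """Mean, variance, skewness and kurtosis of one subband's coefficients."""
    xs = [v for row in band for v in row]
    n = len(xs)
    mu = sum(xs) / n
    var = sum((x - mu) ** 2 for x in xs) / n
    if var == 0.0:  # a flat subband has no shape to describe
        return {"mean": mu, "var": 0.0, "skew": 0.0, "kurt": 0.0}
    m3 = sum((x - mu) ** 3 for x in xs) / n
    m4 = sum((x - mu) ** 4 for x in xs) / n
    return {"mean": mu, "var": var, "skew": m3 / var ** 1.5, "kurt": m4 / var ** 2}


def feature_vector(img, levels=2):
    """Concatenate the four moments of every high-pass subband (LH, HL, HH)
    over `levels` scales, recursing into the low-pass band each time."""
    feats = []
    cur = img
    for _ in range(levels):
        ll, lh, hl, hh = haar_2d(cur)
        for band in (lh, hl, hh):
            s = subband_stats(band)
            feats.extend([s["mean"], s["var"], s["skew"], s["kurt"]])
        cur = ll
    return feats


# Constructed 8x8 "natural" image: a smooth intensity ramp.
RAMP = [[8 * r + c for c in range(8)] for r in range(8)]

# Constructed "tampered" copy: a flat patch pasted over rows 2-4, columns 3-5,
# which introduces sharp edges that do not respect the 2x2 block grid.
TAMPERED = [row[:] for row in RAMP]
for _r in range(2, 5):
    for _c in range(3, 6):
        TAMPERED[_r][_c] = 200


if __name__ == "__main__":
    for name, im in (("ramp", RAMP), ("tampered", TAMPERED)):
        print(name, [round(v, 3) for v in feature_vector(im)])
```

On the smooth ramp every detail subband is constant, so its variance, skewness and kurtosis are zero; the pasted patch spreads the detail coefficients out and those moments become non-zero. A real detector would train a classifier on such vectors over many images rather than thresholding a single one, and the authors' model uses a richer decomposition and additional statistics than this sketch.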

241 citations


Journal Article
TL;DR: The nature of tools in digital forensics is examined, and the definitions, properties, and error types of abstraction layers as used by digital forensic analysis tools are discussed.
Abstract: This paper uses the theory of abstraction layers to describe the purpose and goals of digital forensic analysis tools. Using abstraction layers, we identify where tools can introduce errors and provide requirements that the tools must follow. Categories of forensic analysis types are also defined based on the abstraction layers. Abstraction layers are not a new concept, but their usage in digital forensic analysis is not well documented.

What does it mean to be a Digital Forensic Analysis Tool? How do we categorize the different types of analysis tools? For example, an investigator can view the files and directories of a suspect system by using either specialized forensic software or by using the operating system (OS) of an analysis system and viewing the files by mounting the drive. Both methods allow the investigator to view evidence in allocated files, but only the specialized forensic software allows him to easily view unallocated files. Additional tools are required if he is relying on the OS. Clearly both allow the investigator to find evidence and therefore should be considered forensic tools, but it is unclear how we should compare and categorize them.

The high-level process of digital forensics includes the acquisition of data from a source, analysis of the data and extraction of evidence, and preservation and presentation of the evidence. Previous work has been done on the theory and requirements of data acquisition [7] and the preservation of evidence [4]. This paper addresses the tools that are used for the analysis of data and extraction of evidence. This paper examines the nature of tools in digital forensics and proposes definitions and requirements. Current digital forensic tools produce results that have been successfully used in prosecutions, but lack designs that were created with forensic science needs. They provide the investigator with access to evidence, but typically do not provide access to methods for verifying that the evidence is reliable. This is necessary when approaching digital forensics from a scientific point of view and could be a legal requirement in the future.

The core concept of this paper is the basic notion of abstraction layers. Abstraction layers exist in all forms of digital data and therefore in the tools used to analyze them. The idea of using tools for layers of abstraction is not new, but a discussion of the definitions, properties, and error types of abstraction layers when used with digital

222 citations


Journal ArticleDOI
01 Jul 2003
TL;DR: The application of science and education to computer-related crime forensics is still largely limited to law enforcement organizations, but a suitable workforce development program could support the rapidly growing field of computer and network forensics.
Abstract: The application of science and education to computer-related crime forensics is still largely limited to law enforcement organizations. Building a suitable workforce development program could support the rapidly growing field of computer and network forensics.

132 citations


01 Jan 2003
TL;DR: The authors examine the Daubert guidelines for admitting scientific evidence in United States courts and show that open source forensic tools may meet those guidelines more clearly and comprehensively than closed source tools.
Abstract: This paper addresses digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, a tool must be reliable and relevant. The reliability of evidence is tested by applying “Daubert” guidelines. To date, there have been few legal challenges to digital evidence, but as the field matures this will likely change. This paper examines the Daubert guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools.

123 citations


Book
02 Feb 2003
TL;DR: A comprehensive and broad introduction to computer and intrusion forensics, this practical book helps you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and corporate fraud.
Abstract: From the Publisher: A comprehensive and broad introduction to computer and intrusion forensics, this practical book helps you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and corporate fraud. The book presents case studies from around the world, and treats key emerging areas such as stego-forensics, image identification, authorship categorization, link discovery and data mining. You also learn the principles and processes for effectively handling evidence from digital sources and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy. The book opens with a comprehensive introduction to computer and intrusion forensics and relates them to computer security in general and computer network security. It details the current practice of computer forensics and its role in combating computer crime, and examines the relationship between intrusion detection and intrusion forensics. What's more, the book explores the most important new areas for future research in computer forensics. This leading-edge resource is an indispensable reference for working professionals and post-graduate students alike.

109 citations



Proceedings ArticleDOI
08 Dec 2003
TL;DR: An expert system built around a decision tree uses predetermined invariant relationships between redundant digital objects to detect semantic incongruities, automatically identifying relevant evidence so that experts can focus on the relevant files, users, times and other facts first.
Abstract: When computer security violations are detected, computer forensic analysts attempting to determine the relevant causes and effects are forced to perform the tedious tasks of finding and preserving useful clues in large networks of operational machines. To augment a computer crime investigator's efforts, we present an expert system with a decision tree that uses predetermined invariant relationships between redundant digital objects to detect semantic incongruities. By analyzing data from a host or network and searching for violations of known data relationships, particularly when an attacker is attempting to hide his presence, an attacker's unauthorized changes may be automatically identified. Examples of such invariant data relationships are provided, as are techniques to identify new, useful ones. By automatically identifying relevant evidence, experts can focus on the relevant files, users, times and other facts first.
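The abstract does not list the invariants the system uses, so the following is an added example rather than the paper's expert system: a small rule set in which each rule encodes a relationship that must hold between two independently collected views of the same host, and any violation is reported as an incongruity. The host snapshot is constructed, and the three invariants chosen (process list versus /proc, inode link counts versus directory entries, mtime versus ctime) are this example's choices.

```python
"""Invariant-relationship checks over redundant host data.

Added example, not the paper's expert system. Each rule encodes an invariant
that should hold between two independent views of the same host state and
reports every violation; the rules run in a fixed order so the cheap,
high-signal checks come first. The snapshot below is constructed for the
example, and the three invariants chosen (process list vs. /proc, inode link
counts vs. directory entries, mtime vs. ctime) are this example's, not a list
taken from the paper.
"""
from collections import Counter

# --- constructed snapshot of one host ---------------------------------------
SNAPSHOT = {
    # PIDs reported by the (possibly trojaned) ps binary
    "ps_pids": {1, 400, 812, 1337},
    # PIDs visible as numeric directory names under /proc, read independently
    "proc_pids": {1, 400, 812, 1337, 4242},
    # inode number -> link count stored in the inode
    "inode_links": {10: 1, 11: 2, 12: 1},
    # (path, inode) pairs gathered by walking the directories
    "dirents": [
        ("/bin/ls", 10),
        ("/bin/ps", 11),
        ("/sbin/ps", 11),
        ("/tmp/.x", 12),
        ("/usr/lib/.x", 12),
    ],
    # path -> (mtime, ctime) in epoch seconds
    "timestamps": {
        "/bin/ls": (1_040_000_000, 1_040_000_000),
        "/bin/ps": (1_050_000_000, 1_040_000_000),
    },
}


def check_process_visibility(snap):
    """Invariant: every PID under /proc also appears in the ps output.
    A PID present in /proc but absent from ps is the signature of a
    user-space rootkit filtering the process list."""
    hidden = snap["proc_pids"] - snap["ps_pids"]
    return [f"pid {p} present in /proc but missing from ps" for p in sorted(hidden)]


def check_link_counts(snap):
    """Invariant: an inode's link count equals the number of directory
    entries that reference it. A mismatch means the metadata or the
    directory listing has been altered behind the filesystem's back."""
    refs = Counter(ino for _, ino in snap["dirents"])
    return [
        f"inode {ino}: link count {links} but {refs[ino]} directory entries"
        for ino, links in snap["inode_links"].items()
        if refs[ino] != links
    ]


def check_timestamps(snap):
    """Invariant: mtime is never later than ctime. Normal operations that set
    mtime (writes, utime) also bump ctime to the current time, so mtime > ctime
    points to timestamp manipulation or direct disk editing."""
    return [
        f"{path}: mtime {m} later than ctime {c}"
        for path, (m, c) in snap["timestamps"].items()
        if m > c
    ]


# Ordered like a decision path: hidden processes first, then filesystem
# metadata, then the weaker timestamp heuristic.
RULES = [
    ("hidden_process", check_process_visibility),
    ("link_count", check_link_counts),
    ("timestomp", check_timestamps),
]


def find_incongruities(snap):
    """Run every rule and return (rule_name, message) for each violation."""
    findings = []
    for name, rule in RULES:
        for msg in rule(snap):
            findings.append((name, msg))
    return findings


if __name__ == "__main__":
    for name, msg in find_incongruities(SNAPSHOT):
        print(f"[{name}] {msg}")
```

The value of each rule comes from the two views being collected by different code paths: a rootkit that patches `ps` has to patch the /proc walk as well, and one that edits a directory on disk has to fix the inode link counts too, or the inconsistency surfaces. The timestamp rule is a heuristic with known false positives (clock changes, restores from backup), which is why it is ordered last.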

81 citations


Book
01 Jan 2003
TL;DR: Computer Forensics and Cyber Crime provides a comprehensive analysis of current case law, constitutional challenges, and government legislation and provides specific examples of criminal activities involving computers, while discussing the phenomenon in the context of the criminal justice system.
Abstract: From the Publisher: This book fully defines computer-related crime and the legal issues involved in its investigation. It provides a framework for the development of a computer crime unit. This book is the only comprehensive examination of computer-related crime and its investigation on the market. It includes an exhaustive discussion of legal and social issues, fully defines computer crime, and provides specific examples of criminal activities involving computers, while discussing the phenomenon in the context of the criminal justice system. Computer Forensics and Cyber Crime provides a comprehensive analysis of current case law, constitutional challenges, and government legislation. For computer crime investigators, police chiefs, sheriffs, district attorneys, public defenders, and defense attorneys.

49 citations


Proceedings ArticleDOI
16 Oct 2003
TL;DR: The procedures and rationale used in the development of forensic courses at both the undergraduate and the graduate levels are presented and the decision making process of selecting topics included in each course is demonstrated.
Abstract: In recent years, digital technology has experienced dramatic growth. Many of these advances have also provided malicious users with the ability to conceal their activities and destroy evidence of their actions. This has raised the need for developing specialists in computer digital forensics -- the preservation, identification, extraction and documentation of evidence stored in the form of digitally encoded information (data). In this paper, we present the procedures and rationale used in the development of forensic courses at both the undergraduate and the graduate levels. We also demonstrate our decision making process of selecting topics included in each course.

23 citations


Journal Article
TL;DR: The Mobile Forensic Platform (MFP) is a tool for remote network forensics; its preliminary version supports a small set of analysis tools that illustrate the platform's potential, including three sample log-file analysis tools that detect whether the data in a log file has been tampered with.
Abstract: Digital forensics experts perform investigations of machines for "triage" to see if there is a problem, as well as to gather evidence and run analyses. When the machines to be examined are geographically distributed, an investigator could benefit greatly if he could conduct the investigation, or even its initial stages, remotely. The Mobile Forensic Platform (MFP) is a tool for performing remote network forensics. With it, investigators can gather evidence on a remote running system, maintain a copy of the original evidence (protected by a cryptographic hash), and run various analyses on the data to determine the next steps in the investigation (e.g., seize the machine, run tests, look elsewhere). The MFP maintains audit logs on all tasks it performs. ATC-NY (formerly Odyssey Research Associates) has designed the framework for, and implemented a prototype of, the MFP. We have modeled the investigative process to define the tasks investigators perform. The framework defines the interface for each modular component in the process. The prototype serves as a proof-of-concept to demonstrate how the different components of the system will function together. We implemented the MFP on a laptop computer with a platform-independent web interface serving as the GUI. The investigator runs a web browser on his desktop computer, connecting remotely to the MFP's web server to perform the investigative tasks. The preliminary version of the MFP supports a small set of analysis tools that illustrate the potential of the MFP. In particular, we created 3 sample logfile analysis tools. They detect if the data in a log file has been tampered, and also served to define how the analysis tools fit into the overall MFP framework. We describe each of the tools.
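The abstract says the sample tools detect log tampering but not how, so the following is an added example of one mechanism, not the MFP's own code: each log record carries an HMAC chained to the previous record's tag, and the examiner keeps the key and the final tag off the examined host, the same idea as the MFP's hash-protected evidence copy. The log lines and the key are constructed for the example.

```python
"""Tamper-evident log records with a keyed hash chain.

Added example, not the MFP's own code; the paper does not describe how its
three log analysis tools work, so the mechanism here (an HMAC chain whose
final tag and key are held off-host by the examiner) is this example's choice.
The log lines and the key are constructed for the example.
"""
import hashlib
import hmac

KEY = b"example-key-held-off-host"  # constructed; in practice kept with the examiner
GENESIS = b"\x00" * 32               # chain anchor for the first record

# Constructed sample of an authentication log.
LOG = [
    "2003-06-16T10:00:01 sshd[812]: Accepted password for root from 10.0.0.5",
    "2003-06-16T10:00:07 sshd[812]: session opened for user root",
    "2003-06-16T10:02:13 sudo: root : COMMAND=/bin/rm -f /var/log/auth.log",
    "2003-06-16T10:02:40 sshd[812]: session closed for user root",
]


def _tag(key, prev, seq, line):
    """HMAC over the previous tag, the sequence number and the line, so a
    record cannot be changed, dropped or reordered without breaking a tag."""
    msg = prev + seq.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_log(lines, key):
    """Return (records, head): records are (seq, line, tag_hex) and head is
    the final tag in hex, to be stored away from the host with the key."""
    prev = GENESIS
    records = []
    for seq, line in enumerate(lines):
        tag = _tag(key, prev, seq, line)
        records.append((seq, line, tag.hex()))
        prev = tag
    return records, prev.hex()


def verify_log(records, head, key):
    """Return (ok, first_bad_seq). Modified, deleted, inserted or reordered
    records break the chain at the first affected position; removing records
    from the end is caught by comparing the last tag to the stored head and
    reported at position len(records)."""
    prev = GENESIS
    for expected, (seq, line, tag_hex) in enumerate(records):
        if seq != expected:
            return False, expected
        tag = _tag(key, prev, seq, line)
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, expected
        prev = tag
    if not hmac.compare_digest(prev.hex(), head):
        return False, len(records)
    return True, None


def demo():
    """Seal the sample log, then apply three tampering patterns to copies."""
    records, head = seal_log(LOG, KEY)
    modified = list(records)
    seq, line, tag = modified[2]
    modified[2] = (seq, line.replace("rm -f", "ls"), tag)   # edit in place
    deleted = records[:2] + records[3:]                      # drop one record
    truncated = records[:-1]                                 # cut the tail
    return {
        "intact": verify_log(records, head, KEY),
        "modified": verify_log(modified, head, KEY),
        "deleted": verify_log(deleted, head, KEY),
        "truncated": verify_log(truncated, head, KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

Two caveats a practitioner would want stated: the chain only proves integrity from the moment of sealing onward, so anything altered before the MFP took its copy is not detected; and an attacker who recovers the key from the examined host can simply re-seal a rewritten log, which is why the key and the head tag have to live with the investigator rather than on the machine under examination.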

12 citations


Journal ArticleDOI
01 Nov 2003
TL;DR: Unlike conventional analog data, such as a witness's subjective recollection, digital data can be manipulated at will, and depending on the manipulator's sophistication, the alteration can be undetectable, regardless of digital forensics experts' competence and equipment.
Abstract: Unlike conventional analog data, such as a witness's subjective recollection, digital data seems, to the average person, to be endowed with intrinsic and unassailable truth. (Perhaps this is because it takes only one of two unambiguous values.) The truth, in fact, is quite the opposite. Using the right equipment, experts can generally detect tampering with conventional analog data and evidence. Digital data, on the other hand, can be manipulated at will, and depending on the manipulator's sophistication, the alteration can be undetectable, regardless of digital forensics experts' competence and equipment.

Book ChapterDOI
01 Jan 2003
TL;DR: The need for computer forensic training and education is highlighted and an overview of the computer forensic course taught in a Masters degree at Curtin University is given.
Abstract: This paper discusses the importance of computer forensics to both business and law enforcement environments and describes the passage along the path from act of crime to the court. It highlights the need for computer forensic training and education and gives an overview of the computer forensic course taught in a Masters degree at Curtin University.

Journal ArticleDOI
TL;DR: The collection of digital evidence must follow certain basic steps in order to be effective and this article introduces the main principles.
Abstract: The collection of digital evidence must follow certain basic steps in order to be effective. This article introduces the main principles.

Journal ArticleDOI
TL;DR: The techniques the authors are using follow the End-to-End Digital Investigation (EEDI) process and are consistent with the Digital Forensics Research Workshop (DFRWS) framework for digital investigations.

01 Jan 2003
TL;DR: In this study, current and potential IS legal issues that impact on the computer forensic field are analysed.
Abstract: The adoption of computers into every aspect of modern society has been accompanied by the rise of e-crime. The processes and techniques employed by the field of computer forensics offer huge potential for the extraction and presentation of electronic evidence in a court of law. Yet, the current research that has been conducted in this field is minimal. In this study, current and potential IS legal issues that impact on the computer forensic field are analysed. Because the field combines aspects of both law and computing, much conflict arises, mainly from the law's inability to adapt and evolve as quickly as the computing environment.

Journal ArticleDOI
TL;DR: Investigators of digital incidents generally think in terms of using digital forensics and the digital investigative process for the purpose of identifying the perpetrator of the incident, but today, many organizations are more concerned with finding out what weaknesses allowed the attack to be successful and identifying effective countermeasures for the future.
Abstract: Investigators of digital incidents generally think in terms of using digital forensics and the digital investigative process for the purpose of identifying the perpetrator of the incident. Today, however, many organizations are more concerned with finding out what weaknesses allowed the attack to be successful and identifying effective countermeasures for the future.