
Showing papers on "Digital forensics published in 2005"


Book
01 Jan 2005
TL;DR: Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
Abstract: The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques. Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed. Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools, including tools he personally developed. Coverage includes: preserving the digital crime scene and duplicating hard disks for "dead analysis"; identifying hidden data on a disk's Host Protected Area (HPA); reading source data: direct versus BIOS access, dead versus live acquisition, error handling, and more; analyzing DOS, Apple, and GPT partitions, BSD disk labels, and Sun Volume Table of Contents using key concepts, data structures, and specific techniques; analyzing the contents of multiple disk volumes, such as RAID and disk spanning; analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques; finding evidence: file metadata, recovery of deleted files, data hiding locations, and more; using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools. When it comes to file system analysis, no other book offers this much detail or expertise.
Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use. Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH. Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.

536 citations


Proceedings ArticleDOI
01 Aug 2005
TL;DR: Borrowing and extending tools from the field of computer vision, it is described how the direction of a point light source can be estimated from only a single image, and the efficacy of this approach in real-world settings is shown.
Abstract: When creating a digital composite of, for example, two people standing side-by-side, it is often difficult to match the lighting conditions from the individual photographs. Lighting inconsistencies can therefore be a useful tool for revealing traces of digital tampering. Borrowing and extending tools from the field of computer vision, we describe how the direction of a point light source can be estimated from only a single image. We show the efficacy of this approach in real-world settings.

381 citations


Journal ArticleDOI
01 Jul 2005
TL;DR: An overview of the processes and problems related to computer forensics is presented and new technologies will continue to challenge computer forensic specialists and researchers.
Abstract: The author presents an overview of the processes and problems related to computer forensics. New tools and techniques have increased the reliability and speed with which investigators can conduct examinations, but new technologies will continue to challenge computer forensic specialists and researchers.

118 citations


Journal ArticleDOI
Philip Turner1
01 Sep 2005
TL;DR: The Digital Evidence Bag concept could be used to streamline data capture and allow multiple sources of evidence to be processed in a multiprocessor distributed environment, thereby maximizing the use of available processing power.
Abstract: This paper outlines a new approach to the acquisition and processing of digital evidence obtained from disparate digital devices and sources. To date the capture of digital-based evidence has always been in its entirety from the source device, and different methods and containers (file types) are used for different types of digital device (e.g. computer, PDA, mobile phone). This paper defines a new approach called a Digital Evidence Bag (DEB) that is a universal container for the capture of digital evidence. Furthermore, the Digital Evidence Bag concept could be used to streamline data capture and allow multiple sources of evidence to be processed in a multiprocessor distributed environment, thereby maximizing the use of available processing power. The approach described in this paper allows for the first time the forensic process to be extended beyond the traditional static forensic capture of evidence into the real-time 'live' capture of evidence. In addition to this, the Digital Evidence Bag can be used to provide an audit trail of processes performed upon the evidence as well as integrated integrity checking.

87 citations


Book
23 Sep 2005
TL;DR: This book covers live incident response on Windows and Unix, network-based forensics, forensic duplication, common analysis techniques (browser, e-mail and registry reconstruction, analysis of files of unknown origin), building a forensic tool kit, mobile device and flash media forensics, and online forensics such as e-mail tracing and domain ownership.
Abstract: Preface. Acknowledgments. About the Authors. Case Studies. I. LIVE INCIDENT RESPONSE. 1. Windows Live Response. 2. Unix Live Response. II. NETWORK-BASED FORENSICS. 3. Collecting Network-Based Evidence. 4. Analyzing Network-Based Evidence for a Windows Intrusion. 5. Analyzing Network-Based Evidence for a Unix Intrusion. III. ACQUIRING A FORENSIC DUPLICATION. 6. Before You Jump Right In... 7. Commercial-Based Forensic Duplications. 8. Noncommercial-Based Forensic Duplications. IV. FORENSIC ANALYSIS TECHNIQUES. 9. Common Forensic Analysis Techniques. 10. Web Browsing Activity Reconstruction. 11. E-Mail Activity Reconstruction. 12. Microsoft Windows Registry Reconstruction. 13. Forensic Tool Analysis: An Introduction to Using Linux for Analyzing Files of Unknown Origin. 14. Forensic Tool Analysis: A Hands-On Analysis of the Linux File aio. 15. Forensic Tool Analysis: Analyzing Files of Unknown Origin (Windows). V. CREATING A COMPLETE FORENSIC TOOL KIT. 16. Building the Ultimate Response CD. 17. Making Your CD-ROM a Bootable Environment. VI. MOBILE DEVICE FORENSICS. 18. Forensic Duplication and Analysis of Personal Digital Assistants. 19. Forensic Duplication of USB and Compact Flash Memory Devices. 20. Forensic Analysis of USB and Compact Flash Memory Devices. VII. ONLINE-BASED FORENSICS. 21. Tracing E-Mail. 22. Domain Name Ownership. Appendix: An Introduction to Perl. Index.

79 citations


Book ChapterDOI
13 Feb 2005
TL;DR: This paper introduces data mining and reviews the limited extant literature pertaining to the application of data mining to digital investigations and forensics and provides suggestions for applying data mining research to digital forensics.
Abstract: Investigators and analysts are increasingly experiencing large, even terabyte sized data sets when conducting digital investigations. State-of-the-art digital investigation tools and processes are efficiency constrained from both system and human perspectives, due to their continued reliance on overly simplistic data reduction and mining algorithms. The extension of data mining research to the digital forensic science discipline will have some or all of the following benefits: (i) reduced system and human processing time associated with data analysis; (ii) improved information quality associated with data analysis; and (iii) reduced monetary costs associated with digital investigations. This paper introduces data mining and reviews the limited extant literature pertaining to the application of data mining to digital investigations and forensics. Finally, it provides suggestions for applying data mining research to digital forensics.

70 citations


Proceedings ArticleDOI
07 Nov 2005
TL;DR: This paper examines some recent advances in digital forensics and some important emerging challenges, including the implications of large volumes of data; the impact of embedded and special-purpose computer systems; corporate governance and its implications for 'forensic readiness'; and the role of forensics in securing the Internet.
Abstract: Digital forensics is concerned with the investigation of any suspected crime or misbehaviour that may be manifested by digital evidence. The digital evidence may be manifest in various forms. It may be manifest on digital electronic devices or computers that are simply passive repositories of evidence that documents the activity, or it may consist of information or meta-information resident on the devices or computers that have been used to actually facilitate the activity, or that have been targeted by the activity. In each of these three cases, we have recorded digital evidence of the activity. This paper examines some recent advances in digital forensics and some important emerging challenges. It considers the following topics: tools and their evolution; the implications of large volumes of data; the impact of embedded and special-purpose computer systems; corporate governance and its implications for 'forensic readiness'; and the role of forensics in securing the Internet.

64 citations


Journal Article
TL;DR: This paper proposes a highly automatic and efficient framework to provide the Case-Relevance information, by binding computer intelligence technology to the current computer forensic framework.
Abstract: Computer Forensics has grown rapidly in recent years. The current computer forensic investigation paradigm is laborious and requires significant expertise on the part of the investigators. This paper proposes a highly automatic and efficient framework to provide Case-Relevance information, by binding computer intelligence technology to the current computer forensic framework. Computer intelligence is expected to offer more assistance in the investigation procedures and better knowledge reuse and sharing in computer forensics. Background: Cybercrime is a mirror of the dark side of human society in the cyberworld. Its countermeasure, Computer Forensics, also referred to as Digital Forensic Science, has been explicitly defined as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." [14] The process of "identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable via the application of computer technology to the investigation of computer based crime" is called Forensic Computing [11] or Digital Evidence Investigation. As almost every piece of digital evidence could be challenged, computer forensic investigators are required to follow a rigorous process path. The work of the First Digital Forensics Research Workshop (DFRWS) [14] established a solid ground and allowed

63 citations


Posted Content
TL;DR: In this article, a system of "competitive self regulation" for police forensics is proposed, where evidence would be divided and sent to one, two, or three separate forensic labs.
Abstract: Some institutional structures for inquiry produce better approximations to truth than others. The current institutional structure of police forensics gives each lab a monopoly in the analysis of the police evidence it receives. Forensic workers have inadequate incentives to produce reliable analyses of police evidence. Competition would create such incentives. I outline a system of “competitive self regulation” for police forensics. Each jurisdiction would have several competing forensic labs. Evidence would be divided and sent to one, two, or three separate labs. Chance would determine which labs and how many would receive evidence to analyze. Competitive self regulation improves forensics by creating incentives for error detection and reducing incentives to produce biased analyses.

62 citations


Proceedings Article
01 Jan 2005
TL;DR: Six counter-forensic tools are reviewed and each creates a distinct operational fingerprint that an analyst may use to identify the application used and, thus, guide the search for residual data.
Abstract: Digital forensic analysts may find their task complicated by any of more than a dozen commercial software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators. In this paper, we review the performance of six counter-forensic tools and highlight operational shortfalls that could permit the recovery of significant evidentiary data. In addition, each tool creates a distinct operational fingerprint that an analyst may use to identify the application used and, thus, guide the search for residual data. These operational fingerprints may also help demonstrate the use of a tool in cases where such action has legal ramifications.

50 citations


Journal ArticleDOI
TL;DR: The legal issues that currently or could potentially impact the computer forensics field from the perspective of experts in Australia are analyzed.
Abstract: The adoption of computers into every aspect of modern society has been accompanied by the rise of E-crime. The processes and techniques employed by the field of computer forensics offer huge potential for the extraction and presentation of electronic evidence in a court of law. This article analyzes the legal issues that currently or could potentially impact the computer forensics field from the perspective of experts in Australia.

Journal ArticleDOI
TL;DR: This paper analyzes several policies and procedures that need to be outlined and defined with regard to computer forensics.
Abstract: The core goals of computer forensics are fairly straightforward: the preservation, identification, extraction, documentation, and interpretation of computer data. This paper analyzes several policies and procedures that need to be outlined and defined with regard to computer forensics. Data must be able to be retrieved and analyzed without being damaged, and the authenticity of the data must also be ensured. The widespread usage of computer forensics has resulted from the convergence of two factors: the increasing dependence of law enforcement on computing and the ubiquity of computers that followed from the microcomputer revolution. There is a plethora of hardware and software tools available to assist with the interpretation of forensic data. The AccessData Forensic Toolkit can be used by both law enforcement and the private sector to run complete forensic examinations of a computer.

Book ChapterDOI
14 Sep 2005
TL;DR: The requirements of digital image forensics which underpin the design of the forensic image mining system are discussed and a Bayesian networks approach is proposed to deal with information uncertainties which are inherent in forensic work.
Abstract: Increasing amount of illicit image data transmitted via the internet has triggered the need to develop effective image mining systems for digital forensics purposes. This paper discusses the requirements of digital image forensics which underpin the design of our forensic image mining system. This system can be trained by a hierarchical Support Vector Machine (SVM) to detect objects and scenes which are made up of components under spatial or non-spatial constraints. Forensic investigators can communicate with the system via a grammar which allows object description for training, searching, querying and relevance feedback. In addition, we propose to use a Bayesian networks approach to deal with information uncertainties which are inherent in forensic work. These inference networks will be constructed to model probability interactions between beliefs, adapt to different users' retrieval patterns, and mimic human judgement of semantic content of image patches. An analysis of the performance of the first prototype of the system is also provided.

Journal ArticleDOI
TL;DR: This article provides an introduction to computer forensics and outlines the associated inspection steps.

Reference BookDOI
19 Sep 2005
TL;DR: This presentation discusses computer crime and the internet crime scene, strategies in international forensics, and future perspectives on cyber terrorism.
Abstract: COMPUTER CRIME AND THE ELECTRONIC CRIME SCENE, Thomas A. Johnson. THE DIGITAL INVESTIGATIVE UNIT: STAFFING, TRAINING, AND ISSUES, Chris Malinowski. CRIMINAL INVESTIGATION ANALYSIS AND BEHAVIOR: CHARACTERISTICS OF COMPUTER CRIMINALS, William L. Tafoya. INVESTIGATIVE STRATEGY AND UTILITIES, Deputy Ross E. Mayfield. COMPUTER FORENSICS AND INVESTIGATION: THE TRAINING ORGANIZATION, Fred B. Cotton. INTERNET CRIMES AGAINST CHILDREN, Monique Mattei Ferraro, JD, CISSP with Sgt. Joseph Sudol. CHALLENGES TO DIGITAL FORENSIC EVIDENCE, Fred Cohen. STRATEGIC ASPECTS IN INTERNATIONAL FORENSICS, Dario Forte, CFE, CISM. CYBER TERRORISM, Thomas A. Johnson. FUTURE PERSPECTIVES, Thomas A. Johnson. CONCLUDING REMARKS. APPENDICES. INDEX.

Journal ArticleDOI
TL;DR: It is shown how provenance can be corroborated by artefacts which indicate how a computer system was connected to the outside world and the capabilities that it provided to a user.

Book ChapterDOI
13 Feb 2005
TL;DR: This paper examines the latest techniques for hiding data in the popular Ext2 and Ext3 file systems and describes techniques for detecting hiddenData in the reserved portions of these file systems.
Abstract: The use of digital forensic tools by law enforcement agencies has made it difficult for malicious individuals to hide potentially incriminating evidence. To combat this situation, the hacker community has developed anti-forensic tools that remove or hide electronic evidence for the specific purpose of undermining forensic investigations. This paper examines the latest techniques for hiding data in the popular Ext2 and Ext3 file systems. It also describes techniques for detecting hidden data in the reserved portions of these file systems.

Proceedings ArticleDOI
07 Nov 2005
TL;DR: The concept of Validation and Verification (V&V) with particular respect to digital forensic tools is explored and the testing process to satisfy this standard is developed to allow for Australian digital forensic laboratories to be eligible for certification.
Abstract: Digital forensic teams and laboratories are now commonplace within Australia, particularly associated with law enforcement and intelligence agencies. The digital forensics discipline is rapidly evolving to become a scientific practice with domain-specific guidelines. These guidelines are still under discussion in an attempt to progress the discipline so as to become as solid and robust in its scientific underpinnings as other forensic disciplines. Influential players, practitioners and observers all agree that rigorous standards need to be adopted to align this science with other forensic sciences. How does one assess the scientific nature of digital forensics with so many independent computing and IT elements combined, and what are the outcomes of each assessment method? Solutions are proposed regularly, justifying their use, but to date no international or national standard exists. This paper does not propose a solution but rather explores the concept of Validation and Verification (V&V) with particular respect to digital forensic tools. The paper also explores ISO17025 "General requirements for the competence of testing and calibration laboratories" and develops the testing process to satisfy this standard, to allow Australian digital forensic laboratories to be eligible for certification.

Posted Content
TL;DR: This article advocates the formal recognition of an evolved digital evidence acquisition process in light of the changing dynamics of computer searches and seizures that entails evidence recovery on live systems via a remote connection (hereinafter, "live-remote").
Abstract: This article advocates the formal recognition of an evolved digital evidence acquisition process in light of the changing dynamics of computer searches and seizures. Other articles have argued for changes in legal procedural rules. This article addresses the other side of the coin, namely, that the changing contexts of computer search and seizure and digital forensic investigation demand an evolution in forensic acquisition methodology, and that this evolved methodology can meet the standards for evidence admissibility and reliability. This methodology entails evidence recovery on live systems via a remote connection (hereinafter, "live-remote").

Book ChapterDOI
13 Feb 2005
TL;DR: This paper explores three admissibility considerations for scientific evidence currently engaged in U.S. courts: reliability, peer review and acceptance within the relevant community.
Abstract: This paper explores three admissibility considerations for scientific evidence currently engaged in U.S. courts: reliability, peer review and acceptance within the relevant community. Any tool used in a computer forensic investigation may be compared against these considerations, and if found wanting, evidence derived using the tool may be restricted. The ability to demonstrate the reliability and validity of computer forensic tools based on scientific theory is an important requirement for digital evidence to be admissible. A trusted third party certification model is discussed as an approach for addressing this issue.

Book ChapterDOI
13 Feb 2005
TL;DR: This paper presents a new approach that significantly automates the examination process by relying on image analysis techniques and can be used to automatically search for case-specific images, contraband or otherwise, and to provide online monitoring of shared storage for early detection of specific images.
Abstract: Digital forensic investigators are often faced with the task of manually examining a large number of (photographic) images to identify potential evidence. The task can be daunting and time-consuming if the target of the investigation is very broad, such as a web hosting service. Current forensic tools are woefully inadequate: they are largely confined to generating pages of thumbnail images and identifying known files through cryptographic hashes. This paper presents a new approach that significantly automates the examination process by relying on image analysis techniques. The strategy is to use previously-identified content (e.g., contraband images) and to perform feature extraction, which captures mathematically the essential properties of the images. Based on this analysis, a feature set database is constructed to facilitate automatic scanning of a target machine for images similar to the ones in the database. An important property of the approach is that it is not possible to recover the original image from the feature set. Therefore, it is possible to build a (potentially very large) database targeting known contraband images that investigators may be barred from collecting directly. The approach can be used to automatically search for case-specific images, contraband or otherwise, and to provide online monitoring of shared storage for early detection of specific images.

Proceedings ArticleDOI
05 Sep 2005
TL;DR: A classification schema is proposed for all traceback methods in order to assess and combine their benefits so as to provide enough information for digital forensics analyses, thus getting -the right way- one step closer to the actual attacker.
Abstract: The traceback problem is one of the hardest in information security and has always been the utmost solution to holding attackers accountable for their actions. This paper presents a brief overview of the traceback problem, while discussing the features of software, network and computer forensics. In the rest of this paper, various traceback mechanisms are examined while categorized according to their features and modes of operation. Finally, we propose a classification schema for all traceback methods in order to assess and combine their benefits so as to provide enough information for digital forensics analyses, thus getting -the right way- one step closer to the actual attacker.

Journal ArticleDOI
TL;DR: This paper presents the design and implementation of an experimental Computer Security and Forensic Analysis laboratory and the tools associated with it and is envisioned to be a training facility for future computer security professionals.
Abstract: The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are being attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies. This paper presents the design and implementation of an experimental Computer Security and Forensic Analysis (CSFA) laboratory and the tools associated with it. The laboratory is envisioned to be a training facility for future computer security professionals.

Journal Article
TL;DR: The discipline, its development, and critical issues associated with its practice are described, indicating an abuse of new developments that requires a response by those involved in law enforcement.
Abstract: The number of computer security incidents is growing exponentially and society's collective ability to respond to this crisis is constrained by the lack of trained professionals. The field of computer forensics is relatively new and this paper describes the discipline, its development, and critical issues associated with its practice. The increased use of the Internet and computer technology to commit crimes indicates an abuse of new developments that requires a response by those involved in law enforcement. Cyber crimes and many child-related sex crimes leave clear digital evidence that must be investigated by those who are trained in computer forensics. University computer science programs are perfectly suited to respond to this crisis. With minor changes, computer science programs can address the growing demand for forensics professionals.

Journal Article
01 Aug 2005
TL;DR: In this article a pair of real, recent intrusions are walked through to help non-professional analysts understand how to accomplish common forensic goals.
Abstract: The words "forensic analysis" conjure up images of Sherlock Holmes, or scientists adorned with lab coats, hunched over corpses. But in this article I will lead you through steps that you can take to analyze compromised computer systems. While forensics carries with it legal connotations, requirements for evidence collection, and analysis at a level unattainable by most system administrators, my focus is on what you can do without years of experience. In this article we will walk through a pair of real, recent intrusions to help non-professional analysts understand how to accomplish common forensic goals.

Book ChapterDOI
13 Feb 2005
TL;DR: Digital forensic procedures for recovering evidence from Linux systems are presented, including methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions.
Abstract: As Linux-kernel-based operating systems proliferate there will be an inevitable increase in Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not necessarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions. All the procedures are accomplished using Linux command line utilities and require no special or commercial tools.

Proceedings ArticleDOI
13 Mar 2005
TL;DR: A design of honeynet based active network intrusion response system that combines distributed adaptive network forensics and active real time network investigation is presented.
Abstract: Network forensics and honeynet systems share the feature of collecting information about computer misuse. A honeynet system can lure attackers and gain information about new types of intrusions. A network forensics system can analyze and reconstruct attack behaviors. Integrating these two systems can help to build an active, self-learning response system to profile intrusion behavior features and investigate the original source of an attack. In this paper, we present a design of a honeynet-based active network intrusion response system. The features of our system are distributed adaptive network forensics and active real-time network investigation.

Proceedings ArticleDOI
07 Nov 2005
TL;DR: The nature of digital data, networked systems and data security suggest review of the fundamental concept as applied to digital objects as well as physical possession of storage media and systems.
Abstract: The possession of digital objects defines rights and liabilities of the possessor. The nature of digital data, networked systems and data security suggest review of the fundamental concept as applied to digital objects. Possession of digital objects may be separate and distinct from physical possession of storage media and systems. Failure to address this risks error based on misleading evidence as to possession.

Patent
23 Dec 2005
TL;DR: In this paper, a method of automatically identifying relevant or suspect data during a digital forensic investigation is described, which is based on the type of data in the extracted raw data coming into the application.
Abstract: A method of automatically identifying relevant or suspect data during a digital forensic investigation is described. Software accepts as input raw data which are extracted from various digital data sources. The software, or digital forensic and data identification application, determines to which one or more identification modules the unknown raw data should be delivered for processing. This determination is based on the type of data in the extracted raw data coming into the application. Suspect or relevant data that are identified include data that are identical or similar to the extracted unknown raw data. If there are suspect data, the application transmits a message or alert to interested parties or stores the findings/report on a storage device. In this manner, the suspect data are identified automatically, without intervention by a human being. The identification modules are invoked in a search markup language interpreter; the one or more identification modules are expressed in a search markup language specifically for digital forensics and receive parameters from the search language for processing.

Proceedings ArticleDOI
07 Nov 2005
TL;DR: An integrated image authentication system for digital forensics is proposed and the improved detection schemes effectively solve the detection problems and take into account the reliability, the security, and the practicability of the system.
Abstract: With the advent of digital times, the digital data has gradually taken the place of the original analog data. However, the authenticity of digital data faces a great challenge due to the fact that the digital edit software is ubiquitous. It has aroused the suspicion on the reliability of digital data especially when the digital data renders to the court as the digital evidence. We propose an integrated image authentication system for digital forensics and improve the detection problems of a DCT quantization-based image authentication scheme. The improved detection schemes effectively solve the detection problems and, at the same time, take into account the reliability, the security, and the practicability of the system. It is expected to reduce the wrong detection probability of the digital evidence. Finally, the improved image authentication schemes are implemented. If the digital evidence presented to the court is under suspicions, the system is expected to provide accurate information to help the judiciary to make the verdict right and objective.