
Showing papers on "Digital forensics published in 2008"


Journal Article
TL;DR: The PyFlag architecture is described and in particular how that is used in the network forensics context and the PyFlag page rendering is demonstrated.

264 citations


Proceedings Article
12 Dec 2008
TL;DR: Experimental results demonstrate the validity of the proposed approach on tampered images that have undergone attacks such as Gaussian blur filtering, Gaussian white noise contamination, lossy JPEG compression, etc.
Abstract: Detecting tampered regions and proving the authenticity and integrity of a digital image becomes increasingly important in digital forensics and multimedia security. In this paper we propose a novel framework for identifying the location of copy-move image tampering by applying the singular value decomposition (SVD). In the proposed passive techniques, SVD served to produce algebraic and geometric invariant and feature vectors. Experimental results demonstrate the validity of the proposed approach on tampered images that have undergone attacks such as Gaussian blur filtering, Gaussian white noise contamination, lossy JPEG compression, etc.

160 citations


Journal Article
TL;DR: The VIX tools suite can be used for unobtrusive digital forensic examination of volatile system data in virtual machines, and addresses a key research area identified in the virtualization in digital forensics research agenda.
Abstract: While static examination of computer systems is an important part of many digital forensics investigations, there are often important system properties present only in volatile memory that cannot be effectively recovered using static analysis techniques, such as offline hard disk acquisition and analysis. An alternative approach, involving the live analysis of target systems to uncover this volatile data, presents significant risks and challenges to forensic investigators as observation techniques are generally intrusive and can affect the system being observed. This paper provides a discussion of live digital forensics analysis through virtual introspection and presents a suite of virtual introspection tools developed for Xen (VIX tools). The VIX tools suite can be used for unobtrusive digital forensic examination of volatile system data in virtual machines, and addresses a key research area identified in the virtualization in digital forensics research agenda [22].

149 citations


Journal Article
TL;DR: FACE is presented, a framework for automatic evidence discovery and correlation from a variety of forensic targets, and an advanced open-source memory analysis tool, ramparser, for the automated analysis of Linux systems is presented.

136 citations


01 Oct 2008
TL;DR: The aim of this paper is to produce the mapping process between the processes/activities and output for each phase in Digital Forensic Investigation Framework (DFIF), to provide a new framework to optimize the whole investigation process.
Abstract: Digital forensics is essential for the successful prosecution of digital criminals which involve diverse digital devices such as computer system devices, network devices, mobile devices and storage devices. The digital forensic investigation must be retrieved to obtain the evidence that will be accepted in the court of law. Therefore, for digital forensic investigation to be performed successfully, there are a number of important steps that have to be taken into consideration. The aim of this paper is to produce the mapping process between the processes/activities and output for each phase in Digital Forensic Investigation Framework (DFIF). Existing digital forensic frameworks will be reviewed and then the mapping is constructed. The result from the mapping process will provide a new framework to optimize the whole investigation process.

128 citations


Book Chapter
17 Dec 2008
TL;DR: This work describes how such composites can be detected by estimating a camera's intrinsic parameters from the image of a person's eyes, using differences in these parameters across the image as evidence of tampering.
Abstract: The compositing of two or more people into a single image is a common form of manipulation. We describe how such composites can be detected by estimating a camera's intrinsic parameters from the image of a person's eyes. Differences in these parameters across the image are used as evidence of tampering.

91 citations


Book Chapter
28 Jan 2008
TL;DR: Examining the various definitions of forensic computing identifies the common role that admissibility and evidentiary weight play and explores how the term “forensically sound” has been used and examines the drivers for using such a term.
Abstract: “Forensically sound” is a term used extensively in the digital forensics community to qualify and, in some cases, to justify the use of a particular forensic technology or methodology. Indeed, many practitioners use the term when describing the capabilities of a particular piece of software or when describing a particular forensic analysis approach. Such a wide application of the term can only lead to confusion. This paper examines the various definitions of forensic computing (also called digital forensics) and identifies the common role that admissibility and evidentiary weight play. Using this common theme, the paper explores how the term “forensically sound” has been used and examines the drivers for using such a term. Finally, a definition of “forensically sound” is proposed and four criteria are provided for determining whether or not a digital forensic process may be considered to be “forensically sound.”

87 citations


Journal Article
TL;DR: This paper presents the evolution of full disk encryption (FDE) and its impact on digital forensics and provides forensics examiners with practical techniques for recovering evidence that would otherwise be inaccessible.
Abstract: The integration of strong encryption into operating systems is creating challenges for forensic examiners, potentially preventing us from recovering any digital evidence from a computer. Because strong encryption cannot be circumvented without a key or passphrase, forensic examiners may not be able to access data after a computer is shut down, and must decide whether to perform a live forensic acquisition. In addition, with encryption becoming integrated into the operating system, in some cases, virtualization is the most effective approach to performing a forensic examination of a system with FDE. This paper presents the evolution of full disk encryption (FDE) and its impact on digital forensics. Furthermore, by demonstrating how full disk encryption has been dealt with in past investigations, this paper provides forensics examiners with practical techniques for recovering evidence that would otherwise be inaccessible.

76 citations


Book Chapter
16 Dec 2008
TL;DR: It is demonstrated that if a head positioning system is not exact enough, new data written to a drive may not be written back to the precise location of the original data.
Abstract: Often we hear controversial opinions in digital forensics on the required or desired number of passes to utilize for properly overwriting, sometimes referred to as wiping or erasing, a modern hard drive. The controversy has caused much misconception, with persons commonly quoting that data can be recovered if it has only been overwritten once or twice. Moreover, referencing that it actually takes up to ten, and even as many as 35 (referred to as the Gutmann scheme because of the 1996 Secure Deletion of Data from Magnetic and Solid-State Memory published paper by Peter Gutmann) passes to securely overwrite the previous data. One of the chief controversies is that if a head positioning system is not exact enough, new data written to a drive may not be written back to the precise location of the original data. We demonstrate that the controversy surrounding this topic is unfounded.

58 citations


Journal Article
TL;DR: Some recommendations are presented about how computer scientists, forensic practitioners, lawyers, and judges could build more complete models of forensics that take into account appropriate legal details and lead to scientifically valid forensic analysis.
Abstract: Different users apply computer forensic systems, models, and terminology in very different ways. They often make incompatible assumptions and reach different conclusions about the validity and accuracy of the methods they use to log, audit, and present forensic data. This is problematic, because these fields are related, and results from one can be meaningful to the others. We present several forensic systems and discuss situations in which they produce valid and accurate conclusions and also situations in which their accuracy is suspect. We also present forensic models and discuss areas in which they are useful and areas in which they could be augmented. Finally, we present some recommendations about how computer scientists, forensic practitioners, lawyers, and judges could build more complete models of forensics that take into account appropriate legal details and lead to scientifically valid forensic analysis.

52 citations


01 Jan 2008
TL;DR: The common cell phone technologies, their characteristics, and device handling procedures are outlined and further data evidence storage areas are explained along with data types found in the various storage areas.
Abstract: The increased usage and proliferation of small scale digital devices, like cellular (mobile) phones has led to the emergence of mobile device analysis tools and techniques. This field of digital forensics has grown out of the mainstream practice of computer forensics. Practitioners are faced with various types of cellular phone generation technologies, proprietary embedded firmware systems, along with a staggering amount of unique cable connectors for different models of phones within the same manufacturer brand. The purpose of this paper is to provide foundational concepts for the data forensic practitioner. It will outline the common cell phone technologies, their characteristics, and device handling procedures. Further data evidence storage areas are also explained along with data types found in the various storage areas. Specific information is also noted about BlackBerry and iPhone devices. Detailed procedures for data analysis/extraction for mobile devices and how to use the various toolkits that are available is beyond the scope of this paper; the staggering numbers of cell phones and the intricacies of the toolkits makes this impossible. However, resources for the reader to further investigate the topic are attached in the appendix. Index Terms: Mobile Device, Cell Phones, BlackBerry, PDA, Smart Phones, Cellular Phone Generation, CDMA, TDMA, GSM, iDen, SIM, IMEI, IMSI, ICCID, ESN, MEID, PIN, PUK, Flash Memory, Memory Cards, Mobile Device Analysis, Analysis Tools, Cell Phone Forensics

Proceedings Article
22 May 2008
TL;DR: The development of SADI provides the capability to identify what digitally stored data actually represents and will also allow for the selective extraction of portions of the data for additional investigation; i.e., in the case of embedded data.
Abstract: A key task in digital forensic analysis is the location of relevant information within the computer system. Identification of the relevancy of data is often dependent upon the identification of the type of data being examined. Typical file type identification is based upon file extension or magic keys. These typical techniques fail in many typical forensic analysis scenarios such as needing to deal with embedded data, such as with Microsoft Word files, or file fragments. The SADI (Statistical Analysis Data Identification) technique applies statistical analysis of the byte values of the data in such a way that the accuracy of the technique does not rely on the potentially misleading metadata information but rather the values of the data itself. The development of SADI provides the capability to identify what digitally stored data actually represents and will also allow for the selective extraction of portions of the data for additional investigation; i.e., in the case of embedded data. Thus, our research provides a more effective type identification technique that does not fail on file fragments, embedded data types, or with obfuscated data.

Proceedings Article
Eric Kee, Hany Farid
22 Sep 2008
TL;DR: This technique works by modeling the degradation in a document caused by printing, and the resulting printer profile is then used to detect inconsistencies across a document, and for ballistic purposes - that of linking a document to a printer.
Abstract: We describe a technique for authenticating printed and scanned text documents. This technique works by modeling the degradation in a document caused by printing. The resulting printer profile is then used to detect inconsistencies across a document, and for ballistic purposes - that of linking a document to a printer.

Book Chapter
28 Jan 2008
TL;DR: The forensic processes of identification, classification/individualization, association and reconstruction are used to develop “forensic questions,” which are applied to objectively design digital forensic examinations.
Abstract: Early digital forensic examinations were conducted in toto — every file on the storage media was examined along with the entire file system structure. However, this is no longer practical as operating systems have become extremely complex and storage capacities are growing geometrically. Examiners now perform targeted examinations using forensic tools and databases of known files, selecting specific files and data types for review while ignoring files of irrelevant type and content. Despite the application of sophisticated tools, the forensic process still relies on the examiner’s knowledge of the technical aspects of the specimen and understanding of the case and the law. Indeed, the success of a forensic examination is strongly dependent on how it is designed. This paper discusses the application of traditional forensic taxonomy to digital forensics. The forensic processes of identification, classification/individualization, association and reconstruction are used to develop “forensic questions,” which are applied to objectively design digital forensic examinations.

Book
28 Aug 2008
TL;DR: Advances in Digital Forensics IV describes original research results and innovative applications in the emerging discipline of digital forensics and highlights some of the major technical and legal issues related to digital evidence and electronic crime investigations.
Abstract: Advances in Digital Forensics IV, edited by Indrajit Ray and Sujeet Shenoi. Digital forensics deals with the acquisition, preservation, examination, analysis and presentation of electronic evidence. Networked computing, wireless communications and portable electronic devices have expanded the role of digital forensics beyond traditional computer crime investigations. Practically every crime now involves some aspect of digital evidence; digital forensics provides the techniques and tools to articulate this evidence. Digital forensics also has myriad intelligence applications. Furthermore, it has a vital role in information assurance -- investigations of security breaches yield valuable information that can be used to design more secure systems. Advances in Digital Forensics IV describes original research results and innovative applications in the emerging discipline of digital forensics. In addition, it highlights some of the major technical and legal issues related to digital evidence and electronic crime investigations. The areas of coverage include: Themes and Issues; Evidence Recovery; Evidence Integrity; Evidence Management; Forensic Techniques; Network Forensics; Portable Electronic Device Forensics; Event Data Recorder Forensics; Novel Investigation Techniques; Forensic Tools. This book is the fourth volume in the annual series produced by the International Federation for Information Processing (IFIP) Working Group 11.9 on Digital Forensics, an international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The book contains a selection of twenty-eight edited papers from the Fourth Annual IFIP WG 11.9 Conference on Digital Forensics, held at Kyoto University, Kyoto, Japan in the spring of 2008.
Advances in Digital Forensics IV is an important resource for researchers, faculty members and graduate students, as well as for practitioners and individuals engaged in research and development efforts for the law enforcement and intelligence communities. Indrajit Ray is an Associate Professor of Computer Science at Colorado State University, Fort Collins, Colorado, USA. Sujeet Shenoi is the F.P. Walter Professor of Computer Science and a principal with the Center for Information Security at the University of Tulsa, Tulsa, Oklahoma, USA.

Journal Article
TL;DR: This article outlines some of the ideas generated and new research categories and areas identified at the 2007 Workshop on Virtualization in Digital Forensics to develop a research and education agenda for virtualization and digital forensics.
Abstract: The application of virtualization software and techniques in information technology research and education has provided a foundational environment to advance the state-of-the-art in research and education in many related areas. Commercial and open source virtualization products are being used by researchers and educators to create a wide variety of virtual environments. These virtual environments facilitate systems design and development and product development as well as the testing and modeling of production and preproduction systems. As the capabilities, functionality, and stability of these products have evolved, the use of virtualization has expanded, necessitating the identification of new research areas to investigate the impacts of virtualization on digital forensics. In February 2007, a group of digital forensics researchers, educators, and practitioners gathered at the National Center for Forensic Science at the University of Central Florida for the 2007 Workshop on Virtualization in Digital Forensics to discuss these issues and develop a research and education agenda for virtualization and digital forensics. This article outlines some of the ideas generated and new research categories and areas identified at this meeting.

01 Aug 2008
TL;DR: This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.
Abstract: People responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. No longer able to simply unplug a computer and evaluate it later, examiners must know how to capture an image of the running memory and perform volatile memory analysis using various tools, such as PsList, ListDLLs, Handle, Netstat, FPort, Userdump, Strings, and PSLoggedOn. This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.

Proceedings Article
22 May 2008
TL;DR: Developers of new and improved forensic tools need to design them with the end result of their use in court in mind, and producing audit trails may help to verify that the use of forensic tools is limited appropriately to comply with court authorization.
Abstract: Developers of new and improved forensic tools need to design them with the end result of their use in court in mind. Law enforcement must be able to show that the forensic tools and techniques produce reliable evidence in order for a court to consider it. Reliability is enhanced by demonstration that the forensic tools conform to the general standards within the forensic community. In addition, forensic tools must have adequate safeguards to protect the privacy of the public. Designing forensic tools so that they produce audit trails may help to verify that the use of forensic tools is limited appropriately to comply with court authorization.

Proceedings Article
09 Oct 2008
TL;DR: This paper presents a detailed digital forensic process model in five main phases and different roles to perform it, which is detailed enough to describe the investigation process and could possibly provide a guideline that investigators can take advantage of during a forensics investigation process.
Abstract: Being related to law and state-of-the-art technology, digital forensics needs more discipline than traditional forensics. The variety of types of crimes, distribution of networks and complexity of information and communication technology add to the complexity of the process of digital investigations. A rigorous and flexible process model is needed to overcome challenges and obstacles in this area. In this paper we propose a digital forensics process, called "two-dimensional evidence reliability amplification process model", which presents a detailed digital forensic process model in five main phases and different roles to perform it. At the same time, this iterative process addresses four essential tasks as the umbrella activities that are applicable across all phases and sub-phases. We have also developed a hypothetical solution based on intersection of events and exploit mathematical operations and symbols for making an algorithm to increase the reliability of evidence. This process model is detailed enough to describe the investigation process so that it could possibly provide a guideline that investigators can take advantage of during a forensics investigation process.


Proceedings Article
02 Sep 2008
TL;DR: A new digital forensics investigation procedure model is presented which is as follows: investigation preparation, classifying cyber crime and deciding investigation priority, investigating damaged (victim) digital crime scene, criminal profiling consultant and analysis, tracking suspects, and writing criminal profiling report.
Abstract: In this paper, we presented a new digital forensics investigation procedure model which is as follows: investigation preparation, classifying cyber crime and deciding investigation priority, investigating damaged (victim) digital crime scene, criminal profiling consultant and analysis, tracking suspects, investigating injurer digital crime scene, summoning suspect, additional investigation, writing criminal profiling, writing report.

Proceedings Article
01 Jan 2008
TL;DR: The aim of this paper is to model some of these processes by using the Unified Modeling Language (UML), specifically the behavioural Use Cases and Activity diagrams, which gives a clear indication of the limitations of these processes.
Abstract: A number of forensic processes have been used successfully in the field of Digital Forensics. The aim of this paper is to model some of these processes by using the Unified Modeling Language (UML) specifically the behavioural Use Cases and Activity diagrams. This modelling gives a clear indication of the limitations of these processes. A UML-based comparison is made of two prominent DFPMs that are currently available in the literature. This is followed by a newly proposed DFPM as developed by the authors.

Book
31 Dec 2008
TL;DR: Digital Forensics: Digital Evidence in Criminal Investigations provides the reader with a better understanding of how digital evidence complements traditional scientific evidence and examines how it can be used more effectively and efficiently in a range of investigations.
Abstract: The vast majority of modern criminal investigations involve some element of digital evidence, from mobile phones, computers, CCTV and other devices. Digital Forensics: Digital Evidence in Criminal Investigations provides the reader with a better understanding of how digital evidence complements traditional scientific evidence and examines how it can be used more effectively and efficiently in a range of investigations. Taking a new approach to the topic, this book presents digital evidence as an adjunct to other types of evidence and discusses how it can be deployed effectively in support of investigations. The book provides investigators/SSMs/other managers with sufficient contextual and technical information to be able to make more effective use of digital evidence sources in support of a range of investigations. In particular, it considers the roles played by digital devices in society and hence in criminal activities. From this, it examines the role and nature of evidential data which may be recoverable from a range of devices, considering issues relating to reliability and usefulness of those data. 
Includes worked case examples, test questions and review quizzes to enhance student understanding. Solutions provided in an accompanying website. Includes numerous case studies throughout to highlight how digital evidence is handled at the crime scene and what can happen when procedures are carried out incorrectly. Considers digital evidence in a broader context alongside other scientific evidence. Discusses the role of digital devices in criminal activities and provides methods for the evaluation and prioritizing of evidence sources. Includes discussion of the issues surrounding modern digital evidence examinations, for example, volume of material and its complexity. Clear overview of all types of digital evidence. Digital Forensics: Digital Evidence in Criminal Investigations is an invaluable text for undergraduate students taking either general forensic science courses where digital forensics may be a module or a dedicated computer/digital forensics degree course. The book is also a useful overview of the subject for postgraduate students and forensic practitioners.

01 Jan 2008
TL;DR: The adoption of existing technologies for digital curation, most especially digital capture, is outlined in the context of personal digital archives and the Digital Manuscripts Project at the British Library.
Abstract: The adoption of existing technologies for digital curation, most especially digital capture, is outlined in the context of personal digital archives and the Digital Manuscripts Project at the British Library. Technologies derived from computer forensics, data conversion and classic computing, and evolutionary computing are considered. The practical imperative of moving information to modern and fresh media as soon as possible is highlighted, as is the need to retain the potential for researchers of the future to experience the original look and feel of personal digital objects. The importance of not relying on any single technology is also emphasised.

Proceedings Article
01 Nov 2008
TL;DR: An overview of Digital Forensics methodologies, computer and network vulnerabilities and security measures, forensics tracking mechanisms to detect and deter intruders, and a case study for tracing a Distributed DoS attack are presented.
Abstract: Advances in Digital Technology have presented new challenges to both Industry and Law. Technology security experts are enhancing platforms security to protect enterprise and government from intrusions, whereas legal experts are adopting new techniques to investigate “illegal” breaches to systems and networks. This paper provides an overview of Digital Forensics methodologies, computer and network vulnerabilities and security measures, forensics tracking mechanisms to detect and deter intruders. A case study for tracing a Distributed DoS attack is also presented.

Journal Article
TL;DR: A high-speed search engine using a Tarari content processor is designed and implemented and feasibility of the approach is shown by comparing its performance and features to those of a popular forensic tool currently on the market.

01 Jan 2008
TL;DR: Some areas in the legal system where digital forensics evidence is most likely to be questioned are explored and include case jurisdiction, search and seizure, spoliation of evidence and issues of “good faith”, evidence preservation, investigation and analysis.
Abstract: Computers have become an important part of our lives and are becoming fundamental to activities in the home and workplace. Individuals use computer technology to send emails, access banking information, pay taxes, purchase products, surf the internet and so on. Business also use computers and the Internet to perform accounting tasks, manage customer information, store trade secrets, and develop new products and services. State, Federal and Local government agencies use the computer and Internet to create and access information. Similarly, digital systems have become the mainstay of criminal activity. Legal proceedings have always been influenced by tradition and court decisions. These legal traditions and decisions have necessitated the development of complex sets of rules that are used to assess forensic evidence in legal matters. Information and communication technology has impacted enterprise investigation and associated legal matters by requiring electronic evidence to be considered. However, not all evidence presented by digital forensic investigators in legal proceedings has been admissible. The digital forensics investigator must adopt procedures that adhere to the standards of admissibility for evidence in a court of law; proper content inspection of a computer system, proper analysis documentation and professional court representation to ensure a successful outcome. This paper presents an overview of issues in the discipline of digital forensics and explores some areas in the legal system where digital forensics evidence is most likely to be questioned. These include case jurisdiction, search and seizure, spoliation of evidence and issues of “good faith”, evidence preservation, investigation and analysis.

Journal Article
TL;DR: This paper examines and sets forth principles of operating system (OS) design that may significantly increase the success of (future) forensic collection efforts, and poses the use of circuit encryption techniques to provide an additional layer of protection above hardware-enforced approaches.
Abstract: Whether we accept it or not, computer systems and the operating systems that direct them are at the heart of major forms of malicious activity. Criminals can use computers as the actual target of their malicious activity (stealing funds electronically from a bank) or use them to support the conduct of criminal activity in general (using a spreadsheet to track drug shipments). In either case, law enforcement needs the ability (when required) to collect evidence from such platforms in a reliable manner that preserves the fingerprints of criminal activity. Though such discussion touches on privacy issues and rules of legal veracity, we focus purely on technological support in this paper. Specifically, we examine and set forth principles of operating system (OS) design that may significantly increase the success of (future) forensic collection efforts. We lay out several OS design attributes that synergistically enhance forensics activities. Specifically, we pose the use of circuit encryption techniques to provide an additional layer of protection above hardware-enforced approaches. We conclude by providing an overarching framework to incorporate these enhancements within the context of OS design.

Book
16 Oct 2008
TL;DR: A clearly written, non-technical book on the topic of computer forensics with emphasis on the establishment and management of a computer forensics laboratory and its subsequent support to successfully conducting computer-related crime investigations.
Abstract: The need to professionally and successfully conduct computer forensic investigations of incidents and crimes has never been greater. This has caused an increased requirement for information about the creation and management of computer forensic laboratories and the investigations themselves. This includes a great need for information on how to cost-effectively establish and manage a computer forensics laboratory. This book meets that need: a clearly written, non-technical book on the topic of computer forensics with emphasis on the establishment and management of a computer forensics laboratory and its subsequent support to successfully conducting computer-related crime investigations. Provides guidance on creating and managing a computer forensics lab. Covers the regulatory and legislative environment in the US and Europe. Meets the needs of IT professionals and law enforcement as well as consultants.

Proceedings Article
04 Mar 2008
TL;DR: The research highlights the lack of current tools and procedures for forensic computing investigations that are able to effectively handle the presence of wireless devices and networks, and that there are forms of misuse that may escape detection by forensic investigation teams.
Abstract: 802.11-based wireless networking has significantly altered the networking means and topology for cities, offices, homes and coffee shops over the last five years. A second generation of wireless devices has extended what was once a computer-to-computer protocol into the area of embedded functional devices. Accompanying this widespread usage is the presence of crime; the more popular technology, the more opportunity exists for its misuse. This work studies the 802.11-based wireless networking environment from a forensic computing perspective. It seeks to understand the current state of wireless misuse: present misuses; potential forms of misuse involving 802.11-based wireless networks; and current tools and techniques used in its identification, containment and analysis. The research highlights the lack of current tools and procedures for forensic computing investigations that are able to effectively handle the presence of wireless devices and networks, and that there are forms of misuse that may escape detection by forensic investigation teams.