
Showing papers on "Digital forensics" published in 2009


Journal ArticleDOI
TL;DR: It is explained why corpora are needed to further forensic research, a taxonomy for describing corpora is presented, and the availability of several forensic data sets are announced.

373 citations


Journal ArticleDOI
TL;DR: How photo-response nonuniformity (PRNU) of imaging sensors can be used for a variety of important digital forensic tasks, such as device identification, device linking, recovery of processing history, and detection of digital forgeries is explained.
Abstract: The article explains how photo-response nonuniformity (PRNU) of imaging sensors can be used for a variety of important digital forensic tasks, such as device identification, device linking, recovery of processing history, and detection of digital forgeries. The PRNU is an intrinsic property of all digital imaging sensors due to slight variations among individual pixels in their ability to convert photons to electrons. Consequently, every sensor casts a weak noise-like pattern onto every image it takes. This pattern, which plays the role of a sensor fingerprint, is essentially an unintentional stochastic spread-spectrum watermark that survives processing, such as lossy compression or filtering. This tutorial explains how this fingerprint can be estimated from images taken by the camera and later detected in a given image to establish image origin and integrity. Various forensic tasks are formulated as a two-channel hypothesis testing problem approached using the generalized likelihood ratio test. The performance of the introduced forensic methods is briefly illustrated on examples to give the reader a sense of the performance.

326 citations


Book
07 Oct 2009
TL;DR: The Handbook of Digital Forensics and Investigation builds on the success of the Handbook of Computer Crime Investigation, bringing together renowned experts in all areas of digital forensics and investigation to provide the consummate resource for practitioners in the field.
Abstract: The Handbook of Digital Forensics and Investigation builds on the success of the Handbook of Computer Crime Investigation, bringing together renowned experts in all areas of digital forensics and investigation to provide the consummate resource for practitioners in the field. This unique collection details how to conduct digital investigations in both criminal and civil contexts, and how to locate and utilize digital evidence on computers, networks, and embedded systems. Specifically, the Investigative Methodology section of the Handbook provides expert guidance in the three main areas of practice: Forensic Analysis, Electronic Discovery and Intrusion Investigation. The Technology section is extended and updated to reflect the state of the art in each area of specialization. The main areas of focus in the Technology section are forensic analysis of Windows, Unix, Macintosh, and embedded systems (including cellular telephones and other mobile devices), and investigations involving networks (including enterprise environments and mobile telecommunications technology). The Handbook of Digital Forensics and Investigation is an essential technical reference and on-the-job guide that IT professionals, forensic practitioners, law enforcement, and attorneys will rely on when confronted with computer related crime and digital evidence of any kind.
* Provides methodologies proven in practice for conducting digital investigations of all kinds
* Demonstrates how to locate and interpret a wide variety of digital evidence, and how it can be useful in investigations
* Presents tools in the context of the investigative process, including EnCase, FTK, ProDiscover, foremost, XACT, Network Miner, Splunk, flow-tools, and many other specialized utilities and analysis platforms
* Case examples in every chapter give readers a practical understanding of the technical, logistical, and legal challenges that arise in real investigations

200 citations


Book ChapterDOI
26 Jan 2009
TL;DR: This paper examines where the discipline of digital forensics is at this point in time and what has been accomplished, in order to critically analyze what has been done well and what ought to be done better.
Abstract: Digital forensics is a relatively new scientific discipline, but one that has matured greatly over the past decade. In any field of human endeavor, it is important to periodically pause and review the state of the discipline. This paper examines where the discipline of digital forensics is at this point in time and what has been accomplished in order to critically analyze what has been done well and what ought to be done better. The paper also takes stock of what is known, what is not known and what needs to be known. It is a compilation of the author’s opinion and the viewpoints of twenty-one other practitioners and researchers, many of whom are leaders in the field. In synthesizing these professional opinions, several consensus views emerge that provide valuable insights into the “state of the discipline.”

177 citations


Journal ArticleDOI
01 Mar 2009
TL;DR: This issue is one of a pair of coordinated special issues on digital forensics by IEEE Security & Privacy and IEEE Signal Processing Magazine and has articles debating the effectiveness of forensics, on capturing live forensics analysis of computers, on the new Microsoft Office file formats and their implications on forensics.
Abstract: This issue is one of a pair of coordinated special issues on digital forensics by IEEE Security & Privacy and IEEE Signal Processing Magazine. S&P's special issue has articles debating the effectiveness of forensics, on capturing live forensics analysis of computers, on the new Microsoft Office file formats and their implications on forensics, on licensing issues for digital forensics investigators, and finally a review article on the use of hashing in forensics.

158 citations


Proceedings Article
01 Jan 2009

94 citations


01 Jan 2009
TL;DR: A new digital forensic model is introduced which captures the full scope of an investigation process based on Malaysia Cyber Law, and it is compared with the existing models currently available and applied in the investigation process.
Abstract: With the proliferation of digital crime around the world, numerous digital forensic investigation models have already been developed. In fact, many of the digital forensic investigation models focus on the technical implementation of the investigation process, as most of them were developed by traditional forensic experts and technologists. As an outcome of this problem, most digital forensic practitioners focus on the technical aspect and forget the core concept of the digital forensic investigation model. In this paper we introduce a new digital forensic model which captures the full scope of an investigation process based on Malaysia Cyber Law. The proposed model is also compared with the existing models currently available and applied in the investigation process.

81 citations


Patent
20 May 2009
TL;DR: In this patent, a forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device.
Abstract: A forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. The forensic device acquires the computer evidence from the target computing device and filters the computer evidence using an application-specific system-level privilege profile that describes the aggregate exercise of system-level privileges by a plurality of software application instances executing throughout an enterprise. The forensic device presents a user interface through which the remote user views the filtered computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to filter the collected computer evidence to data that is likely to have forensic relevance.

81 citations


Journal ArticleDOI
TL;DR: There is an urgent need to reduce the growing backlog of forensic examinations in Digital Forensics Laboratories (DFLs), and the need to update training and establish thresholds in DFLs is addressed.
Abstract: There is an urgent need to reduce the growing backlog of forensic examinations in Digital Forensics Laboratories (DFLs). Currently, DFLs routinely create forensic duplicates and perform in-depth forensic examinations of all submitted media. This approach is rapidly becoming untenable as more cases involve increasing quantities of digital evidence. A more efficient and effective three-tiered strategy for performing forensic examinations will enable DFLs to produce useful results in a timely manner at different phases of an investigation, and will reduce unnecessary expenditure of resources on less serious matters. The three levels of forensic examination are described along with practical examples and suitable tools. Realizing that this is not simply a technical problem, we address the need to update training and establish thresholds in DFLs. Threshold considerations include the likelihood of missing exculpatory evidence and seriousness of the offense. We conclude with the implications of scaling forensic examinations to the investigation.

78 citations


Proceedings ArticleDOI
20 Jan 2009
TL;DR: This paper outlines some of the ideas generated and new research categories and areas identified at the meeting of a group of digital forensics researchers, educators and practitioners, as well as a plan for future development of a formalized research agenda.
Abstract: While many fields have well-defined research agendas, evolution of the field of digital forensics has been largely driven by practitioners in the field. As a result, the majority of the tools and practice have been developed in response to a diverse set of specific threats or scenarios, rather than as the result of a research and development plan. In June, 2008 a group of digital forensics researchers, educators and practitioners met as a working group at the Colloquium for Information Systems Security Education (CISSE 2008) to brainstorm ideas for the development of a research, education, and outreach agenda for Digital Forensics. This paper outlines some of the ideas generated and new research categories and areas identified at this meeting, as well as a plan for future development of a formalized research agenda.

77 citations


Journal ArticleDOI
TL;DR: The Advanced Forensic Format (AFF4) as discussed by the authors is an extensible file format for storing and sharing of evidence, arbitrary case related information and analysis results among different tools, which is designed to be simple to implement, built upon the well supported ZIP file format specification.

Journal ArticleDOI
TL;DR: Novel methods for cryptographic key identification are proposed and a new proof of concept tool named Interrogate is presented that searches through volatile memory and recovers cryptographic keys used by the ciphers AES, Serpent and Twofish.

Book
20 Mar 2009
TL;DR: In this book, the authors provide the scientific basis for examining digital forensic evidence in a legal context and give a detailed discussion of the issues that arise when a legal action involving the formalisms of a court system is involved, and that action involves evidence consisting of binary digits.
Abstract: This book is about the examination of digital forensic evidence in legal settings. When a legal action involving the formalisms of a court system is involved, and that action involves evidence consisting of 1s and 0s (the binary digits), there are specific concerns that have to be addressed in order to provide accurate facts to those who have to make judgements based on facts. This book provides the scientific basis for examination of digital forensic evidence in a legal context.

Journal ArticleDOI
01 Mar 2009
TL;DR: This article describes some live analysis approaches as well as tools and techniques for live analysis on real and virtual machines.
Abstract: As computer technologies become increasingly ubiquitous, so must supporting digital forensics tools and techniques for efficiently and effectively analyzing associated systems' behavior. Live analysis is a logical and challenging step forward in this area and a method that has recently received increased R&D focus. This article describes some live analysis approaches as well as tools and techniques for live analysis on real and virtual machines. The discussion includes research challenges and open problems.

Proceedings ArticleDOI
30 Oct 2009
TL;DR: An effective method for detecting copy-move forgery is proposed: SV features, which are invariant to algebraic and geometric changes and to some disturbances, are extracted, and each feature vector is treated as a query and matched to its nearest neighbors in the image.
Abstract: Identifying the authenticity and integrity of digital images becomes increasingly important in digital forensics. In this paper, we propose an effective method for detecting copy-move forgery. This method is implemented by first extracting SV features, which are invariant to algebraic and geometric changes, and to some disturbances. Due to the similar texture characteristics of copied and pasted regions, each SV feature vector is represented as a query and is then matched to its nearest neighbors in the image. Experiments are provided to demonstrate the efficiency of the presented method on different forgeries and to evaluate its robustness and sensitivity to tampered images with some post-processing applied.

Journal ArticleDOI
01 Mar 2009
TL;DR: Hashing is a primary, yet underappreciated, tool in digital forensic investigations; with clever design, robust fingerprinting and similarity hashes can be constructed that significantly speed up an investigation.
Abstract: Hashing is a primary, yet underappreciated, tool in digital forensic investigations. Recent R&D has demonstrated that, with clever design, we can construct robust fingerprinting and similarity hashes that can significantly speed up an investigation.

Proceedings ArticleDOI
04 Dec 2009
TL;DR: Tests with a sample system confirm the viability of the proposed combination of static and live analysis, and the investigator can have an interactive session with the virtual machine without violating evidence integrity.
Abstract: Traditional digital forensics is performed through static analysis of data preserved on permanent storage media. Not all data needed to understand the state of the examined system exists in nonvolatile memory. Live analysis uses the running system to obtain volatile data for a deeper understanding of the events going on. Sampling a running system might irreversibly change its state, making the collected evidence invalid. This paper proposes a combination of static and live analysis. Virtualization is used to bring static data to life. A volatile memory dump is used to enable offline analysis of live data. Using data from the memory dump, the virtual machine created from static data can be adjusted to provide a better picture of the live system at the time when the dump was made. The investigator can have an interactive session with the virtual machine without violating evidence integrity. Tests with a sample system confirm the viability of the proposed approach.

Book ChapterDOI
14 Aug 2009
TL;DR: This paper devises an ontology that structures forensic disciplines by their primary domain of evidence, and concludes that while perfect concealment of traces is possible for computer forensics, this level of certainty cannot be expected for manipulations of sensor data.
Abstract: The recent popularity of research on topics of multimedia forensics justifies reflections on the definition of the field. This paper devises an ontology that structures forensic disciplines by their primary domain of evidence. In this sense, both multimedia forensics and computer forensics belong to the class of digital forensics, but they differ notably in the underlying observer model that defines the forensic investigator's view on (parts of) reality, which itself is not fully cognizable. Important consequences on the reliability of probative facts emerge with regard to available counter-forensic techniques: while perfect concealment of traces is possible for computer forensics, this level of certainty cannot be expected for manipulations of sensor data. We cite concrete examples and refer to established techniques to support our arguments.

Journal ArticleDOI
Hany Farid
TL;DR: In the field of digital forensics, the arms race between the forger and the forensic analyst will continue to escalate with no clear victor, as in the battle against spam and computer viruses.
Abstract: Altering digital imagery is now ubiquitous. People have come to expect it in the fashion and entertainment world, where airbrushing blemishes and wrinkles away is routine. And anyone surfing the Web is routinely subjected to crude photographic mashups like the Palin hoax, whose creators clearly aren't interested in realism but in whatever titillation or outrage they can generate. Even as experts continue to develop techniques for exposing photographic frauds, new techniques for creating better and harder-to-detect fakes are also evolving. As in the battle against spam and computer viruses, it seems inevitable that the arms race between the forger and the forensic analyst will continue to escalate, with no clear victor. Improved image forensics will never be able to eradicate or prevent digital tampering, but these techniques can make it more time-consuming and difficult for forgers to ply their trade. Tomorrow's technology will almost certainly enable digital manipulations that today seem unimaginable, and the science of digital forensics will have to work hard to keep pace. It is my hope that these new techniques, along with a greater awareness of the technological possibilities and sensible updates in policy and law, will help the media, the courts, and the public contend with the exciting but often baffling events of our digital age.

Journal ArticleDOI
TL;DR: This special issue provides a comprehensive overview of recent developments and open problems in digital forensics that are amenable to signal processing techniques.
Abstract: This special issue provides a comprehensive overview of recent developments and open problems in digital forensics that are amenable to signal processing techniques.

Proceedings ArticleDOI
16 Mar 2009
TL;DR: Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion, but using virtual machines and a technique called virtual machine introspection can help overcome these limits.
Abstract: Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the results and as such are themselves suspect. Using virtual machines and a technique called virtual machine introspection can help overcome these limits, but it introduces its own research challenges. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas in virtual machine introspection including virtual machine introspection tool development, applications of virtual machine introspection to non-quiescent virtual machines, virtual machine introspection covert operations, and virtual machine introspection detection.

Book ChapterDOI
01 Jan 2009
TL;DR: A clustering-based text mining technique is introduced for investigational purposes and is experimentally applied to the publicly available Enron dataset that well fits a plausible forensics analysis context.
Abstract: In the last decades digital forensics has become a prominent activity in modern investigations. Indeed, an important data source is often constituted by information contained in devices on which investigational activity is performed. Due to the complexity of this inquiring activity, the digital tools used for investigation constitute a central concern. In this paper a clustering-based text mining technique is introduced for investigational purposes. The proposed methodology is experimentally applied to the publicly available Enron dataset, which well fits a plausible forensics analysis context.


Journal ArticleDOI
TL;DR: DIALOG (Digital Investigation Ontology) is presented, where registry keys are modeled in terms of both their structure and function and it is illustrated how the interpretation of their results can be done using the reasoning capabilities of ontology.

01 Jan 2009
TL;DR: This research discusses the analysis technique it has adopted to successfully detect maliciousness in hidden data of the NTFS boot sector, and proposes a three-stage forensic analysis process that attempts to unearth the vulnerabilities of an NTFS disk image and the weaknesses of current forensic techniques.
Abstract: Forensic analysis of the Windows NT File System (NTFS) could provide useful information leading towards malware detection and presentation of digital evidence for the court of law. Since NTFS records every event of the system, forensic tools are required to process an enormous amount of information related to the user/kernel environment, buffer overflows, trace conditions, network stack, etc. This has led to imperfect forensic tools that are practical for implementation and hence become popular, but are not comprehensive and effective. Many existing techniques have failed to identify malicious code in hidden data of the NTFS disk image. This research discusses the analysis technique we have adopted to successfully detect maliciousness in hidden data, by investigating the NTFS boot sector. We have conducted experimental studies with some of the existing popular forensics tools and have identified their limitations. Further, through our proposed three-stage forensic analysis process, our experimental investigation attempts to unearth the vulnerabilities of the NTFS disk image and the weaknesses of the current forensic techniques.

Proceedings ArticleDOI
01 Dec 2009
TL;DR: Various aspects of network forensics are reviewed, as well as related technologies and their limitations, and challenges in deploying a network forensics infrastructure are highlighted.
Abstract: Network forensics is an extension of the network security model which traditionally emphasizes prevention and detection of network attacks. It addresses the need for dedicated investigative capabilities in the current model to allow investigating malicious behavior in networks. It helps organizations in investigating outside and inside network attacks. It is also important for law enforcement investigations. In this paper, various aspects of network forensics are reviewed as well as related technologies and their limitations. Also, challenges in deploying a network forensics infrastructure are highlighted.

Journal ArticleDOI
01 Mar 2009
TL;DR: Two new office document file formats (Office Open XML and OpenDocument Format) make it easier to glean time stamps and unique document identifiers while also improving opportunities for file carving and data recovery.
Abstract: Two new office document file formats (Office Open XML and OpenDocument Format) make it easier to glean time stamps and unique document identifiers while also improving opportunities for file carving and data recovery.

Book ChapterDOI
19 Jan 2009
TL;DR: The forensic integration architecture (FIA) is presented which provides a framework for abstracting the evidence source and storage format information from digital evidence and explores the concept of integrating evidence information from multiple sources.
Abstract: The analysis and value of digital evidence in an investigation has been the domain of discourse in the digital forensic community for several years. While many works have considered different approaches to model digital evidence, a comprehensive understanding of the process of merging different evidence items recovered during a forensic analysis is still a distant dream. With the advent of modern technologies, pro-active measures are integral to keeping abreast of all forms of cyber crimes and attacks. This paper motivates the need to formalize the process of analyzing digital evidence from multiple sources simultaneously. In this paper, we present the forensic integration architecture (FIA) which provides a framework for abstracting the evidence source and storage format information from digital evidence and explores the concept of integrating evidence information from multiple sources. The FIA architecture identifies evidence information from multiple sources that enables an investigator to build theories to reconstruct the past. FIA is hierarchically composed of multiple layers and adopts a technology independent approach. FIA is also open and extensible making it simple to adapt to technological changes. We present a case study using a hypothetical car theft case to demonstrate the concepts and illustrate the value it brings into the field.

Journal ArticleDOI
01 Mar 2009
TL;DR: Computer forensics' presumed usefulness against anyone with computer savvy is minimal because such persons can readily defeat forensics techniques.
Abstract: Computer forensics' presumed usefulness against anyone with computer savvy is minimal because such persons can readily defeat forensics techniques. Because computer forensics can't show who put the data where forensics found it, it can be evidence of nothing.

Journal ArticleDOI
01 Mar 2009
TL;DR: In response to another article in this special issue, "Forensics Is So 'Yesterday,'" the author proposes that although digital forensics does face challenges, it works, so digital investigations shouldn't stop as long as they follow the law.
Abstract: In response to another article in this special issue, "Forensics Is So 'Yesterday,'" the author proposes that although digital forensics does face challenges, it works, so digital investigations shouldn't stop as long as they follow the law.