
Showing papers on "Digital forensics" published in 2010


Journal ArticleDOI
TL;DR: Current forensic research directions are summarized and it is argued that to move forward the community needs to adopt standardized, modular approaches for data representation and forensic processing.

606 citations


Proceedings ArticleDOI
22 Mar 2010
TL;DR: A novel image database specifically built for the purpose of development and bench-marking of camera-based digital forensic techniques and is intended to become a useful resource for researchers and forensic investigators.
Abstract: This paper introduces and documents a novel image database specifically built for the purpose of development and bench-marking of camera-based digital forensic techniques. More than 14,000 images of various indoor and outdoor scenes have been acquired under controlled and thus widely comparable conditions from altogether 73 digital cameras. The cameras were drawn from only 25 different models to ensure that device-specific and model-specific characteristics can be disentangled and studied separately, as validated with results in this paper. In addition, auxiliary images for the estimation of device-specific sensor noise pattern were collected for each camera. Another subset of images to study model-specific JPEG compression algorithms has been compiled for each model. The 'Dresden Image Database' will be made freely available for scientific purposes when this accompanying paper is presented. The database is intended to become a useful resource for researchers and forensic investigators. Using a standard database as a benchmark not only makes results more comparable and reproducible, but it is also more economical and avoids potential copyright and privacy issues that go along with self-sampled benchmark sets from public photo communities on the Internet.

448 citations


Journal ArticleDOI
TL;DR: A novel image database specifically built for the purpose of development and benchmarking of camera-based digital forensic techniques and is intended to become a useful resource for researchers and forensic investigators.
Abstract: This article introduces and documents a novel image database specifically built for the purpose of development and benchmarking of camera-based digital forensic techniques. More than 14,000 images of various indoor and outdoor scenes have been acquired under controlled and thus widely comparable conditions from altogether 73 digital cameras. The cameras were drawn from only 25 different models to ensure that device-specific and model-specific characteristics can be disentangled and studied separately, as validated with results in this article. In addition, auxiliary images for the estimation of device-specific sensor noise pattern were collected for each camera. Another subset of images to study model-specific JPEG compression algorithms has been compiled for each model. The Dresden Image Database is freely available for scientific purposes. The database is intended to become a useful resource for researchers and forensic investigators. Using a standard database as a benchmark makes results more ...

339 citations


Proceedings ArticleDOI
TL;DR: A simple yet effective technique to detect median filtering in digital images-a widely used denoising and smoothing operator and backed with experimental evidence on a large image database is presented.
Abstract: In digital image forensics, it is generally accepted that intentional manipulations of the image content are most critical and hence numerous forensic methods focus on the detection of such 'malicious' post-processing. However, it is also beneficial to know as much as possible about the general processing history of an image, including content-preserving operations, since they can affect the reliability of forensic methods in various ways. In this paper, we present a simple yet effective technique to detect median filtering in digital images-a widely used denoising and smoothing operator. As a great variety of forensic methods relies on some kind of a linearity assumption, a detection of non-linear median filtering is of particular interest. The effectiveness of our method is backed with experimental evidence on a large image database.

243 citations


Journal ArticleDOI
TL;DR: An exhaustive survey of various network forensic frameworks proposed till date is made and a generic process model for network forensics is proposed which is built on various existing models of digital forensics.

213 citations


Journal ArticleDOI
TL;DR: This paper examines the legal aspects of digital forensic investigations of cloud computing systems, a new paradigm to the distributed processing of digital data.

120 citations


Proceedings Article
30 Dec 2010
TL;DR: This paper explores the challenges of computer forensics facing possibly its greatest challenges in dealing with cloud computing and suggests some possible solutions.
Abstract: Cloud computing is a relatively new concept that offers the potential to deliver scalable elastic services to many. The notion of pay-per-use is attractive, and in the current global recession-hit economy it offers an economic solution to an organization's IT needs. Computer forensics is a relatively new discipline born out of the increasing use of computing and digital storage devices in criminal acts (both traditional and hi-tech). Computer forensic practices have been around for several decades and early applications of their use can be charted back to law enforcement and military investigations some 30 years ago. In the last decade computer forensics has developed in terms of procedures, practices and tool support to serve the law enforcement community. However, it now faces possibly its greatest challenges in dealing with cloud computing. Through this paper we explore these challenges and suggest some possible solutions.

68 citations


Journal ArticleDOI
TL;DR: It is demonstrated that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.
Abstract: Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. The primary storage technology used for digital information has remained constant over the last two decades, in the form of the magnetic disc. Consequently, investigative, forensic, and judicial procedures are well-established for magnetic disc storage devices (Carrier, 2005). However, a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community. Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis. Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.

65 citations


Book ChapterDOI
04 Jan 2010
TL;DR: The early history of digital forensics from the perspective of an early participant is outlined, divided into four epochs: pre-history, infancy, childhood and adolescence.
Abstract: The field of digital forensics is relatively new. While its history may be chronologically short, it is complex. This paper outlines the early history of digital forensics from the perspective of an early participant. The history is divided into four epochs: pre-history, infancy, childhood and adolescence. Each of these epochs is examined from the perspective of the people involved, the criminal targets, the forensic tools utilized, the organizational structures that supported digital forensic practitioners and how the community formed. This history is, by necessity, incomplete and biased. There is a need for rigorous historical research in this area before all traces of the past are forgotten or obliterated.

65 citations


Proceedings ArticleDOI
25 Mar 2010
TL;DR: Pro-active DF (ProDF) as defined in this paper will enable an organization to take the initiative by implementing adequate measures to become DF ready, demonstrate due diligence for good corporate Governance, and provide a mechanism to assess and improve IT Governance frameworks.
Abstract: Most organizations underestimate the demand for digital evidence [1]. Often, when evidence is required to prove fraudulent transactions, not enough or trustworthy evidence is available to link the attacker to the incident. It is essential for organizations to prepare themselves for digital Forensic (DF) investigations and ensure that the entire organizational operating environment is prepared, for example, for an investigation (criminal or internal) or a compliance test. The accepted literature on DF readiness concentrates mainly on evidence identification, handling and storage, first line incident response and training requirements [2]. It does not consider the proactive application of DF tools to enhance the corporate governance structures (specifically Information Technology (IT) governance). Pro-active DF (ProDF) as defined in this paper will enable an organization to take the initiative by implementing adequate measures to become DF ready, demonstrate due diligence for good corporate Governance, specifically IT Governance, and provide a mechanism to assess and improve IT Governance frameworks. The purpose of this paper is to define, identify goals, steps, and deliverables of ProDF, identify dimensions of DF, and propose a theoretical DF management framework to guide the implementation of ProDF in an organization.

57 citations


Proceedings ArticleDOI
25 Mar 2010
TL;DR: The paper proposes that DF consists of three components: Pro-active, Active and Re-active (ReDF).
Abstract: We are living in a world where there is an increasing need for evidence in organizations. Good digital evidence is becoming a business enabler. Very few organizations have the structures (management and infrastructure) in place to enable them to conduct cost effective, low-impact and efficient digital investigations [1]. Digital Forensics (DF) is a vehicle that organizations use to provide good and trustworthy evidence and processes. The current DF models concentrate on reactive investigations, with limited reference to DF readiness and live investigations. However, organizations use DF for other purposes, for example compliance testing. The paper proposes that DF consists of three components: Pro-active (ProDF), Active (ActDF) and Re-active (ReDF). ProDF concentrates on DF readiness and the proactive responsible use of DF to demonstrate good governance and enhance governance structures. ActDF considers the gathering of live evidence during an ongoing attack with a limited live investigation element whilst ReDF deals with the traditional DF investigation. The paper discusses each component and the relationship between the components.

Proceedings ArticleDOI
30 Sep 2010
TL;DR: This paper aims to determine, from literature, the concepts of Digital Forensic Readiness and how they apply to SMEs, and the aspects of Digital Forensics and organisational characteristics that should be included in such a framework are highlighted.
Abstract: In this digital age, most business is conducted electronically. This contemporary paradigm creates openings for potentially harmful unanticipated information security incidents of either a criminal or civil nature, with the potential to cause considerable direct and indirect damage to smaller businesses. Electronic evidence is fundamental to the successful handling of such incidents. If an organisation does not prepare proactively for such incidents it is highly likely that important relevant digital evidence will not be available. Not being able to respond effectively could be extremely damaging to smaller companies, as they are unable to absorb losses as easily as larger organisations. In order to prepare smaller businesses for incidents of this nature, the implementation of Digital Forensic Readiness policies and procedures is necessitated. Numerous varying factors such as the perceived high cost, as well as the current lack of forensic skills, make the implementation of Digital Forensic Readiness appear difficult if not infeasible for smaller organisations. In order to solve this problem it is necessary to develop a scalable and flexible framework for the implementation of Digital Forensic Readiness based on the individual risk profile of a small to medium enterprise (SME). This paper aims to determine, from literature, the concepts of Digital Forensic Readiness and how they apply to SMEs. Based on the findings, the aspects of Digital Forensics and organisational characteristics that should be included in such a framework are highlighted.

Book
16 Jun 2010
TL;DR: Key network forensics skills and tools are discussed, for example capturing network traffic, using Snort for network-based forensics, using NetWitness Investigator for network traffic analysis, and deciphering TCP/IP.
Abstract: Network forensics is an evolution of typical digital forensics, where evidence is gathered and analyzed from network traffic. This book will help security and network forensics professionals, as well as network administrators, understand the challenges faced by organizations and individuals investigating network-based criminal cases. The authors not only present various tools used to examine network traffic but also introduce different investigative methodologies. With the explosive growth in Internet-based technology (e.g., social networks, cloud computing, telecommuting), computer and network forensics investigators are among the fastest areas of growth. Specifically, in the area of cybercrime and digital forensics, the federal government is conducting a talent search for 10K qualified specialists. Key network forensics skills and tools are discussed, for example capturing network traffic, using Snort for network-based forensics, using NetWitness Investigator for network traffic analysis, and deciphering TCP/IP. The current and future states of network forensics analysis tools are addressed. The admissibility of network-based traffic is covered as well as the typical life cycle of a network forensics investigation.

01 Dec 2010
TL;DR: Digital Forensics and Born-Digital Content in Cultural Heritage Collections examines the applicability of digital forensics to archivists, curators, and others working within cultural heritage as mentioned in this paper.
Abstract: Digital Forensics and Born-Digital Content in Cultural Heritage Collections examines digital forensics and its relevance for contemporary research. The applicability of digital forensics to archivists, curators, and others working within our cultural heritage is not necessarily intuitive. When the shared interests of digital forensics and responsibilities associated with securing and maintaining our cultural legacy are identified—preservation, extraction, documentation, and interpretation, as this report details—the correspondence between these fields of study becomes logical and compelling.

Journal ArticleDOI
TL;DR: Techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions are described, which include kernel-level malware detection, recovery of processes memory and file mappings, and other areas of forensics interest.

01 Dec 2010
TL;DR: Digital Forensics and Born-Digital Content in Cultural Heritage Collections examines digital forensics and its relevance for contemporary research and the applicability to archivists, curators, and others working within the cultural heritage.

Proceedings ArticleDOI
20 May 2010
TL;DR: This paper discusses and compares the two methodologies of steganography and visual cryptography, in addition to discussing some of the best known algorithms for each.
Abstract: Recently, numerous novel algorithms have been proposed in the fields of steganography and visual cryptography with the goals of improving security, reliability, and efficiency. This paper discusses and compares the two methodologies. Some similarities and differences are presented, in addition to discussing some of the best known algorithms for each. Lastly, an idea for a possible algorithm which combines the use of both steganography and visual cryptography is suggested. There are several ways of hiding data in files of different formats, leaving various signs of hidden data. Can data hidden in an original image be detected after it undergoes visual cryptography? Would that be a scenario which computer forensic investigators and forensic software developers have to account for?


Journal ArticleDOI
TL;DR: This study is the first in the U.S. to analyze judges and digital forensics, thus opening up a new avenue of research and demonstrating the applicability of that methodology to this discipline.
Abstract: As digital evidence grows in both volume and importance in criminal and civil courts, judges need to fairly and justly evaluate the merits of the offered evidence. To do so, judges need a general understanding of the underlying technologies and applications from which digital evidence is derived. Due to the relative newness of the computer forensics field, there have been few studies on the use of digital forensic evidence and none about judges' relationship with digital evidence. This study addressed judges' awareness, knowledge, and perceptions of digital evidence, using grounded theory methods. The interaction of judges with digital evidence has a social aspect that makes a study of this relationship well suited to grounded theory. This study gathered data via a written survey distributed to judges in the American Bar Association and National Judicial College, followed by interviews with judges from Massachusetts and Vermont. The results indicated that judges generally recognize the importance of evidence derived from digital sources, although they are not necessarily aware of all such sources. They believe that digital evidence needs to be authenticated just like any type of evidence and that it is the role of attorneys rather than of judges to mount challenges to that evidence, as appropriate. Judges are appropriately wary of digital evidence, recognizing how easy it is to alter or misinterpret such evidence. Less technically aware judges appear even more wary of digital evidence than their more knowledgeable peers. Judges recognize that they need additional training in computer and Internet technology as well as the computer forensics process and digital evidence, citing a lack of availability of such training. This training would enable judges to better understand the arguments presented by lawyers, testimony offered by technical witnesses, and judicial opinions forming the basis of decisional law. A framework for such training is provided in this report.
This study is the first in the U.S. to analyze judges and digital forensics, thus opening up a new avenue of research. It is the second time that grounded theory has been employed in a digital forensics study, demonstrating the applicability of that methodology to this discipline.

Book ChapterDOI
04 Jan 2010
TL;DR: This paper discusses the important issue of moving toward a science of digital forensic evidence examination and highlights key areas in which progress has to be made in order to become a normal science.
Abstract: Digital forensic evidence examination is not a normal science at this time. This paper discusses the important issue of moving toward a science of digital forensic evidence examination. It highlights key areas in which progress has to be made in order for digital forensic evidence examination to become a normal science.


01 Jan 2010
TL;DR: A new agent-based self-managed approach of anomaly intrusion prevention system based on risk assessment and managed by the principles of the Autonomic Computing (AC) concept, which has all the flavors of self-management is put forward.
Abstract: Over the last fifteen years the world has experienced a wide variety of computer threats and general computer security problems. As communication advances and information management systems become more and more powerful and distributed, organizations are becoming increasingly vulnerable to potential security threats such as intrusions at all levels of Information Communication Technology (ICT). There is an urgency to provide a secure and safe information security system through the use of firewalls, Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), encryption, authentication, and other hardware and software solutions. Many intrusion detection and prevention systems have been designed, but still there are significant drawbacks. Some of these drawbacks are low detection efficiency, inaccurate prevention schemes and high false alarm rates. Since IDSs and IPSs have become necessary security tools for detecting and preventing attacks on ICT resources, it is essential to upgrade the previous designs, techniques and methods to overcome flaws. Anomaly detection is an essential component of the detection mechanism against unknown attacks, but this requires advanced techniques to be better and more effective. In this paper we put forward a new agent-based self-managed approach of anomaly intrusion prevention system based on risk assessment and managed by the principles of the Autonomic Computing (AC) concept, which has all the flavors of self-management. Applying AC will open up new frontiers, and enhance and improve the intrusion detection mechanism by not only protecting the system's information and assets but also by stopping and preventing the breach before it happens. It can also assist in digital forensics and investigations.

Journal ArticleDOI
TL;DR: The paper argues the need for a new science resulting from the integration of digital forensics with diplomatics, archival science, information science and the law of evidence, and describes its nature and content and proposes ways of delivering it.
Abstract: This paper introduces the Digital Records Forensics project, a research endeavour located at the University of British Columbia in Canada and aimed at the development of a new science resulting from the integration of digital forensics with diplomatics, archival science, information science and the law of evidence, and of an interdisciplinary graduate degree program, called Digital Records Forensics Studies, directed to professionals working for law enforcement agencies, legal firms, courts, and all kinds of institutions and businesses that require their services. The program anticipates the need for organizations to become "forensically ready," defined by John Tan as "maximizing the ability of an environment to collect credible digital evidence while minimizing the cost of an incident response (Tan, 2001)." The paper argues the need for such a program, describes its nature and content, and proposes ways of delivering it.

Proceedings ArticleDOI
20 Apr 2010
TL;DR: In this paper, a solution based on Trusted Computing using a Trusted Platform Module (TPM) and AMD's Secure Virtual Machine technology (SVM) is proposed to ensure confidentiality, integrity and non-repudiation during creation, storage and transmission of log data.
Abstract: Trustable log data is essential in digital forensic investigations in order to allow reliable reconstruction of events. Existing solutions do not provide adequate protection, exposing the log-producing application to software-based attacks. In this paper we provide a solution based on Trusted Computing using a Trusted Platform Module (TPM) and AMD’s Secure Virtual Machine technology (SVM). While current solutions only protect against manipulation of existing logs, we go one step further by establishing hardware-based trust in the log producing application. Our solution ensures confidentiality, integrity and non-repudiation during creation, storage and transmission of log data.

Proceedings ArticleDOI
05 Jan 2010
TL;DR: The research in education needs that the group identified associated with the development of a digital forensics education agenda are presented.
Abstract: While many fields have well-defined education agendas, this is not the case for digital forensics. A unique characteristic of the evolution of digital forensics is that it has been largely driven by practitioners in the field. As a result, the majority of the educational experiences have been developed in response to identified weaknesses in the system or to train individuals on the use of a specific tool or technique, rather than as a result of educational needs assessments based on an accepted common body of knowledge. In June, 2008 a group of digital forensics researchers, educators and practitioners met as a working group at the Colloquium for Information Systems Security Education (CISSE 2008) to brainstorm ideas for the development of a research, education, and outreach agenda for Digital Forensics. This paper presents the research in education needs that the group identified associated with the development of a digital forensics education agenda.

Proceedings ArticleDOI
01 Oct 2010
TL;DR: A comprehensive perspective of each popular digital forensic tool is given and an inside view for investigators to choose their free sources or commercial tools is offered.
Abstract: With the continued growth of the mobile device market, the possibility of their use in criminal activity will only continue to increase. Since the mobile device market provides a great variety of manufacturers and models, causing a strong diversity, it becomes difficult for a professional investigator to choose the proper forensics tools for seizing internal data from mobile devices. Through this paper, we will give a comprehensive perspective of each popular digital forensic tool and offer an inside view for investigators to choose their free sources or commercial tools. In addition, a summary of the future direction for forensics tools on mobile devices is given.

Journal ArticleDOI
TL;DR: In this paper, a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators to perform routine investigations without becoming overwhelmed by low-level details.
Abstract: Recent trends in global networks are leading toward service-oriented architectures and sensor networks. On one end of the spectrum, this means deployment of services from numerous providers to form new service composites, and on the other end this means the emergence of the Internet of things. Both these kinds belong to a plethora of realms and can be deployed in many ways, which will pose serious problems in cases of abuse. Consequently, both trends increase the need for new approaches to digital forensics that would furnish admissible evidence for litigation. Because technology alone is clearly not sufficient, it has to be adequately supported by appropriate investigative procedures, which have yet to become a subject of an international consensus. This paper therefore provides an appropriate holistic framework to foster an internationally agreed upon approach in digital forensics along with necessary improvements. It is based on a top-down approach, starting with legal, continuing with organizational, and ending with technical issues. More precisely, the paper presents a new architectural technological solution that addresses the core forensic principles at its roots. It deploys so-called leveled message authentication codes and digital signatures to provide data integrity in a way that significantly eases forensic investigations into attacked systems in their operational state. Further, using a top-down approach, a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators to perform routine investigations without becoming overwhelmed by low-level details. As low-level details should not be left out, the framework is further evaluated to include these details to allow organizations to configure their systems for proactive collection and preservation of potential digital evidence in a structured manner.
The main reason behind this approach is to stimulate efforts on an internationally agreed "template legislation," similar to the model law in the area of electronic commerce, which would enable harmonized national implementations in the area of digital forensics.

Journal ArticleDOI
TL;DR: This work proposes a practical framework for digital forensics on flash drives, a unique way of generating, storing and analyzing data, retrieved from digital devices which pose as evidence in forensic analysis.
Abstract: With the rapid advancements in information and communication technology in the world, crimes committed are becoming technically intensive. When crimes committed use digital devices, forensic examiners have to adopt practical frameworks and methods to recover data for analysis which can pose as evidence. Data Generation, Data Warehousing and Data Mining, are the three essential features involved in the investigation process. This paper proposes a unique way of generating, storing and analyzing data, retrieved from digital devices which pose as evidence in forensic analysis. A statistical approach is used in validating the reliability of the pre-processed data. This work proposes a practical framework for digital forensics on flash drives.

Book
12 Jul 2010
TL;DR: The tool, training, and techniques from digital triage forensics are being brought to the public in this book for the first time and corporations, law enforcement, and consultants can benefit from the unique perspectives of the experts who coined Digital Triage Forensics.
Abstract: Digital triage forensics (DTF) is a procedural model for the investigation of digital crime scenes including both traditional crime scenes and the more complex battlefield crime scenes. The U.S. Army and other traditional police agencies use this model for current digital forensic applications. The tool, training, and techniques from this practice are being brought to the public in this book for the first time. Now corporations, law enforcement, and consultants can benefit from the unique perspectives of the experts who coined Digital Triage Forensics.
Includes coverage on collecting digital media
Outlines pre- and post-blast investigations
Features content on collecting data from cellular devices and SIM cards
Table of Contents
Chapter 1. New Age of Warfare: How Digital Forensics is Reshaping Today's Military
Chapter 2. Digital Triage Forensics and Battlefield Forensics
Chapter 3. Conducting Pre/Post Blast Investigations
Chapter 4. Using the DTF Model to Process Digital Media
Chapter 5. Using the DTF Model to Collect and Process Cell Phones and SIM Cards
Chapter 6. The Changing Role of a Digital Forensic Investigator
Glossary

Proceedings ArticleDOI
20 May 2010
TL;DR: A pyramid of forensic tools available in the international market can be sketched in this article, which examines the challenges associated with carrying out forensic analysis of mobile phones, elaborates various analysis techniques and depicts a pyramid of forensic techniques and tools.
Abstract: Mobile phones and other handheld devices are everywhere nowadays. Cell phones and cellular devices can be involved in a crime or other incident. Digital forensic specialists will require specialized tools for forensics examination of mobile phones for proper recovery and speedy analysis of data present on mobile phones. Based on the various extraction methods, different levels of analysis can be logically grouped for evidence acquisition from mobile phones. Based on these levels (Manual, Logical, Hex-Dump, Chip-Off and Micro Read) a pyramid of forensic tools available in the international market can be sketched. The scope of this paper is to excavate into challenges associated with carrying out forensic analysis of mobile phones, elaborate various analysis techniques and depict a pyramid of forensic techniques and tools.