
Showing papers on "Digital forensics published in 2011"


Proceedings ArticleDOI
05 May 2011
TL;DR: This paper focuses on the technical aspects of digital forensics in distributed cloud environments by assessing whether it is possible for the customer of cloud computing services to perform a traditional digital investigation from a technical point of view.
Abstract: Cloud Computing is arguably one of the most discussed information technologies today. It presents many promising technological and economical opportunities. However, many customers remain reluctant to move their business IT infrastructure completely to the cloud. One of their main concerns is Cloud Security and the threat of the unknown. Cloud Service Providers (CSP) encourage this perception by not letting their customers see what is behind their virtual curtain. A seldomly discussed, but in this regard highly relevant open issue is the ability to perform digital investigations. This continues to fuel insecurity on the sides of both providers and customers. Cloud Forensics constitutes a new and disruptive challenge for investigators. Due to the decentralized nature of data processing in the cloud, traditional approaches to evidence collection and recovery are no longer practical. This paper focuses on the technical aspects of digital forensics in distributed cloud environments. We contribute by assessing whether it is possible for the customer of cloud computing services to perform a traditional digital investigation from a technical point of view. Furthermore we discuss possible solutions and possible new methodologies helping customers to perform such investigations.

225 citations


Journal ArticleDOI
TL;DR: This paper details the composition of an Android bootable image and discusses the creation of such an image designed for forensic collection and related results of experiments carried out on several specific devices.

173 citations


01 Jan 2011
TL;DR: A technique is presented to detect Copy-Move Forgery based on SURF and KD-Tree for multidimensional data matching and demonstrates the method with high resolution images affected by copy-move forgery.
Abstract: An image has a better chance of convincing someone of something than a description in words alone. Digital images are widely used in fields such as medical imaging, journalism, scientific work and digital forensics. However, images are not as reliable as they may appear: digital images can be easily tampered with using image editing tools. One of the major problems in image forensics is determining whether a particular image is authentic. Digital image forensics is an emerging subfield of image processing. Copy-move forgery is one type of image forgery, and various methods have been proposed to detect it. In this paper a technique is presented to detect copy-move forgery based on SURF features and a KD-tree for multidimensional data matching. We demonstrate our method on high-resolution images affected by copy-move forgery.

170 citations
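The paper above matches SURF keypoints with a KD-tree; the stage that actually exposes a copy-move forgery is the one after matching, where many matched pairs agree on one displacement vector. The following is an added example, not code from the paper, that demonstrates that voting stage with a simpler front end: exact matching of overlapping 4x4 pixel blocks in a hash table stands in for SURF and the KD-tree. The input image is a constructed array; the block size and vote threshold are assumptions.

```python
"""Copy-move forgery detection by duplicate-block matching and shift-vector voting.

Added example, not the SURF/KD-tree detector from the paper above. SURF keypoints
matched through a KD-tree are replaced by exact matching of overlapping 4x4 pixel
blocks in a hash table; the second stage, voting on the displacement between
matching regions, is what this shares with keypoint-based copy-move detectors.
The input is a constructed grayscale array, not a photograph.
"""
from collections import defaultdict
import random

BLOCK = 4  # block side in pixels (assumed; real detectors use larger blocks or keypoints)


def make_test_image(width=32, height=32, forged=True, seed=1):
    """Constructed high-entropy grayscale image; when forged, the 8x8 patch at
    (row 4, col 4) is pasted over (row 18, col 20)."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(width)] for _ in range(height)]
    if forged:
        src_r, src_c, dst_r, dst_c, size = 4, 4, 18, 20, 8
        for dr in range(size):
            for dc in range(size):
                img[dst_r + dr][dst_c + dc] = img[src_r + dr][src_c + dc]
    return img


def block_table(img):
    """Map each BLOCKxBLOCK pixel pattern to the top-left corners where it occurs."""
    h, w = len(img), len(img[0])
    table = defaultdict(list)
    for r in range(h - BLOCK + 1):
        for c in range(w - BLOCK + 1):
            key = tuple(img[r + dr][c + dc] for dr in range(BLOCK) for dc in range(BLOCK))
            table[key].append((r, c))  # raster order: earlier corners are listed first
    return table


def bounding_box(corners):
    """(row0, col0, row1, col1) covering every block whose top-left corner is listed."""
    rows = [r for r, _ in corners]
    cols = [c for _, c in corners]
    return (min(rows), min(cols), max(rows) + BLOCK - 1, max(cols) + BLOCK - 1)


def detect_copy_move(img, min_votes=10, min_shift=BLOCK):
    """Return one finding per displacement vector that at least min_votes block
    pairs agree on. Pairs closer than min_shift are ignored: they come from flat
    texture (sky, walls), not from a pasted region."""
    votes = defaultdict(list)
    for positions in block_table(img).values():
        for i in range(len(positions)):
            for j in range(i + 1, len(positions)):
                (r1, c1), (r2, c2) = positions[i], positions[j]
                shift = (r2 - r1, c2 - c1)
                if max(abs(shift[0]), abs(shift[1])) < min_shift:
                    continue
                votes[shift].append((positions[i], positions[j]))
    findings = []
    for shift, pairs in votes.items():
        if len(pairs) < min_votes:
            continue
        findings.append({
            "shift": shift,                       # (rows, cols) from region_a to region_b
            "matches": len(pairs),
            "region_a": bounding_box([p[0] for p in pairs]),
            "region_b": bounding_box([p[1] for p in pairs]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_copy_move(make_test_image()):
        print(f"shift={f['shift']} matches={f['matches']} "
              f"region_a={f['region_a']} region_b={f['region_b']}")
```

Exact block matching only finds verbatim copies; a pasted region that was rescaled, rotated or recompressed needs invariant descriptors such as the SURF features the paper uses, but the shift-vector vote on the matched pairs is the same.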


01 Jan 2011
TL;DR: This model attempts to address some of the shortcomings of previous methodologies, and provides the following advantages: a consistent, standardized and systematic framework for digital forensic investigation process.
Abstract: Law practitioners are in an uninterrupted battle with criminals over the application of digital/computer technologies, and require the development of a proper methodology to systematically search digital devices for significant evidence. Computer fraud and digital crimes are growing day by day and, unfortunately, less than two percent of the reported cases result in a conviction. This paper explores the development of the digital forensics process model, compares digital forensic methodologies, and finally proposes a systematic model of the digital forensic procedure. This model attempts to address some of the shortcomings of previous methodologies, and provides the following advantages: a consistent, standardized and systematic framework for the digital forensic investigation process; a framework that works systematically in a team according to the captured evidence; a mechanism for applying the framework according to the digital forensic investigation technologies of the country concerned; and a generalized methodology that judicial members can use to relate technology to non-technical observers. The paper presents a brief overview of previous forensic models, proposes a new model inspired by the DFRWS Digital Investigation Model, and finally compares it with previous models to show its relevance. The proposed model explores the different processes involved in the investigation of cyber crime and cyber fraud in the form of an eleven-stage model. The Systematic Digital Forensic Investigation Model (SDFIM) has been developed with the aim of helping forensic practitioners and organizations set up appropriate policies and procedures in a systematic manner.

159 citations


Book
15 Jun 2011
TL;DR: In this article, the authors provide a thorough review of the Android platform including supported hardware devices, the structure of Android development project and implementation of core services (wireless communication, data storage and other low-level functions).
Abstract: The open source nature of the platform has not only established a new direction for the industry, but enables a developer or forensic analyst to understand the device at the most fundamental level. Android Forensics covers an open source mobile device platform based on the Linux 2.6 kernel and managed by the Open Handset Alliance. The Android platform is a major source of digital forensic investigation and analysis. This book provides a thorough review of the Android platform including supported hardware devices, the structure of the Android development project and implementation of core services (wireless communication, data storage and other low-level functions). Finally, it will focus on teaching readers how to apply actual forensic techniques to recover data.
Named a 2011 Best Digital Forensics Book by InfoSec Reviews.
Ability to forensically acquire Android devices using the techniques outlined in the book.
Detailed information about Android applications needed for forensic investigations.
Important information about SQLite, a file-based structured data storage relevant for both Android and many other platforms.
Table of Contents
Chapter 1. Android and Mobile Forensics
Chapter 2. Android Hardware Platforms
Chapter 3. Android Software Development Kit and Android Debug Bridge
Chapter 4. Android File Systems and Data Structures
Chapter 5. Android Device, Data and App Security
Chapter 6. Android Forensic Techniques
Chapter 7. Android Application and Forensic Analysis

132 citations


DOI
25 May 2011
TL;DR: Significant challenges with cloud forensics, including forensic acquisition, evidence preservation and chain of custody, are described, along with open problems for continued research.
Abstract: The inevitable vulnerabilities and criminal targeting of cloud environments demand an understanding of how digital forensic investigations of the cloud can be accomplished. We present two hypothetical case studies of cloud crimes: child pornography being hosted in the cloud, and a compromised cloud-based website. Our cases highlight shortcomings of current forensic practices and laws. We describe significant challenges with cloud forensics, including forensic acquisition, evidence preservation and chain of custody, and open problems for continued research.

90 citations


Journal ArticleDOI
TL;DR: This paper presents the GRR Rapid Response Framework (GRR), a new multi-platform, open source tool for enterprise forensic investigations enabling remote raw disk and memory access and describes the architecture used by GRR.

84 citations


Journal ArticleDOI
TL;DR: This research aims at identifying activities that facilitate and improve the digital forensic investigation process by reviewing existing digital forensic frameworks and producing a new model to improve the whole investigation process.
Abstract: The research introduces a structured and consistent approach for digital forensic investigation. Digital forensic science provides tools, techniques and scientifically proven methods that can be used to acquire and analyze digital evidence. The digital forensic investigation must be conducted so that the evidence it obtains will be accepted in court. This research focuses on a structured and consistent approach to digital forensic investigation. This research aims at identifying activities that facilitate and improve the digital forensic investigation process. Existing digital forensic frameworks will be reviewed and the analysis compiled. The result of the evaluation will be a new model to improve the whole investigation process.

77 citations


Book ChapterDOI
15 Aug 2011
TL;DR: A derived functional process that can support the implementation of a proactive forensics system and introduce automation of live investigation is proposed.
Abstract: Recent papers have urged the need for new forensic techniques and tools able to investigate anti-forensics methods, and have promoted automation of live investigation. Such techniques and tools are called proactive forensic approaches, i.e., approaches that can deal with digitally investigating an incident while it occurs. To come up with such an approach, a Systematic Literature Review (SLR) was undertaken to identify and map the processes in digital forensics investigation that exist in the literature. According to the review, there is only one process that explicitly supports proactive forensics, the multicomponent process [1]. However, this is a very high-level process and cannot be used to introduce automation and to build a proactive forensics system. As a result of our SLR, a derived functional process that can support the implementation of a proactive forensics system is proposed.

75 citations


Proceedings ArticleDOI
05 Dec 2011
TL;DR: This work presents a novel method for harvesting social snapshots that is based on a custom add-on for social networks in combination with a web crawling component and investigates different use-cases of the tool that include consensual application and the use of sniffed authentication cookies.
Abstract: Recently, academia and law enforcement alike have shown a strong demand for data that is collected from online social networks. In this work, we present a novel method for harvesting such data from social networking websites. Our approach uses a hybrid system that is based on a custom add-on for social networks in combination with a web crawling component. The datasets that our tool collects contain profile information (user data, private messages, photos, etc.) and associated meta-data (internal timestamps and unique identifiers). These social snapshots are significant for security research and in the field of digital forensics. We implemented a prototype for Facebook and evaluated our system on a number of human volunteers. We show the feasibility and efficiency of our approach and its advantages in contrast to traditional techniques that rely on application-specific web crawling and parsing. Furthermore, we investigate different use-cases of our tool that include consensual application and the use of sniffed authentication cookies. Finally, we contribute to the research community by publishing our implementation as an open-source project.

75 citations


Journal ArticleDOI
TL;DR: The conclusion that can be made from this study is that planting a sensor fingerprint in an image without leaving a trace is significantly more difficult than previously thought.
Abstract: Due to a production error, the above titled paper (ibid., vol. 6, no. 1, pp. 227-236, Mar. 11), was published as a correspondence in the March 2011 issue of IEEE Transactions on Information Forensics and Security. This paper was actually accepted as a Regular Paper and should have been published as such.

Book
29 Mar 2011
TL;DR: Digital Forensics with Open Source Tools is a technical procedural guide, and explains the use of these tools on Linux and Windows systems as a platform for performing computer forensics.
Abstract: Digital Forensics with Open Source Tools is the definitive book on investigating and analyzing computer systems and media using open source tools. The book is a technical procedural guide, and explains the use of these tools on Linux and Windows systems as a platform for performing computer forensics. Both well known and novel forensic methods are demonstrated using command-line and graphical open source computer forensic tools for examining a wide range of target systems and artifacts.
Written by world-renowned forensic practitioners.
Details core concepts and techniques of forensic file system analysis.
Covers analysis of artifacts from the Windows, Mac, and Linux operating systems.

Proceedings Article
01 Jan 2011
TL;DR: Possible techniques to isolate Cloud instances to facilitate an investigation include, but are not limited to, Instance Relocation, Server Farming, Address Relocation, Failover, Sandboxing, Man in the Middle (MITM) and Let's Hope for the Best (LHFTB).
Abstract: Cloud Computing is gaining acceptance and increasing in popularity. Organizations often rely on Cloud resources to effectively replace their in-house computer systems. In a Cloud environment an instance is typically accepted to be a virtual system resource established within that Cloud. Multiple instances can be contained in a single node. The Cloud itself consists of multiple nodes. The Cloud structure has no predefined or fixed boundaries. Digital Forensics (DF) can be considered the science of finding the root cause of a particular incident. Isolating the incident environment is generally accepted within the Forensic Community to be an integral part of a Forensic process. We consider this isolation to be needed in Digital Forensic Investigations (DFIs) as well. The isolation prevents any further contamination or tampering of possible evidence. In order to isolate the incident, the Cloud instance is isolated. The node instance is effectively placed in a controlled environment to enable a controlled DF investigation to be conducted. This paper will introduce possible techniques to isolate these Cloud instances to facilitate an investigation. The techniques include, but are not limited to, Instance Relocation, Server Farming, Address Relocation, Failover, Sandboxing, Man in the Middle (MITM) and Let's Hope for the Best (LHFTB). A discussion of each of these techniques will be given. This discussion will include a description of each technique, the advantages and disadvantages of using the technique and the visibility of the technique.

25 May 2011
TL;DR: The current results and analysis of the survey "Cloud forensics and critical criteria for cloud forensic capability", carried out among digital forensic experts and practitioners, are presented.
Abstract: In this paper we present the current results and analysis of the survey "Cloud forensics and critical criteria for cloud forensic capability" carried out among digital forensic experts and practitioners. This survey was created in order to gain a better understanding of some of the key questions of the new field of cloud forensics before further research and development. We aim to understand concepts such as its definition, the most challenging issues, the most valuable research directions, and the critical criteria for cloud forensic capability.

Proceedings ArticleDOI
19 Dec 2011
TL;DR: This paper generated its own dataset by attacking Eucalyptus with many of the known cloud attacks and then analyzing the resultant dataset to identify possible log entries that could identify cloud attacks or help in conducting digital forensics in cloud environments.
Abstract: Cloud computing is a computing paradigm that shifts drastically from traditional computing architecture. Although this new computing paradigm brings many advantages, such as the utility computing model, its design is not flawless: it suffers not only from many known computer vulnerabilities but also introduces unique information confidentiality, integrity and availability risks due to its inherent design paradigm. As a result, digital forensics, which relies heavily on physical access to computing devices and on application logs, has become one of the biggest challenges in cloud environments, because physical access to computing devices and application logs is not available. This paper highlights many of the digital forensics issues in cloud environments and tries to address some of them by identifying Syslog or Snort log entries that can help in detecting cloud attacks or conducting digital forensics in cloud environments, based on the logs generated by the open source cloud computing software Eucalyptus. We neither had access to a Eucalyptus log dataset nor was it known that any such dataset existed that could be analyzed offline for digital forensics purposes. Thus we generated our own dataset by attacking Eucalyptus with many of the known cloud attacks and then analyzing the resultant dataset to identify log entries that could identify cloud attacks or help in conducting digital forensics in cloud environments.
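The paper above looks for Syslog and Snort entries that betray attacks on a cloud node. The following is an added example, not the paper's dataset or analysis, that shows the kind of check an investigator runs once such entries are known: parse both log types, group events by source address, and flag sources whose repeated login failures coincide in time with an IDS alert. All log lines are constructed (RFC 3164 syslog and Snort "fast" alert style); the node names, addresses, signature IDs, time window and failure threshold are assumptions, and the year is assumed because neither format records it.

```python
"""Correlating syslog authentication failures with Snort alerts by source address.

Added example, not the dataset or analysis from the paper above. Parses constructed
RFC 3164 syslog lines and Snort "fast" alert lines, groups events per source IP and
flags sources whose repeated login failures fall within a time window of an IDS alert.
Hosts, addresses, signature IDs and thresholds are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2011  # assumption: neither log format carries the year

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sig>[\d:]+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")

# Constructed sample logs: one brute-force source, one legitimate user, one unrelated alert.
SAMPLE_SYSLOG = """\
Dec 19 10:15:02 node1 sshd[2134]: Failed password for root from 10.0.0.5 port 43210 ssh2
Dec 19 10:15:08 node1 sshd[2134]: Failed password for root from 10.0.0.5 port 43211 ssh2
Dec 19 10:15:13 node1 sshd[2140]: Failed password for invalid user admin from 10.0.0.5 port 43212 ssh2
Dec 19 10:15:20 node1 sshd[2140]: Failed password for root from 10.0.0.5 port 43213 ssh2
Dec 19 10:16:01 node1 sshd[2151]: Failed password for alice from 192.168.1.7 port 50110 ssh2
Dec 19 10:16:05 node1 sshd[2151]: Accepted password for alice from 192.168.1.7 port 50110 ssh2
"""
SAMPLE_SNORT = """\
12/19-10:15:05.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43210 -> 10.0.0.1:22
12/19-11:40:17.000001  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1
"""


def parse_events(syslog_text, snort_text):
    """Turn both logs into one list of {time, src, kind, msg} events."""
    events = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for kind, rx in (("failed_login", FAILED_RE), ("accepted_login", ACCEPTED_RE)):
            hit = rx.search(m["msg"])
            if hit:
                events.append({"time": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                               "src": hit["src"], "kind": kind, "msg": m["msg"]})
                break
    for line in snort_text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        events.append({"time": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %m/%d-%H:%M:%S"),
                       "src": m["src"], "kind": "ids_alert", "msg": m["msg"]})
    return events


def correlate(events, window_seconds=300, min_failures=3):
    """Group events per source IP; flag sources with at least min_failures failed
    logins and an IDS alert within window_seconds of one of those failures."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        failures = [e["time"] for e in evs if e["kind"] == "failed_login"]
        if len(failures) < min_failures:
            continue
        near_alerts = [e for e in evs if e["kind"] == "ids_alert"
                       and any(abs((e["time"] - f).total_seconds()) <= window_seconds for f in failures)]
        if not near_alerts:
            continue
        flagged[src] = {
            "failed_logins": len(failures),
            "accepted_logins": sum(e["kind"] == "accepted_login" for e in evs),
            "alerts": [e["msg"] for e in near_alerts],
            "timeline": [(e["time"].isoformat(), e["kind"], e["msg"]) for e in evs],
        }
    return flagged


if __name__ == "__main__":
    for src, info in correlate(parse_events(SAMPLE_SYSLOG, SAMPLE_SNORT)).items():
        print(src, info["failed_logins"], "failures;", "alerts:", info["alerts"])
        for when, kind, msg in info["timeline"]:
            print("  ", when, kind, msg)
```

The timeline per source is what ends up in a report; the accepted-login count is kept because a burst of failures followed by a success is the case that matters most.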

01 Jan 2011
TL;DR: This paper will show that work done by the forensic community is directly applicable to the VMI problem, and that by providing an interface between the two worlds, the difficulty of developing new virtualization security solutions can be significantly reduced.
Abstract: Virtual machine introspection (VMI) has formed the basis of a number of novel approaches to security in recent years. Although the isolation provided by a virtualized environment provides improved security, software that makes use of VMI must overcome the semantic gap, reconstructing high-level state information from low-level data sources such as physical memory. The digital forensics community has likewise grappled with semantic gap problems in the field of forensic memory analysis (FMA), which seeks to extract forensically relevant information from dumps of physical memory. In this paper, we will show that work done by the forensic community is directly applicable to the VMI problem, and that by providing an interface between the two worlds, the difficulty of developing new virtualization security solutions can be significantly reduced.

Proceedings ArticleDOI
26 Oct 2011
TL;DR: This paper proposes a new anti-forensics technique for mobile devices with the Android OS that makes it possible to modify and erase, securely and selectively, the digital evidence on an Android device without having to use any cryptographic primitives or make any file system changes.
Abstract: In recent years traditional mobile-phones, used only to make calls and send text messages, have evolved into even more versatile and powerful devices (smart phones, tablets, etc.). These devices use a NAND flash memory type to store data, due to it being a memory that has been optimized for the fast updating of data. These flash memory drives usually contain sensitive data that could be a possible danger to the user's privacy. This paper proposes a new anti-forensics technique for mobile devices with the Android OS. The technique makes it possible to modify and erase, securely and selectively, the digital evidence on an Android device without having to use any cryptographic primitives or make any file system changes. While the use of cryptographic primitives or changes to the file system create considerable suspicion in a forensic analysis, the proposed technique uses simple software tools commonly used in *nix-like OSes such as the Android OS.

Proceedings ArticleDOI
10 May 2011
TL;DR: An overview of the state-of-the-art in the forensic investigation of multimedia data, the relationship between the various research fields and further potential research activities is provided.
Abstract: Digital forensics is one of the cornerstones for investigating criminal activities such as fraud, computer security breaches or the distribution of illegal content. The importance and relevance of this research field have attracted various research institutes, leading to substantial progress in the area of digital investigations. One essential piece of evidence is multimedia data. For this reason this paper provides an overview of the state of the art in the forensic investigation of multimedia data, the relationship between the various research fields and further potential research activities.

Book
30 Jun 2011
TL;DR: iPhone and iOS Forensics takes an in-depth look at methods and processes that analyze the iPhone/iPod in an official legal manner and can be taken into any court room.
Abstract: As sales and usage of iPhones increase, so does the demand on organizations that conduct examinations on this device. iPhone and iOS Forensics takes an in-depth look at methods and processes that analyze the iPhone/iPod in an official legal manner. All of the methods and procedures outlined in the book can be taken into any court room. This book details the iPhone with information data sets that are new and evolving, with official hardware knowledge from Apple itself to help aid investigators.
iPhone market share has increased to 50% of worldwide mobile phone usage.
Employment in digital forensics is projected to grow by 30% over the next 5 years, with the US Federal Government looking for 10K qualified pros in 2009 alone.

Proceedings ArticleDOI
16 Nov 2011
TL;DR: Based on a set of real seized phones, the research has been extensively discussed with Italian law enforcement cyber crime specialists in order to find a viable methodology to determine the likelihood that a mobile phone has been used to commit the specific crime of pedophilia.
Abstract: Forensic study of mobile devices is a relatively new field, dating from the early 2000s. The proliferation of phones (particularly smart phones) on the consumer market has caused a growing demand for forensic examination of the devices, which could not be met by existing Computer Forensics techniques. As a matter of fact, law enforcement is much more likely to encounter a suspect with a mobile device in his possession than a PC or laptop, and so the demand for analysis of mobiles has increased exponentially in the last decade. Early investigations, moreover, consisted of live analysis of mobile devices by examining phone contents directly via the screen and photographing it, with the risk of modifying the device content, as well as leaving many parts of the proprietary operating system inaccessible. The recent development of Mobile Forensics, a branch of Digital Forensics, is the answer to the demand for forensically sound examination procedures of gathering, retrieving, identifying, storing and documenting evidence from any digital device that has both internal memory and communication ability [1]. Over time commercial tools appeared which allowed analysts to recover phone content with minimal interference and examine it separately. By means of such toolkits, moreover, it is now possible to think of a new approach to Mobile Forensics which also takes advantage of "Data Mining" and "Machine Learning" theory. This paper is the result of a study concerning cell phone classification in a real case of pedophilia. Based on the Mobile Forensics "Triaging" concept and the adoption of self-knowledge algorithms for classifying mobile devices, we focused our attention on a viable way to predict phone usage classifications. Based on a set of real seized phones, the research has been extensively discussed with Italian law enforcement cyber crime specialists in order to find a viable methodology to determine the likelihood that a mobile phone has been used to commit the specific crime of pedophilia, which could be very relevant during a forensic investigation.

Journal ArticleDOI
TL;DR: The two contributions of this work are that it is shown that common environments exist where proactive collection of forensic evidence is possible and that an efficient and accurate mechanism for collecting evidence in those environments is demonstrated.

Journal ArticleDOI
TL;DR: This work focuses on live data acquisition from the RAM of a desktop PC, with emphasis on distinct strings that can be found in order to reconstruct a previous Facebook session, which helps digital forensics investigators make better-informed decisions when looking for trace digital evidence in today's cybercrime incidents.
Abstract: Social Networking Service (SNS) emerges to be one of the most promising directions of web applications regarding the next generation of Internet technology evolutions. Substantively, innumerable global on-line community members share common interests with each other via User Generated Content (UGC) platforms. Facebook is one of them, and it facilitates the social networking participants to deliver digital content to authorized consumers or specific groups. As cybercrimes mushroom in recent years, more and more digital crime investigations have strong relations to Facebook. Unarguably, Facebook has been exploited by global perpetrators. Consequently, we spotlight live data acquisition from the RAM of the desktop PC, with emphasis on some distinct strings that could be found in order to reconstruct the previous Facebook session, which plays an extremely valuable role for the associated digital forensics investigators in making additional thoughtful decisions concerning the discovery of breadcrumb digital evidence in this unparalleled era of cybercrime incidents.

Proceedings ArticleDOI
01 Oct 2011
TL;DR: The impact and limitations of the conventional volatile forensic method, live response, are presented in comparison to the alternative method, memory image analysis, and attention is called to the capabilities of both methods in retrieving and recovering volatile data.
Abstract: Traditionally, incident responders and digital forensic examiners have predominantly relied on live response for volatile data acquisition. While this approach is popular, memory capacity has rapidly changed, making memory a valuable resource for digital investigation, by revealing not only running tasks, but also terminated and cached processes. This research presents the impact and the limitations of the conventional volatile forensic method, live response, in comparison to the alternative method, memory image analysis. The experiment's results demonstrate, and we discuss, the forensic effects of executing a live response toolkit, which alters the volatile data environment significantly in some cases and can overwrite potential evidence. Memory image analysis is also leveraged as an alternative approach that helps mitigate the risk of losing volatile evidence such as terminated and cached processes, which are ignored during live response. This comparative analysis calls attention to the capabilities of both methods in retrieving and recovering volatile data.

Proceedings ArticleDOI
10 May 2011
TL;DR: This paper examines the usability aspect of forensics tools through interviews and surveys designed to obtain feedback from professionals using these tools as part of their regularly assigned duties.
Abstract: Digital forensics has become a critical part of almost every investigation, and users of digital forensics tools are becoming more diverse in their backgrounds and interests. As a result, usability is an important aspect of these tools. This paper examines the usability aspect of forensics tools through interviews and surveys designed to obtain feedback from professionals using these tools as part of their regularly assigned duties. The study results highlight a number of usability issues that need to be taken into consideration when designing and implementing digital forensics tools.


Book
03 Jan 2011
TL;DR: The first book of its kind EVER -- Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files.
Abstract: Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER -- Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.
Packed with real-world examples using freely available open source tools.
Deep explanation and understanding of the Windows Registry, the most difficult part of Windows to analyze forensically.
Includes a CD containing code and author-created tools discussed in the book.

01 Jan 2011
TL;DR: An overview of the current state-of-the-art in file carving is presented and the implementation of a file carver for fragmented multimedia files is focused on.
Abstract: File carving is a recovery technique that recovers files based on information about their structure and content without matching file system information. As files can be recovered from their content and/or file structure this technique is indispensable during digital forensics investigations. So far many approaches for the recovery of digital images have been proposed. The main contribution of this paper is a discussion of existing and new approaches for the recovery of multimedia files. After a short discussion of relevant multimedia file formats we present an overview of the current state-of-the-art in file carving. In the main part we focus on the implementation of a file carver for fragmented multimedia files. Finally, we summarize our findings and give an outlook with regard to post-processing files that have been recovered successfully.
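The paper above builds a carver for fragmented multimedia files. The following is an added example, not the paper's carver, that shows the step separating structure-aware carving from plain header/footer carving on JPEG: instead of cutting from SOI (FF D8) to the next EOI (FF D9), it walks the marker segments and reports where the structure stops making sense, so a file whose bytes are not contiguous on disk is flagged rather than silently glued to whatever follows. The "disk image" is a constructed byte string holding two synthetic JPEG shells (a valid marker skeleton without a real picture), and the layout of the fragments is an assumption.

```python
"""Structure-aware carving of JPEG files from a raw byte dump.

Added example, not the carver implemented in the paper above. Walks the marker
segments of each SOI candidate and reports the offset and reason when the structure
breaks; the "disk image" is constructed and contains synthetic JPEG shells only.
"""
import struct

EOI, SOS = 0xD9, 0xDA
# Markers followed by a 2-byte length field: SOFn/DHT/DAC, SOS..EXP, APPn/JPGn/COM
LENGTH_PREFIXED = set(range(0xC0, 0xD0)) | set(range(0xDA, 0xE0)) | set(range(0xE0, 0xFF))


def build_fake_jpeg(entropy_data: bytes) -> bytes:
    """Minimal marker-valid JPEG shell: SOI, APP0, SOS, entropy data, EOI.
    entropy_data must not contain 0xFF (real codecs byte-stuff it as FF 00)."""
    assert b"\xff" not in entropy_data
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 5) + b"JFIF\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    return b"\xff\xd8" + app0 + sos + entropy_data + b"\xff\xd9"


def walk_jpeg(buf: bytes, start: int):
    """Follow the marker structure from an SOI at start.
    Returns (end_offset, status); status is "ok" only when EOI was reached."""
    n = len(buf)
    pos = start + 2
    while True:
        if pos + 2 > n:
            return n, "truncated"
        if buf[pos] != 0xFF:
            return pos, f"expected marker at 0x{pos:x}"
        marker = buf[pos + 1]
        if marker == EOI:
            return pos + 2, "ok"
        if marker == 0xFF:                              # fill byte, skip
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            pos += 2
            continue
        if marker not in LENGTH_PREFIXED:
            return pos, f"unexpected marker 0x{marker:02x} at 0x{pos:x}"
        if pos + 4 > n:
            return n, "truncated"
        seglen = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seglen < 2:
            return pos, f"bad segment length at 0x{pos:x}"
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data: skip stuffed FF 00 and RSTn, stop at the next real marker
            while True:
                i = buf.find(b"\xff", pos)
                if i < 0 or i + 1 >= n:
                    return n, "truncated"
                if buf[i + 1] == 0x00 or 0xD0 <= buf[i + 1] <= 0xD7:
                    pos = i + 2
                    continue
                pos = i
                break


def carve_jpegs(buf: bytes):
    """Scan for SOI signatures and validate each candidate with walk_jpeg."""
    found, pos = [], 0
    while True:
        i = buf.find(b"\xff\xd8\xff", pos)
        if i < 0:
            return found
        end, status = walk_jpeg(buf, i)
        found.append({"offset": i, "end": end, "status": status, "data": buf[i:end]})
        pos = end if status == "ok" else i + 2   # keep looking inside a broken candidate


def build_disk_image() -> bytes:
    """Constructed dump: one intact file and one split inside its entropy data,
    with unrelated bytes (which happen to contain 0xFF) between the two fragments."""
    filler = b"\x55" * 64
    intact = build_fake_jpeg(bytes(range(0xF0)) * 2)
    split = build_fake_jpeg(b"\x10\x20\x30\x40" * 16)
    cut = 16 + 32                        # 16 header bytes, then halfway into the data
    foreign = bytes(range(256))          # ends in 0xFF, followed by the fragment's 0x10
    return filler + intact + filler + split[:cut] + foreign + split[cut:] + filler


if __name__ == "__main__":
    for f in carve_jpegs(build_disk_image()):
        print(f"offset=0x{f['offset']:x} length={len(f['data'])} status={f['status']}")
```

Marker walking catches a break only when foreign bytes happen to look wrong to the parser; a fragment boundary that lands on plausible entropy-coded data passes this check, which is why the paper's carver has to go further and validate the decoded content.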

Journal Article
TL;DR: The developed ontology can be used as a method to further develop a set of standards and procedures for the secure management of digital evidence and the chain of custody of digital evidence.
Abstract: The chain of custody of digital evidence is today an essential part of the digital investigation process. In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept; that is, it must be known exactly who, when, where, why and how came into contact with the evidence in each stage of the digital investigation process. This paper deals with digital evidence and the chain of custody of digital evidence. The authors define a taxonomy and use an ontological approach to manage the chain of custody of digital evidence. The aim of this paper was to develop an ontology to provide a new approach to studying and better understanding the chain of custody of digital evidence. Additionally, the developed ontology can be used as a method to further develop a set of standards and procedures for the secure management of digital evidence.
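The paper above requires that who, when, where, why and how be known for every contact with the evidence. The following is an added example, not the paper's ontology, showing the minimal record a practitioner would keep to make those five facts tamper-evident: each custody entry carries the SHA-256 of the evidence at hand-over and the hash of the previous entry, so an after-the-fact edit to the log, or a change to the evidence itself, is detectable. The names, places, timestamps and the 4 KiB stand-in for a disk image are constructed.

```python
"""Hash-linked chain-of-custody record for one digital evidence item.

Added example, not the ontology proposed in the paper above. Each entry records
the who, when, where, why and how of a transfer, plus the SHA-256 of the evidence
at hand-over; entries are chained by hashing so later edits are detectable.
All names, places and timestamps are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    who: str
    when: str          # ISO 8601 timestamp
    where: str
    why: str
    how: str
    evidence_hash: str
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash of every field except entry_hash, in a canonical serialization."""
        body = asdict(self)
        body.pop("entry_hash")
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyChain:
    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)   # fixed at seizure
        self.entries = []

    def record(self, who, when, where, why, how, evidence: bytes) -> CustodyEntry:
        """Log a hand-over. Refuses if the item presented no longer hashes to the
        value fixed at seizure: a custody step must never alter the evidence."""
        current = sha256_hex(evidence)
        if current != self.evidence_hash:
            raise ValueError(f"{self.evidence_id}: evidence hash changed at hand-over to {who}")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(who, when, where, why, how, current, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Re-derive every hash and link; return a list of problems (empty = intact)."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: contents modified after recording")
            if e.evidence_hash != self.evidence_hash:
                problems.append(f"entry {i}: evidence hash differs from seizure hash")
            prev = e.entry_hash
        return problems


def example_chain() -> CustodyChain:
    """Constructed custody history for a disk image (4 KiB of zeros stands in for it)."""
    image = b"\x00" * 4096
    chain = CustodyChain("disk-image-0001", image)
    chain.record("officer A", "2011-03-01T09:12:00Z", "scene", "seizure", "write-blocked dd", image)
    chain.record("lab clerk B", "2011-03-01T14:30:00Z", "evidence locker 7", "storage", "sealed bag", image)
    chain.record("examiner C", "2011-03-03T08:05:00Z", "forensic lab", "analysis", "working copy", image)
    return chain


if __name__ == "__main__":
    chain = example_chain()
    print("intact" if not chain.verify() else chain.verify())
    chain.entries[1].where = "examiner's desk"   # someone edits the log afterwards
    print(chain.verify())
```

Hash chaining only proves that the log has not been edited since the last entry was written; who may append entries, and where the log copies live, is the procedural part the paper's ontology is meant to standardize.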

Journal ArticleDOI
01 Nov 2011
TL;DR: A self-organizing neural network is used to conceptually cluster search hits retrieved during a real-world digital forensic investigation and indicates that the clustering process significantly reduces information retrieval overhead of the digital forensic text string search process.
Abstract: This research extends text mining and information retrieval research to the digital forensic text string search process. Specifically, we used a self-organizing neural network (a Kohonen Self-Organizing Map) to conceptually cluster search hits retrieved during a real-world digital forensic investigation. We measured information retrieval effectiveness (e.g., precision, recall, and overhead) of the new approach and compared them against the current approach. The empirical results indicate that the clustering process significantly reduces information retrieval overhead of the digital forensic text string search process, which is currently a very burdensome endeavor.

Patent
02 Feb 2011
TL;DR: This patent describes compositions, methods, and kits for issuing and conducting automated imaging and preservation for obtaining digital forensic data from active (i.e., powered-on) and non-active computer systems.
Abstract: Disclosed are compositions, methods, and kits, for issuing and conducting automated imaging and preservation for obtaining digital forensic data from active (i.e., powered-on) and non-active (i.e., powered-off) computer systems. In certain embodiments, the invention further encompasses providing a customer base a preliminary report of data. In other embodiments, the invention encompasses the option to receive a virtual machine file set of the acquired information for additional viewing and examination by the customer. The invention further encompasses methods and systems for implementing the embodiments of the invention. The invention also encompasses methods, apparatuses, and systems for secure forensic investigation of a target machine.