
Showing papers on "Digital forensics published in 2015"


Proceedings ArticleDOI
18 Mar 2015
TL;DR: This paper describes how RAISE has been collected and organized, discusses how digital image forensics and many other multimedia research areas may benefit from this new publicly available benchmark dataset, and tests a very recent forensic technique for JPEG compression detection.
Abstract: Digital forensics is a relatively new research area which aims at authenticating digital media by detecting possible digital forgeries. Indeed, the ever increasing availability of multimedia data on the web, coupled with the great advances reached by computer graphical tools, makes the modification of an image and the creation of visually compelling forgeries an easy task for any user. This in turn creates the need of reliable tools to validate the trustworthiness of the represented information. In such a context, we present here RAISE, a large dataset of 8156 high-resolution raw images, depicting various subjects and scenarios, properly annotated and available together with accompanying metadata. Such a wide collection of untouched and diverse data is intended to become a powerful resource for, but not limited to, forensic researchers by providing a common benchmark for a fair comparison, testing and evaluation of existing and next generation forensic algorithms. In this paper we describe how RAISE has been collected and organized, discuss how digital image forensics and many other multimedia research areas may benefit from this new publicly available benchmark dataset and test a very recent forensic technique for JPEG compression detection.

440 citations


Journal ArticleDOI
TL;DR: A conceptual cloud incident handling model is proposed that brings together incident handling, digital forensic and the Capability Maturity Model for Services to more effectively handle incidents for organisations using the cloud.

169 citations


Journal ArticleDOI
TL;DR: The issues in cloud computing are described using the phases of traditional digital forensics as the base and for each phase of the digital forensic process, a list of challenges and analysis of their possible solutions are included.

162 citations


Proceedings ArticleDOI
27 Jun 2015
TL;DR: A Forensics-aware IoT (FAIoT) model is proposed for supporting reliable forensics investigations in the IoT environment and the first working definition of IoT forensics is proposed.
Abstract: The Internet of Things (IoT) involves numerous connected smart things with different technologies and communication standards. While IoT opens new opportunities in various fields, it introduces new challenges in the field of digital forensics investigations. The existing tools and procedures of digital forensics cannot meet the highly distributed and heterogeneous infrastructure of the IoT. Forensics investigators will face challenges while identifying necessary pieces of evidence from the IoT environment, and collecting and analyzing that evidence. In this article, we propose the first working definition of IoT forensics and systematically analyze the IoT forensics domain to explore the challenges and issues in this special branch of digital forensics. We propose a Forensics-aware IoT (FAIoT) model for supporting reliable forensics investigations in the IoT environment.

140 citations


01 Jan 2015
TL;DR: Although this paper provides a historical context for steganography, the emphasis is on digital applications, focusing on hiding information in online image or audio files.

137 citations


Proceedings ArticleDOI
01 Jul 2015
TL;DR: In this paper, through an extensive review of the motivation and advantages of the fog computing and its unique features as well as the comparison on various scenarios between the Fog Computing and Cloud Computing, the new issues and challenges in fog security and fog forensics are presented and discussed.
Abstract: Although Fog Computing is defined as the extension of the Cloud Computing paradigm, its distinctive characteristics in the location sensitivity, wireless connectivity, and geographical accessibility create new security and forensics issues and challenges which have not been well studied in Cloud security and Cloud forensics. In this paper, through an extensive review of the motivation and advantages of the Fog Computing and its unique features as well as the comparison on various scenarios between the Fog Computing and Cloud Computing, the new issues and challenges in Fog security and Fog forensics are presented and discussed. The result of this study will encourage and promote more extensive research in this fascinating field, Fog security and Fog forensics.

128 citations


Journal ArticleDOI
TL;DR: This work shows which features of these instant messaging applications leave evidentiary traces allowing for suspect data to be reconstructed or partially reconstructed, and whether network forensics or device forensics permits the reconstruction of that activity.

114 citations


Proceedings ArticleDOI
12 Nov 2015
TL;DR: The aim of this paper is to identify the best approach by designing a novel model to conduct the investigation situations for digital forensic professionals and experts based on triage model and 1-2-3 zone model for volatile based data preservation.
Abstract: The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Typically, internet of things (IoT) is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications. The interconnection of these embedded devices including smart objects, is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid. The main research challenge in Internet of things (IoT) for the forensic investigators is based size of the objects of forensic interest, relevancy, blurry network boundaries and edgeless networks, especially on method for conducting the investigation. The aim of this paper is to identify the best approach by designing a novel model to conduct the investigation situations for digital forensic professionals and experts. There was existing research works which introduce models for identifying the objects of forensics interest in investigations, but there were no rigorous testing for accepting the approach. Currently in this work, an integrated model is designed based on triage model and 1-2-3 zone model for volatile based data preservation.

93 citations


Journal ArticleDOI
TL;DR: In this article, a grounded, pragmatic approach based on the in-depth experience gained serving with police taskforces, government agencies, private sector, and international organizations is proposed to raise awareness regarding legal loopholes and enabling technologies, which facilitate acts of cyber crime.
Abstract: The primary goal of this paper is to raise awareness regarding legal loopholes and enabling technologies, which facilitate acts of cyber crime. In perusing these avenues of inquiry, the author seeks to identify systemic impediments which obstruct police investigations, prosecutions, and digital forensics interrogations. Existing academic research on this topic has tended to highlight theoretical perspectives when attempting to explain technology aided crime, rather than presenting practical insights from those actually tasked with working cyber crime cases. The author offers a grounded, pragmatic approach based on the in-depth experience gained serving with police task-forces, government agencies, private sector, and international organizations. The secondary objective of this research encourages policy makers to reevaluate strategies for combating the ubiquitous and evolving threat posed by cyber-criminality. Research in this paper has been guided by the firsthand global accounts (via the author's core involvement in the preparation of the Comprehensive Study on Cybercrime (United Nations Office on Drugs and Crime, 2013)) and is keenly focused on core issues of concern, as voiced by the international community. Further, a fictional case study is used as a vehicle to stimulate thinking and exemplify key points of reference. In this way, the author invites the reader to contemplate the reality of a cyber crime inquiry and the practical limits of the criminal justice process.

86 citations


Journal ArticleDOI
TL;DR: This paper validates and refines a digital forensic readiness framework through a series of expert focus groups and discusses the critical issues facing practitioners in achieving digital forensic readiness.

67 citations


Journal ArticleDOI
TL;DR: The impact of forensic drivers and major design principles like security, privacy and transparency on the design and implementation of a centralized digital forensics service are explored.

Journal ArticleDOI
TL;DR: This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information and introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.

Book
05 Feb 2015
TL;DR: This book discusses the evolution of Digital Forensics, legal challenges in Digital Forensic Investigations, and the future of Cybercrime, Terror, and Policy.
Abstract: 1. Technology and Cybercrime 2. Computer Hackers and Hacking 3. Malware and Automated Computer Attacks 4. Digital Piracy and Intellectual Property Theft 5. Economic Crimes and On-Line Fraud 6. Pornography, Prostitution, and Sex Crimes 7. Cyberbullying, On-Line Harassment, and Cyberstalking 8. On-line Extremism, Cyberterror, and Cyber Warfare 9. Cybercrime and Criminological Theories 10. Evolution of Digital Forensics 11. Acquisition and Examination of Forensic Evidence 12. Legal Challenges in Digital Forensic Investigations 13. The Future of Cybercrime, Terror, and Policy.

Book
01 Sep 2015
TL;DR: Digital forensics and multimedia forensics are rapidly growing disciplines whereby electronic information is extracted and interpreted for use in a court of law as the ubiquity of personal computing and the internet becomes ever-more apparent.

Journal ArticleDOI
TL;DR: The proposed taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories and can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper.
Abstract: Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well-defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.

Book ChapterDOI
07 Oct 2015
TL;DR: It is shown that by the end of the pipeline, the noise may have widely different characteristics compared to the raw image, and the consequences in forensic and counter-forensic imagery are considered.
Abstract: Noise is an intrinsic specificity of all forms of imaging, and can be found in various forms in all domains of digital imagery. This paper offers an overall review of digital image noise, from its causes and models to the degradations it suffers along the image acquisition pipeline. We show that by the end of the pipeline, the noise may have widely different characteristics compared to the raw image, and consider the consequences in forensic and counter-forensic imagery.

Journal ArticleDOI
TL;DR: This paper introduces an approach based on a three-layered ontology, called ORD2I, to represent any digital events, associated with a set of operators to analyse the resulting timeline and to ensure the reproducibility of the investigation.

Proceedings ArticleDOI
12 Oct 2015
TL;DR: GUITAR is an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image and is robust in reconstructing meaningful GUIs even when facing GUI data loss.
Abstract: An Android app's graphical user interface (GUI) displays rich semantic and contextual information about the smartphone's owner and app's execution. Such information provides vital clues to the investigation of crimes in both cyber and physical spaces. In real-world digital forensics however, once an electronic device becomes evidence most manual interactions with it are prohibited by criminal investigation protocols. Hence investigators must resort to "image-and-analyze" memory forensics (instead of browsing through the subject phone) to recover the apps' GUIs. Unfortunately, GUI reconstruction is still largely impossible with state-of-the-art memory forensics techniques, which tend to focus only on individual in-memory data structures. An Android GUI, however, displays diverse visual elements each built from numerous data structure instances. Furthermore, whenever an app is sent to the background, its GUI structure will be explicitly deallocated and disintegrated by the Android framework. In this paper, we present GUITAR, an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image. To do so, GUITAR involves the reconstruction of (1) GUI tree topology, (2) drawing operation mapping, and (3) runtime environment for redrawing. Our evaluation shows that GUITAR is highly accurate (80-95% similar to original screenshots) at reconstructing GUIs from memory images taken from a variety of Android apps on popular phones. Moreover, GUITAR is robust in reconstructing meaningful GUIs even when facing GUI data loss.

Proceedings ArticleDOI
26 Apr 2015
TL;DR: The challenges in cloud forensics that are identified in the current research literature are examined and the current research proposals and technical solutions addressed in the respective research are explored.
Abstract: Cloud computing is a promising next generation computing paradigm which offers significant economic benefits to both commercial and public entities. Due to the unique combination of characteristics that cloud computing introduces, including on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service, digital investigations face various technical, legal and organizational challenges to keep up with current developments in the field of cloud computing. There are plenty of issues that need to be resolved in order to perform a proper digital investigation in the cloud environment. This paper examines the challenges in cloud forensics that are identified in the current research literature. Furthermore it explores the current research proposals and technical solutions addressed in the respective research. Ultimately, it highlights the open problems that need further efforts to be tackled.

Journal ArticleDOI
TL;DR: This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data to provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts.

Journal ArticleDOI
TL;DR: The authors introduce a novel class of processes called concurrent processes that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence.
Abstract: Performing a digital forensic investigation (DFI) requires a standardized and formalized process. There is currently neither an international standard nor does a global, harmonized DFI process (DFIP) exist. The authors studied existing state-of-the-art DFIP models and concluded that there are significant disparities pertaining to the number of processes, the scope, the hierarchical levels, and concepts applied. This paper proposes a comprehensive model that harmonizes existing models. An effort was made to incorporate all types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness. The authors introduce a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence. Ultimately, the proposed model is intended to be used for different types of DFI and should lead to standardization.

Proceedings ArticleDOI
12 Oct 2015
TL;DR: VCR is presented, a memory forensics technique which aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device's cameras by leveraging key aspects of the Android framework to improve vendor-customized Android memory image analysis.
Abstract: The ubiquity of modern smartphones means that nearly everyone has easy access to a camera at all times. In the event of a crime, the photographic evidence that these cameras leave in a smartphone's memory becomes vital pieces of digital evidence, and forensic investigators are tasked with recovering and analyzing this evidence. Unfortunately, few existing forensics tools are capable of systematically recovering and inspecting such in-memory photographic evidence produced by smartphone cameras. In this paper, we present VCR, a memory forensics technique which aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device's cameras. By leveraging key aspects of the Android framework, VCR extends existing memory forensics techniques to improve vendor-customized Android memory image analysis. Based on this, VCR targets application-generic artifacts in an input memory image which allow photographic evidence to be collected no matter which application produced it. Further, VCR builds upon the Android framework's existing image decoding logic to both automatically recover and render any located evidence. Our evaluation with commercially available smartphones shows that VCR is highly effective at recovering all forms of photographic evidence produced by a variety of applications across several different Android platforms.

Proceedings ArticleDOI
24 Aug 2015
TL;DR: The state-of-the-art in cloud-focused, digital forensic practises for the collection and analysis of evidence and an overview of the potential use of cloud technologies to provide Digital Forensics as a Service are examined.
Abstract: Cloud Computing is a commonly used, yet ambiguous term, which can be used to refer to a multitude of differing dynamically allocated services. From a law enforcement and forensic investigation perspective, cloud computing can be thought of as a double edged sword. While on one hand, the gathering of digital evidence from cloud sources can bring with it complicated technical and cross-jurisdictional legal challenges. On the other, the employment of cloud storage and processing capabilities can expedite the forensics process and focus the investigation onto pertinent data earlier in an investigation. This paper examines the state-of-the-art in cloud-focused, digital forensic practises for the collection and analysis of evidence and an overview of the potential use of cloud technologies to provide Digital Forensics as a Service.

Journal ArticleDOI
TL;DR: This paper explores the branch of forensic analysis which is based on the identification of the source, specifically on the grouping or clustering of images according to their source acquisition, with a combination of hierarchical and flat clustering and the use of Sensor Pattern Noise.
Abstract: Every day the use of images from mobile devices as evidence in legal proceedings is more usual and common. Image source acquisition identification is a branch of digital forensic analysis. We use a combination of hierarchical and flat clustering and the use of Sensor Pattern Noise for source identification. We make a series of experiments which emulate similar situations to those that may occur in reality. Every day the use of images from mobile devices as evidence in legal proceedings is more usual and common. Therefore, forensic analysis of mobile device images takes on special importance. This paper explores the branch of forensic analysis which is based on the identification of the source, specifically on the grouping or clustering of images according to their source acquisition. In contrast with other state of the art techniques for source identification, hierarchical clustering does not involve a priori knowledge of the number of images or devices to be identified or training data for a future classification stage. That is, a grouping by classes with all the input images is performed. The proposal is based on the combination of hierarchical and flat clustering and the use of Sensor Pattern Noise (SPN). There has been a series of experiments which emulate similar situations to those that may occur in reality to test the robustness and reliability of the results of the technique. The results are satisfactory in all the experiments, obtaining high rates of success.

Proceedings ArticleDOI
24 Aug 2015
TL;DR: This article proposes the first working definition of big data forensics, systematically analyzes the big data forensics domain to explore the challenges and issues in this forensics paradigm, and presents several use cases, where big data forensics can provide new insights to determine facts about criminal incidents.
Abstract: The age of big data opens new opportunities in various fields. While the availability of a big dataset can be helpful in some scenarios, it introduces new challenges in digital forensics investigations. The existing tools and infrastructures cannot meet the expected response time when we investigate on a big dataset. Forensics investigators will face challenges while identifying necessary pieces of evidence from a big dataset, and collecting and analyzing that evidence. In this article, we propose the first working definition of big data forensics and systematically analyze the big data forensics domain to explore the challenges and issues in this forensics paradigm. We propose a conceptual model for supporting big data forensics investigations and present several use cases, where big data forensics can provide new insights to determine facts about criminal incidents.

Proceedings ArticleDOI
01 Aug 2015
TL;DR: The authors have proposed an Enhanced Cloud Forensic Readiness (ECFR) process model with event reconstruction process that can support future investigative technologies with a degree of certainty and an algorithm that shows the methodology that is used to reconstruct events in the ECFR.
Abstract: During post-event response, proactive forensics is of critical importance in any organisation when conducting digital forensic investigations in cloud environments. However, there exist no reliable event reconstruction processes in the cloud that can help in analysis and examination of Digital Evidence (DE) aspects, during Digital Forensic Readiness (DFR) process, as defined in the standard of ISO/IEC 27043:2015. The problem that this paper addresses is the lack of an easy way of performing digital event reconstruction process when the cloud is forensically ready in preparation of a Digital Forensic Investigation (DFI). During DFR approaches, event reconstruction helps in examination and pre-analysis of the characteristics of potential security incidents. As a result, the authors have proposed an Enhanced Cloud Forensic Readiness (ECFR) process model with event reconstruction process that can support future investigative technologies with a degree of certainty. We also propose an algorithm that shows the methodology that is used to reconstruct events in the ECFR. The main focus of this work is to examine the addition of event reconstruction to the initially proposed Cloud Forensic Readiness (CFR) model, by providing a more enhanced and detailed cloud forensic readiness model.

Journal ArticleDOI
TL;DR: An overview of the extent to which the problem and challenges are faced in the digital chain of custody issue as well as the scope of researches that can be done to contribute in the issue of the digital chain of custody is given.
Abstract: Digital forensics starts to show its role and contribution in the society as a solution in disclosure of cybercrime. The essential in digital forensics is chain of custody, which is an attempt to preserve the integrity of digital evidence as well as a procedure for performing documentation chronologically toward evidence. The characteristics of digital evidence have caused the handling chain of custody is becoming more complicated and complex. A number of researchers have contributed to provide solutions for the digital chain custody through a different point of views. This paper gives an overview of the extent to which the problem and challenges are faced in the digital chain of custody issue as well as the scope of researches that can be done to contribute in the issue of the digital chain of custody.

Proceedings ArticleDOI
27 Jun 2015
TL;DR: This paper defines cloud forensics considering the role of the CSP and proposes the Open Cloud Forensics (OCF) model, and proposes a cloud computing architecture and validate the proposed model using a case study, which is inspired from an actual civil lawsuit.
Abstract: The rise of cloud computing has changed the way computing services and resources are used. However, existing digital forensics science cannot cope with the black-box nature of clouds nor with multi-tenant cloud models. Because of the fundamental characteristics of clouds, many assumptions of digital forensics are invalidated in clouds. In the digital forensics process involving clouds, the role of cloud service providers (CSP) is utterly important, a role which needs to be considered in the science of cloud forensics. In this paper, we define cloud forensics considering the role of the CSP and propose the Open Cloud Forensics (OCF) model. Based on this OCF model, we propose a cloud computing architecture and validate our proposed model using a case study, which is inspired from an actual civil lawsuit.

Book ChapterDOI
05 Jun 2015
TL;DR: This chapter conducted a number of experiments to locate data remnants of users' activities when utilizing the Ubuntu One cloud service, extracting a variety of potentially evidential items ranging from Ubuntu One databases and log files on persistent storage to remnants of user activities in device memory and network traffic.
Abstract: STorage as a Service (STaaS) cloud services have been adopted by both individuals and businesses as a dominant technology worldwide. Similar to other technologies, this widely accepted service can be misused by criminals. Investigating cloud platforms is becoming a standard component of contemporary digital investigation cases. Hence, digital forensic investigators need to have a working knowledge of the potential evidence that might be stored on cloud services. In this chapter, we conducted a number of experiments to locate data remnants of users' activities when utilizing the Ubuntu One cloud service. We undertook experiments based on common activities performed by users on cloud platforms including downloading, uploading, viewing, and deleting files. We then examined the resulting digital artifacts on a range of client devices, namely, Windows 8.1, Apple Mac OS X, and Apple iOS. Our examination extracted a variety of potentially evidential items ranging from Ubuntu One databases and log files on persistent storage to remnants of user activities in device memory and network traffic.