Showing papers on "Digital forensics" published in 2019


Journal ArticleDOI
TL;DR: IoT’s novel factors affecting traditional computer forensics are explored, including its strengths and weaknesses, and several indispensable open research challenges are identified as future research directions.

232 citations


Journal ArticleDOI
22 Mar 2019
TL;DR: An IoT-based forensic model is presented that supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure and uses the popular Amazon Echo as a use case to demonstrate how the proposed model can be used to guide forensics analysis of IoT devices.
Abstract: Internet of Things (IoT) are increasingly common in our society, and can be found in civilian settings as well as sensitive applications, such as battlefields and national security. Given the potential of these devices to be targeted by attackers, they are a valuable source in digital forensic investigations. In addition, incriminating evidence may be stored on an IoT device (e.g., Amazon Echo in a home environment and Fitbit worn by the victim or an accused person). In comparison to IoT security and privacy literature, IoT forensics is relatively under-studied. IoT forensics is also challenging in practice, particularly due to the complexity, diversity, and heterogeneity of IoT devices and ecosystems. In this paper, we present an IoT-based forensic model that supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure. Specifically, we use the popular Amazon Echo as a use case to demonstrate how our proposed model can be used to guide forensics analysis of IoT devices.

103 citations


Journal ArticleDOI
TL;DR: A new definition for the IoT is provided, in addition to a taxonomy of network forensic solutions developed for both conventional and IoT settings, and the applicability of deep learning in network forensics is investigated.
Abstract: The constant miniaturization of hardware and an increase in power efficiency have made possible the integration of intelligence into ordinary devices. This trend of augmenting so-called non-intelligent everyday devices with computational capabilities has led to the emergence of the Internet of Things (IoT) domain. With a wide variety of applications, such as home automation, smart grids/cities, and critical infrastructure management, IoT systems make compelling targets for cyber-attacks. In order to effectively compromise these systems, adversaries employ different advanced persistent threat (APT) methods, one such sophisticated method being botnets. By employing a plethora of infected machines (bots), attackers manage to compromise IoT systems and exploit them. Prior to the appearance of the IoT domain, specialized digital forensics mechanisms were developed in order to investigate botnet activities in small-scale systems. Since IoT-enabled botnets are scalable, technologically diverse and make use of current high-speed networks, developing forensic mechanisms capable of investigating IoT botnet activities has become an important challenge in the cyber-security field. Various studies have proposed deep learning as a viable solution for handling IoT-generated data, as it was designed to handle diverse data in large volumes requiring near real-time processing. In this study, we provide a review of forensics and deep learning mechanisms employed to investigate botnets and their applicability in IoT environments. We provide a new definition for the IoT, in addition to a taxonomy of network forensic solutions developed for both conventional and IoT settings. Furthermore, we investigate the applicability of deep learning in network forensics and the inherent challenges of applying network forensics techniques to the IoT, and provide future directions for research in this field.

88 citations


Journal ArticleDOI
TL;DR: This research proposes Forensic-Chain, a blockchain-based digital forensics chain of custody, bringing integrity and tamper resistance to the digital forensics chain of custody.

82 citations


Journal ArticleDOI
TL;DR: A conceptual SDN-based security monitoring framework based on SDN, Network Behavior Analysis (NBA), deep learning models, and DPI attack corroboration is proposed, as well as a conceptual forensic-driven security monitoring framework in which digital forensics and investigation capabilities are integrated to inform security monitoring.

79 citations


Journal ArticleDOI
TL;DR: A digital forensics framework for the IoT environment based on the blockchain technology, where all communications of IoT devices are stored in the blockchain as transactions, thus making the existing chain of custody process easier and more powerful.
Abstract: Until now, there has been little research on digital forensics in the IoT (Internet of Things)-based infrastructure. Current digital forensic tools, investigation frameworks, and processes cannot meet the heterogeneity and distribution characteristics of the IoT environment. These characteristics are a challenge for digital forensic investigators and law enforcement agencies. To solve these problems, this paper proposes a digital forensics framework for the IoT environment based on the blockchain technology. In the proposed framework, all communications of IoT devices are stored in the blockchain as transactions, thus making the existing chain of custody process easier and more powerful. By using the blockchain technology, the integrity of the data to be analyzed is ensured and security is strengthened, and the preservation of integrity is made more reliable by a decentralized method of integrity preservation. In addition, since the public distributed ledger is provided, participants in the forensic investigation—such as device users, manufacturers, investigators, and service providers—can confirm the investigation process transparently. We simulated the proposed model to support the proof of concept.

74 citations


Journal ArticleDOI
TL;DR: This work presents a study of IoT devices and associated smartphone applications, providing approaches to extracting and analyzing digital traces, and led to the discovery of vulnerabilities in multiple devices.

74 citations


Journal ArticleDOI
TL;DR: A comprehensive survey of cloud forensic literature published between January 2007 and December 2018 is performed, categorized using a five-step forensic investigation process, and a taxonomy of existing cloud forensic solutions is presented.
Abstract: The challenges of cloud forensics have been well-documented by both researchers and government agencies (e.g., U.S. National Institute of Standards and Technology), although many of the challenges remain unresolved. In this article, we perform a comprehensive survey of cloud forensic literature published between January 2007 and December 2018, categorized using a five-step forensic investigation process. We also present a taxonomy of existing cloud forensic solutions, with the aim of better informing both the research and practitioner communities, as well as an in-depth discussion of existing conventional digital forensic tools and cloud-specific forensic investigation tools. Based on the findings from the survey, we present a set of design guidelines to inform future cloud forensic investigation processes, and a summary of digital artifacts that can be obtained from different stakeholders in the cloud computing architecture/ecosystem.

66 citations


Journal ArticleDOI
TL;DR: The performance of the forensic architecture is evaluated and compared to the existing model using various performance measures; it reduces delay, response time and processing time and increases throughput, accuracy, and security parameters.
Abstract: A potential solution for forensics is the use of blockchain in software-defined networking (SDN). The blockchain is a distributed peer-to-peer network that can be utilized in SDN-based Internet of Things (IoT) environments for security provisioning. Hence, to meet some challenges in digital forensics such as data integrity and evidence deletion or alteration, blockchain is used. However, some problems such as poor attack detection and slow processing existed in previous works. To address these issues, an efficient forensics architecture is proposed in SDN-IoT that establishes the Chain of Custody (CoC) in blockchain technology. The proposed SDN-based IoT architecture is initiated with flow table rules on switches for three different traffic types: Voice over Internet Protocol (VoIP), File Transfer Protocol (FTP), and Hyper Text Transfer Protocol (HTTP). In this work, overloaded switches migrate the packets to nearby switches to balance the packet flow. Packets disobeying flow rules will be discarded by switches. The blockchain-based distributed controller in this forensic architecture is designed to use the Linear Homomorphic Signature (LHS) algorithm for validating users. Each controller is fed with a classifier that uses the Neuro Multi-fuzzy to classify malicious packets based on packet features. The logs of events are used and stored on the blockchain in the proposed SDN-IoT architecture. We evaluated the performance of our forensic architecture and compared it to the existing model using various performance measures. Our evaluation results demonstrate performance improvement by reducing delay, response time and processing time, and increasing throughput, accuracy, and security parameters.

65 citations


Journal ArticleDOI
TL;DR: This work explores the electromagnetic (EM) side-channel analysis literature for the purpose of assisting digital forensic investigations on IoT devices, to identify promising future applications of the technique for digital forensic analysis on IoT devices, potentially progressing a wide variety of currently hindered digital investigations.

62 citations


Journal ArticleDOI
TL;DR: Following the analysis of healthcare data breach causes and threats, a conceptual architecture for forensic audit logging is presented to assist with capture of the relevant digital artefacts in support of possible future digital investigations.
Abstract: While the healthcare industry is undergoing disruptive digital transformation, data breaches involving health information are not usually the result of integration of new technologies. Based on published industry reports, fundamental security safeguards are still considered to be lacking with many documented data breaches occurring as the result of device and equipment theft, human error, hacking, ransomware attacks and misuse. Health information is considered to be one of the most attractive targets for cybercriminals due to its inherent sensitivity, but digital investigations of incidents involving health information are often constrained by the lack of the necessary infrastructure forensic readiness. Following the analysis of healthcare data breach causes and threats, we describe the associated digital forensic readiness challenges in the context of the most significant incident causes. With specific focus on privilege misuse, we present a conceptual architecture for forensic audit logging to assist with capture of the relevant digital artefacts in support of possible future digital investigations.

Proceedings ArticleDOI
24 Jun 2019
TL;DR: A blockchain-based solution, designed for the smart home domain, dealing with the collection and preservation of digital forensic evidence, which allows tackling the unique challenges posed by the need for digitally handling forensic evidence collected from IoT networks.
Abstract: The technological evolution brought by the Internet of Things (IoT) comes with new forms of cyber-attacks exploiting the complexity and heterogeneity of IoT networks, as well as the existence of many vulnerabilities in IoT devices. The detection of compromised devices, as well as the collection and preservation of evidence regarding alleged malicious behavior in IoT networks, emerge as areas of high priority. This paper presents a blockchain-based solution, designed for the smart home domain, dealing with the collection and preservation of digital forensic evidence. The system utilizes a private forensic evidence database, where the captured evidence is stored, along with a permissioned blockchain that provides security services like integrity, authentication, and non-repudiation, so that the evidence can be used in a court of law. The blockchain stores evidence metadata, which is critical for providing the aforementioned services, and interacts via smart contracts with the different entities involved in an investigation process, including Internet service providers, law enforcement agencies and prosecutors. A high-level architecture of the blockchain-based solution is presented that allows tackling the unique challenges posed by the need for digitally handling forensic evidence collected from IoT networks.

Journal ArticleDOI
TL;DR: A block-enabled forensics framework for IoT, namely IoT forensic chain (IoTFC), which can offer forensic investigation with good authenticity, immutability, traceability, resilience, and distributed trust between evidential entities as well as examiners, is presented.
Abstract: The decentralized nature of blockchain technologies can well match the needs of integrity and provenance of evidence collection in digital forensics (DF) across jurisdictional borders. In this paper, a novel blockchain-based DF investigation framework in the Internet of Things (IoT) and social systems environment is proposed, which can provide proof of existence and privacy preservation for evidence item examination. To implement such features, we present a block-enabled forensics framework for IoT, namely IoT forensic chain (IoTFC), which can offer forensic investigation with good authenticity, immutability, traceability, resilience, and distributed trust between evidential entities as well as examiners. The IoTFC can deliver a guarantee of traceability and track provenance of evidence items. Details of evidence identification, preservation, analysis, and presentation will be recorded in chains of blocks. The IoTFC can increase trust in both evidence items and examiners by providing transparency of the audit trail. The use case demonstrated the effectiveness of the proposed method.

Journal ArticleDOI
TL;DR: An analysis of seven sources of cognitive and human error specifically within the digital forensics process, with a discussion of relevant countermeasures, concludes that although some cognitive and bias issues are very similar across forensic domains, others are different and dependent on the specific characteristics of the domain in question, such as digital forensics.

Journal ArticleDOI
01 Jan 2019
TL;DR: A generic framework for diverging DL cognitive computing techniques into Cyber Forensics (CF) hereafter referred to as the DLCF Framework is proposed, which holds the potential to dramatically change the domain of CF in a variety of ways as well as provide solutions to forensic investigators.
Abstract: More than ever before, the world is nowadays experiencing increased cyber-attacks in all areas of our daily lives. This situation has made combating cybercrimes a daily struggle for both individuals and organisations. Furthermore, this struggle has been aggravated by the fact that today's cybercriminals have gone a step ahead and are able to employ complicated cyber-attack techniques. Some of those techniques are minuscule and inconspicuous in nature and often camouflage in the facade of authentic requests and commands. In order to combat this menace, especially after a security incident has happened, cyber security professionals as well as digital forensic investigators are always forced to sift through large and complex pools of data, also known as Big Data, in an effort to unveil Potential Digital Evidence (PDE) that can be used to support litigation. Gathered PDE can then be used to help investigators arrive at particular conclusions and/or decisions. In the case of cyber forensics, what makes the process even tougher for investigators is the fact that Big Data often comes from multiple sources and has different file formats. Forensic investigators often have less time and budget to handle the increased demands when it comes to the analysis of these large amounts of complex data for forensic purposes. It is for this reason that the authors in this paper have realised that Deep Learning (DL), which is a subset of Artificial Intelligence (AI), has very distinct use-cases in the domain of cyber forensics, and even if many people might argue that it's not an unrivalled solution, it can help enhance the fight against cybercrime. This paper therefore proposes a generic framework for diverging DL cognitive computing techniques into Cyber Forensics (CF), hereafter referred to as the DLCF Framework. DL uses some machine learning techniques to solve problems through the use of neural networks that simulate human decision-making. Based on these grounds, DL holds the potential to dramatically change the domain of CF in a variety of ways as well as provide solutions to forensic investigators. Such solutions can range from reducing bias in forensic investigations to challenging what evidence is considered admissible in a court of law or any civil hearing, and many more.

Journal ArticleDOI
TL;DR: The proposed forensic architecture, using fast-growing Software-Defined Networking (SDN) and Blockchain technology for Infrastructure-as-a-Service (IaaS) cloud, shows promising results in response time, evidence insertion time, evidence verification time, communication overhead, hash computation time, key generation time, encryption time, decryption time and total change rate.
Abstract: Cloud forensics is an intelligent evolution of digital forensics that defends against cyber-crimes. However, centralized evidence collection and preservation minimizes the reliability of digital evidence. To resolve this severe problem, this paper proposes a novel digital forensic architecture using fast-growing Software-Defined Networking (SDN) and Blockchain technology for Infrastructure-as-a-Service (IaaS) cloud. In this proposed forensic architecture, the evidence is collected and preserved in the blockchain that is distributed among multiple peers. To protect the system from unauthorized users, a Secure Ring Verification based Authentication (SRVA) scheme is proposed. To strengthen the cloud environment, secret keys are generated optimally by using the Harmony Search Optimization (HSO) algorithm. All data are encrypted based on the sensitivity level and stored in the cloud server. For encryption, the Sensitivity Aware Deep Elliptic Curve Cryptography (SA-DECC) algorithm is presented. For every data item stored in the cloud, a block is created in the SDN controller and the history of the data is recorded as metadata. In each block, the Merkle hash tree is built by using Secure Hashing Algorithm-3 (SHA-3). Our system allows users to trace their data by deploying Fuzzy based Smart Contracts (FCS). Finally, evidence analysis is enabled by constructing a Logical Graph of Evidence (LGoE) collected from the blockchain. Experiments are conducted in an integrated environment of Java (for cloud and blockchain) and network simulator-3.26 (for SDN). The extensive analysis shows that the proposed forensic architecture shows promising results in response time, evidence insertion time, evidence verification time, communication overhead, hash computation time, key generation time, encryption time, decryption time and total change rate.

Journal ArticleDOI
TL;DR: There is weak integration of digital forensics and forensic science, despite over a decade of effort to break down the borders between them, and the quality of digital forensic results is decreasing and comprehension of cybercrime is diminishing.
Abstract: There is weak integration of digital forensics and forensic science, despite over a decade of effort to break down the borders between them. As more criminal investigations involve digital traces i...

Journal ArticleDOI
TL;DR: This paper proposes a practical privacy-preserving K-means clustering scheme that can be efficiently outsourced to cloud servers, and allows cloud servers to perform clustering directly over encrypted datasets, while achieving comparable computational complexity and accuracy compared with clusterings over unencrypted ones.
Abstract: Clustering techniques have been widely adopted in many real-world data analysis applications, such as customer behavior analysis, targeted marketing, digital forensics, etc. With the explosion of data in today's big data era, a major trend for handling clustering over large-scale datasets is outsourcing it to public cloud platforms. This is because cloud computing offers not only reliable services with performance guarantees, but also savings on in-house IT infrastructure. However, as datasets used for clustering may contain sensitive information, e.g., patient health information, commercial data, and behavioral data, directly outsourcing them to public cloud servers inevitably raises privacy concerns. In this paper, we propose a practical privacy-preserving K-means clustering scheme that can be efficiently outsourced to cloud servers. Our scheme allows cloud servers to perform clustering directly over encrypted datasets, while achieving comparable computational complexity and accuracy compared with clustering over unencrypted ones. We also investigate secure integration of MapReduce into our scheme, which makes our scheme extremely suitable for the cloud computing environment. Thorough security analysis and numerical analysis carry out the performance of our scheme in terms of security and efficiency. Experimental evaluation over a 5 million object dataset further validates the practical performance of our scheme.

Journal ArticleDOI
TL;DR: The current state of digital forensic tool-testing in 2018 is examined along with the difficulties of sufficiently testing applications for use in this discipline, providing an insight into industry consensus surrounding tool-testing and reliability.

Journal ArticleDOI
28 Jun 2019
TL;DR: It is posited the importance of having the report generation process covering details obtained from all other classes of the digital investigation processes in a standardised format, as well as the need to standardise the process of generating digital forensic reports.
Abstract: The ISO/IEC 27043:2015 international standard provides new standardised guidelines for common investigation processes across various investigation scenarios that mostly involve digital evidence. The reporting process is one of the many investigative processes described in the ISO/IEC 27043:2015 standard, but the manner in which the reporting process is presented does not constitute or cover the specificity of the presentation of the entire processes covered in the standard. In this paper, we posit the importance of having the report generation process covering details obtained from all other classes of the digital investigation processes in a standardised format, as well as the need to standardise the process of generating digital forensic reports. Such a standardised process can facilitate future automation and text analytics, sharing of reports and knowledge across jurisdictions, etc. We also identify a number of key factors, such as the use of Blockchain, which should be added to the ISO/IEC 27043 international standard in order to support a standardised digital forensic report generation process.

Journal ArticleDOI
01 Nov 2019
TL;DR: This work provides an introductory discussion to Robotic Process Automation, a form of service task automation, and an objective evaluation is offered, debating whether technology has a place in improving efficiency in this field.
Abstract: The challenges of tackling increasing caseloads, large volumes of digital data and maintaining examination efficiency in order to adhere to tight criminal justice system deadlines persist. As the field looks towards techniques for improving efficiency, forms of automation are both simultaneously touted as a potential solution, whilst also attracting criticism. The potential for techniques which mechanise parts of the digital forensic examination process, and do it reliably, is great, however developing the capability to do this remains a challenge. This work provides an introductory discussion to Robotic Process Automation, a form of service task automation. Its potential application is debated and two case studies are offered demonstrating potential areas of applicability. An objective evaluation is offered, debating whether technology has a place in improving efficiency in this field.

Book ChapterDOI
01 Jan 2019
TL;DR: The value and means of utilising Blockchain in modern systems to support DFIR are discussed, the value of Blockchain to improve the implementation of Digital Forensic Models is demonstrated and why law enforcement and incident responders need to understand Blockchain technology is discussed.
Abstract: Blockchain technology can be incorporated into new systems to facilitate modern Digital Forensics and Incident Response (DFIR). For example, it is widely acknowledged that the Internet-of-Things (IoT) has introduced complexity to cyberspace; however, incident responders should also realise the advantages presented by these new “Digital Witnesses” (DW) to support their investigation. Logs generated by IoT devices can help in the process of event reconstruction, but their integrity (and therefore admissibility) can be achieved only if a Chain-of-Custody (CoC) is maintained within the wider context of an on-going digital investigation. Likewise, the transition to electronic documentation improves data availability, legibility, and the utility of notes, and therefore enhances the communication between stakeholders. However, without a proof of validity, these data could be falsified. For example, in an application area such as eHealth, there is a requirement to maintain various existing (and new) rules and regulations concerning authorship, auditing, and the integrity of medical records. Lacking data control could lead to system abuse, fraud and severe compromise of service quality. These concerns can be resolved by implementing an online CoC. In this paper, we discuss the value and means of utilising Blockchain in modern systems to support DFIR. We demonstrate the value of Blockchain to improve the implementation of Digital Forensic Models and discuss why law enforcement and incident responders need to understand Blockchain technology. Furthermore, the admissibility of Digital Evidence to a Court of Law requires chronological documentation. Hence, we discuss how the CoC can be sustained based on a distributed ledger. Finally, we provide a practical scenario related to eHealth to demonstrate the value of this approach to introduce forensic readiness to computer systems and enable better Police interventions.

Proceedings ArticleDOI
11 Apr 2019
TL;DR: This research study analyses the most difficult technical challenges that need to be considered by both law enforcement agencies (LEAs) and Digital Forensic Experts (DFEs) and proposes important specific future research directions that can assist both LEAs and DFEs in adopting a new approach to combating cyber-attacks.
Abstract: In recent years, Information and Communications Technology (ICT) has rapidly advanced, bringing numerous benefits to the lives of many individuals and organisations. Technologies such as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), Cyber-Physical Systems (CPSs) and mobile devices have brought many benefits to technologically-advanced societies. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the lifestyles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new security threats. As a result, the number of cases that necessitate Digital Forensic Investigations (DFIs) is on the rise, culminating in the creation of a backlog of cases for law enforcement agencies (LEAs) worldwide. Therefore, it is of paramount importance that new research approaches be adopted to deal with these security threats. To this end, this paper evaluates the existing set of circumstances surrounding the field of Digital Forensics (DF). Our research study makes two important contributions to the field of DF. First, it analyses the most difficult technical challenges that need to be considered by both LEAs and Digital Forensic Experts (DFEs). Second, it proposes important specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber-attacks.

Journal ArticleDOI
TL;DR: An automated knowledge-sharing forensic platform that automatically suggests forensic artifact schemas, derived from case data, but does not include any sensitive data in the final (shared) schema is presented.
Abstract: It is challenging for digital forensic practitioners to maintain skillset currency, for example knowing where and how to extract digital artifacts relevant to investigations from newer, emerging devices (e.g., due to the increased variety of data storage schemas across manufacturers and constantly changing models). This paper presents a knowledge sharing platform, developed and validated using an Internet of Things dataset released in the DFRWS 2017–2018 forensic challenge. Specifically, we present an automated knowledge-sharing forensic platform that automatically suggests forensic artifact schemas, derived from case data, but does not include any sensitive data in the final (shared) schema. Such artifact schemas are then stored in a schema pool and the platform presents candidate schemas for use in new cases based on the data presented. In this way, investigators need not learn the forensic profile of a new device from scratch, nor do they have to manually anonymize and share forensic knowledge obtained during the course of an investigation.

Journal ArticleDOI
TL;DR: To assist video-based forensic analysis, a deep-learning-based object detection and tracking algorithm is proposed that can detect and identify potential suspects and tools from footage.
Abstract: As a result of the popularity of smart mobile devices and the low cost of surveillance systems, visual data are increasingly being used in digital forensic investigation. Digital videos have been widely used as key evidence sources in evidence identification, analysis, presentation, and reporting. The main goal of this paper is to develop advanced forensic video analysis techniques to assist forensic investigation. We first propose a forensic video analysis framework that employs an efficient video/image enhancing algorithm for the analysis of low-quality footage. An adaptive video enhancement algorithm based on contrast limited adaptive histogram equalization (CLAHE) is introduced to improve closed-circuit television (CCTV) footage quality for use in digital forensic investigation. To assist video-based forensic analysis, a deep-learning-based object detection and tracking algorithm is proposed that can detect and identify potential suspects and tools from footage.

Journal ArticleDOI
TL;DR: The current state of evidence acquisition, admissibility, and jurisdiction in social media forensics is explained and the immediate challenges for the collection, analysis, presentation, and validation of social media evidence in legal proceedings are described.

Journal ArticleDOI
25 Mar 2019
TL;DR: This work presents a new challenge in digital forensics: blockchain-based distributed cloud storage, using STORJ as a technology example.
Abstract: The current state of the art in digital forensics has primarily focused on the acquisition of data from cloud storage. Here, we present a new challenge in digital forensics: blockchain-based distributed cloud storage, using STORJ as a technology example.

Journal ArticleDOI
TL;DR: A comprehensive drone forensic framework that includes hardware/physical and digital forensics, proficient enough for the post-flight investigation of drone activity, is devised; it is intended to offer the forensic science community a powerful approach for investigating drone-related crimes effectively.

Journal ArticleDOI
TL;DR: This research explores the applicability of Artificial Intelligence along with computational logic tools, and in particular the Answer Set Programming (ASP) approach, to the automation of evidence analysis, and presents the formalization of realistic investigative cases via simple ASP programs.
Abstract: In the frame of Digital Forensics (DF) and Digital Investigations (DI), the “Evidence Analysis” phase has the aim to provide objective data, and to perform suitable elaboration of these data so as to help in the formation of possible hypotheses, which could later be presented as elements of proof in court. The aim of our research is to explore the applicability of Artificial Intelligence (AI) along with computational logic tools, and in particular the Answer Set Programming (ASP) approach, to the automation of evidence analysis. We will show how significant complex investigations, hardly solvable for human experts, can be expressed as optimization problems belonging in many cases to the $\mathbb{P}$ or $\mathbb{NP}$ complexity classes. All these problems can be expressed in ASP. As a proof of concept, in this paper we present the formalization of realistic investigative cases via simple ASP programs, and show how such a methodology can lead to the formulation of tangible investigative hypotheses. We also sketch a design for a feasible Decision Support System (DSS) especially meant for investigators, based on artificial intelligence tools.

Journal ArticleDOI
TL;DR: The Behavioural Digital Forensics Model is proposed, a multidisciplinary approach which incorporates BEA into in-lab investigation of seized devices related to interpersonal cases (i.e., digital crimes involving human interactions between offender(s) and victim(s)).