
Digital forensics

About: Digital forensics is a research topic. Over its lifetime, 4270 publications have been published within this topic, receiving 49676 citations. The topic is also known as: digital forensic science & Digital forensics.


Papers
Book
01 Jan 2009

20 citations

Journal ArticleDOI
TL;DR: This paper defines the web applications forensics, and a taxonomic structure of the digital forensics is presented that may significantly reduce the security attacks targeting a web application every day, and hence improve its security.
Abstract: Nowadays, web applications are popular targets for security attackers. Using specific security mechanisms, we can prevent or detect a security attack on a web application, but we cannot find out the criminal who has carried out the security attack. Being unable to trace back an attack encourages hackers to launch new attacks on the same system. Web application forensics aims to trace back and attribute a web application security attack to its originator. This may significantly reduce the security attacks targeting a web application every day, and hence improve its security. The aim of this paper is to carry out a detailed overview of web application forensics. First, we define web application forensics, and we present a taxonomic structure of digital forensics. Then, we present the methodology of a web application forensics investigation. After that, we illustrate the forensics supportive tools for a web application forensics investigation. After that, we present a detailed presentation of a set of the main considered web application forensics tools. Finally, we provide a comparison of the main considered web application forensics tools.

20 citations

Journal ArticleDOI
01 Sep 2020
TL;DR: Methods dealing with camera's photo response non uniformity (PRNU) identification, statistical methods, analysis of camera's optical defects, machine learning and deep models which include convolutional neural networks are investigated.
Abstract: Digital forensics is a topic that has attracted much attention. One of the most common tasks in digital forensics is imaging sensor identification. It may be understood as recognizing a device's origin based on the subject that this device produced. Therefore, areas that match digital forensics include, among others: digital camera, flatbed scanner or printer identification. In this paper we survey methods and algorithms for digital camera identification. The goal of a digital camera identification algorithm is to identify and distinguish a camera's sensor based on produced images. This topic has been especially popular in the forensics community in recent years. The paper discusses two concepts for camera identification: individual source camera identification (ISCI) and source camera model identification (SCMI). The ISCI aims to distinguish a certain camera among cameras of both the same and the different camera models, while the SCMI distinguishes a certain camera model among others but cannot distinguish a certain camera among the same camera models. We investigate methods dealing with these concepts that include: camera's photo response non uniformity (PRNU) identification, statistical methods, analysis of camera's optical defects, machine learning and deep models which include convolutional neural networks. We also provide a description of popular image datasets that can be used for camera identification algorithms evaluation.

20 citations

Journal ArticleDOI
TL;DR: This paper explores PLC Logger's suitability as a forensic tool to acquire and analyse the program code on a PLC and proposes a hypothesis that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs.
Abstract: The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker's intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the "Snapshot" function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker's intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger's suitability as a forensic tool to analyse and acquire the program code. Based on the experiment's results, this hypothesis was rejected as PLC Logger had failed half of the tests. 
This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.

20 citations

Journal ArticleDOI
TL;DR: This paper defines a taxonomy of acquisition methods based on a well-defined partial order that generalizes the concept of ring-based privilege separation and provides a comprehensive survey of state-of-the-art memory acquisition techniques that is agnostic towards the used operating system and the hardware architecture.

20 citations


Network Information
Related Topics (5)
Authentication: 74.7K papers, 867.1K citations, 84% related
Encryption: 98.3K papers, 1.4M citations, 81% related
Cryptography: 37.3K papers, 854.5K citations, 81% related
Server: 79.5K papers, 1.4M citations, 77% related
Mobile computing: 51.3K papers, 1M citations, 76% related
Performance
Metrics
No. of papers in the topic in previous years
Year    Papers
2024    3
2023    205
2022    552
2021    267
2020    339
2019    343