
Digital forensics

About: Digital forensics is a research topic. Over the lifetime, 4270 publications have been published within this topic receiving 49676 citations. The topic is also known as: digital forensic science & Digital forensics.


Papers
Proceedings Article
16 Mar 2009
TL;DR: Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion, but using virtual machines and a technique called virtual machine introspection can help overcome these limits.
Abstract: Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the results and as such are themselves suspect. Using virtual machines and a technique called virtual machine introspection can help overcome these limits, but it introduces its own research challenges. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas in virtual machine introspection including virtual machine introspection tool development, applications of virtual machine introspection to non-quiescent virtual machines, virtual machine introspection covert operations, and virtual machine introspection detection.

44 citations

Proceedings Article
12 Oct 2015
TL;DR: GUITAR is an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image and is robust in reconstructing meaningful GUIs even when facing GUI data loss.
Abstract: An Android app's graphical user interface (GUI) displays rich semantic and contextual information about the smartphone's owner and app's execution. Such information provides vital clues to the investigation of crimes in both cyber and physical spaces. In real-world digital forensics however, once an electronic device becomes evidence most manual interactions with it are prohibited by criminal investigation protocols. Hence investigators must resort to "image-and-analyze" memory forensics (instead of browsing through the subject phone) to recover the apps' GUIs. Unfortunately, GUI reconstruction is still largely impossible with state-of-the-art memory forensics techniques, which tend to focus only on individual in-memory data structures. An Android GUI, however, displays diverse visual elements each built from numerous data structure instances. Furthermore, whenever an app is sent to the background, its GUI structure will be explicitly deallocated and disintegrated by the Android framework. In this paper, we present GUITAR, an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image. To do so, GUITAR involves the reconstruction of (1) GUI tree topology, (2) drawing operation mapping, and (3) runtime environment for redrawing. Our evaluation shows that GUITAR is highly accurate (80-95% similar to original screenshots) at reconstructing GUIs from memory images taken from a variety of Android apps on popular phones. Moreover, GUITAR is robust in reconstructing meaningful GUIs even when facing GUI data loss.

43 citations

Journal Article
TL;DR: This research helps investigators identify the software used to launch the attack and understand its internal flows, and shows that a program’s states can still be extracted even after the garbage collector is explicitly invoked, the software is stopped, or the JVM is terminated.

43 citations

01 Dec 2010
TL;DR: Digital Forensics and Born-Digital Content in Cultural Heritage Collections examines the applicability of digital forensics to archivists, curators, and others working within cultural heritage as mentioned in this paper.
Abstract: Digital Forensics and Born-Digital Content in Cultural Heritage Collections examines digital forensics and its relevance for contemporary research. The applicability of digital forensics to archivists, curators, and others working within our cultural heritage is not necessarily intuitive. When the shared interests of digital forensics and responsibilities associated with securing and maintaining our cultural legacy are identified—preservation, extraction, documentation, and interpretation, as this report details—the correspondence between these fields of study becomes logical and compelling.

43 citations

Journal Article
TL;DR: A process of data reduction by selective imaging and quick analysis, coupled with automated data extraction, gives potential to undertake the analysis of the growing volume of data in a timely manner.
Abstract: The growth in the prevalence of the plethora of digital devices has resulted in growing volumes of disparate data, with potential relevance to criminal and civil investigations. With the increase in data volume, there is an opportunity to build greater case-related knowledge and discover evidence, with implications at all stages of the digital forensic analysis process. The growth in digital devices will potentially further contribute to the growth in big digital forensic data, with a need for practitioners to consider a wider range of data and devices that may be relevant to an investigation. A process of data reduction by selective imaging and quick analysis, coupled with automated data extraction, gives potential to undertake the analysis of the growing volume of data in a timely manner. In this paper, we outline a process of bulk digital forensic data analysis including disparate device data. We research the process with a research data corpus and apply our process to real-world data. The challenges of the growing volume of devices and data will require forensic practitioners to expand their ability to undertake research into newly developed data structures, and be able to explain this to the court, judge, jury, and investigators.

43 citations


Network Information
Related Topics (5)
Authentication: 74.7K papers, 867.1K citations, 84% related
Encryption: 98.3K papers, 1.4M citations, 81% related
Cryptography: 37.3K papers, 854.5K citations, 81% related
Server: 79.5K papers, 1.4M citations, 77% related
Mobile computing: 51.3K papers, 1M citations, 76% related
Performance
Metrics
No. of papers in the topic in previous years
Year    Papers
2024    3
2023    205
2022    552
2021    267
2020    339
2019    343