
Digital forensics

About: Digital forensics is a research topic. Over the lifetime, 4270 publications have been published within this topic receiving 49676 citations. The topic is also known as: digital forensic science & Digital forensics.


Papers
01 Jan 2013
TL;DR: This paper describes digital forensics investigations at the hypervisor level of virtualized environments in greater detail and introduces the reader to the topic of evidence correlation within cloud computing infrastructures.
Abstract: Cloud forensics refers to digital forensics investigations performed in cloud computing environments. Nowadays digital investigators face various technical, legal, and organizational challenges to keep up with current developments in the field of cloud computing. But, due to its dynamic nature, cloud computing also offers several opportunities to improve digital investigations in cloud environments. The enormous available computing power can be leveraged to process massive amounts of information in order to extract relevant evidence. In the first part of this paper we focus on the current state-of-the-art of affected fields of cloud forensics. The benefit for the reader of this paper is therefore a clear overview of the challenges and opportunities for scientific developments in the field of cloud forensics. As this paper represents an extended version of our paper presented at the ARES 2012 conference, we describe digital forensics investigations at the hypervisor level of virtualized environments in greater detail. Cloud computing setups typically consist of several virtualized computer systems. Therefore we introduce the reader to the topic of evidence correlation within cloud computing infrastructures.

39 citations

Journal ArticleDOI
TL;DR: A clock model is presented that can account for factors and can simulate the behaviour of each independent clock and be used to remove the predicted clock errors from the time stamps to get a more realistic indication of the actual time at which the events occurred.

39 citations

Dissertation
01 Jan 2012
TL;DR: Peffers et al. as mentioned in this paper developed a new process model for digital data acquisition that addresses both the practical needs of practitioners working in different areas of the field and the expectation of law courts for a formal description of the process undertaken to acquire digital evidence.
Abstract: Given the pervasive nature of information technology, the nature of evidence presented in court is now less likely to be paper-based and in most instances will be in electronic form. However, evidence relating to computer crime is significantly different from that associated with the more ‘traditional’ crimes for which, in contrast to digital forensics, there are well-established standards, procedures and models to which law courts can refer. The key problem is that, unlike some other areas of forensic practice, digital forensic practitioners work in a number of different environments and existing process models have tended to focus on one particular area, such as law enforcement, and fail to take into account the different needs of those working in other areas such as incident response or ‘commerce’. This thesis makes an original contribution to knowledge in the field of digital forensics by developing a new process model for digital data acquisition that addresses both the practical needs of practitioners working in different areas of the field and the expectation of law courts for a formal description of the process undertaken to acquire digital evidence. The methodology adopted for this research is design science on the basis that it is particularly suited to the task of creating a new process model and an ‘ideal approach’ in the problem domain of digital forensic evidence. The process model employed is the Design Science Research Process (DSRP) (Peffers, Tuunanen, Gengler, Rossi, Hui, Virtanen and Bragge, 2006) that has been widely utilised within information systems research. A review of current process models involving the acquisition of digital data is followed by an assessment of each of the models from a theoretical perspective, by drawing on the work of Carrier and Spafford (2003), and from a legal perspective by reference to the Daubert test.
The result of the model assessment is that none provide a description of a generic process for the acquisition of digital data, although a few models contain elements that could be considered for adaptation as part of a new model. Following the identification of key elements for a new model (based on the literature review and model assessment) the outcome of the design stage is a three-stage process model called the Advance Data Acquisition Model (ADAM) that comprises three UML Activity diagrams, overriding Principles and an Operation Guide for each stage. Initial testing of the ADAM (the Demonstration stage from the DSRP) involves a ‘desk check’ using both in-house documentation relating to three digital forensic investigations and four narrative scenarios. The results of this exercise are fed back into the model design stage and alterations made as appropriate. The main testing of the model (the DSRP Evaluation stage) involves independent verification and validation of the ADAM utilising two groups of ‘knowledgeable people’. The first group, the Expert Panel, consists of international ‘subject matter experts’ from the domain of digital forensics. The second group, the Practitioner Panel, consists of peers from around Australia that are digital forensic practitioners and includes a representative from each of the areas of relevance for this research, namely: law enforcement, commerce and incident response. Feedback from the two panels is considered and modifications applied to the ADAM as appropriate. This thesis builds on the work of previous researchers and demonstrates how the UML can be practically applied to produce a generic model of one of the fundamental digital forensic processes, paving the way for future work in this area that could include the creation of models for other activities undertaken by digital forensic practitioners.
It also includes the most comprehensive review and critique of process models incorporating the acquisition of digital forensics yet undertaken.

39 citations

Book
03 Jan 2011
TL;DR: The first book of its kind EVER -- Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files.
Abstract: Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER -- Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry. Packed with real-world examples using freely available open source tools. Deep explanation and understanding of the Windows Registry - the most difficult part of Windows to analyze forensically. Includes a CD containing code and author-created tools discussed in the book.

39 citations

Journal ArticleDOI
TL;DR: To take advantage of the volume and variety of data captured by and stored in ubiquitous IoT services, forensic investigators need to draw upon evidence-acquisition methods and techniques from all areas of digital forensics and possibly create new IoT-specific investigation processes.
Abstract: The Internet of Things (IoT) brings a set of unique and complex challenges to the field of digital forensics. To take advantage of the volume and variety of data captured by and stored in ubiquitous IoT services, forensic investigators need to draw upon evidence-acquisition methods and techniques from all areas of digital forensics and possibly create new IoT-specific investigation processes. Although a number of conceptual process models have been developed to address the unique characteristics of the IoT, many challenges remain unresolved.

39 citations


Network Information
Related Topics (5)
Authentication: 74.7K papers, 867.1K citations, 84% related
Encryption: 98.3K papers, 1.4M citations, 81% related
Cryptography: 37.3K papers, 854.5K citations, 81% related
Server: 79.5K papers, 1.4M citations, 77% related
Mobile computing: 51.3K papers, 1M citations, 76% related
Performance
Metrics
No. of papers in the topic in previous years
Year  Papers
2024  3
2023  205
2022  552
2021  267
2020  339
2019  343