Engineering Commons^™

Rapid Android Parser For Investigating Dex Files (Rapid), Xiaolu Zhang, Frank Breitinger, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

Android malware is a well-known challenging problem and many researchers/vendors/practitioners have tried to address this issue through application analysis techniques. In order to analyze Android applications, tools decompress APK files and extract relevant data from the Dalvik EXecutable (DEX) files. To acquire the data, investigators either use decompiled intermediate code generated by existing tools, e.g., Baksmali or Dex2jar or write their own parsers/dissemblers. Thus, they either need additional time because of decompiling the application into an intermediate representation and then parsing text files, or they reinvent the wheel by implementing their own parsers. In this article, we present Rapid Android …

A Cyber Forensics Needs Analysis Survey: Revisiting The Domain's Needs A Decade Later, Vikram S. Harichandran, Frank Breitinger, Ibrahim Baggili, Andrew Marrington

Electrical & Computer Engineering and Computer Science Faculty Publications

The number of successful cyber attacks continues to increase, threatening financial and personal security worldwide. Cyber/digital forensics is undergoing a paradigm shift in which evidence is frequently massive in size, demands live acquisition, and may be insufficient to convict a criminal residing in another legal jurisdiction. This paper presents the findings of the first broad needs analysis survey in cyber forensics in nearly a decade, aimed at obtaining an updated consensus of professional attitudes in order to optimize resource allocation and to prioritize problems and possible solutions more efficiently. Results from the 99 respondents gave compelling testimony that the following …

A Method And A Case Study For The Selection Of The Best Available Tool For Mobile Device Forensics Using Decision Analysis, Shahzad Saleem, Oliver Popov, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

The omnipresence of mobile devices (or small scale digital devices - SSDD) and more importantly the utility of their associated applications for our daily activities, which range from financial transactions to learning, and from entertainment to distributed social presence, create an abundance of digital evidence for each individual. Some of the evidence may be a result of illegal activities that need to be identified, understood and eventually prevented in the future. There are numerous tools for acquiring and analyzing digital evidence extracted from mobile devices. The diversity of SSDDs, types of evidence generated and the number of tools used to …

Bytewise Approximate Matching: The Good, The Bad, And The Unknown, Vikram S. Harichandran, Frank Breitinger, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

Hash functions are established and well-known in digital forensics, where they are commonly used for proving integrity and file identification (i.e., hash all files on a seized device and compare the fingerprints against a reference database). However, with respect to the latter operation, an active adversary can easily overcome this approach because traditional hashes are designed to be sensitive to altering an input; output will significantly change if a single bit is flipped. Therefore, researchers developed approximate matching, which is a rather new, less prominent area but was conceived as a more robust counterpart to traditional hashing. Since the conception …

Towards Syntactic Approximate Matching-A Pre-Processing Experiment, Doowon Jeong, Frank Breitinger, Hari Kang, Sangjin Lee

Electrical & Computer Engineering and Computer Science Faculty Publications

Over the past few years, the popularity of approximate matching algorithms (a.k.a. fuzzy hashing) has increased. Especially within the area of bytewise approximate matching, several algorithms were published, tested, and improved. It has been shown that these algorithms are powerful, however they are sometimes too precise for real world investigations. That is, even very small commonalities (e.g., in the header of a file) can cause a match. While this is a desired property, it may also lead to unwanted results. In this paper, we show that by using simple pre-processing, we significantly can influence the outcome. Although our test set …

Exploring Deviant Hacker Networks (Dhn) On Social Media Platforms, Samer Al-Kateeb, Kevin Conlan, Nitin Agarwal, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

Online Social Networks (OSNs) have grown exponentially over the past decade. The initial use of social media for benign purposes (e.g., to socialize with friends, browse pictures and photographs, and communicate with family members overseas) has now transitioned to include malicious activities (e.g., cybercrime, cyberterrorism, and cyberwarfare). These nefarious uses of OSNs poses a signi_cant threat to society, and thus requires research attention. In this exploratory work, we study activities of one deviant groups: hacker groups on social media, which we term Deviant Hacker Networks (DHN). We investigated the connection between different DHNs on Twitter: how they are connected, identified …

Find Me If You Can: Mobile Gps Mapping Applications Forensic Analysis & Snavp The Open Source, Modular, Extensible Parser, Jason Moore, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

The use of smartphones as navigation devices has become more prevalent. The ubiquity of hand-held navigation devices such as Garmins or Toms Toms has been falling whereas the ownership of smartphones and their adoption as GPS devices is growing. This work provides a comprehensive study of the most popular smartphone mapping applications, namely Google Maps, Apple Maps, Waze, MapQuest, Bing, and Scout, on both Android and iOS. It details what data was found, where it was found, and how it was acquired for each application. Based on the findings, the work allowed for the construction of a tool capable of …

Whatsapp Network Forensics: Decrypting And Understanding The Whatsapp Call Signaling Messages, Filip Karpisek, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application and no comprehensive digital forensic analysis has been performed with regards to this feature at the time of writing this paper. In this work, we describe how we were able to decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination. We explain the methods and tools used …

Professor Frank Breitinger's Full Bibliography, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

No abstract provided.

An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice E. Fischer

Electrical & Computer Engineering and Computer Science Faculty Publications

Hash functions are widespread in computer sciences and have a wide range of applications such as ensuring integrity in cryptographic protocols, structuring database entries (hash tables) or identifying known files in forensic investigations. Besides their cryptographic requirements, a fundamental property of hash functions is efficient and easy computation which is especially important in digital forensics due to the large amount of data that needs to be processed when working on cases. In this paper, we correlate the runtime efficiency of common hashing algorithms (MD5, SHA-family) and their implementation. Our empirical comparison focuses on C-OpenSSL, Python, Ruby, Java on Windows and …

Network And Device Forensic Analysis Of Android Social-Messaging Applications, Daniel Walnycky, Ibrahim Baggili, Andrew Marrington, Jason Moore, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

In this research we forensically acquire and analyze the device-stored data and network traffic of 20 popular instant messaging applications for Android. We were able to reconstruct some or the entire message content from 16 of the 20 applications tested, which reflects poorly on the security and privacy measures employed by these applications but may be construed positively for evidence collection purposes by digital forensic practitioners. This work shows which features of these instant messaging applications leave evidentiary traces allowing for suspect data to be reconstructed or partially reconstructed, and whether network forensics or device forensics permits the reconstruction of …

Preliminary Forensic Analysis Of The Xbox One, Jason Moore, Ibrahim Baggili, Andrew Marrington, Armindo Rodrigues

Electrical & Computer Engineering and Computer Science Faculty Publications

Video game consoles can no longer be viewed as just gaming consoles but rather as full multimedia machines, capable of desktop computer-like performance. The past has shown that game consoles have been used in criminal activities such as extortion, identity theft, and child pornography, but with their ever-increasing capabilities, the likelihood of the expansion of criminal activities conducted on or over the consoles increases. This research aimed to take the initial step of understanding the Xbox One, the most powerful Microsoft console to date. We report the outcome of conducting a forensic examination of the Xbox One, and we provide …

Testing The Forensic Soundness Of Forensic Examination Environments On Bootable Media, Ahmed F.A.L. Mohamed, Andrew Marrington, Farkhund Iqbal, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is …

On The Database Lookup Problem Of Approximate Matching, Frank Breitinger, Harald Baier, Douglas White

Electrical & Computer Engineering and Computer Science Faculty Publications

Investigating seized devices within digital forensics gets more and more difficult due to the increasing amount of data. Hence, a common procedure uses automated file identification which reduces the amount of data an investigator has to look at by hand. Besides identifying exact duplicates, which is mostly solved using cryptographic hash functions, it is also helpful to detect similar data by applying approximate matching.

Let x denote the number of digests in a database, then the lookup for a single similarity digest has the complexity of O(x). In other words, the digest has to be compared against …

Life (Logical Ios Forensics Examiner): An Open Source Ios Backup Forensics Examination Tool, Ibrahim Baggili, Shadi Al Awawdeh, Jason Moore

Electrical & Computer Engineering and Computer Science Faculty Publications

In this paper, we present LiFE (Logical iOS Forensics Examiner), an open source iOS backup forensics examination tool. This tool helps both researchers and practitioners alike in both understanding the backup structures of iOS devices and forensically examining iOS backups. The tool is currently capable of parsing device information, call history, voice messages, GPS locations, conversations, notes, images, address books, calendar entries, SMS messages, Aux locations, facebook data and e-mails. The tool consists of both a manual interface (where the user is able to manually examine the backup structures) and an automated examination interface (where the tool pulls out evidence …

File Detection On Network Traffic Using Approximate Matching, Frank Breitinger, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

In recent years, Internet technologies changed enormously and allow faster Internet connections, higher data rates and mobile usage. Hence, it is possible to send huge amounts of data / files easily which is often used by insiders or attackers to steal intellectual property. As a consequence, data leakage prevention systems (DLPS) have been developed which analyze network traffic and alert in case of a data leak. Although the overall concepts of the detection techniques are known, the systems are mostly closed and commercial. Within this paper we present a new technique for network traffic analysis based on approximate matching (a.k.a …

Automated Evaluation Of Approximate Matching Algorithms On Real Data, Frank Breitinger, Vassil Roussev

Electrical & Computer Engineering and Computer Science Faculty Publications

Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to screen and analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similarrepresentations.

Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages and evaluation methodology is still evolving. Broadly, prior approaches have …

An Efficient Similarity Digests Database Lookup -- A Logarithmic Divide And Conquer Approach, Frank Breitinger, Christian Rathgeb, Harald Baier

Electrical & Computer Engineering and Computer Science Faculty Publications

Investigating seized devices within digital forensics represents a challenging task due to the increasing amount of data. Common procedures utilize automated file identification, which reduces the amount of data an investigator has to examine manually. In the past years the research field of approximate matching arises to detect similar data. However, if n denotes the number of similarity digests in a database, then the lookup for a single similarity digest is of complexity of O(n). This paper presents a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(n) to O(log(n)). Our proposed approach is based …

Quantifying Relevance Of Mobile Digital Evidence As They Relate To Case Types: A Survey And A Guide For Best Practices, Shahzad Saleem, Ibrahim Baggili, Oliver Popov

Electrical & Computer Engineering and Computer Science Faculty Publications

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97 % of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a data set of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to the most relevant …

Efficient Routing For Wireless Mesh Networks Using A Backup Path, Amir Esmailpour, Nidal Nasser, Jehad Al Dallal

Electrical & Computer Engineering and Computer Science Faculty Publications

Wireless Mesh Network (WMN) has a proven record in providing viable solutions for some of the fundamental issues in wireless networks such as capacity and range limitations. WMN infrastructure includes clusters of Mobile Ad-Hoc Networks (MANETs) connected through a fixed backbone of mesh routers. The mesh network can be constrained severely due to various reasons, which could result in performance degradation such as a drop in throughput or long delays. Solutions to this problem often focus on multipath or multichannel extensions to the existing ad- hoc routing protocols. In this paper, we propose a novel solution by introducing an alternative …

Forensic Analysis Of Social Networking Applications On Mobile Devices, Noora Al Mutawa, Ibrahim Baggili, Andrew Marrington

Electrical & Computer Engineering and Computer Science Faculty Publications

The increased use of social networking applications on smartphones makes these devices a goldmine for forensic investigators. Potential evidence can be held on these devices and recovered with the right tools and examination methods. This paper focuses on conducting forensic analyses on three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones: BlackBerrys, iPhones, and Android phones. The tests consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing manual forensic analysis …

Ipad2 Logical Acquisition: Automated Or Manual Examination?, Somaya Ali, Sumaya Alhosani, Farah Alzarooni, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

Due to their usage increase worldwide, iPads are on the path of becoming key sources of digital evidence in criminal investigations. This research investigated the logical backup acquisition and examination of the iPad2 device using the Apple iTunes backup utility while manually examining the backup data (manual examination) and automatically parsing the backup data (Lantern software-automated examination).The results indicate that a manual examination of the logical backup structure from iTunes reveals more digital evidence, especially if installed application data is required for an investigation. However, the researchers note that if a quick triage is needed of an iOS device, then …

Cat Detect (Computer Activity Timeline Detection): A Tool For Detecting Inconsistency In Computer Activity Timelines, Andrew Marrington, Ibrahim Baggili, George Mohay, Andrew Clark

Electrical & Computer Engineering and Computer Science Faculty Publications

The construction of timelines of computer activity is a part of many digital investigations. These timelines of events are composed of traces of historical activity drawn from system logs and potentially from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work introduces a software tool (CAT Detect) for the detection of inconsistency within timelines of computer activity. We examine the impact of deliberate tampering through experiments conducted with our prototype software tool. Based on the …

Survey On Cloud Forensics And Critical Criteria For Cloud Forensic Capability: A Preliminary Analysis, Keyun Ruan, Ibrahim Baggili, Joe Carthy, Tahar Kechadi

Electrical & Computer Engineering and Computer Science Faculty Publications

In this paper we present the current results and analysis of the survey “Cloud forensics and critical criteria for cloud forensic capability” carried out towards digital forensic experts and practitioners. This survey was created in order to gain a better understanding on some of the key questions of the new field - cloud forensics - before further research and development. We aim to understand concepts such as its definition, the most challenging issues, most valuable research directions, and the critical criteria for cloud forensic capability.

Iphone 3gs Forensics: Logical Analysis Using Apple Itunes Backup Utility, Mona Bader, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

The iPhone mobile is used worldwide due to its enhanced computing capabilities, increased storage capacity as well as its attractive touch interface. These characteristics made the iPhone a popular smart phone device. The increased use of the iPhone lead it to become a potential source of digital evidence in criminal investigations. Therefore, iPhone forensics turned into an essential practice for forensic and security practitioners today. This research aimed at investigating and examining the logical backup acquisition of the iPhone 3GS mobile device using the Apple iTunes backup utility. It was found that significant data of forensic value such as e-mail …

Generating System Requirements For A Mobile Digital Evidence Collection System: A Preliminary Step Towards Enhancing The Forensic Collection Of Digital Devices, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

Collecting digital devices in a forensically sound manner is becoming more critical since 80% of all cases have some sort of digital evidence involved in them (Rogers, 2006, p. 1) .The process of documenting and tagging digital devices is cumbersome and involves details that might not apply to other types of evidence, since each evidence item has unique physical characteristics (Hesitis & Wilbon, 2005, p. 17). The process becomes less manageable when a large number of digital devices are seized. This paper examines the information and issues investigators should be aware of when collecting digital devices at crime scenes. Furthermore, …

Self-Reported Cyber Crime: An Analysis On The Effects Of Anonymity And Pre-Employment Integrity, Ibrahim Baggili, Marcus Rogers

Electrical & Computer Engineering and Computer Science Faculty Publications

A key issue facing today’s society is the increase in cyber crimes. Cyber crimes pose threats to nations, organizations and individuals across the globe. Much of the research in cyber crime has risen from computer science-centric programs, and little experimental research has been performed on the psychology of cyber crime. This has caused a knowledge gap in the study of cyber crime. To this end, this research focuses on understanding psychological concepts related to cyber crime. Through an experimental design, participants were randomly assigned to three groups with varying degrees of anonymity. After each treatment, participants were asked to self-report …

An Ad Hoc Adaptive Hashing Technique For Non-Uniformly Distributed Ip Address Lookup In Computer Networks, Christopher Martinez, Wei-Ming Lin

Electrical & Computer Engineering and Computer Science Faculty Publications

Hashing algorithms have been widely adopted for fast address look-up, which involves a search through a database to find a record associated with a given key. Hashing algorithms transforms a key into a hash value hoping that the hashing renders the database a uniform distribution with respect to the hash value. The closer to uniform hash values, the less search time required for a query. When the database is key-wise uniformly distributed, any regular hashing algorithm (bit-extraction, bit-group XOR, etc.) leads to a statistically perfect uniform hash distribution. When the database has keys with a non-uniform distribution, performance of regular …