Engineering Commons^™

Precognition: Automated Digital Forensic Readiness System For Mobile Computing Devices In Enterprises, Jayaprakash Govindaraj, Robin Verma, Gaurav Gupta

Annual ADFSL Conference on Digital Forensics, Security and Law

Enterprises are facing an unprecedented risk of security incidents due to the influx of emerging technologies, like smartphones and wearables. Most of the current Mobile security systems are not maturing in pace with technological advances. They lack the ability to learn and adapt from the past knowledge base. In the case of a security incident, enterprises find themselves underprepared for the lack of evidence and data. The systems are not designed to be forensic ready. There is a need for automated security analysis and forensically ready solution, which can learn and continuously adapt to new challenges, improve efficiency and productivity …

Unmanned Aerial Vehicle Forensic Investigation Process: Dji Phantom 3 Drone As A Case Study, Alan Roder, Kim-Kwang Raymond Choo, Nhien-A Le-Khac

Annual ADFSL Conference on Digital Forensics, Security and Law

Drones (also known as Unmanned Aerial Vehicles – UAVs) are a potential source of evidence in a digital investigation, partly due to their increasing popularity in our society. However, existing UAV/drone forensics generally rely on conventional digital forensic investigation guidelines such as those of ACPO and NIST, which may not be entirely fit-for-purpose. In this paper, we identify the challenges associated with UAV/drone forensics. We then explore and evaluate existing forensic guidelines, in terms of their effectiveness for UAV/drone forensic investigations. Next, we present our set of guidelines for UAV/drone investigations. Finally, we demonstrate how the proposed guidelines can be …

Automated Man-In-The-Middle Attack Against Wi‑Fi Networks, Martin Vondráček, Jan Pluskal, Ondřej Ryšavý

Journal of Digital Forensics, Security and Law

Currently used wireless communication technologies suffer security weaknesses that can be exploited allowing to eavesdrop or to spoof network communication. In this paper, we present a practical tool that can automate the attack on wireless security. The developed package called wifimitm provides functionality for the automation of MitM attacks in the wireless environment. The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing. Also, a popularization of the fact that such attacks can be easily automated …

Back Matter, Adfsl

Annual ADFSL Conference on Digital Forensics, Security and Law

No abstract provided.

Front Matter, Adfsl

Annual ADFSL Conference on Digital Forensics, Security and Law

No abstract provided.

Contents, Adfsl

Annual ADFSL Conference on Digital Forensics, Security and Law

No abstract provided.

Multiple Content Adaptive Intelligent Watermarking Schemes For The Protection Of Blocks Of A Document Image, Chetan Kr Mr., S Nirmala Dr.

Journal of Digital Forensics, Security and Law

Most of the documents contain different types of information such as white space, static information and dynamic information or mix of static and dynamic information. In this paper, multiple watermarking schemes are proposed for protection of the information content. The proposed approach comprises of three phases. In Phase-1, the edges of the source document image are extracted and the edge image is decomposed into blocks of uniform size. In Phase-2, GLCM features like energy, homogeneity, contrast and correlation are extracted from each block and the blocks are classified as no-information, static, dynamic and mix of static and dynamic information content …

A Data Hiding Scheme Based On Chaotic Map And Pixel Pairs, Sengul Dogan Sd

Journal of Digital Forensics, Security and Law

Information security is one of the most common areas of study today. In the literature, there are many algorithms developed in the information security. The Least Significant Bit (LSB) method is the most known of these algorithms. LSB method is easy to apply however it is not effective on providing data privacy and robustness. In spite of all its disadvantages, LSB is the most frequently used algorithm in literature due to providing high visual quality. In this study, an effective data hiding scheme alternative to LSB, 2LSBs, 3LSBs and 4LSBs algorithms (known as xLSBs), is proposed. In this method, random …

Simple Implementation Of An Elgamal Digital Signature And A Brute Force Attack On It, Valeriia Laryoshyna

Student Works

This study is an attempt to show a basic mathematical usage of the concepts behind digital signatures and to provide a simple approach and understanding to cracking basic digital signatures. The approach takes on simple C programming of the ElGamal digital signature to identify some limits that can be encountered and provide considerations for making more complex code. Additionally, there is a literature review of the ElGamal digital signature and the brute force attack.

The research component of this project provides a list of possible ways to crack the basic implementations and classifies the different approaches that could be taken …

Understanding Deleted File Decay On Removable Media Using Differential Analysis, James H. Jones Jr, Anurag Srivastava, Josh Mosier, Connor Anderson, Seth Buenafe

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital content created by picture recording devices is often stored internally on the source device, on either embedded or removable media. Such storage media is typically limited in capacity and meant primarily for interim storage of the most recent image files, and these devices are frequently configured to delete older files as necessary to make room for new files. When investigations involve such devices and media, it is sometimes these older deleted files that would be of interest. It is an established fact that deleted file content may persist in part or in its entirety after deletion, and identifying the …

Harnessing Predictive Models For Assisting Network Forensic Investigations Of Dns Tunnels, Irvin Homem, Panagiotis Papapetrou

Annual ADFSL Conference on Digital Forensics, Security and Law

In recent times, DNS tunneling techniques have been used for malicious purposes, however network security mechanisms struggle to detect them. Network forensic analysis has been proven effective, but is slow and effort intensive as Network Forensics Analysis Tools struggle to deal with undocumented or new network tunneling techniques. In this paper, we present a machine learning approach, based on feature subsets of network traffic evidence, to aid forensic analysis through automating the inference of protocols carried within DNS tunneling techniques. We explore four network protocols, namely, HTTP, HTTPS, FTP, and POP3. Three features are extracted from the DNS tunneled traffic: …

An Accidental Discovery Of Iot Botnets And A Method For Investigating Them With A Custom Lua Dissector, Max Gannon, Gary Warner, Arsh Arora

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper presents a case study that occurred while observing peer-to-peer network communications on a botnet monitoring station and shares how tools were developed to discover what ultimately was identified as Mirai and many related IoT DDOS Botnets. The paper explains how researchers developed a customized protocol dissector in Wireshark using the Lua coding language, and how this enabled them to quickly identify new DDOS variants over a five month period of study.

A Forensic Email Analysis Tool Using Dynamic Visualization, Johannes Stadlinger, Andreas Dewald

Journal of Digital Forensics, Security and Law

Communication between people counts to the most important information of today’s business. As a result, in case of forensic investigations in big companies, analysis of communication data in general and especially email, as the still most widely used business communication platform with an immense and still growing volume, is a typical task in digital forensics. One of the challenges is to identify the relevant communication partners and structures in the suspects surrounding as quickly as possible in order to react appropriately and identify further targets of evaluation. Due to the amount of emails in typical inboxes, reading through all the …

Find Me If You Can: Mobile Gps Mapping Applications Forensic Analysis & Snavp The Open Source, Modular, Extensible Parser, Jason Moore, Ibrahim Baggili, Frank Breitinger

Journal of Digital Forensics, Security and Law

The use of smartphones as navigation devices has become more prevalent. The ubiquity of hand-held navigation devices such as Garmins or Toms Toms has been falling whereas the ownership of smartphones and their adoption as GPS devices is growing. This work provides a comprehensive study of the most popular smartphone mapping applications, namely Google Maps, Apple Maps, Waze, MapQuest, Bing, and Scout, on both Android and iOS. It details what data was found, where it was found, and how it was acquired for each application. Based on the findings, the work allowed for the construction of a tool capable of …

Compression Of Virtual-Machine Memory In Dynamic Malware Analysis, James E. Fowler Ph.D.

Journal of Digital Forensics, Security and Law

Lossless compression of memory dumps from virtual machines that run malware samples is considered with the goal of significantly reducing archival costs in dynamic-malware-analysis applications. Given that, in such dynamic-analysis scenarios, malware samples are typically run in virtual machines just long enough to activate any self-decryption or other detection- avoidance maneuvers, the virtual-machine memory typically changes little from that of the baseline state, with the difference being attributable in large degree to the loading of additional executables and libraries. Consequently, delta coding is proposed to compress the current virtual-machine memory dump by coding its differences with respect to a predicted …

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Front Matter

Journal of Digital Forensics, Security and Law

No abstract provided.

Special Issue Of Best Papers From The 11th International Conference On Systematic Approaches To Digital Forensic Engineering (Sadfe 2016)

Journal of Digital Forensics, Security and Law

The SADFE series feature the different editions of the International Conference on Systematic Approaches to Digital Forensics Engineering. Now in its eleventh edition, SADFE has established itself as the premier conference for researchers and practitioners working in Systematic Approaches to Digital Forensics Engineering.

SADFE 2016, the eleventh international conference on Systematic Approaches to Digital Forensic Engineering was held in Kyoto, Japan, September 20 - 22, 2016.

Digital forensics engineering and the curation of digital collections in cultural institutions face pressing and overlapping challenges related to provenance, chain of custody, authenticity, integrity, and identity. The generation, analysis and sustainability of digital …

Trustworthiness Requirements For Manufacturing Cyber-Physical Systems, Radu F. Babiceanu, Remzi Seker

Publications

Distributed manufacturing operations include cyber-physical systems vulnerable to cyber-attacks. Long time not considered a priority, cybersecurity jumped to the forefront of manufacturing concerns due to the need to network together legacy, newer equipment, and entire operation centers. This paper proposes trustworthiness solutions for integrated manufacturing physical-cyber worlds, where trustworthiness is defined to complement system dependability requirements with cybersecurity requirements, such that the resulting manufacturing cyber-physical system delivers services that can justifiably be trusted. Acknowledging the inevitability of cyber-attacks, the paper models the cybersecurity component using the resilient systems framework, where system resilience is viewed as preservation of a required state …

Bloom Filters Optimized Wu-Manber For Intrusion Detection, Monther Aldwairi, Koloud Al-Khamaiseh, Fatima Alharbi, Babar Shah

Journal of Digital Forensics, Security and Law

With increasing number and severity of attacks, monitoring ingress and egress network traffic is becoming essential everyday task. Intrusion detection systems are the main tools for capturing and searching network traffic for potential harm. Signature-based intrusion detection systems are the most widely used, and they simply use a pattern matching algorithms to locate attack signatures in intercepted network traffic. Pattern matching algorithms are very expensive in terms of running time and memory usage, leaving intrusion detection systems unable to detect attacks in real-time. We propose a Bloom filters optimized Wu-Manber pattern matching algorithm to speed up intrusion detection. The Bloom …

The Impact Of Md5 File Hash Collisions On Digital Forensic Imaging, Gary C. Kessler

Journal of Digital Forensics, Security and Law

The Message Digest 5 (MD5) hash is commonly used as for integrity verification in the forensic imaging process. The ability to force MD5 hash collisions has been a reality for more than a decade, although there is a general consensus that hash collisions are of minimal impact to the practice of computer forensics. This paper describes an experiment to determine the results of imaging two disks that are identical except for one file, the two versions of which have different content but otherwise occupy the same byte positions on the disk, are the same size, and have the same hash …

Leveraging The Windows Amcache.Hve File In Forensic Investigations, Bhupendra Singh, Upasna Singh

Journal of Digital Forensics, Security and Law

The Amcache.hve is a registry hive file that is created by Microsoft® Windows® to store the information related to execution of programs. This paper highlights the evidential potential of Amcache.hve file and its application in the area of user activity analysis. The study uncovers numerous artifacts retained in Amcache.hve file when a user performs certain actions such as running host-based applications, installation of new applications, or running portable applications from external devices. The results of experiments demonstrate that Amcache.hve file stores intriguing artifacts related to applications such as timestamps of creation and last modification of any application; name, description, publisher …

The 2016 Analysis Of Information Remaining On Computer Hard Disks Offered For Sale On The Second Hand Market In The Uae, Thomas Martin, Andy Jones, Mohammed Alzaabi

Journal of Digital Forensics, Security and Law

This research describes our survey of data remaining on computer hard disks sold on the second hand market in the United Arab Emirates (UAE). This is a repetition of the first survey conducted in 2012 (Jones, Martin, & Alzaabi, 2012). Similar studies have been carried over the last ten years in the United Kingdom, Australia, USA, Germany and France: (Jones, Mee, Meyler, & Gooch, 2005), (Jones, Valli, Sutherland, & Thomas, 2006), (Jones, Valli, Dardick, & Sutherland, 2008), (Jones, Valli, Dardick, & Sutherland, 2009). This research was undertaken to gain insight into the volumes of data found on second-hand disks purchased …

A New Distributed Chinese Wall Security Policy Model, Saad Fehis, Omar Nouali, Mohand-Tahar Kechadi

Journal of Digital Forensics, Security and Law

The application of the Chinese wall security policy model (CWSPM) to control the information flows between two or more competing and/or conflicting companies in cloud computing (Multi-tenancy) or in the social network, is a very interesting solution. The main goal of the Chinese Wall Security Policy is to build a wall between the datasets of competing companies, and among the system subjects. This is done by the applying to the subjects mandatory rules, in order to control the information flow caused between them. This problem is one of the hottest topics in the area of cloud computing (as a distributed …

The Impact Of Sha-1 File Hash Collisions On Digital Forensic Imaging: A Follow-Up Experiment, Gary C. Kessler

Journal of Digital Forensics, Security and Law

A previous paper described an experiment showing that Message Digest 5 (MD5) hash collisions of files have no impact on integrity verification in the forensic imaging process. This paper describes a similar experiment applied when two files have a Secure Hash Algorithm (SHA-1) collision.

A Survey Of Social Network Forensics, Umit Karabiyik, Muhammed Abdullah Canbaz, Ahmet Aksoy, Tayfun Tuna, Esra Akbas, Bilal Gonen, Ramazan S. Aygun

Journal of Digital Forensics, Security and Law

Social networks in any form, specifically online social networks (OSNs), are becoming a part of our everyday life in this new millennium especially with the advanced and simple communication technologies through easily accessible devices such as smartphones and tablets. The data generated through the use of these technologies need to be analyzed for forensic purposes when criminal and terrorist activities are involved. In order to deal with the forensic implications of social networks, current research on both digital forensics and social networks need to be incorporated and understood. This will help digital forensics investigators to predict, detect and even prevent …

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Designing Laboratories For Small Scale Digital Device Forensics, Richard P. Mislan, Tim Wedge

Annual ADFSL Conference on Digital Forensics, Security and Law

The ubiquity of small scale digital devices (SSDD), the public’s ever increasing societal dependence on SSDD, and the continual presence of SSDD at all types of crime scenes, including non-technical and violent crimes, demand a formalized curriculum for the education and training of future cyber forensic examiners. This paper presents the various SSDD forensics labs currently in use and under development for future use at the Purdue University Cyber Forensics Laboratory. The primary objective of each module is to provide specific real-world cases for the learning, comprehension, and understanding of hands-on investigative techniques and methodologies. The purpose of this paper …

Network Forensic Investigation Of Internal Misuse/Crime In Saudi Arabia: A Hacking Case, Abdulrazaq Al-Murjan, Konstantinos Xynos

Annual ADFSL Conference on Digital Forensics, Security and Law

There are ad-hoc guidelines and a limited policy on computer incident response that does not include computer forensic preparation procedures (e.g. logging incidents). In addition, these guidelines do not consider the requirement of Islamic law for admissible evidence at an organisational level in Saudi Arabia. Network forensic investigation might breach the Saudi law if they follow ad-hoc or international digital forensic standards such as Association of Chief Police Officers (ACPO) guidelines. This might put the organisation in a costly situation when a malicious employee sues an Islamic court. This is because the law of Saudi Arabia is complying with Islamic …

Paper Session Ii: Computer Forensics Field Triage Process Model, Marcus K. Rogers, James Goldman, Rick Mislan, Timothy Wedge, Steve Debrota

Annual ADFSL Conference on Digital Forensics, Security and Law

With the proliferation of digital based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time - measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is of the essence. In …