Open Access. Powered by Scholars. Published by Universities.®

Computer Engineering Commons

Social and Behavioral Sciences

2013

Annual ADFSL Conference on Digital Forensics, Security and Law

Articles 1 - 13 of 13

Full-Text Articles in Computer Engineering

A Forensic Study Of The Effectiveness Of Selected Anti-Virus Products Against SSDT Hooking Rootkits, Sami Al-Shaheri, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Jun 2013

For Microsoft Windows Operating Systems, both anti-virus products and kernel rootkits often hook the System Service Dispatch Table (SSDT). This research paper investigates the interaction between these two in terms of the SSDT. To investigate these matters, we extracted digital evidence from volatile memory, and studied that evidence using the Volatility framework. Due to the diversity in detection techniques used by the anti-virus products, and the diversity of infection techniques used by rootkits, our investigation produced diverse results, results that helped us to understand several SSDT hooking strategies, and the interaction between the selected anti-virus products and the rootkit samples. …


An Ontology-Based Forensic Analysis Tool, Mohammed Alzaabi, Andy Jones, Thomas A. Martin Jun 2013

The analysis of forensic investigation results has generally been identified as the most complex phase of a digital forensic investigation. This phase becomes more complicated and time consuming as the storage capacity of digital devices is increasing, while at the same time the prices of those devices are decreasing. Although there are some tools and techniques that assist the investigator in the analysis of digital evidence, they do not adequately address some of the serious challenges, particularly with the time and effort required to conduct such tasks. In this paper, we consider the use of semantic web technologies and in …


First Glance: An Introductory Analysis Of Network Forensics Of Tor, Raymond Hansen Jun 2013

The Tor network is a low-latency overlay network for TCP flows that is designed to provide privacy and anonymity to its users. It is currently in use by many as a means to avoid censorship of both information to be shared and information to be retrieved. This paper details the architecture of the Tor network as a platform for evaluating the current state of forensic analysis of the Tor network. Specific attempts to block access to the Tor network are examined to identify (a) the processes utilized to identify Tor nodes, and (b) the resulting exposure of potentially inculpatory evidence. …


A Thematic Review Of User Compliance With Information Security Policies Literature, David Sikolia Jun 2013

The adoption of computer and internet technology has greatly improved the way businesses operate. However, the risk to the confidentiality, integrity and availability of organizational data and systems has greatly increased too. Information security is an ever-present concern for all organizations. Financial estimates of the impact of security breaches to information and technology resources range from hundreds of billions to over one trillion dollars each year worldwide (D'Arcy et al., 2011b). Organizations have therefore developed a combination of technical, administrative, and physical controls to reduce this risk (D'Arcy et al., 2011a). Administrative measures include the development of information security …


Journey Into Windows 8 Recovery Artifacts, W. K. Johnson Jun 2013

One of the most difficult processes of digital forensics is to understand how new technology interacts with current technology and how digital forensic analysts can utilize current digital forensics technologies and processes to recover and find hidden information. Microsoft has released their new operating system, Windows 8; with this new release, Microsoft has added some features to the operating system that will present some interesting complications to digital forensics. Since the initial release of the Windows 8 Release Candidates, there has been some research released that focuses primarily on the new user-created artifacts and a few artifacts that have …


An Image Forensic Scheme With Robust And Fragile Watermarking For Business Documents, Sai Ho Kwok Jun 2013

This paper proposes an image forensic scheme with both robust and fragile watermarking techniques for business documents. Through a dual watermarking approach, the proposed scheme can achieve image forensics objectives of (a) identification of source; (b) authentication of documents; and (c) locating the tampered areas of documents due to attacks. An example is presented to prove the concepts of the proposed scheme.

Keywords: Image Forensics, Fragile and Robust Watermarking, Business Document.


Significance Of Semantic Reconciliation In Digital Forensics, Nickson M. Karie, H. S. Venter Jun 2013

Digital forensics (DF) is a growing field that is gaining popularity among many computer professionals, law enforcement agencies and other stakeholders who must always cooperate in this profession. Unfortunately, this has created an environment replete with semantic disparities within the domain that needs to be resolved and/or eliminated. For the purpose of this study, semantic disparity refers to disagreements about the meaning, interpretation, descriptions and the intended use of the same or related data and terminologies. If semantic disparity is not detected and resolved, it may lead to misunderstandings. Even worse, since the people involved may not be from the …


System-Generated Digital Forensic Evidence In Graphic Design Applications, Enos Mabuto, Hein Venter Jun 2013

Graphic design applications are often used for the editing and design of digital art. The same applications can be used for creating counterfeit documents such as identity documents (IDs), driver’s licences, passports, etc. However, the use of any graphic design application leaves behind traces of digital information that can be used during a digital forensic investigation. Current digital forensic tools examine a system to find digital evidence, but they do not examine a system specifically for the creating of counterfeit documents created through the use of graphic design applications. The paper in hand reviews the system-generated digital forensic evidence gathered …


Money Laundering Detection Framework To Link The Disparate And Evolving Schemes, Murad Mehmet, Duminda Wijesekera, Miguel F. Buchholtz Jun 2013

Money launderers hide traces of their transactions with the involvement of entities that participate in sophisticated schemes. Money laundering detection requires unraveling concealed connections among multiple but seemingly unrelated human money laundering networks, ties among actors of those schemes, and amounts of funds transferred among those entities. The link among small networks, either financial or social, is the primary factor that facilitates money laundering. Hence, the analysis of relations among money laundering networks is required to present the full structure of complex schemes. We propose a framework that uses sequence matching, case-based analysis, social network analysis, and complex event processing …


Identifying Peer-To-Peer Traffic On Shared Wireless Networks, Simon Piel, Ej Jung Jun 2013

Tracing contraband downloads leads investigators to an IP address, and in turn Internet Service Providers (ISP) can provide a physical location using this IP address. However, most homes and offices share this IP address among many computers using wireless networks. In other words, there needs to be another investigation to find out which computer was responsible for contraband downloads. To make matters worse, these shared wireless networks often have vulnerabilities in access control such as using WEP or using weak passwords. In such cases, any computer in range, not necessarily at the given physical address, could be responsible. We use …


On Resolving The Cloud Forensics Conundrum, John Bagby Jun 2013

The “cloud” is idiom for an ill-defined set of online services. The cloud simultaneously offers IT savings and promises advances in functionality (e.g., ubiquity). However, the cloud also imposes poorly understood burdens on security and it may provoke injustice. Thus, the cloud presents a durable and seemingly irreconcilable conundrum for the digital forensics communit(ies). First, cloud proponents make efficiency promises for cloud services (SaaS, IaaS, PaaS). These translate well into the digital forensics domain. Indeed, the cloud may enable crowd sourcing of investigatory data vastly lowering costs of dispute resolution. For example, cloud-based litigation war rooms may reduce electronic discovery …


Cybercrime And Punishment: An Analysis Of The Deontological And Utilitarian Functions Of Punishment In The Information Age, Karim Jetha Jun 2013

This conceptual piece analyzes the role of criminal punishment and the nature of cyber crime to investigate whether the current punishment schemes are appropriate given the deontological and utilitarian goals of punishment: retribution, deterrence, incapacitation, and rehabilitation. The research has implications for policymaking in cybercriminal law.

Keywords: cybercrime, criminal law, punishment, retribution, deterrence, information economics


The Development Of Computer Forensic Legal System In China, Yonghao Mai, K. P. Chow, Rongsheng Xu, Gang Zhou, Fei Xu, Jun Zhang Jun 2013

The computer forensic discipline was established around 2000 in China, and was further developed along with the Chinese judicial appraisal system in 2005. The new criminal and civil procedure laws of the People’s Republic of China were enacted on 1 Jan 2013. The new laws specified that electronic data is legal evidence, which has great impact on the current practice of handling electronic evidence. This paper introduces the electronic data and electronic evidence examination procedure in mainland China, the general concept of the computer forensic legal system, the management of computer judicial experts, and the management of computer judicial expertise institutions.

Keywords: China legal …