Computer Engineering Commons^™

Technology Corner Automated Data Extraction Using Facebook, Nick V. Flor

Journal of Digital Forensics, Security and Law

Because of Facebook’s popularity, law enforcement agents often use it as a key source of evidence. But like many user digital trails, there can be a large amount of data to extract for analysis. In this paper, we explore the basics of extracting data programmatically from a user’s Facebook via a Web app. A data extraction app requests data using the Facebook Graph API, and Facebook returns a JSON object containing the data. Before an app can access a user’s Facebook data, the user must log into Facebook and give permission. Thus, this approach is limited to situations where users …

Automatic Crash Recovery: Internet Explorer's Black Box, John Moran, Douglas Orr

Journal of Digital Forensics, Security and Law

A good portion of today's investigations include, at least in part, an examination of the user's web history. Although it has lost ground over the past several years, Microsoft's Internet Explorer still accounts for a large portion of the web browser market share. Most users are now aware that Internet Explorer will save browsing history, user names, passwords and form history. Consequently some users seek to eliminate these artifacts, leaving behind less evidence for examiners to discover during investigations. However, most users, and probably a good portion of examiners are unaware Automatic Crash Recovery can leave a gold mine of …

To License Or Not To License Updated: An Examination Of State Statutes Regarding Private Investigators And Digital Examiners, Thomas Lonardo, Doug White, Alan Rea

Journal of Digital Forensics, Security and Law

In this update to the 2009 year's study, the authors examine statutes that regulate, license, and enforce investigative functions in each US state. After identification and review of Private Investigator licensing requirements, the authors find that very few state statutes explicitly differentiate between Private Investigators and Digital Examiners, but do see a trend of more states making some distinction. The authors contacted all state regulatory agencies where statutory language was not explicit, and as a result, set forth the various state approaches to professional Digital Examiner licensing. As was the case in the previous two iterations of this research, the …

Extraction Of Electronic Evidence From Voip: Identification & Analysis Of Digital Speech, David Irwin, Arek Dadej, Jill Slay

Journal of Digital Forensics, Security and Law

The Voice over Internet Protocol (VoIP) is increasing in popularity as a cost effective and efficient means of making telephone calls via the Internet. However, VoIP may also be an attractive method of communication to criminals as their true identity may be hidden and voice and video communications are encrypted as they are deployed across the Internet. This produces a new set of challenges for forensic analysts compared with traditional wire-tapping of the Public Switched Telephone Network (PSTN) infrastructure, which is not applicable to VoIP. Therefore, other methods of recovering electronic evidence from VoIP are required. This research investigates the …

Book Review: Mastering Windows Network Forensics And Investigation, 2/E, John C. Ebert

Journal of Digital Forensics, Security and Law

The book is available as a paperback and e-book. The e-book versions allow you to preview several chapters at any of a number of online vendors. The e-book prices vary from the same as the soft cover version ($59.99) to about $38.99. Some of the vendor's e-books retain the color illustrations found in the print version, but others produce them in grey scale, so you might want to look out for that. The book is divided into four parts (17 chapters) plus two appendices.

I am compelled to give the book illustrations a highly unfavorable assessment regarding their readability qualities. …

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Digital Evidence Education In Schools Of Law, Aaron Alva, Barbara Endicott-Popovsky

Journal of Digital Forensics, Security and Law

An examination of State of Connecticut v. Julie Amero provides insight into how a general lack of understanding of digital evidence can cause an innocent defendant to be wrongfully convicted. By contrast, the 101-page opinion in Lorraine v. Markel American Insurance Co. provides legal precedence and a detailed consideration for the admission of digital evidence. An analysis of both cases leads the authors to recommend additions to Law School curricula designed to raise the awareness of the legal community to ensure such travesties of justice, as in the Amero case, don’t occur in the future. Work underway at the University …

Identifying Trace Evidence From Target-Specific Data Wiping Application Software, Gregory H. Carlton, Gary C. Kessler

Journal of Digital Forensics, Security and Law

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected …

Column: The Physics Of Digital Information-Part 2, Fred Cohen

Journal of Digital Forensics, Security and Law

In part 1 of this series (Cohen, 2011a), we discussed some of the basics of building a physics of digital information. Assuming, as we have, that science is about causality and that a scientific theory should require that cause(C) produces effect (E) via mechanism M (written C→ME), we explore that general theory of digital systems from the perspective of attributing effects (i.e., traces of activities in digital systems) to their causes. Full details of the current version of this physics are available online2 , and in this article, we explore a few more of them.

An Overview Of The Jumplist Configuration File In Windows 7, Harjinder S. Lallie, Parmjit S. Bains

Journal of Digital Forensics, Security and Law

The introduction of Jumplists in Windows 7 was an important feature from a forensic examiners viewpoint. Jumplist configuration files can provide the examiner with a wealth of information relating to file access and in particular: dates/times, Volume GUIDs and unique file object IDs relating to those files. Some of the information in the Jumplist could be used to build a more precise timeline relating to system and file usage. In this article, we analyse the structure of a Jumplist configuration file and in particular a record from a Jumplist configuration file and highlight some of the important entries therein.

Comparing Android Applications To Find Copying, Larry Melling, Bob Zeidman

Journal of Digital Forensics, Security and Law

The Android smartphone operating system includes a Java virtual machine that enables rapid development and deployment of a wide variety of applications. The open nature of the platform means that reverse engineering of applications is relatively easy, and many developers are concerned as applications similar to their own show up in the Android marketplace and want to know if these applications are pirated. Fortunately, the same characteristics that make an Android application easy to reverse engineer and copy also provide opportunities for Android developers to compare downloaded applications to their own. This paper describes the process for comparing a developer’s …

Applying The Acpo Principles In Public Cloud Forensic Investigations, Harjinder S. Lallie, Lee Pimlott

Journal of Digital Forensics, Security and Law

The numerous advantages offered by cloud computing has fuelled its growth and has made it one of the most significant of current computing trends. The same advantages have created complex issues for those conducting digital forensic investigations. Digital forensic investigators rely on the ACPO (Association of Chief Police Officers) or similar guidelines when conducting an investigation, however the guidelines make no reference to some of the issues presented by cloud investigations. This study investigates the impact of cloud computing on ACPO’s core principles and asks whether these principles can still be applied in a cloud investigation and the challenges presented …

Column: Factors Affecting Data Decay, Kevin Fairbanks, Simson Garfinkel

Journal of Digital Forensics, Security and Law

In nuclear physics, the phrase decay rate is used to denote the rate that atoms and other particles spontaneously decompose. Uranium-235 famously decays into a variety of daughter isotopes including Thorium and Neptunium, which themselves decay to others. Decay rates are widely observed and wildly different depending on many factors, both internal and external. U-235 has a half-life of 703,800,000 years, for example, while free neutrons have a half-life of 611 seconds and neutrons in an atomic nucleus are stable.

Dns In Computer Forensics, Neil F. Wright

Journal of Digital Forensics, Security and Law

The Domain Name Service (DNS) is a critical core component of the global Internet and integral to the majority of corporate intranets. It provides resolution services between the human-readable name-based system addresses and the machine operable Internet Protocol (IP) based addresses required for creating network level connections. Whilst structured as a globally dispersed resilient tree data structure, from the Global and Country Code Top Level Domains (gTLD/ccTLD) down to the individual site and system leaf nodes, it is highly resilient although vulnerable to various attacks, exploits and systematic failures.

Toward Alignment Between Communities Of Practice And Knowledge-Based Decision Support, Jason Nichols, David Biros, Mark Weiser

Journal of Digital Forensics, Security and Law

The National Repository of Digital Forensics Information (NRDFI) is a knowledge repository for law enforcement digital forensics investigators (LEDFI). Over six years, the NRDFI has undertaken significant design revisions in order to more closely align the architecture of the system with theory addressing motivation to share knowledge and communication within ego-centric groups and communities of practice. These revisions have been met with minimal change in usage patterns by LEDFI community members, calling into question the applicability of relevant theory when the domain for knowledge sharing activities expands beyond the confines of an individual organization to a community of practice. When …

Book Review: System Forensics, Investigation, And Response, Nate Keith

Journal of Digital Forensics, Security and Law

I recently expressed an interest to a respected colleague in finding a way to “give back” to the forensic community. He suggested writing a review for a text he recently received and provide feedback to the community. It is my intent to present an objective analysis of System Forensics, Investigation, and Response.

Column: Analysis Of Digital Traces, Fred Cohen

Journal of Digital Forensics, Security and Law

In part 1 of this series (Cohen, 2011a), Analysis of digital traces is a foundational process by which the examiner, typically using computer software tools, comes to understand and answer basic questions regarding digital traces.

On The Development Of A Digital Forensics Curriculum, Manghui Tu, Dianxiang Xu, Samsuddin Wira, Cristian Balan, Kyle Cronin

Journal of Digital Forensics, Security and Law

Computer Crime and computer related incidents continue their prevalence and frequency, resulting in losses approaching billions of dollars. To fight against these crimes and frauds, it is urgent to develop digital forensics education programs to train a suitable workforce that can effectively investigate computer crimes and incidents. There is presently no standard to guide the design of digital forensics curriculum for an academic program. In this research, previous work on digital forensics curriculum design and existing education programs are thoroughly investigated. Both digital forensics educators and practitioners were surveyed and results were analyzed to determine the industry and law enforcement …

Book Review: Dispute Resolution And E-Discovery, Milton Luoma

Journal of Digital Forensics, Security and Law

As is apparent from its title, this book tackles two very current and difficult legal issues – electronic discovery and dispute resolution. The authors tie the two legal concepts together in an effort to provide litigants and practitioners a less expensive and less time consuming alternative than is typically the case with traditional litigation and court proceedings. By including electronic discovery in the discussions, the authors recognize the importance and significance of electronic discovery in mediation and arbitration as it is in traditional litigation.

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

The Science Of Digital Forensics: Recovery Of Data From Overwritten Areas Of Magnetic Media, Fred Cohen

Journal of Digital Forensics, Security and Law

The first time I encountered data loss and recovery effects of magnetic memory was as a night and weekend computer operator for the computer science department of Carnegie-Mellon University in the 1973-1974 time frame. Part of my job involved dealing directly with outages and failures associated with magnetic memory components used in what, at the time, were large computer systems. On occasions, portions of magnetic core memory or disk drives would encounter various failure modes and the systems using these devices would have to be reconfigured to operate without the failed components until repair personnel could come in to repair …

“Preemptive Suppression” – Judges Claim The Right To Find Digital Evidence Inadmissible Before It Is Even Discovered, Bob Simpson

Journal of Digital Forensics, Security and Law

Vermont state prosecutors have asked the Vermont Supreme Court to end a state trial judge’s practice of attaching conditions to computer warrants. The Vermont judge’s conditions are drawn from five conditions established in the 2009 decision of the 9th Circuit Court of Appeals in the Comprehensive Drug Testing, Inc. case (CDT II). This is the first time the validity of the “CDT conditions” will be decided by a state court of final jurisdiction in the United States

An Australian Perspective On The Challenges For Computer And Network Security For Novice Endusers, Patryk Szewczyk

Journal of Digital Forensics, Security and Law

It is common for end-users to have difficulty in using computer or network security appropriately and thus have often been ridiculed when misinterpreting instructions or procedures. This discussion paper details the outcomes of research undertaken over the past six years on why security is overly complex for endusers. The results indicate that multiple issues may render end-users vulnerable to security threats and that there is no single solution to address these problems. Studies on a small group of senior citizens has shown that educational seminars can be beneficial in ensuring that simple security aspects are understood and used appropriately.

Forensic Evidence Identification And Modeling For Attacks Against A Simulated Online Business Information System, Manghui Tu, Dianxiang Xu, Eugene Butler, Amanda Schwartz

Journal of Digital Forensics, Security and Law

Forensic readiness of business information systems can support future forensics investigation or auditing on external/internal attacks, internal sabotage and espionage, and business fraud. To establish forensics readiness, it is essential for an organization to identify which fingerprints are relevant and where they can be located, to determine whether they are logged in a forensically sound way and whether all the needed fingerprints are available to reconstruct the events successfully. Also, a fingerprint identification and locating mechanism should be provided to guide potential forensics investigation in the future. Furthermore, mechanisms should be established to automate the security incident tracking and reconstruction …

Implementing The Automated Phases Of The Partially-Automated Digital Triage Process Model, Gary Cantrell, David A. Dampier

Journal of Digital Forensics, Security and Law

Digital triage is a pre-digital-forensic phase that sometimes takes place as a way of gathering quick intelligence. Although effort has been undertaken to model the digital forensics process, little has been done to-date to model digital triage. This work discusses the further development of a model that attempts to address digital triage, the Partially-automated Crime Specific Digital Triage Process model. The model itself will be presented along with a description of how its automated functionality was implemented to facilitate model testing.

Technology Corner: A Regular Expression Training App, Nick V. Flor

Journal of Digital Forensics, Security and Law

Regular expressions enable digital forensic analysts to find information in files. The best way for an analyst to become proficient in writing regular expressions is to practice. This paper presents the code for an app that allows an analyst to practice writing regular expressions.

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Effects Of Visual Interaction Methods On Simulated Unmanned Aircraft Operator Situational Awareness, Brent A. Terwilliger

Publications

The limited field of view of static egocentric visual displays employed in unmanned aircraft controls introduces the soda straw effect on operators, which significantly affects their ability to capture and maintain situational awareness by not depicting peripheral visual data. The problem with insufficient operator situational awareness is the resulting increased potential for error and oversight during operation of unmanned aircraft, leading to accidents and mishaps costing United States taxpayers between $4 million to $54 million per year. The purpose of this quantitative experimental completely randomized design study was to examine and compare use of dynamic eyepoint to static visual interaction …

Ios Mobile Device Forensics: Initial Analysis, Rita M. Barrios, Michael R. Lehrfeld

Annual ADFSL Conference on Digital Forensics, Security and Law

The ability to recover forensic artifacts from mobile devices is proving to be an ever-increasing challenge for investigators. Coupling this with the ubiquity of mobile devices and the increasing complexity and processing power they contain results in a reliance on them by suspects. In investigating Apple’s iOS devices -- namely the iPhone and iPad -- an investigator’s challenges are increased due to the closed nature of the platforms. What is left is an extremely powerful and complex mobile tool that is inexpensive, small, and can be used in suspect activities. Little is known about the internal data structures of the …

Forensic Analysis Of Smartphones: The Android Data Extractor Lite (Adel), Felix Freiling, Michael Spreitzenbarth, Sven Schmitt

Annual ADFSL Conference on Digital Forensics, Security and Law

Due to the ubiquitous use of smartphones, these devices become an increasingly important source of digital evidence in forensic investigations. Thus, the recovery of digital traces from smartphones often plays an essential role for the examination and clarification of the facts in a case. Although some tools already exist regarding the examination of smartphone data, there is still a strong demand to develop further methods and tools for forensic extraction and analysis of data that is stored on smartphones. In this paper we describe specifications of smartphones running Android. We further introduce a newly developed tool – called ADEL – …