Open Access. Powered by Scholars. Published by Universities.®

Computer Engineering Commons

Articles 61 - 90 of 105

Full-Text Articles in Computer Engineering

Social Networking: A Boon To Criminals, Tejashree D. Datar, Richard Mislan May 2010

Annual ADFSL Conference on Digital Forensics, Security and Law

With the world getting more and more digitized, social networking has also found a place in the cyber world. These social networking sites (SNSs) which enable people to socialize, and build and maintain relationships are attracting attention of all kinds of people such as teens, adults, sports persons, and even businesses. But these SNSs are also getting unwanted attention from people like sexual predators, spammers, and people involved in criminal and illegal activities. This paper talks about SNSs and how these sites are exploited for criminal or illegal activity. The SNSs are discussed in detail with respect to user profiles, …


Organizational Handling Of Digital Evidence, Sheona A. Hoolachan, William B. Glisson May 2010

Annual ADFSL Conference on Digital Forensics, Security and Law

There are a number of factors that impact a digital forensics investigation. These factors include: the digital media in question, implemented processes and methodologies, the legal aspects, and the individuals involved in the investigation. This paper presents the initial idea that Digital Forensic Practice (DFP) recommendations can potentially improve how organizations handle digital evidence. The recommendations are derived from an in-depth survey conducted with practitioners in both commercial organizations and law enforcement along with supporting literature. The recommendations presented in this paper can be used to assess an organization’s existing digital forensics practices and a guide to Digital Forensics Improvement …


A Framework To Integrate The Data Of Interview Investigation And Digital Evidence, Fahad Alshathry May 2010

Annual ADFSL Conference on Digital Forensics, Security and Law

The physical interview process in crime investigation produces an extremely large amount of data, particularly in big cases. In comparison, examiners of digital evidence have enormous amounts of data to search through whilst looking for data relating to the investigation. However, the links between their results are limited. Whilst investigators need to refute or support their hypothesis throughout, digital evidence examiners often use search based keywords. These keywords are usually created from evidence taken from the physical investigation reports and this basic method has been found to have many shortcomings and limitations. This paper proposes a highly automatic framework to …


Higate (High Grade Anti‐Tamper Equipment) Prototype And Application To E‐Discovery, Yui Sakurai, Yuki Ashino, Tetsutaro Uehara, Hiroshi Yoshiura, Ryoichi Sasaki May 2010

Annual ADFSL Conference on Digital Forensics, Security and Law

These days, most data is digitized and processed in various ways by computers. In the past, computer owners were free to process data as desired and to observe the inputted data as well as the interim results. However, the unrestricted processing of data and accessing of interim results even by computer users is associated with an increasing number of adverse events. These adverse events often occur when sensitive data such as personal or confidential business information must be handled by two or more parties, such as in the case of e-Discovery, used in legal proceedings, or epidemiologic studies. To solve …


Developing VoIP Honeypots: A Preliminary Investigation Into Malfeasant Activity, Craig Valli May 2010

Annual ADFSL Conference on Digital Forensics, Security and Law

30 years ago PABX systems were compromised by hackers wanting to make long distance calls at some other entity's expense. This activity faded as telephony became cheaper and PABX systems had countermeasures installed to overcome attacks. Now the world has moved onto the provision of telephony via broadband enabled Voice over Internet Protocol (VoIP) with this service now being provided as a replacement for conventional fixed wire telephony by major telecommunication providers worldwide. Due to increasing bandwidth it is possible for systems to support multiple voice connections simultaneously. The networked nature of the Internet allows for attackers of these VoIP …


Developing A Baccalaureate Digital Forensics Major, John H. Riley May 2010

Annual ADFSL Conference on Digital Forensics, Security and Law

As colleges and universities consider instituting a bachelor’s degree in digital forensics or computer forensics, there are numerous questions to be addressed. While some of these normally occur in the development of any new major, there are aspects of digital forensics which do not often (if ever) occur in other majors. We discuss the issues that should be resolved in the development of a baccalaureate degree program in digital forensics.

Keywords: Digital forensics major. Computer forensics major.


Cybercrime And The 2012 London Olympics, Denis Edgar-Nevill May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

The London 2012 Olympics is just three years away and the clock is ticking to put in place plans to get it right. The potential for cybercrime to cause harm during this event is very great; harm to national reputation, harm to the reputation of the Olympic movement, and harm to individuals competing, watching or officiating. This paper considers the need to address these risks by taking a look at what has happened in the past at sporting events and the rising wave of electronic security threats and fraud facilitated by computers at recent Olympics. The problems for law enforcement are …


Methodology For Investigating Individuals Online Social Networking Persona, Jonathan T. Rajewski May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

When investigators from either the private or public sector review digital data surrounding a case for evidentiary value, they typically conduct a systematic categorization process to identify the relevant digital devices. Armed with the proper methodology to accomplish this task, investigators can quickly recognize the appropriate digital devices for forensic processing and review. This paper proposes a methodology for investigating an individual’s online social networking persona.

Keywords: Social Networking, Web 2.0, Internet Investigations, Online Social Networking Community


Bluetooth Hacking: A Case Study, Dennis Browning, Gary C. Kessler May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper describes a student project examining mechanisms with which to attack Bluetooth-enabled devices. The paper briefly describes the protocol architecture of Bluetooth and the Java interface that programmers can use to connect to Bluetooth communication services. Several types of attacks are described, along with a detailed example of two attack tools, Bloover II and BT Info.

Keywords: Bluetooth hacking, mobile phone hacking, wireless hacking


Concerning File Slack, Stephen P. Larson May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

In this paper we discuss the phenomena known as file slack. File slack is created each time a file is created on a hard disk, and can contain private or confidential data. Unfortunately, the methods used by Microsoft Windows operating systems to organize and save files require file slack, and users have no control over what data is saved in file slack. This document will help create awareness about the security issue of file slack and discuss research results concerning file slack.

Keywords: Computer Forensics, File Slack, Ram Slack, Disk Slack


The Computer Fraud And Abuse Act And The Law Of Unintended Consequences, Milton Luoma, Vicki Luoma May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

One of the most unanticipated results of the Computer Fraud and Abuse Act arose from the law of unintended consequences. The CFAA was originally enacted in 1984 to protect federal government computers from intrusions and damage caused by hackers, identity thieves, and other cyber criminals. The law was later amended to extend the scope of its application to financial institutions’, business’s and consumers’ computers. To aid in the pursuit of cyber criminals, one of the subsequent revisions to the law included provision “G” that gave the right to private parties to seek compensation for damages in a civil action for …


Why Are We Not Getting Better At Data Disposal?, Andy Jones May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper describes two sets of research, the first of which has been carried out over a period of four years into the levels and types of information that can be found on computer hard disks that are offered for sale on the second hand market. The second research project examined a number of second-hand hand held devices including PDAs, mobile (cell) phones and RIM Blackberry devices. The primary purpose of this research was to gain an understanding of the reasons for the failure to effectively remove potentially sensitive information from the disks and handheld devices. Other objectives included determining …


Don’t Touch That! And Other E-Discovery Issues, Linda Volonino May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

The ability to preserve and access electronically stored information (ESI) took on greater urgency when amendments to the Federal Rules of Civil Procedure went into effect in December 2006. These amendments, referred to as the electronic discovery (e-discovery) amendments, focus on the discovery phase of civil litigation, audits, or investigations. Discovery is the investigative phase of a legal case when opponents learn what evidence is available and how accessible it is. When ESI is the subject of discovery, it is called e-discovery. Recognizing that most business and personal records and communications are electronic, Judge Shira A. Scheindlin stated, "We used …


Analysis Of The ‘Db’ Windows Registry Data Structure, Damir Kahvedžić, Tahar Kechadi May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

The Windows Registry stores a wide variety of data representing a host of different user properties, settings and program information. The data structures used by the registry are designed to be adaptable to store these differences in a simple format. In this paper we will highlight the existence of a rare data structure that is used to store a large amount of data within the registry hives. We analyse the manner in which this data structure stores its data and the implications that it may have on evidence retrieval and digital investigation. In particular, we reveal that the three of …


Correlating Orphaned Windows Registry Data Structures, Damir Kahvedžić, Tahar Kechadi May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important from both a Forensic Investigation point of view and a legal point of view where a lack of context can bring doubt to an argument. In this paper we formalise the registry behaviour and show how a retrieved value may not maintain a relation to the part of the registry it belonged to and hence lose that context. We …


Graduate Accounting Students' Perception Of IT Forensics: A Multi-Dimensional Analysis, Grover S. Kearns May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

Forensics and information technology (IT) have become increasingly important to accountants and auditors. Undergraduate accounting students are introduced to general IT topics but discussion of forensic knowledge is limited. A few schools have introduced an undergraduate major in forensic accounting. Some graduate schools offer accounting students an emphasis in forensic or fraud accounting that includes instruction in forensics and information technology. When students do not view the IT topics as being equally important to their careers as traditional accounting topics, these attitudes may reduce the quality of the course. In an effort to assess student attitudes, a survey of 46 …


Visualization Of Honeypot Data Using Graphviz And Afterglow, Craig Valli May 2009

Annual ADFSL Conference on Digital Forensics, Security and Law

This research in progress paper explores the use of Graphviz and Afterglow for the analysis of data emanating from a honeypot system. Honeypot systems gather a wide range of data that is often difficult to readily search for patterns and trends using conventional log file analysis techniques. The data from the honeypots has been statically extracted and processed through Afterglow scripts to produce inputs suitable for use by the DOT graph based tools contained within Graphviz. This paper explores some of the benefits and drawbacks of currently using this type of approach.

Keywords: honeypot, network forensics, visualization, Graphviz, Afterglow


The Cyber-Workplace – Identifying Liability Issues In The Information Age And Managing E-Risk, Nigel Wilson Apr 2008

Annual ADFSL Conference on Digital Forensics, Security and Law

The information age provides numerous opportunities for modern society but also presents significant challenges in identifying liability issues and in managing risk. Technological change has occurred rapidly and is continuing at the same time as other major trends and changes are taking place in society and, in particular, in the workplace. The prospect of global liability and the complexity of jurisdictional differences present a considerable hurdle to the uniform regulation of liability issues. General legislation and legal principles have been readily applied to the cyber-world and to modern business practices and the workplace. Where necessary, legislatures have introduced specific legislation …


Data Mining Techniques For Fraud Detection, Rekha Bhowmik Apr 2008

Annual ADFSL Conference on Digital Forensics, Security and Law

The paper presents application of data mining techniques to fraud analysis. We present some classification and prediction data mining techniques which we consider important to handle fraud detection. There exist a number of data mining algorithms and we present statistics-based algorithm, decision tree-based algorithm and rule-based algorithm. We present Bayesian classification model to detect fraud in automobile insurance. Naïve Bayesian visualization is selected to analyze and interpret the classifier predictions. We illustrate how ROC curves can be deployed for model assessment in order to provide a more intuitive analysis of the models.

Keywords: Data Mining, Decision Tree, Bayesian Network, ROC …


Simple - Rethinking The Monolithic Approach To Digital Forensic Software, Craig Valli Apr 2008

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper outlines a collaborative project nearing completion between the sec.au Security Research Group at Edith Cowan University and Western Australian Police Computer Crime Squad. The primary goal of this project is to create a software tool for use by non-technical law enforcement officers during the initial investigation and assessment of an electronic crime scene. This tool will be designed as an initial response tool, to quickly and easily find, view and export any relevant files stored on a computer, establishing if further expert investigation of that computer is warranted. When fully developed, the tool will allow investigators unprecedented real …


How Virtualized Environments Affect Computer Forensics, Diane Barrett Apr 2008

Annual ADFSL Conference on Digital Forensics, Security and Law

Virtualized environments can make forensics investigation more difficult. Technological advances in virtualization tools essentially make removable media a PC that can be carried around in a pocket or around a neck. Running operating systems and applications this way leaves very little trace on the host system. This paper will explore all the newest methods for virtualized environments and the implications they have on the world of forensics. It will begin by describing and differentiating between software and hardware virtualization. It will then move on to explain the various methods used for server and desktop virtualization. Next, it will describe the …


The Virtual Digital Forensics Lab - Expanding Law Enforcement Capabilities, Mark Mccoy, Sean A. Ensz Apr 2008

Annual ADFSL Conference on Digital Forensics, Security and Law

Law enforcement is attempting to respond to the growing and complex need to examine all manner of digital evidence using stand-alone forensic workstations and limited storage solutions. Digital forensic investigators often find their cases stalled by cumbersome and inflexible technology limiting their effectiveness. The Virtual Digital Forensics Lab (VDFL) is a new concept that applies existing enterprise host, storage, and network virtualization technologies to current forensic investigative methods. This paper details the concept of the VDFL, the technology solutions it employs, and the flexibility it provides for digital forensic investigators.

Keywords: Virtual Digital Forensics, digital forensic investigations, law enforcement, virtual …


Digital Forensic Certification Versus Forensic Science Certification, Nena Lim Apr 2008

Annual ADFSL Conference on Digital Forensics, Security and Law

Companies often rely on certifications to select appropriate individuals in disciplines such as accounting and engineering. The general public also tends to have confidence in a professional who has some kinds of certification because certification implies a standard of excellence and that the individual has expert knowledge in a specific discipline. An interesting question to the digital forensic community is: How is a digital forensic certification compared to a forensic science certification? The objective of this paper is to compare the requirements of a digital forensic certification to those of a forensic science certification. Results of the comparison shed lights …


Textbooks For Computer Forensic Courses: A Preliminary Study, Jigang Liu, Larry Gottschalk, Kuodi Jian Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

As computer forensics develops into one of the fastest-growing areas in the computer related fields, many universities and colleges are offering or are planning to offer a course in computer forensics. When instructors begin to develop a new course in the area, one of critical questions they would ask is what textbook should be used. To better answer the question, we conducted a study in which we tried to find which textbooks are being used in computer forensic courses. We believe that the results and analysis of our study will help instructors in choosing adequate textbooks for their new course …


Do Current Erasure Programs Remove Evidence Of Bittorrent Activity?, Andrew Woodward, Craig Valli Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

This research in progress aims to evaluate the effectiveness of commercial programs to erase traces of the use of BitTorrent software. The erasure programs MaxErase, P2PDoctor, Privacy Suite, Window Washer and R-Clean and Wipe were used on a machine that had used the BitTorrent client Azureus to download two torrent files. The drive was imaged and then searched for torrent files. The registry was also examined on the source machine. The program R-Clean and Wipe left evidence in both the registry and the image of the name and type of files that had been downloaded with this software. Of greater …


Investigating Information Structure Of Phishing Emails Based On Persuasive Communication Perspective, Ki Jung Lee, Il-Yeol Song Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

Current approaches of phishing filters depend on classifying messages based on textually discernable features such as IP-based URLs or domain names as those features that can be easily extracted from a given phishing message. However, in the same sense, those easily perceptible features can be easily manipulated by sophisticated phishers. Therefore, it is important that universal patterns of phishing messages should be identified for feature extraction to serve as a basis for text classification. In this paper, we demonstrate that user perception regarding phishing message can be identified in central and peripheral routes of information processing. We also present a …


The Case For Teaching Network Protocols To Computer Forensics Examiners, Gary C. Kessler, Matt Fasulo Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

Most computer forensics experts are well-versed in basic computer hardware technology, operating systems, common software applications, and computer forensics tools. And while many have rudimentary knowledge about the Internet and simple network-lookup tools, they are not trained in the analysis of network communication protocols and the use of packet sniffers. This paper describes digital forensics applications for network analysis and includes four case studies.

Keywords: computer forensics education, network forensics, protocol analysis


Defending Against Insider Use Of Digital Steganography, James E. Wingate, Glenn D. Watt, Marc Kurtz, Chad W. Davis, Robert Lipscomb Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

The trusted insider is among the most harmful and difficult to detect threats to information security, according to the Federal Plan for Information Assurance and Cyber Security Research and Development released in April 2006. By default, employees become trusted insiders when granted the set of privileges needed to do their jobs, which typically includes access to the Internet. It is generally presumed the insiders are loyally working to achieve the organization’s goals and objectives and would not abuse the privileges given to them. However, some insiders will inevitably abuse some of their privileges. For example, a trusted insider might abuse …


Computer Geolocation Using Extracted Features, Chad M.S. Steel Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper compares the extracted feature data from a sample set of hard drive images in an effort to relate the features to the physical location of the drive. A list of probable zip codes, phone numbers, place names, and IP addresses are extracted from raw drive images and compared to manually identified geolocation data. The results of the individual extractions are then analyzed to determine the feasibility in using automated extraction and analysis techniques for geolocating hard drives.

Keywords: hard disk forensics, geocoding, geolocation


Towards Redaction Of Digital Information From Electronic Devices, Gavin W. Manes, Lance Watson, David Greer, Alex Barclay, John Hale Apr 2007

Annual ADFSL Conference on Digital Forensics, Security and Law

In the discovery portion of court proceedings, it is necessary to produce information to opposing counsel. Traditionally, this information is in paper form with all privileged information removed. Increasingly, the information requested during discovery exists in digital form and savvy counsel is requesting direct access to the original digital source: a broad spectrum of additional digital information can often be extracted using digital forensics. This paper describes the major problems which must be solved to redact digital information from electronic devices. The primary hurdle facing digital redaction is the lack of a rational process for systematically handling encoded, encrypted, …