Computer Engineering Commons^™

Textbooks For Computer Forensic Courses: A Preliminary Study, Jigang Liu, Larry Gottschalk, Kuodi Jian

Annual ADFSL Conference on Digital Forensics, Security and Law

As computer forensics develops into one of the fastest-growing areas in the computer related fields, many universities and colleges are offering or are planning to offer a course in computer forensics. When instructors begin to develop a new course in the area, one of critical questions they would ask is what textbook should be used. To better answer the question, we conducted a study in which we tried to find which textbooks are being used in computer forensic courses. We believe that the results and analysis of our study will help instructors in choosing adequate textbooks for their new course …

Do Current Erasure Programs Remove Evidence Of Bittorrent Activity?, Andrew Woodward, Craig Valli

Annual ADFSL Conference on Digital Forensics, Security and Law

This research in progress aims to evaluate the effectiveness of commercial programs to erase traces of the use of BitTorrent software. The erasure programs MaxErase, P2PDoctor, Privacy Suite, Window Washer and R-Clean and Wipe were used on a machine that had used the BitTorrent client Azureus to download two torrent files. The drive was imaged and then searched for torrent files. The registry was also examined on the source machine. The program R-Clean and Wipe left evidence in both the registry and the image of the name and type of files that had been downloaded with this software. Of greater …

Investigating Information Structure Of Phishing Emails Based On Persuasive Communication Perspective, Ki Jung Lee, Il-Yeol Song

Annual ADFSL Conference on Digital Forensics, Security and Law

Current approaches of phishing filters depend on classifying messages based on textually discernable features such as IP-based URLs or domain names as those features that can be easily extracted from a given phishing message. However, in the same sense, those easily perceptible features can be easily manipulated by sophisticated phishers. Therefore, it is important that universal patterns of phishing messages should be identified for feature extraction to serve as a basis for text classification. In this paper, we demonstrate that user perception regarding phishing message can be identified in central and peripheral routes of information processing. We also present a …

The Case For Teaching Network Protocols To Computer Forensics Examiners, Gary C. Kessler, Matt Fasulo

Annual ADFSL Conference on Digital Forensics, Security and Law

Most computer forensics experts are well-versed in basic computer hardware technology, operating systems, common software applications, and computer forensics tools. And while many have rudimentary knowledge about the Internet and simple network-lookup tools, they are not trained in the analysis of network communication protocols and the use of packet sniffers. This paper describes digital forensics applications for network analysis and includes four case studies.

Keywords: computer forensics education, network forensics, protocol analysis

Defending Against Insider Use Of Digital Steganography, James E. Wingate, Glenn D. Watt, Marc Kurtz, Chad W. Davis, Robert Lipscomb

Annual ADFSL Conference on Digital Forensics, Security and Law

The trusted insider is among the most harmful and difficult to detect threats to information security, according to the Federal Plan for Information Assurance and Cyber Security Research and Development released in April 2006. By default, employees become trusted insiders when granted the set of privileges needed to do their jobs, which typically includes access to the Internet. It is generally presumed the insiders are loyally working to achieve the organization’s goals and objectives and would not abuse the privileges given to them. However, some insiders will inevitably abuse some of their privileges. For example, a trusted insider might abuse …

Computer Geolocation Using Extracted Features, Chad M.S. Steel

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper compares the extracted feature data from a sample set of hard drive images in an effort to relate the features to the physical location of the drive. A list of probable zip codes, phone numbers, place names, and IP addresses are extracted from raw drive images and compared to manually identified geolocation data. The results of the individual extractions are then analyzed to determine the feasibility in using automated extraction and analysis techniques for geolocating hard drives.

Keywords: hard disk forensics, geocoding, geolocation

Towards Redaction Of Digital Information From Electronic Devices, Gavin W. Manes, Lance Watson, David Greer, Alex Barclay, John Hale

Annual ADFSL Conference on Digital Forensics, Security and Law

In the discovery portion of court proceedings, it is necessary to produce information to opposing counsel. Traditionally, this information is in paper form with all privileged information removed. Increasingly, the information requested during discovery exists in digital form and savvy counsel is requesting direct access to the original digital source: a broad spectrum of additional digital information can be often be extracted using digital forensics. This paper describes the major problems which must be solved to redact digital information from electronic devices. The primary hurdle facing digital redaction is the lack of a rational process for systematically handling encoded, encrypted, …

Education For Cyber Crime Investigators, David Greer, Joe Mulenex, John Hale, Gavin W. Manes

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital forensics and cyber crime investigations are continually growing, rapidly changing fields requiring law enforcement agencies to meet very rigorous training requirements. New opportunities for committing criminal activity against persons, organization or property are presented every day with the proliferation of personal digital devices, computers, the internet, computer networks, and automated data systems. Whether the crime involves attacks against computer systems, electronic information, or more traditional crimes such as murder, money laundering or fraud, electronic evidence is becoming more prevalent. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and …

The Evolution Of Internet Legal Regulation In Addressing Crime And Terrorism, Murdoch Watney

Annual ADFSL Conference on Digital Forensics, Security and Law

Internet regulation has evolved from self-regulation to the criminalization of conduct to state control of information available, accessed and submitted. Criticism has been leveled at the different forms of state control and the methods employed to enforce state control. After the terrorist attack on the USA on 11 September 2001, governments justify Internet state control as a law enforcement and national security tool against the abuse and misuse of the Internet for the commission of serious crimes, such as phishing, child pornography; terrorism and copyright infringement. Some Internet users and civil rights groups perceive state control as an abomination which …

New Federal Rules And Digital Evidence, Gavin W. Manes, Elizabeth Downing, Lance Watson, Christopher Thrutchley

Annual ADFSL Conference on Digital Forensics, Security and Law

The newly revised Federal Rules of Civil Procedure and developments under the Federal Rules of Evidence have a significant impact on the use, collection, and treatment of digital evidence for legal proceedings. The Rules now formally grant electronic documents and digital evidence the same status as paper and other forms of tangible evidence. As a result, the availability and proper preservation of potentially relevant electronic evidence must be considered, at the very latest, in the preliminary stages of litigation and, at the earliest, as soon as litigation is reasonably anticipated. It is important for professionals to be familiar with the …

The Gap Between Theory And Practice In Digital Forensics, Joseph C. Sremack

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital forensics is a young field that is being defined by the reactive nature of its development – in terms of both research and practice. As technology develops, digital forensics is forced to react and adapt. The rapid development of technology and the lack of an established theoretical foundation has led to a disconnect between the theory and practice of digital forensics. While the base theoretical issues are being worked on by researchers, practitioners are dealing with entirely new sets of issues. The complexity of investigations is increasing, and anti-forensics techniques are advancing as well. The disconnect will be resolved …

Teams Responsibilities For Digital Forensic Process, Salma Abdalla, Sherif Hazem, Sherif Hashem

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper presents a detailed digital forensics process model and the responsible teams to perform it. The discussed model presents three teams and a forensic leader who coordinate between the three teams; these teams are physical crime scene team, laboratory examination team and courtroom team. These teams are responsible of achieving the digital forensic model by applying five main phases which are preparation phase, physical forensics and investigation phase, digital forensics phase, reporting and presentation phase and closure phase.

Most of the existing models in this field are either theoretical that deals with data processing or based on a legal …

Monitoring And Surveillance In The Workplace: Lessons Learnt? – Investigating The International Legal Position, Verine Etsebeth

Annual ADFSL Conference on Digital Forensics, Security and Law

When considering the legal implications of monitoring and surveillance in the workplace, the question may be asked why companies deploy computer surveillance and monitoring in the first place. Several reasons may be put forward to justify why more than 80% of all major American firms monitor employee e-mails and Internet usage. However, what most companies forget is the fact that the absence or presence of monitoring and surveillance activities in a company holds serious legal consequences for companies. From the discussion in this paper it will become apparent that there is a vast difference in how most countries approach this …

An Exploratory Analysis Of Computer Mediated Communications On Cyberstalking Severity, Stephen D. Barnes, David P. Biros

Annual ADFSL Conference on Digital Forensics, Security and Law

The interaction between disjunctive interpersonal relationships, those where the parties to the relationship disagree on the goals of the relationship, and the use of computer mediated communications channels is a relatively unexplored domain. Bargh (2002) suggests that CMC channels can amplify the development of interpersonal relationships, and notes that the effect is not constant across communications activities. This proposal suggests a line of research that explores the interaction between computer mediated communications (CMC) and stalking, which is a common form of disjunctive relationships. Field data from cyberstalking cases will be used to look at the effects of CMC channels on …

The General Digital Forensics Model, Steven Rigby, Marcus K. Rogers

Annual ADFSL Conference on Digital Forensics, Security and Law

The lack of a graphical representation of all of the principles, processes, and phases necessary to carry out an digital forensic investigation is a key inhibitor to effective education in this newly emerging field of study. Many digital forensic models have been suggested for this purpose but they lack explanatory power as they are merely a collection of lists or one-dimensional figures. This paper presents a new multi-dimensional model, the General Digital Forensics Model (GDFM), that shows the relationships and inter-connectedness of the principles and processes needed within the domain of digital forensics.

Keywords: process model, computer forensics, expert learning, …

Guideline Model For Digital Forensic Investigation, Salma Abdalla, Sherif Hazem, Sherif Hashem

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper proposes a detailed guideline model for digital forensics; the proposed model consists of five main phases, Preparation phase, Physical Forensics and Investigation Phase, Digital Forensics Phase, Reporting and Presentation Phase, and Closure Phase.

Most of the existing models in this field do not cover all aspects of digital forensic investigations, as they focus mainly on the processing of digital evidence or on the legal points. Although they gave good information to base on it a guide, but they are not detailed enough to describe fully the investigative process in a way that can be used by investigators during …

Hardware Virtualization Applied To Rootkit Defense, Douglas P. Medley

Theses and Dissertations

This research effort examines the idea of applying virtualization hardware to enhance operating system security against rootkits. Rootkits are sets of tools used to hide code and/or functionality from the user and operating system. Rootkits can accomplish this feat through using access to one part of an operating system to change another part that resides at the same privilege level. Hardware assisted virtualization (HAV) provides an opportunity to defeat this tactic through the introduction of a new operating mode. Created to aid operating system virtualization, HAV provides hardware support for managing and saving multiple states of the processor. This hardware …

Implementation And Optimization Of The Advanced Encryption Standard Algorithm On An 8-Bit Field Programmable Gate Array Hardware Platform, Ryan J. Silva

Theses and Dissertations

The contribution of this research is three-fold. The first is a method of converting the area occupied by a circuit implemented on a Field Programmable Gate Array (FPGA) to an equivalent as a measure of total gate count. This allows direct comparison between two FPGA implementations independent of the manufacturer or chip family. The second contribution improves the performance of the Advanced Encryption Standard (AES) on an 8-bit computing platform. This research develops an AES design that occupies less than three quarters of the area reported by the smallest design in current literature as well as significantly increases area efficiency. …

On-Demand Key Distribution For Mobile Ad-Hoc Networks, Daniel F. Graham

Theses and Dissertations

Mobile ad-hoc networks offer dynamic portable communication with little or no infrastructure. While this has many benefits, there are additional shortcomings specific to wireless communication that must be addressed. This research proposes gossip-based on-demand key distribution as a means to provide data encryption for mobile ad-hoc networks. This technique uses message keys to avoid encrypting and decrypting a message at every node. Other optimizations used include secure channel caching and joint rekey messages. The use of gossip makes the scheme robust to node failure. Experimental results show only a 15% increase in end-to-end delay with a node failure rate of …

Book Review: No Place To Hide, Gary C. Kessler

Journal of Digital Forensics, Security and Law

This issue presents the second Book Review column for the JDFSL. It is an experiment to broaden the services that the journal provides to readers, so we are anxious to get your reaction. Is the column useful and interesting? Should we include more than one review per issue? Should we also review products? Do you have suggested books/products for review and/or do you want to write a review? All of this type of feedback -- and more -- is appreciated. Please feel free to send comments to Gary Kessler (gary.kessler@champlain.edu) or Glenn Dardick (gdardick@dardick.net).

Investigating Information Structure Of Phishing Emails Based On Persuasive Communication Perspective, Ki J. Lee, Il-Yeol Song

Journal of Digital Forensics, Security and Law

Current approaches of phishing filters depend on classifying messages based on textually discernable features such as IP-based URLs or domain names as those features that can be easily extracted from a given phishing message. However, in the same sense, those easily perceptible features can be easily manipulated by sophisticated phishers. Therefore, it is important that universal patterns of phishing messages should be identified for feature extraction to serve as a basis for text classification. In this paper, we demonstrate that user perception regarding phishing message can be identified in central and peripheral routes of information processing. We also present a …

Monitoring And Surveillance In The Workplace: Lessons Learnt? – Investigating The International Legal Position, Verine Etsebeth

Journal of Digital Forensics, Security and Law

When considering the legal implications of monitoring and surveillance in the workplace, the question may be asked why companies deploy computer surveillance and monitoring in the first place. Several reasons may be put forward to justify why more than 80% of all major American firms monitor employee e-mails and Internet usage. However, what most companies forget is the fact that the absence or presence of monitoring and surveillance activities in a company holds serious legal consequences for companies. From the discussion in this paper it will become apparent that there is a vast difference in how most countries approach this …

The Evolution Of Internet Legal Regulation In Addressing Crime And Terrorism, Murdoch Watney

Journal of Digital Forensics, Security and Law

Internet regulation has evolved from self-regulation to the criminalization of conduct to state control of information available, accessed and submitted. Criticism has been leveled at the different forms of state control and the methods employed to enforce state control. After the terrorist attack on the USA on 11 September 2001, governments justify Internet state control as a law enforcement and national security tool against the abuse and misuse of the Internet for the commission of serious crimes, such as phishing, child pornography; terrorism and copyright infringement. Some Internet users and civil rights groups perceive state control as an abomination which …

Information Technology Act 2000 In India - Authentication Of E-Documents, R. G. Pawar, B. S. Sawant, A. Kaiwade

Journal of Digital Forensics, Security and Law

The Information Technology Act 2000 has enacted in India on 9th June 2000. This Act has mentioned provision of authentication of electronic document. It is the need of hour at that time that such provision is needed in the Indian Law system, especially for electronic commerce and electronic governance. Electronic commerce”, which involve the use of alternatives to paper based methods of communication and storage information. To do electronic commerce there should be authentication of particular document. The working of internet is the documents are traveling in terms of bits from one destination to other destination, through various media like …

The Common Body Of Knowledge: A Framework To Promote Relevant Information Security Research, Kenneth J. Knapp, F. N. Ford, Thomas E. Marshall, R. K. Rainer

Journal of Digital Forensics, Security and Law

This study proposes using an established common body of knowledge (CBK) as one means of organizing information security literature. Consistent with calls for more relevant information systems (IS) research, this industrydeveloped framework can motivate future research towards topics that are important to the security practitioner. In this review, forty-eight articles from ten IS journals from 1995 to 2004 are selected and cross-referenced to the ten domains of the information security CBK. Further, we distinguish articles as empirical research, frameworks, or tutorials. Generally, this study identified a need for additional empirical research in every CBK domain including topics related to legal …

An Exploratory Analysis Of Computer Mediated Communications On Cyberstalking Severity, Stephen D. Barnes, David P. Biros

Journal of Digital Forensics, Security and Law

The interaction between disjunctive interpersonal relationships, those where the parties to the relationship disagree on the goals of the relationship, and the use of computer mediated communications channels is a relatively unexplored domain. Bargh (2002) suggests that CMC channels can amplify the development of interpersonal relationships, and notes that the effect is not constant across communications activities. This proposal suggests a line of research that explores the interaction between computer mediated communications (CMC) and stalking, which is a common form of disjunctive relationships. Field data from cyberstalking cases will be used to look at the effects of CMC channels on …

Making Molehills Out Of Mountains: Bringing Security Research To The Classroom, Richard G. Taylor

Journal of Digital Forensics, Security and Law

Security research published in academic journals rarely finds its way to the business community or into the classroom. Even though the research is of high quality, it is written in a manner that is difficult to read and to understand. This paper argues that one way to get this academic research into the business community is to incorporate it into security classrooms. To do so, however, academic articles need to be adapted into a classroom-friendly format. This paper suggests ways to do this and provides an example of an academic article that was adapted for use in a security management …

Computer Crimes: A Case Study Of What Malaysia Can Learn From Others?, Janaletchumi Appudurai, Chitra L. Ramalingam

Journal of Digital Forensics, Security and Law

Rapid development of information technology (IT) has brought with it many new applications such as e-commerce and global business. The past few years have seen activities in the legislative arena covering issues such as digital signatures, the international recognition of electronic documents and privacy and data protection. Both the developed and developing countries have exhibited keenness to embrace the IT environment. Securing this electronic environment from intrusion, however, continues to be problematic. A particular favorite form of computer crime would be ‘hacking’. As more computer systems move on to on-line processing and improved telecommunications, computer hackers are now a real …

Providing A Foundation For Analysis Of Volatile Data Stores, Timothy Vidas

Journal of Digital Forensics, Security and Law

Current threats against typical computer systems demonstrate a need for forensic analysis of memory-resident data in addition to the conventional static analysis common today. Certain attacks and types of malware exist solely in memory and leave little or no evidentiary information on nonvolatile stores such as a hard disk drive. The desire to preserve system state at the time of response may even warrant memory acquisition independent of perceived threats and the ability to analyze the acquired duplicate.

Tools capable of duplicating various types of volatile data stores are becoming widely available. Once the data store has been duplicated, current …

Education Organization Baseline Control Protection And Trusted Level Security, Wasim A. Al-Hamdani

Journal of Digital Forensics, Security and Law

Many education organizations have adopted for security the enterprise best practices for implementation on their campuses, while others focus on ISO Standard (or/and) the National Institution of Standards and Technology.

All these adoptions are dependent on IT personal and their experiences or knowledge of the standard. On top of this is the size of the education organizations. The larger the population in an education organization, the more the problem of information and security become very clear. Thus, they have been obliged to comply with information security issues and adopt the national or international standard. The case is quite different when …