Law Commons^™

Development Of A Distributed Print‐Out Monitoring System For Efficient Forensic Investigation, Satoshi Kai, Tetsutaro Uehara

Annual ADFSL Conference on Digital Forensics, Security and Law

If information leakage occurs, an investigator is instructed to specify what documents were leaked and who leaked them. In the present work, a distributed print-out monitoring system—which consists of a virtual printer driver and print-out policy/log management servers—was developed. For easily matching the discovered (i.e., leaked) paper document with the print-out log, the virtual printer driver acquires full-text of printed-out documents by DDI hooking technique to check the content, transforms a spool file to a picture file and creates both a thumbnail and text log for forensic investigation afterwards. The log size is as only about 0.04 times bigger than …

Mac Os X Forensics: Password Discovery, David Primeaux, Robert Dahlberg, Kamnab Keo, Stephen Larson, B. Pennell, K. Sherman

Annual ADFSL Conference on Digital Forensics, Security and Law

OS X provides a password-rich environment in which passwords protect OS X resources and perhaps many other resources accessed through OS X. Every password an investigator discovers in an OS X environment has the potential for use in discovering other such passwords, and any discovered passwords may also be useful in other aspects of an investigation, not directly related to the OS X environment. This research advises the use of multiple attack vectors in approaching the password problem in an OS X system, including the more generally applicable non-OS X-specific techniques such as social engineering or well-known password cracking techniques …

Software Piracy Forensics: Impact And Implications Of Post‐Piracy Modifications, Vinod Bhattathiripad, S. Santhosh Baboo

Annual ADFSL Conference on Digital Forensics, Security and Law

Piracy is potentially possible at any stage of the lifetime of the software. In a post-piracy situation, however, the growth of the respective versions of the software (both the original and pirated) is expected to be in different directions as a result of expectedly different implementation strategies. This paper shows how such post-piracy modifications are of special interest to a cyber crime expert investigating software piracy and suggests that the present software piracy forensic (or software copyright infringement investigation) approaches require amendments to take in such modifications. For this purpose, the paper also presents a format that is jargon-free, so …

Understanding Issues In Cloud Forensics: Two Hypothetical Case Studies, Josiah Dykstra, Alan T. Sherman

Annual ADFSL Conference on Digital Forensics, Security and Law

The inevitable vulnerabilities and criminal targeting of cloud environments demand an understanding of how digital forensic investigations of the cloud can be accomplished. We present two hypothetical case studies of cloud crimes; child pornography being hosted in the cloud, and a compromised cloudbased website. Our cases highlight shortcomings of current forensic practices and laws. We describe significant challenges with cloud forensics, including forensic acquisition, evidence preservation and chain of custody, and open problems for continued research.

Keywords: Cloud computing, cloud forensics, digital forensics, case studies

A Practitioners Guide To The Forensic Investigation Of Xbox 360 Gaming Consoles, Ashley L. Podhradsky, Rob D’Ovidio, Cindy Casey

Annual ADFSL Conference on Digital Forensics, Security and Law

Given the ubiquitous nature of computing, individuals now have nearly 24-7 access to the internet. People are not just going online through traditional means with a PC anymore, they are now frequently using nontraditional devices such as cell phones, smart phones, and gaming consoles. Given the increased use of gaming consoles for online access, there is also an increased use of gaming consoles to commit criminal activity. The digital forensic community has been tasked with creating new approaches for forensically analyzing gaming consoles. In this research paper the authors demonstrate different tools, both commercial and open source, available to forensically …

Sampling: Making Electronic Discovery More Cost Effective, Milton Luoma, Vicki Luoma

Annual ADFSL Conference on Digital Forensics, Security and Law

With the huge volumes of electronic data subject to discovery in virtually every instance of litigation, time and costs of conducting discovery have become exceedingly important when litigants plan their discovery strategies. Rather than incurring the costs of having lawyers review every document produced in response to a discovery request in search of relevant evidence, a cost effective strategy for document review planning is to use statistical sampling of the database of documents to determine the likelihood of finding relevant evidence by reviewing additional documents. This paper reviews and discusses how sampling can be used to make document review more …

Digital Forensics And The Law, Karon N. Murff, Hugh E. Gardenier, Martha L. Gardenier

Annual ADFSL Conference on Digital Forensics, Security and Law

As computers and digital devices become more entrenched in our way of life, they become tools for both good and nefarious purposes. When the digital world collides with the legal world, a vast chasm is created. This paper will reflect how the legal community is failing to meet its obligation to provide adequate representation due to a lack of education about digital (computer) forensics. Whether in a civil litigation setting or a criminal setting, attorneys, prosecutors and judges have inadequate knowledge when it comes to the important questions they need to ask regarding digital evidence. Reliance on expert witnesses is …

Computer Forensics For Graduate Accountants: A Motivational Curriculum Design Approach, Grover S. Kearns

Annual ADFSL Conference on Digital Forensics, Security and Law

Computer forensics involves the investigation of digital sources to acquire evidence that can be used in a court of law. It can also be used to identify and respond to threats to hosts and systems. Accountants use computer forensics to investigate computer crime or misuse, theft of trade secrets, theft of or destruction of intellectual property, and fraud. Education of accountants to use forensic tools is a goal of the AICPA (American Institute of Certified Public Accountants). Accounting students, however, may not view information technology as vital to their career paths and need motivation to acquire forensic knowledge and skills. …

The Defiance College Undergraduate Major In Digital Forensic Science: Setting The Bar Higher, Gregg H. Gunsch

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper provides background information to accompany the panel discussion on Curriculum Design and Implementation in Computer Forensics Education. It is specifically focused on the content and delivery of Defiance College’s undergraduate (B.S.) program majoring in Digital Forensic Science (DFS). The genesis and evolution of the Defiance College DFS program are described, along with its successes, challenges and known opportunities for improvement. The desired outcomes of the panel discussion include articulating the necessary components of an undergraduate program, refining expectations of knowledge and skills required of students upon graduation, and suggesting strategies for achieving those expectations despite inevitable resource limitations …

Digital Records Forensics: A New Science And Academic Program For Forensic Readiness, Luciana Duranti, Barbara Endicott-Popovsky

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper introduces the Digital Records Forensics project, a research endeavour located at the University of British Columbia in Canada and aimed at the development of a new science resulting from the integration of digital forensics with diplomatics, archival science, information science and the law of evidence, and of an interdisciplinary graduate degree program, called Digital Records Forensics Studies, directed to professionals working for law enforcement agencies, legal firms, courts, and all kind of institutions and business that require their services. The program anticipates the need for organizations to become “forensically ready,” defined by John Tan as “maximizing the ability …

A Layered Framework Approach To Mitigate Crimeware, Mathew Nyamagwa

Annual ADFSL Conference on Digital Forensics, Security and Law

Crimeware attacks are growing at such an alarming rate and are becoming so prevalent that the FBI now rank cybercrime among its top priorities after terrorism and espionage. New studies estimate cyber crimes cost firms an astounding $1 trillion annually. But the good news? Over 80% of them are preventable. Crimeware is not a purely technical threat but more or a socio-technical affair. This clearly brings out the fact that computers do not commit a crime, but we (humans) do! In this paper I propose a layered approach that involves all stakeholders from end-users to service-providers and law enforcement to …

Canvass - A Steganalysis Forensic Tool For Jpeg Images, Jennifer L. Davidson, Jaikishan Jalan

Annual ADFSL Conference on Digital Forensics, Security and Law

Steganography is a way to communicate a message such that no one except the sender and recipient suspects the existence of the message. This type of covert communication lends itself to a variety of different purposes such as spy-to-spy communication, exchange of pornographic material hidden in innocuous image files, and other illicit acts. Computer forensic personnel have an interest in testing for possible steganographic files, but often do not have access to the technical and financial resources required to perform steganalysis in an effective manner. This paper describes the results of a funded effort by a grant from the National …

Measuring Whitespace Patterns As An Indication Of Plagiarism, Ilana Shay, Nikolaus Baer, Robert Zeidman

Annual ADFSL Conference on Digital Forensics, Security and Law

There are several different methods of comparing source code from different programs to find copying1 . Perhaps the most common method is comparing source code statements, comments, strings, identifiers, and instruction sequences. However, there are anecdotes about the use of whitespace patterns in code. These virtually invisible patterns of spaces and tabs have been used in litigation to imply copying, but no formal study has been performed that shows that these patterns can actually identify copied code. This paper presents a detailed study of whitespace patterns and the uniqueness of these patterns in different programs.

Keywords: Copyright Infringement, Intellectual Property, …

Electronic Discovery: A Fool’S Errand Where Angels Fear To Tread?, Milton Luoma, Vicki Luoma

Annual ADFSL Conference on Digital Forensics, Security and Law

Electronic discovery has transformed the discovery phase of civil litigation in recent years. The expectations of lawyers and parties were initially established in the Rowe and Zubulake cases that led to a complete revision of the electronic discovery rules contained in the Federal Rules of Civil Procedure. Subsequent cases have underscored the importance of document search methodologies and implications for attorneys, IT professionals, and digital forensics professionals. The authors review how electronic discovery has evolved thus far and offer recommendations regarding the electronic discovery process.

Keywords: Electronic discovery, e-discovery, keyword search, concept search,

Hard Disk Storage: Firmware Manipulation And Forensic Impact And Current Best Practice, Gareth Davies, Iain Sutherland

Annual ADFSL Conference on Digital Forensics, Security and Law

The most common form of storage media utilized in both commercial and domestic systems is the hard disk drive, consequently these devices feature heavily in digital investigations. Hard disk drives are a collection of complex components. These components include hardware and firmware elements that are essential for the effective operation of the drive. There are now a number of devices available, intended for data recovery, which can be used to manipulate the firmware components contained within the drive. It has been previously shown that it is possible to alter firmware for malicious purposes, either to conceal information or to prevent …

Social Networking: A Boon To Criminals, Tejashree D. Datar, Richard Mislan

Annual ADFSL Conference on Digital Forensics, Security and Law

With the world getting more and more digitized, social networking has also found a place in the cyber world. These social networking sites (SNSs) which enable people to socialize, and build and maintain relationships are attracting attention of all kinds of people such as teens, adults, sports persons, and even businesses. But these SNSs are also getting unwanted attention from people like sexual predators, spammers, and people involved in criminal and illegal activities. This paper talks about SNSs and how these sites are exploited for criminal or illegal activity. The SNSs are discussed in detail with respect to user profiles, …

Organizational Handling Of Digital Evidence, Sheona A. Hoolachan, William B. Glisson

Annual ADFSL Conference on Digital Forensics, Security and Law

There are a number of factors that impact a digital forensics investigation. These factors include: the digital media in question, implemented processes and methodologies, the legal aspects, and the individuals involved in the investigation. This paper presents the initial idea that Digital Forensic Practice (DFP) recommendations can potentially improve how organizations handle digital evidence. The recommendations are derived from an in-depth survey conducted with practitioners in both commercial organizations and law enforcement along with supporting literature. The recommendations presented in this paper can be used to assess an organization’s existing digital forensics practices and a guide to Digital Forensics Improvement …

A Framework To Integrate The Data Of Interview Investigation And Digital Evidence, Fahad Alshathry

Annual ADFSL Conference on Digital Forensics, Security and Law

The physical interview process in crime investigation produces an extremely large amount of data, particularly in big cases. In comparison, examiners of digital evidence have enormous amounts of data to search through whilst looking for data relating to the investigation. However, the links between their results are limited. Whilst investigators need to refute or support their hypothesis throughout, digital evidence examiners often use search based keywords. These keywords are usually created from evidence taken from the physical investigation reports and this basic method has been found to have many shortcomings and limitations. This paper proposes a highly automatic framework to …

Higate (High Grade Anti‐Tamper Equipment) Prototype And Application To E‐Discovery, Yui Sakurai, Yuki Ashino, Tetsutaro Uehara, Hiroshi Yoshiura, Ryoichi Sasaki

Annual ADFSL Conference on Digital Forensics, Security and Law

These days, most data is digitized and processed in various ways by computers. In the past, computer owners were free to process data as desired and to observe the inputted data as well as the interim results. However, the unrestricted processing of data and accessing of interim results even by computer users is associated with an increasing number of adverse events. These adverse events often occur when sensitive data such as personal or confidential business information must be handled by two or more parties, such as in the case of e-Discovery, used in legal proceedings, or epidemiologic studies. To solve …

Developing Voip Honeypots: A Preliminary Investigation Into Malfeasant Activity, Craig Valli

Annual ADFSL Conference on Digital Forensics, Security and Law

30 years ago PABX systems were compromised by hackers wanting to make long distance calls at some other entities expense. This activity faded as telephony became cheaper and PABX systems had countermeasures installed to overcome attacks. Now the world has moved onto the provision of telephony via broadband enabled Voice over Internet Protocol (VoIP) with this service now being provided as a replacement for conventional fixed wire telephony by major telecommunication providers worldwide. Due to increasing bandwidth it is possible for systems to support multiple voice connections simultaneously. The networked nature of the Internet allows for attackers of these VoIP …

Developing A Baccalaureate Digital Forensics Major, John H. Riley

Annual ADFSL Conference on Digital Forensics, Security and Law

As colleges and universities consider instituting a bachelor’s degree in digital forensics or computer forensics, there are numerous questions to be addressed. While some of these normally occur in the development of any new major, there are aspects of digital forensics which do not often (if ever) occur in other majors. We discuss the issues that should be resolved in the development of a baccalaureate degree program in digital forensics.

Keywords: Digital forensics major. Computer forensics major.

Cybercrime And The 2012 London Olympics, Denis Edgar-Nevill

Annual ADFSL Conference on Digital Forensics, Security and Law

The London 2012 Olympics is just three years away and the clock is ticking to put in place plans get it right. The potential for cybercrime to cause harm during this event is very great; harm to national reputation, harm to the reputation to the Olympic movement, and harm to individuals competing, watching or officiating. This paper considers the need to address these risks by taking a look at what has happened in the past at sporting events and the rising wave of electronic security threats and fraud facilitated by computers at recent Olympics. The problems for law enforcement are …

Methodology For Investigating Individuals Online Social Networking Persona, Jonathan T. Rajewski

Annual ADFSL Conference on Digital Forensics, Security and Law

When investigators from either the private or public sector review digital data surrounding a case for evidentiary value, they typically conduct a systematic categorization process to identify the relevant digital devices. Armed with the proper methodology to accomplish this task, investigators can quickly recognize the appropriate digital devices for forensic processing and review. This paper purposes a methodology for investigating an individual’s online social networking persona.

Keywords: Social Networking, Web 2.0, Internet Investigations, Online Social Networking Community

Bluetooth Hacking: A Case Study, Dennis Browning, Gary C. Kessler

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper describes a student project examining mechanisms with which to attack Bluetooth-enabled devices. The paper briefly describes the protocol architecture of Bluetooth and the Java interface that programmers can use to connect to Bluetooth communication services. Several types of attacks are described, along with a detailed example of two attack tools, Bloover II and BT Info.

Keywords: Bluetooth hacking, mobile phone hacking, wireless hacking

Concerning File Slack, Stephen P. Larson

Annual ADFSL Conference on Digital Forensics, Security and Law

In this paper we discuss the phenomena known as file slack. File slack is created each time a file is created on a hard disk, and can contain private or confidential data. Unfortunately, the methods used by Microsoft Windows operating systems to organize and save files require file slack, and users have no control over what data is saved in file slack. This document will help create awareness about the security issue of file slack and discuss research results concerning file slack.

Keywords : Computer Forensics, File Slack, Ram Slack, Disk Slack

The Computer Fraud And Abuse Act And The Law Of Unintended Consequences, Milton Luoma, Vicki Luoma

Annual ADFSL Conference on Digital Forensics, Security and Law

One of the most unanticipated results of the Computer Fraud and Abuse Act arose from the law of unintended consequences. The CFAA was originally enacted in 1984 to protect federal government computers from intrusions and damage caused by hackers, identity thieves, and other cyber criminals. The law was later amended to extend the scope of its application to financial institutions’, business’s and consumers’ computers. To aid in the pursuit of cyber criminals, one of the subsequent revisions to the law included provision “G” that gave the right to private parties to seek compensation for damages in a civil action for …

Why Are We Not Getting Better At Data Disposal?, Andy Jones

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper describes two sets of research, the first of which has been carried out over a period of four years into the levels and types of information that can be found on computer hard disks that are offered for sale on the second hand market. The second research project examined a number of second-hand hand held devices including PDAs, mobile (cell) phones and RIM Blackberry devices. The primary purpose of this research was to gain an understanding of the reasons for the failure to effectively remove potentially sensitive information from the disks and handheld devices. Other objectives included determining …

Don’T Touch That! And Other E-Discovery Issues, Linda Volonino

Annual ADFSL Conference on Digital Forensics, Security and Law

The ability to preserve and access electronically stored information (ESI) took on greater urgency when amendments to the Federal Rules of Civil Procedure went into effect in December 2006. These amendments, referred to as the electronic discovery (e-discovery) amendments, focus on the discovery phase of civil litigation, audits, or investigations. Discovery is the investigative phase of a legal case when opponents learn what evidence is available and how accessible it is. When ESI is the subject of discovery, it is called e-discovery. Recognizing that most business and personal records and communications are electronic, Judge Shira A. Scheindlin stated, "We used …

Analysis Of The ‘Db’ Windows Registry Data Structure, Damir Kahvedžić, Tahar Kechadi

Annual ADFSL Conference on Digital Forensics, Security and Law

The Windows Registry stores a wide variety of data representing a host of different user properties, settings and program information. The data structures used by the registry are designed to be adaptable to store these differences in a simple format. In this paper we will highlight the existence of a rare data structure that is used to store a large amount of data within the registry hives. We analyse the manner in which this data structure stores its data and the implications that it may have on evidence retrieval and digital investigation. In particular, we reveal that the three of …

Correlating Orphaned Windows Registry Data Structures, Damir Kahvedžić, Tahar Kechadi

Annual ADFSL Conference on Digital Forensics, Security and Law

Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important from both a Forensic Investigation point of view and a legal point of view where a lack of context can bring doubt to an argument. In this paper we formalise the registry behaviour and show how a retrieved value may not maintain a relation to the part of the registry it belonged to and hence lose that context. We …