Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons


Articles 1 - 30 of 177

Full-Text Articles in Physical Sciences and Mathematics

Automatic Log Parser To Support Forensic Analysis, Hudan Studiawan, Ferdous Sohel, Christian Payne Jan 2018


Australian Digital Forensics Conference

Event log parsing is a process to split and label each field in a log entry. Existing approaches commonly use regular expressions or parsing rules to extract the fields. However, such techniques are time-consuming as a forensic investigator needs to define a new rule for each log file type. In this paper, we present a tool, namely nerlogparser, to parse the log entries automatically, where log parsing is modeled as a named entity recognition problem. We use a deep machine learning technique, specifically the bidirectional long short-term memory networks, as the underlying architecture for this purpose. Unlike existing tools, nerlogparser …
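The sequence-labelling view of log parsing described above, as an added example that is not nerlogparser's code: every token of a log entry receives a label and adjacent tokens with the same label form a field. A hand-written rule tagger stands in for the bidirectional LSTM the paper trains, so the point is the framing, not the model. The label set (TIMESTAMP, HOST, SERVICE, PID, MESSAGE) and the two sample log lines are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Label set is an assumption for this illustration, not nerlogparser's own.
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
ISO_TS = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?$")
# Brackets become their own tokens so "sshd[2048]:" can be split into a
# SERVICE token and a PID token; everything else is split on whitespace.
TOKEN = re.compile(r"[^\s\[\]]+|\[|\]")

# Constructed sample entries: one BSD-syslog line, one ISO-8601 line.
LOG_LINES = [
    "Jan 12 03:14:07 bastion sshd[2048]: Failed password for root "
    "from 203.0.113.9 port 51122 ssh2",
    '2018-01-05T10:22:11Z web01 nginx: 203.0.113.7 - - "GET /admin HTTP/1.1" 403',
]


def tokenize(line: str) -> List[str]:
    return TOKEN.findall(line)


def tag_tokens(line: str) -> List[Tuple[str, str]]:
    """Return one (token, label) pair per token. Rules replace the learned tagger."""
    toks = tokenize(line)
    tagged: List[Tuple[str, str]] = []
    i = 0
    # Timestamp: "Mon DD HH:MM:SS" (three tokens) or a single ISO-8601 token.
    if len(toks) >= 3 and toks[0] in MONTHS and toks[1].isdigit():
        tagged += [(t, "TIMESTAMP") for t in toks[:3]]
        i = 3
    elif toks and ISO_TS.match(toks[0]):
        tagged.append((toks[0], "TIMESTAMP"))
        i = 1
    # Host: the token that follows the timestamp.
    if i < len(toks):
        tagged.append((toks[i], "HOST"))
        i += 1
    # Service, optionally followed by "[pid]" and the ':' separator.
    if i < len(toks):
        tagged.append((toks[i], "SERVICE"))
        i += 1
        if (i + 2 < len(toks) and toks[i] == "[" and toks[i + 1].isdigit()
                and toks[i + 2] == "]"):
            tagged += [(toks[i], "PID"), (toks[i + 1], "PID"), (toks[i + 2], "PID")]
            i += 3
        if i < len(toks) and toks[i] == ":":
            tagged.append((toks[i], "SEP"))
            i += 1
    # Everything remaining is the free-text message.
    tagged += [(t, "MESSAGE") for t in toks[i:]]
    return tagged


def extract_fields(line: str) -> Dict[str, str]:
    """Merge same-labelled runs of tokens into named fields."""
    runs: Dict[str, List[str]] = {}
    for tok, label in tag_tokens(line):
        if label == "SEP":
            continue
        runs.setdefault(label, []).append(tok)
    fields = {label: " ".join(toks) for label, toks in runs.items()}
    if "PID" in fields:
        fields["PID"] = fields["PID"].strip("[] ")
    if "SERVICE" in fields:
        fields["SERVICE"] = fields["SERVICE"].rstrip(":")
    return fields


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    return [extract_fields(line) for line in lines]


if __name__ == "__main__":
    for record in parse_all(LOG_LINES):
        print(record)
```

Because the rules above encode exactly the per-format knowledge the paper wants to stop writing by hand, any new log layout (a Windows event export, a web-server access log) needs another branch here; the learned tagger replaces those branches with training data.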


Is Working With What We Have Enough?, Brian Cusack, Bryce Antony Jan 2018


Australian Digital Forensics Conference

Augmented reality (AR) digital environments have introduced a new complexity to digital investigation where augmented overlays of real objects may be momentary, changed, distorted and evade the usual methods for evidence collection. It is possible an investigator applying standard investigation methods factually reports a real situation and its digital context but has none of the relevant evidence. In this situation the potential for a fair hearing is low and the chance of retrial high. Such situations are unacceptably dangerous and require redress. In this paper the AR condition is considered in terms of its complexity and management during an investigation. …


Digital Forensics Investigative Framework For Control Rooms In Critical Infrastructure, Brian Cusack, Amr Mahmoud Jan 2018


Australian Digital Forensics Conference

In this paper a cyber-forensic framework with a detailed guideline for protecting control systems is developed to improve the forensic capability for big data in critical infrastructures. The main objective of creating a cyber-forensic plan is to cover the essentials of monitoring, troubleshooting, data reconstruction, recovery, and the safety of classified information. The problem to be addressed in control rooms is the diversity and quantity of data, and for investigators, bringing together the different skill groups for managing data and device diversity. This research establishes a new digital forensic model for critical infrastructures that supports digital forensic investigators …


Building A Dataset For Image Steganography, Chris Woolley, Ahmed Ibrahim, Peter Hannay Jan 2017


Australian Digital Forensics Conference

Image steganography and steganalysis techniques discussed in the literature rely on using a dataset(s) created based on cover images obtained from the public domain, through the acquisition of images from Internet sources, or manually. This issue often leads to challenges in validating, benchmarking, and reproducing reported techniques in a consistent manner. It is our view that the steganography/steganalysis research community would benefit from the availability of common datasets, thus promoting transparency and academic integrity. In this research, we have considered four aspects: image acquisition, pre-processing, steganographic techniques, and embedding rate in building a dataset for image steganography.


A Centralised Platform For Digital Forensic Investigations In Cloud-Based Environments, Shaunak Mody, Alastair Nisbet Jan 2017


Australian Digital Forensics Conference

Forensic investigations of digital media traditionally involve seizing a device and performing a forensic investigation. Often legal and physical obstructions must be overcome so that the investigator has access to the device and the right to secure it for investigation purposes. Taking a forensic image of a hard disk may need to be done in the field but analysis can usually be performed at a later time. With the rapid increase in hard disk size, the acquiring of a forensic image can take hours or days. This poses significant issues for forensic investigators when potential evidence resides in the cloud. …


Proceedings Of The 15th Australian Digital Forensics Conference, 5-6 December 2017, Edith Cowan University, Perth, Australia, Craig Valli Jan 2017


Australian Digital Forensics Conference

Conference Foreword This is the sixth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers with a number from local and international authors. 8 papers were submitted and following a double blind peer review process, 5 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, …


Iseek, A Tool For High Speed, Concurrent, Distributed Forensic Data Acquisition, Richard Adams, Graham Mann, Valerie Hobbs Jan 2017


Australian Digital Forensics Conference

Electronic discovery (also written as e-discovery or eDiscovery) and digital forensics are processes in which electronic data is sought, located, secured, and processed with the expectation that it may be used as evidence in legal proceedings. Electronic evidence plays a fundamental role in many aspects of litigation (Stanfield, 2009). However, both eDiscovery and digital forensic approaches that rely on the creation of an index as part of their processing are struggling to cope with the huge increases in hard disk storage capacity. This paper introduces a novel technology that meets the existing and future data volume challenges faced by practitioners …


A Framework For Forensic Reconstruction Of Spontaneous Ad Hoc Networks, Alastair Nisbet Jan 2017


Australian Digital Forensics Conference

Spontaneous ad hoc networks are distinguished by rapid deployment for a specific purpose, with no forward planning or pre-design in their topology. Often these networks will spring up through necessity whenever a network is required urgently but briefly. This may be in a disaster recovery setting, military uses where often the network is unplanned but the devices are pre-installed with security settings, educational networks or networks created as a one-off for a meeting such as in a business organisation. Generally, wireless networks pose problems for forensic investigators because of the open nature of the medium, but if logging procedures and …


Analysis Of Attempted Intrusions: Intelligence Gathered From SSH Honeypots, Priya Rabadia, Craig Valli, Ahmed Ibrahim, Zubair A. Baig Jan 2017


Australian Digital Forensics Conference

Honeypots are a defensive cyber security countermeasure used to gather data on intruder activities. By analysing the data collected by honeypots, mitigation strategies for cyberattacks launched against cyber-enabled infrastructures can be developed. In this paper, intelligence gathered from six Secure Shell (SSH) honeypots is presented. The paper is part of an ongoing investigation into analysing malicious activities captured by the honeypots. This paper focuses on the time of day attempted intrusions have occurred. The honeypot data has been gathered from 18th July 2012 until 13th January 2016; a period of 1,247 days. All six honeypots have the same hardware and …
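The time-of-day analysis the abstract describes, as an added example that is not the authors' code: parse SSH honeypot login attempts, normalise every timestamp to UTC, and bucket the attempts by hour. The line format is a Kippo-style "login attempt [user/password] failed" record, and the six sample lines are constructed; both are my assumptions, not the paper's data. One sample honeypot stamps in local time (+0800), which is the case that silently skews an hour-of-day profile if the offset is dropped.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Kippo-style authentication record (assumed format, not the paper's logs).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[.*?,(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)

# Constructed sample lines; the last one is deliberately malformed.
HONEYPOT_LINES = [
    "2015-11-02 02:14:33+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/123456] failed",
    "2015-11-02 02:14:35+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/password] failed",
    "2015-11-02 14:40:01+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.20] login attempt [admin/admin] failed",
    "2015-11-03 09:05:41+0800 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.5] login attempt [root/toor] succeeded",
    "2015-11-03 09:06:02+0800 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.5] login attempt [root/toor] failed",
    "2015-11-03 09:06:02+0800 [SSHService ssh-userauth on HoneyPotTransport,14] connection lost",
]


def parse_attempt(line: str) -> Optional[Dict[str, object]]:
    """Return the attempt as a dict with a UTC timestamp, or None if not an auth record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # %z keeps the recorded offset; astimezone() then moves the instant to UTC.
    when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S%z").astimezone(timezone.utc)
    return {
        "utc": when,
        "ip": m["ip"],
        "user": m["user"],
        "password": m["pw"],
        "succeeded": m["result"] == "succeeded",
    }


def hour_histogram(lines: List[str]) -> List[int]:
    """Count attempts per UTC hour of day (index 0..23)."""
    counts = [0] * 24
    for line in lines:
        rec = parse_attempt(line)
        if rec is not None:
            counts[rec["utc"].hour] += 1
    return counts


def top_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Most active source addresses across all parsed attempts."""
    counter = Counter(rec["ip"] for rec in map(parse_attempt, lines) if rec is not None)
    return counter.most_common(n)


def peak_hours(lines: List[str]) -> List[int]:
    """Hours with the highest attempt count, for a quick 'when do they come' answer."""
    hist = hour_histogram(lines)
    best = max(hist)
    return [h for h, c in enumerate(hist) if c == best and best > 0]


if __name__ == "__main__":
    for hour, count in enumerate(hour_histogram(HONEYPOT_LINES)):
        if count:
            print(f"{hour:02d}:00 UTC  {count}")
    print(top_sources(HONEYPOT_LINES))
```

Attacker time-of-day only means something once all sensors share one clock reference, so the conversion to UTC is the step that makes six honeypots comparable; whether the attackers' local time is of interest is a separate question that needs the source's geolocation, which this example does not attempt.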


Detecting And Tracing Slow Attacks On Mobile Phone User Service, Brian Cusack, Zhuang Tian Jan 2016


Australian Digital Forensics Conference

The lower bandwidth of mobile devices has until recently filtered the range of attacks on the Internet. However, recent research shows that DoS and DDoS attacks, worms and viruses, and a whole range of social engineering attacks are impacting on broadband smartphone users. In our research we have developed a metric-based system to detect the traditional slow attacks that can be effective using limited resources, and then employed combinations of Internet trace back techniques to identify sources of attacks. Our research question asked: What defence mechanisms are effective? We critically evaluate the available literature to appraise the current state of …


The Proceedings Of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia, Craig Valli Jan 2016


Australian Digital Forensics Conference

Conference Foreword

This is the fifth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers with a number from local and international authors. 11 papers were submitted and following a double blind peer review process, 8 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, …


A Forensic Examination Of Several Mobile Device Faraday Bags & Materials To Test Their Effectiveness, Ashleigh Lennox-Steele, Alastair Nisbet Jan 2016


Australian Digital Forensics Conference

A Faraday bag is designed to shield a mobile phone or small digital device from radio waves entering the bag and reaching the device, or to stop radio waves escaping through the bag from the device. The effectiveness of these shields is vital for security professionals and forensic investigators who seize devices and wish to ensure that their contents are not read, modified or deleted prior to a forensic examination. This research tests the effectiveness of several readily available Faraday bags. The Faraday bags tested are all available through online means and promise complete blocking of all signals through the …


An Exploration Of Artefacts Of Remote Desktop Applications On Windows, Paresh Kerai, Vimal Murji Vekariya Jan 2016


Australian Digital Forensics Conference

Remote Desktop Applications (RDA) such as Virtual Network Computing (VNC), Cisco WebEx, GoToMeeting and LogMeIn have been adapted and utilised recently. This is because they facilitate tier-one support to configure computers, networks and solve application-related issues from a remote location. The direct benefit from the use of these applications, is the time (and therefore cost) saving for organisations. Unfortunately, “remoting” technology can also be used by criminals to perform illegal activities, hence remote applications are of key interest to law agencies and forensic investigators. The research outlined in this paper aims to identify any artefacts left behind by common remote …


Survey On Remnant Data Research: The Artefacts Recovered And The Implications In A Cyber Security Conscious World, Michael James, Patryk Szewczyk Jan 2016


Australian Digital Forensics Conference

The prevalence of remnant data in second hand storage media is well documented. Since 2004 there have been ten separate papers released through Edith Cowan University alone. Despite numerous government agencies providing advice on securing personal and corporate information, and news articles highlighting the need for data security, the availability of personal and confidential data on second hand storage devices is continuing, indicating a systemic laissez faire attitude to data security, even in our supposedly cyber security conscious world. The research continues, but there seems to be a lack of correlation of these studies to identify trends or common themes …


Google Earth Forensics On iOS 10's Location Service, Brian Cusack, Raymond Lutui Jan 2016


Australian Digital Forensics Conference

The easy access and common usage of GNSS systems has provided a wealth of evidential information that may be accessed by a digital forensic investigator. Google Earth is commonly used on all manner of devices for geolocation services and consequently has a wide range of tools that will relate real time and stored GNSS data to maps. As an aid to investigation Google Earth forensics is available for use. An investigator can use it by downloading geolocation data from devices and placing it on Google Earth maps, place geolocation data on historical archival maps, or by direct usage of the …


Memory Forensic Data Recovery Utilising Ram Cooling Methods, Kedar Gupta, Alastair Nisbet Jan 2016


Australian Digital Forensics Conference

Forensic investigations of digital devices are generally conducted on a seized device in a secure environment. This usually necessitates powering down the device and taking an image of the hard drive or semi-permanent storage in the case of solid state technology. Guidelines for forensic investigations of computers advise that the computer should be shut down by removing the power supply and thereby maintaining the hard disk in the state it was in whilst running. However, valuable forensic evidence often exists in the volatile memory which is lost when this process is followed. The issues of locked accounts on running computers …


Improving Forensic Software Tool Performance In Detecting Fraud For Financial Statements, Brian Cusack, Tau’Aho Ahokov Jan 2016


Australian Digital Forensics Conference

The use of computer forensics is important for forensic accounting practice because most accounting information is in digital forms today. The access to evidence is increasingly more complex and in far greater volumes than in previous decades. The effective and efficient means of detecting fraud are required for the public to maintain their confidence in the reliability of accounting audit and the reputation of accounting firms. The software tools used by forensic accounting can be called into question. Many appear inadequate when faced with the complexity of fraud and there needs to be the development of automated and specialist problem-solving …


Establishing Effective And Economical Traffic Surveillance In Tonga, Brian Cusack, George Maeakafa Jan 2016


Australian Digital Forensics Conference

The Pacific Islands are seriously challenged by the growth in wealth and the expansion of international material possessions. On the roads traffic has grown dramatically and the types of vehicles now using Island roads has greatly changed. With the importation of cheap second hand vehicles designed for freeway speeds serious safety issues have grown proportionally with the increasing numbers. In this research we consider the prohibitive costs of traditional traffic controls to economy and propose a lightweight highly mobile aerial surveillance system that integrates with ground policing capability. Our research question was: How can road safety and security be …


Mapping The Laws Which Apply To Intercepting Wireless Communications In A Western Australian Legal Context, Tim Thomas, Craig Valli Jan 2015


Australian Digital Forensics Conference

The rapid evolution and deployment of WiFi technology creates a new environment where offenders can intercept and obtain sensitive information for use in the commissioning of further criminal activity. This paper explores how the law applies to and protects the wireless communications environment, with specific focus on the interception of WiFi data communications.


Steganography As A Threat – Fairytale Or Fact?, Tom Cleary Jan 2015


Australian Digital Forensics Conference

Almost since the birth of the Internet, there has been a fear that steganographically-encoded threats would be used to bring harm. Serious consideration has been given to the idea that merely downloading an image could introduce malware. Yet, for decades, evidence of this malware channel has been missing in action. There is still an unwritten assumption that images are harmless. Many vendors have implicitly avoided producing defences against steganographic threats. Is it truly impossible to make a widely harmful exploit this way or have malicious actors accepted general wisdom? Three recent papers suggest that there may be a new chapter …


Towards A Standardised Strategy To Collect And Distribute Application Software Artifacts, Thomas Laurenson, Stephen Macdonell, Hank Wolfe Jan 2015


Australian Digital Forensics Conference

Reference sets contain known content that is used to identify relevant or filter irrelevant content. Application profiles are a type of reference set that contain digital artifacts associated with application software. An application profile can be compared against a target data set to identify relevant evidence of application usage in a variety of investigation scenarios. The research objective is to design and implement a standardised strategy to collect and distribute application software artifacts using application profiles. An advanced technique for creating application profiles was designed using a formalised differential analysis strategy. The design was implemented in a live differential forensic …


Improving The Detection And Validation Of Inland Revenue Numbers, Henry Gee, Thomas Laurenson, Hank Wolfe Jan 2015


Australian Digital Forensics Conference

Forensic analysis commonly involves searching an investigation target for personal identifiable information. An Inland Revenue Department (IRD) number is used for taxation purposes in New Zealand and can provide evidence of perpetrator identity, transaction information or electronic fraud. This research has designed and implemented a bulk_extractor feature scanner to detect and validate IRD numbers (features). The IRD scanner has been tested on a known data set to ensure tool functionality. A large real world data set was then used to determine scanner effectiveness in a realistic investigation scenario. Real world data set testing highlighted a high number of unrelated features …
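The detect-and-validate step the abstract describes, as an added example that is not the authors' bulk_extractor scanner: find 8- or 9-digit candidates in a text buffer, then keep only those that pass the IRD number check digit. The weights (primary 3,2,7,6,5,4,3,2; secondary 7,4,3,2,5,2,7,6, applied when the primary result is 10), the modulus-11 rule and the 10,000,000 to 150,000,000 range follow the validation routine Inland Revenue publishes for IRD numbers; the candidate regex, the sample buffer and the test values are my own. The sample deliberately contains a number that is the right shape but has a wrong check digit, which is the kind of unrelated feature a shape-only scanner reports.

```python
import re
from typing import List, Optional, Tuple

PRIMARY_WEIGHTS = (3, 2, 7, 6, 5, 4, 3, 2)
SECONDARY_WEIGHTS = (7, 4, 3, 2, 5, 2, 7, 6)
MIN_IRD, MAX_IRD = 10_000_000, 150_000_000

# Candidate shape: 8 or 9 digits, optionally grouped as 12-345-678 / 123-456-789.
# The look-arounds stop the scanner from carving an IRD-shaped slice out of a
# longer digit run such as a phone number or card number.
CANDIDATE_RE = re.compile(r"(?<!\d)(\d{2,3}[- ]?\d{3}[- ]?\d{3})(?!\d)")

# Constructed buffer: one valid grouped number, one valid plain number, one
# shape-only false positive (wrong check digit), one 10-digit phone number.
SAMPLE_TEXT = (
    "Client IRD: 49-091-850. Invoice 136410133 paid on 3 Mar; "
    "supplier ref 136410132. Contact 0212345678."
)


def check_digit(base8: str) -> Optional[int]:
    """Compute the IRD check digit for the first eight digits, or None if undefined."""
    for weights in (PRIMARY_WEIGHTS, SECONDARY_WEIGHTS):
        total = sum(int(d) * w for d, w in zip(base8, weights))
        remainder = total % 11
        digit = 0 if remainder == 0 else 11 - remainder
        if digit != 10:
            return digit
        # A result of 10 under the primary weights means: retry with the secondary set.
    return None


def normalise(candidate: str) -> str:
    """Strip separators and left-pad an 8-digit number to the 9-digit form."""
    return re.sub(r"\D", "", candidate).zfill(9)


def is_valid_ird(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    if len(digits) not in (8, 9):
        return False
    if not MIN_IRD <= int(digits) <= MAX_IRD:
        return False
    digits = digits.zfill(9)
    return check_digit(digits[:8]) == int(digits[8])


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (offset, normalised number) for every validated IRD number in the buffer."""
    hits: List[Tuple[int, str]] = []
    for m in CANDIDATE_RE.finditer(text):
        if is_valid_ird(m.group(1)):
            hits.append((m.start(1), normalise(m.group(1))))
    return hits


def scan_shape_only(text: str) -> List[str]:
    """What a scanner without validation would report, for comparison."""
    return [normalise(m.group(1)) for m in CANDIDATE_RE.finditer(text)]


if __name__ == "__main__":
    print("shape only :", scan_shape_only(SAMPLE_TEXT))
    print("validated  :", scan_text(SAMPLE_TEXT))
```

Validation removes the wrong-check-digit hit, but a random 8- or 9-digit string still passes the check digit about one time in eleven, so on a large real-world image the validated feature list will still carry unrelated numbers; the abstract's remark about a high number of unrelated features is exactly what to expect, and the offset returned here is what lets an examiner go back to the surrounding context to judge each one.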


Mobile Device Damage And The Challenges To The Modern Investigator, Dan Blackman Jan 2015


Australian Digital Forensics Conference

Mobile Forensics has developed into an area of significant concern to law enforcement agencies and their counterparts, specifically as a result of individuals moving away from using traditional computers and focusing attention on their mobile device. Due to the smart phone being almost permanently attached to the person or in near proximity, it has become a significant source of information for investigators and can mean the difference between proving guilt or innocence. Tools have long been established, which provide agencies the ability to encapsulate expertise, which allows the easy download and production of reports for the mobile device and how …


File System Modelling For Digital Triage: An Inductive Profiling Approach, Benjamin Rice, Benjamin Turnbull Jan 2015


Australian Digital Forensics Conference

Digital Triage is the initial, rapid screening of electronic devices as a precursor to full forensic analysis. Triage has numerous benefits including resource prioritisation, greater involvement of criminal investigators and the rapid provision of initial outcomes. In traditional scientific forensics and criminology, certain behavioural attributes and character traits can be identified and used to construct a case profile to focus an investigation and narrow down a list of suspects. This research introduces the Triage Modelling Tool (TMT), that uses a profiling approach to identify how offenders utilise and structure files through the creation of file system models. Results from the …


Cyber Blackbox For Collecting Network Evidence, Jooyoung Lee, Sunoh Choi, Yangseo Choi, Jonghyun Kim, Ikkyun Kim, Youngseok Lee Jan 2015


Australian Digital Forensics Conference

In recent years, the hottest topics in the security field are related to advanced persistent attacks. As an approach to solve this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual-volume-based WORM device, called EvidenceLock, to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. Also this paper includes a study on the network evidence which is collected and preserved for analyzing the cause of cyber incident. Then, a method is proposed to suggest a starting …
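The two properties the abstract combines, write-once preservation and deduplication, modelled in software as an added example that is not EvidenceLock's design: captured payloads are stored content-addressed (an identical packet is kept once), and every append extends a hash chain over the journal so that a later change to either a stored chunk or a journal entry is detected. The packet payloads are constructed byte strings, and the chain format is my own; a real WORM volume enforces append-only at the device, which this in-memory model only checks after the fact.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceStore:
    """Append-only, content-addressed capture store with a hash-chained journal."""
    chunks: Dict[str, bytes] = field(default_factory=dict)        # chunk id -> payload
    journal: List[Tuple[float, str, str]] = field(default_factory=list)  # (ts, chunk id, link)
    bytes_ingested: int = 0

    def append(self, ts: float, payload: bytes) -> str:
        """Record one captured payload; duplicate bytes are stored once."""
        cid = sha256_hex(payload)
        self.bytes_ingested += len(payload)
        if cid not in self.chunks:
            self.chunks[cid] = payload
        prev = self.journal[-1][2] if self.journal else GENESIS
        # Each link commits to the previous link, the capture time and the chunk id.
        link = sha256_hex(f"{prev}|{ts:.6f}|{cid}".encode())
        self.journal.append((ts, cid, link))
        return cid

    def bytes_stored(self) -> int:
        return sum(len(p) for p in self.chunks.values())

    def dedup_ratio(self) -> float:
        """Ingested bytes per stored byte; 1.0 means nothing was deduplicated."""
        stored = self.bytes_stored()
        return self.bytes_ingested / stored if stored else 1.0

    def verify(self) -> bool:
        """Recompute every chunk hash and every chain link from scratch."""
        prev = GENESIS
        for ts, cid, link in self.journal:
            payload = self.chunks.get(cid)
            if payload is None or sha256_hex(payload) != cid:
                return False
            if sha256_hex(f"{prev}|{ts:.6f}|{cid}".encode()) != link:
                return False
            prev = link
        return True


# Constructed packet payloads; two entries repeat the same SYN bytes, as a
# retransmission and a repeated scanner probe would.
PACKETS: List[Tuple[float, bytes]] = [
    (1.000, b"\x45\x00\x00\x3c" + b"SYN 203.0.113.9 -> 198.51.100.7:22"),
    (1.004, b"\x45\x00\x00\x3c" + b"SYN 203.0.113.9 -> 198.51.100.7:22"),
    (1.010, b"\x45\x00\x00\x28" + b"ACK 198.51.100.7:22 -> 203.0.113.9"),
    (2.000, b"\x45\x00\x00\x3c" + b"SYN 203.0.113.9 -> 198.51.100.7:22"),
    (2.500, b"\x45\x00\x01\x00" + b"SSH-2.0-OpenSSH_7.4"),
]


def ingest(packets: List[Tuple[float, bytes]]) -> EvidenceStore:
    store = EvidenceStore()
    for ts, payload in packets:
        store.append(ts, payload)
    return store


if __name__ == "__main__":
    s = ingest(PACKETS)
    print(f"{len(s.journal)} records, {len(s.chunks)} unique chunks, "
          f"ratio {s.dedup_ratio():.2f}, chain ok: {s.verify()}")
```

Deduplicating on whole-packet bytes is the simplest choice and only pays off for exact repeats; a store that chunks payloads at content-defined boundaries would catch repeated segments inside larger flows at the cost of more journal entries. The timestamp stays outside the chunk so that repeats share storage but keep their own order in the journal, which is what an investigator reconstructing a timeline needs.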


Cyber Black Box: Network Intrusion Forensics System For Collecting And Preserving Evidence Of Attack, Jong-Hyun Kim, Joo-Young Lee, Yangseo Choi, Sunoh Choi, Ik-Kyun Kim Jan 2015


Australian Digital Forensics Conference

Once the system is compromised, the forensics and investigation are always executed after the attacks and the loss of some useful instant evidence. Since there is no log information necessary for analyzing an attack cause after the cyber incident occurs, it is difficult to analyze the cause of an intrusion even after an intrusion event is recognized. Moreover, in an advanced cyber incident such as advanced persistent threats, several months or more are expended in only analyzing a cause, and it is difficult to find the cause with conventional security equipment. In this paper, we introduce a network intrusion forensics …


Comparison Of Live Response, Linux Memory Extractor (LiME) And Mem Tool For Acquiring Android's Volatile Memory In The Malware Incident, Andri Heriyanto, Craig Valli, Peter Hannay Jan 2015


Australian Digital Forensics Conference

The increasing use of encryption and obfuscation within the malware development arena has necessitated the use of volatile memory acquisition on smartphone platforms. Current smartphone forensics research lacks a well-formulated process for the acquisition of volatile memory. This research evaluates and contrasts three differing tools for acquisition of volatile memory from the Android platform: Live Response, Linux Memory Extractor (LiME) and Mem Tool. Evaluation is conducted through practical examination during the analysis of an infected device. The results demonstrate a combination of LiME and the Volatility Framework provides the most robust findings. Complexities due to the nature of LiME prevent …


Mining Social Networking Sites For Digital Evidence, Brian Cusack, Saud Alshaifi Jan 2015


Australian Digital Forensics Conference

Online Social Networking sites (SNS) hold a vast amount of information that individuals and organisations post about themselves. Investigations include SNS as sources of evidence and the challenge is to have effective tools to extract the evidence. In this exploratory research we apply the latest version of a proprietary tool to identify potential evidence from five SNS using three different browsers. We found that each web browser influenced the scope of the evidence extracted. In previous research we have shown that different open source and proprietary tools influence the scope of evidence obtained. In this research we asked, What variation …


The Challenges Of Seizing And Searching The Contents Of Wi-Fi Devices For The Modern Investigator, Dan Blackman, Patryk Szewczyk Jan 2015


Australian Digital Forensics Conference

To the modern law enforcement investigator, the potential for an offender to have a mobile device on his or her person, who connects to a Wi-Fi network, may afford evidence to place them at a scene, at a particular time. Whilst tools to interrogate mobile devices and Wi-Fi networks, have undergone significant development, little research has been conducted with regards to interrogating Wi-Fi routers and the evidence they may contain. This paper demonstrates that multiple inhibiting factors exist for forensic investigators when attempting to extract data from Wi-Fi routers at the scene. Data volatility means the Wi-Fi router cannot be …


Image Similarity Using Dynamic Time Warping Of Fractal Features, Ahmed Ibrahim, Craig Valli Jan 2015


Australian Digital Forensics Conference

Hashing algorithms such as MD/SHA variants have been used for years by forensic investigators to look for known artefacts of interest such as malicious files. However, such hashing algorithms are not effective when their hashes change with the slightest alteration in the file. Fuzzy hashing overcame this limitation to a certain extent by providing a close enough measure for slight modifications. As such, image forensics is an essential part of any digital crime investigation, especially in cases involving child pornography. Unfortunately such hashing algorithms can be thwarted easily by operations as simple as saving the original file in a different …
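The contrast the abstract draws, as an added example that is not the authors' code: a cryptographic hash of an image changes completely when one pixel changes, while a dynamic time warping (DTW) distance over a per-image feature sequence stays small for a near-copy and tolerates a resized copy whose feature sequence is stretched. DTW itself is the standard dynamic-programming algorithm; the feature sequence used here (the mean intensity of each row of a tiny constructed greyscale image) is a placeholder for the paper's fractal features, and the four sample images are my own.

```python
import hashlib
from typing import List, Sequence

Image = List[List[int]]  # rows of 8-bit greyscale values


def dtw_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Classic DTW: minimum cumulative |a_i - b_j| over monotone warping paths."""
    n, m = len(a), len(b)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            # Extend the cheapest of: advance a, advance b, advance both.
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]


def row_profile(image: Image) -> List[float]:
    """Placeholder feature sequence: mean intensity of each row (not fractal features)."""
    return [sum(row) / len(row) for row in image]


def image_sha256(image: Image) -> str:
    """Exact-match hash of the raw pixel bytes, as a known-file hash set would use."""
    return hashlib.sha256(bytes(v for row in image for v in row)).hexdigest()


# Constructed 4x4 and 5x4 greyscale images.
ORIGINAL: Image = [[10, 10, 200, 200], [10, 10, 200, 200], [50, 50, 50, 50], [90, 90, 90, 90]]
ALTERED: Image = [row[:] for row in ORIGINAL]
ALTERED[0][0] = 11                     # one pixel off by one, as a re-save might produce
RESIZED: Image = ORIGINAL[:2] + [ORIGINAL[1]] + ORIGINAL[2:]   # one row duplicated (vertical stretch)
UNRELATED: Image = [[255, 0, 255, 0], [0, 255, 0, 255], [255, 0, 255, 0], [0, 255, 0, 255]]


def similarity_report(reference: Image, candidates: dict) -> dict:
    """For each candidate: does the exact hash match, and how far is it under DTW?"""
    ref_hash = image_sha256(reference)
    ref_feat = row_profile(reference)
    return {
        name: {
            "hash_match": image_sha256(img) == ref_hash,
            "dtw": dtw_distance(ref_feat, row_profile(img)),
        }
        for name, img in candidates.items()
    }


if __name__ == "__main__":
    report = similarity_report(ORIGINAL, {"altered": ALTERED, "resized": RESIZED, "unrelated": UNRELATED})
    for name, r in report.items():
        print(f"{name:10s} hash_match={r['hash_match']!s:5s} dtw={r['dtw']:.2f}")
```

DTW is O(n·m) per pair, so against a large reference set it is a second-stage comparison after a cheap filter, not a replacement for hash lookups; and because the distance depends entirely on the feature sequence, the row-mean placeholder above is easy to defeat (a horizontal flip leaves it unchanged), which is why the paper's choice of feature matters as much as the distance.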