Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Digital forensics

Articles 1 - 30 of 142

Full-Text Articles in Physical Sciences and Mathematics

Forensic Investigation Of Small-Scale Digital Devices: A Futuristic View, Farkhund Iqbal, Aasia Jaffri, Zainab Khalid, Aine Macdermott, Qazi Ejaz Ali, Patrick C. K. Hung Jul 2023

All Works

Small-scale digital devices like smartphones, smart toys, drones, gaming consoles, tablets, and other personal data assistants have now become ingrained constituents in our daily lives. These devices store massive amounts of data related to individual traits of users, their routine operations, medical histories, and financial information. At the same time, with continuously evolving technology, the diversity in operating systems, client storage localities, remote/cloud storages and backups, and encryption practices renders the forensic analysis task multi-faceted. This makes forensic investigators having to deal with an array of novel challenges. This study reviews the forensic frameworks and procedures used in investigating small-scale …


An ML Based Digital Forensics Software For Triage Analysis Through Face Recognition, Gaurav Gogia, Parag H. Rughani Jul 2023

Journal of Digital Forensics, Security and Law

Since the past few years, the complexity and heterogeneity of digital crimes has increased exponentially, which has made the digital evidence & digital forensics paramount for both criminal investigation and civil litigation cases. Some of the routine digital forensic analysis tasks are cumbersome and can increase the number of pending cases especially when there is a shortage of domain experts. While the work is not very complex, the sheer scale can be taxing. With the current scenarios and future predictions, crimes are only going to become more complex and the precedent of collecting and examining digital evidence is only going …


Book Review: Digital Forensics And Cyber Investigation Nov 2022

International Journal of Cybersecurity Intelligence & Cybercrime

No abstract provided.


Using Deep Learning To Detect Social Media ‘Trolls’, Áine Macdermott, Michal Motylinski, Farkhund Iqbal, Kellyann Stamp, Mohammed Hussain, Andrew Marrington Sep 2022

All Works

Detecting criminal activity online is not a new concept but how it can occur is changing. Technology and the influx of social media applications and platforms has a vital part to play in this changing landscape. As such, we observe an increasing problem with cyber abuse and ‘trolling’/toxicity amongst social media platforms sharing stories, posts, memes sharing content. In this paper we present our work into the application of deep learning techniques for the detection of ‘trolls’ and toxic content shared on social media platforms. We propose a machine learning solution for the detection of toxic images based on embedded …


Assessing The Practical Cybersecurity Skills Gained Through Criminal Justice Academic Programs To Benefit Security Operations Centers (SOCs), Lucy Tsado, Jung Seob "Scott" Kim Jul 2022

Journal of Cybersecurity Education, Research and Practice

Private-sector and public-sector organizations have increasingly built specific business units for securing company assets, reputation, and lives, known as security operations centers (SOCs). Depending on the organization, these centers may also be referred to as global security operations centers, cybersecurity operations centers, fusion centers, and corporate command centers, among many other names. The concept of centralized function within an organization to improve an organization’s security posture has attracted both the government and the private sectors to either build their own SOCs or hire third-party SOC companies.

In this article, the need for a multidisciplinary approach to cybersecurity education at colleges …


Error Level Analysis Technique For Identifying JPEG Block Unique Signature For Digital Forensic Analysis, Nor Amira Nor Azhan, Richard Adeyemi Ikuesan, Shukor Abd Razak, Victor R. Kebande May 2022

All Works

The popularity of unique image compression features of image files opens an interesting research analysis process, given that several digital forensics cases are related to diverse file types. Of interest has been fragmented file carving and recovery which forms a major aspect of digital forensics research on JPEG files. Whilst there exist several challenges, this paper focuses on the challenge of determining the co-existence of JPEG fragments within various file fragment types. Existing works have exhibited a high false-positive rate, therefore rendering the need for manual validation. This study develops a technique that can identify the unique signature of JPEG …


Automated Reconstructions For The Digital Forensic Examiner Workflow, Ryan P. Montgomery Mar 2022

Theses and Dissertations

One product of a digital forensics examination is a reconstruction of events recorded in the media. A reconstruction places all of the case relevant trace into temporal, identity and associative relationships. Creating this reconstruction is a manual and time consuming process for the examiner. This thesis presents AIER. AIER integrates automation, abstraction and visualization into the Autopsy forensic software to improve the reconstruction process. The integration utilizes a custom Autopsy ingest module to extract and abstract artifact data and an interactive graph-based timeline visualization module. These improvements to the forensic examiner workflow are evaluated through a series of use cases.


Technical Behaviours Of Child Sexual Exploitation Material Offenders, Chad Steel, Emily Newman, Suzanne O'Rourke, Ethel Quayle Jan 2022

Journal of Digital Forensics, Security and Law

An exploration of the technological behaviours of previously convicted child sexual exploitation material (CSEM) offenders provides a foundation for future applied research into deterrence, investigation, and treatment efforts. This study evaluates the technology choices and transitions of individuals previously convicted of CSEM offenses. Based on their inclusion in two sex offender registries, anonymous survey results (n=78) were collected from English-speaking adults within the United States. CSEM offenders chose technologies based on both utility and perceived risk; peer-to-peer and web-browsers were the most common gateway technologies and showed substantial sustained usage; a substantial minority of users never stored CSEM and only …


Forensic Discoverability Of iOS Vault Applications, Alissa Gilbert, Kathryn C. Seigfried-Spellar Jan 2022

Journal of Digital Forensics, Security and Law

Vault Applications are used to store potentially sensitive information on a smartphone; and are available on Android and iOS. The purpose of using these applications could be used to hide potential evidence or illicit photos. After comparing five different iOS photo vaults, each vault left evidence and photos behind. However, of the three forensic toolkits used, each produced different results in their scans of the phone. The media left behind was due to the photo vaults not protecting their information as claimed, and using basic obfuscation techniques in place of security controls. Future research will look at how newer security …


Secure Storage Model For Digital Forensic Readiness, Avinash Singh, Richard Adeyemi Ikuesan, Hein Venter Jan 2022

All Works

Securing digital evidence is a key factor that contributes to evidence admissibility during digital forensic investigations, particularly in establishing the chain of custody of digital evidence. However, not enough is done to ensure that the environment and access to the evidence are secure. Attackers can go to extreme lengths to cover up their tracks, which is a serious concern to digital forensics – particularly digital forensic readiness. If an attacker gains access to the location where evidence is stored, they could easily alter the evidence (if not remove it altogether). Even though integrity checks can be performed to ensure that …


An Empirical Investigation Of The Evidence Recovery Process In Digital Forensics, Kevin Parviz Jan 2022

CCE Theses and Dissertations

The widespread use of the digital media in committing crimes, and the steady increase of their storage capacity has created backlogs at digital forensic labs. The problem is exacerbated especially in high profile crimes. In many such cases the judicial proceedings mandate full analysis of the digital media, when doing so is rarely accomplished or practical. Prior studies have proposed different phases for forensic analysis, to lessen the backlog issues. However, these phases are not distinctly differentiated, and some proposed solutions may not be practical. This study utilized several past police forensic analyses. Each case was chosen for having five …


Social Media User Relationship Framework (SMURF), Anne David, Sarah Morris, Gareth Appleby-Thomas Feb 2021

Journal of Digital Forensics, Security and Law

The use of social media has spread through many aspects of society, allowing millions of individuals, corporate as well as government entities to leverage the opportunities it affords. These opportunities often end up being exploited by a small percentage of the user community who use it for objectionable or unlawful activities; for example, trolling, cyber bullying, grooming, luring. In some cases, these unlawful activities result in investigations where swift retrieval of critical evidence is required in order to save a life.

This paper presents a proof of concept (PoC) framework for social media user attribution. The framework aims to provide digital …


Towards Increasing Trust In Expert Evidence Derived From Malware Forensic Tools, Ian M. Kennedy, Blaine Price, Arosha Bandara Oct 2020

Journal of Digital Forensics, Security and Law

Following a series of high profile miscarriages of justice in the UK linked to questionable expert evidence, the post of the Forensic Science Regulator was created in 2008. The main objective of this role is to improve the standard of practitioner competences and forensic procedures. One of the key strategies deployed to achieve this is the push to incorporate a greater level of scientific conduct in the various fields of forensic practice. Currently there is no statutory requirement for practitioners to become accredited to continue working with the Criminal Justice System of England and Wales. However, the Forensic Science Regulator …


A First Look At Forensic Analysis Of SailfishOS, Krassimir Tzvetanov, Umit Karabiyik Aug 2020

Faculty Publications

SailfishOS is a Linux kernel-based embedded device operation system, mostly deployed on cell phones. Currently, there is no sufficient research in this space, and at the same time, this operating system is gaining popularity, so it is likely for investigators to encounter it in the field. This paper focuses on mapping the digital artifacts pertinent to an investigation, which can be found on the filesystem of a phone running SailfishOS 3.2. Currently, there is no other known publicly available research and no commercially available solutions for the acquisition and analysis of this platform. This is a major gap, as the …


A Two-Stage Model For Social Network Investigations In Digital Forensics, Anne David, Sarah Morris, Gareth Appleby-Thomas Aug 2020

Journal of Digital Forensics, Security and Law

This paper proposes a two-stage model for identifying and contextualizing features from artefacts created as a result of social networking activity. This technique can be useful in digital investigations and is based on understanding and the deconstruction of the processes that take place prior to, during and after user activity; this includes corroborating artefacts. Digital Investigations are becoming more complex due to factors such as, the volume of data to be examined; different data formats; a wide range of sources for digital evidence; the volatility of data and the limitations of some of the standard digital forensic tools. This paper …


Digital Forensic Readiness: An Examination Of Law Enforcement Agencies In The State Of Maryland, James B. Mcnicholas III Apr 2020

Masters Theses & Doctoral Dissertations

Digital forensic readiness within the law enforcement community, especially at the local level, has gone mostly unexplored. As a result, a current lack of data exists that examines the digital forensic readiness of individual agencies, the possibility of proximity relationships, and correlations between readiness and backlogs. This quantitative, cross-sectional research study sought to explore these issues by focusing on the state of Maryland. The study resulted in the creation of a digital forensic readiness scoring model that was then used to assign digital forensic readiness scores to thirty (30) of the one-hundred-forty-one (141) law enforcement agencies throughout Maryland. It was …


Review Of Fundamental To Know About The Future, Hannarae Lee Feb 2020

International Journal of Cybersecurity Intelligence & Cybercrime

What we consider fundamental elements can be easily overlooked or perceived as facts without the process of empirical testing. Especially in the field of cybercrime and cybersecurity, there are more speculations regarding the prevalence and the scope of harm carried out by wrongdoers than empirically tested studies. To fill the void, three articles included in the current issue address empirical findings of fundamental concerns and knowledge in the field of cybercrime and cybersecurity.


Fast Forensic Triage Using Centralised Thumbnail Caches On Windows Operating Systems, Sean Mckeown, Gordon Russell, Petra Leimich Sep 2019

Journal of Digital Forensics, Security and Law

A common investigative task is to identify known contraband images on a device, which typically involves calculating cryptographic hashes for all the files on a disk and checking these against a database of known contraband. However, modern drives are now so large that it can take several hours just to read this data from the disk, and can contribute to the large investigative backlogs suffered by many law enforcement bodies. Digital forensic triage techniques may thus be used to prioritise evidence and effect faster investigation turnarounds. This paper proposes a new forensic triage method for investigating disk evidence relating to …


Chip-Off Success Rate Analysis Comparing Temperature And Chip Type, Choli Ence, Joan Runs Through, Gary D. Cantrell Feb 2019

Journal of Digital Forensics, Security and Law

Throughout the digital forensic community, chip-off analysis provides examiners with a technique to obtain a physical acquisition from locked or damaged digital device. Thermal based chip-analysis relies upon the application of heat to remove the flash memory chip from the circuit board. Occasionally, a flash memory chip fails to successfully read despite following similar protocols as other flash memory chips. Previous research found the application of high temperatures increased the number of bit errors present in the flash memory chip. The purpose of this study is to analyze data collected from chip-off analyses to determine if a statistical difference exists …


A Practitioner Survey Exploring The Value Of Forensic Tools, AI, Filtering, & Safer Presentation For Investigating Child Sexual Abuse Material, Laura Sanchez, Cinthya Grajeda, Ibrahim Baggili, Cory Hall Jan 2019

Electrical & Computer Engineering and Computer Science Faculty Publications

For those investigating cases of Child Sexual Abuse Material (CSAM), there is the potential harm of experiencing trauma after illicit content exposure over a period of time. Research has shown that those working on such cases can experience psychological distress. As a result, there has been a greater effort to create and implement technologies that reduce exposure to CSAM. However, not much work has explored gathering insight regarding the functionality, effectiveness, accuracy, and importance of digital forensic tools and data science technologies from practitioners who use them. This study focused specifically on examining the value practitioners give to the tools …


Security Analysis Of The Internet Of Things Using Digital Forensic And Penetration Testing Tools, Olajide Ojagbule Jan 2019

Electronic Theses and Dissertations

We exist in a universe where everything is related to the internet or each other like smart TVs, smart telephones, smart thermostat, cars and more. Internet of Things has become one of the most talked about technologies across the world and its applications range from the control of home appliances in a smart home to the control of machines on the production floor of an industry that requires less human intervention in performing basic daily tasks. Internet of Things has rapidly developed without adequate attention given to the security and privacy goals involved in its design and implementation. This document …


MRSH-MEM: Approximate Matching On Raw Memory Dumps, Lorenz Liebler, Frank Breitinger Nov 2018

Electrical & Computer Engineering and Computer Science Faculty Publications

This paper presents the fusion of two subdomains of digital forensics: (1) raw memory analysis and (2) approximate matching. Specifically, this paper describes a prototype implementation named MRSH-MEM that allows to compare hard drive images as well as memory dumps and therefore can answer the question if a particular program (installed on a hard drive) is currently running / loaded in memory. To answer this question, we only require both dumps or access to a public repository which provides the binaries to be tested. For our prototype, we modified an existing approximate matching algorithm named MRSH-NET and combined it with …


Enhancement Of Media Splicing Detection: A General Framework, Songpon Teerakanok, Tetsutaro Uehara Oct 2018

Journal of Digital Forensics, Security and Law

Digital media (i.e., image, audio) has played an influential role in today information system. The increasing of popularity in digital media has brought forth many technological advancements. The advancements, however, also gives birth to a number of forgeries and attacks against this type of information. With the availability of easy-to-use media manipulating tools available online, the authenticity of today digital media cannot be guaranteed. In this paper, a new general framework for enhancing today media splicing detection has been proposed. By combining results from two traditional approaches, the enhanced detection results show improvement in term of clarity in which anomalies …


Fingerprinting JPEGs With Optimised Huffman Tables, Sean Mckeown, Gordon Russell, Petra Leimich Oct 2018

Journal of Digital Forensics, Security and Law

A common task in digital forensics investigations is to identify known contraband images. This is typically achieved by calculating a cryptographic digest, using hashing algorithms such as SHA256, for each image on a given medium, and comparing individual digests with a database of known contraband. However, the large capacities of modern storage media and time pressures placed on forensics examiners necessitates the development of more efficient processing methods. This work describes a technique for fingerprinting JPEGs with optimised Huffman tables which requires only the image header to be present on the media. Such fingerprints are shown to be robust across …


I Know What You Did Last Summer: Your Smart Home Internet Of Things And Your iPhone Forensically Ratting You Out, Gokila Dorai, Shiva Houshmand, Ibrahim Baggili Aug 2018

Electrical & Computer Engineering and Computer Science Faculty Publications

The adoption of smart home Internet of Things (IoT) devices continues to grow. What if your devices can snitch on you and let us know where you are at any given point in time? In this work we examined the forensic artifacts produced by Nest devices, and in specific, we examined the logical backup structure of an iPhone used to control a Nest thermostat, Nest Indoor Camera and a Nest Outdoor Camera. We also integrated the Google Home Mini as another method of controlling the studied Smart Home devices. Our work is the primary account for the examination of Nest …


Digital Forensics In The Next Five Years, Laoise Luciano, Ibrahim Baggili, Mateusz Topor, Peter Casey, Frank Breitinger Aug 2018

Electrical & Computer Engineering and Computer Science Faculty Publications

Cyber forensics has encountered major obstacles over the last decade and is at a crossroads. This paper presents data that was obtained during the National Workshop on Redefining Cyber Forensics (NWRCF) on May 23-24, 2017 supported by the National Science Foundation and organized by the University of New Haven. Qualitative and quantitative data were analyzed from twenty-four cyber forensics expert panel members. This work identified important themes that need to be addressed by the community, focusing on (1) where the domain currently is; (2) where it needs to go and; (3) steps needed to improve it. Furthermore, based on the …


Cyber Anomaly Detection: Using Tabulated Vectors And Embedded Analytics For Efficient Data Mining, Robert J. Gutierrez, Kenneth W. Bauer, Bradley C. Boehmke, Cade M. Saie, Trevor J. Bihl Aug 2018

Faculty Publications

Firewalls, especially at large organizations, process high velocity internet traffic and flag suspicious events and activities. Flagged events can be benign, such as misconfigured routers, or malignant, such as a hacker trying to gain access to a specific computer. Confounding this is that flagged events are not always obvious in their danger and the high velocity nature of the problem. Current work in firewall log analysis is manual intensive and involves manpower hours to find events to investigate. This is predominantly achieved by manually sorting firewall and intrusion detection/prevention system log data. This work aims to improve the ability of …


Drone Forensic Analysis Using Open Source Tools, M A Hannan Bin Azhar, Thomas Edward Allen Barton, Tasmina Islam Mar 2018

Journal of Digital Forensics, Security and Law

Carrying capabilities of drones and their easy accessibility to public have led to an increase in crimes committed using drones in recent years. For this reason, the need for forensic analysis of drones captured from the crime scenes and the devices used for these drones is also paramount. This paper presents the extraction and identification of important artefacts from the recorded flight data as well as the associated mobile devices using open source tools and some basic scripts developed to aid the analysis of two popular drone systems- the DJI Phantom 3 Professional and Parrot AR. Drone 2.0. Although different …


Assessing And Expanding Extracurricular Cybersecurity Youth Activities' Impact On Career Interest, Michael H. Dunn Mar 2018

Theses and Dissertations

This thesis assesses and expands the potential of extracurricular activities to address the shortage of cybersecurity workers by increasing secondary school students’ interest in these careers. Competitions and badges, two forms of gamification often applied in extracurricular educational activities, have potential to improve motivation and increase interest in related careers, but are significantly understudied in the context of cybersecurity activities. CyberPatriot is the largest cybersecurity competition in the United States for secondary school students. Impact on participants’ career interests is assessed by analyzing responses to recent surveys conducted by the competition organizers. Analysis demonstrates significantly increased interest in cybersecurity in …


Digital Image Copy-Move Forgery Detection Based On Discrete Fractional Wavelet Transform, Amanjot Kaur Lamba, Neeru Jindal, Sanjay Sharma Jan 2018

Turkish Journal of Electrical Engineering and Computer Sciences

With the advancement of sophisticated cameras and image editing software tools, digital image tampering techniques are frequently used without leaving visual cues behind. Digital image copy-move forgery is a kind of image manipulation that involves copying and pasting of a certain section (or sections) within the same digital image. Generally, this is done with false intentions of hiding important information or providing false information in an image. In view of this, the focus of the present paper is to propose a discrete fractional wavelet transform-based scheme for identification of duplicated regions in the image. The test image is split into …