Open Access. Powered by Scholars. Published by Universities.®

Information Security Commons

Digital forensics

Articles 61 - 90 of 90

Full-Text Articles in Information Security

A Forensic Overview Of The Lg Smart Tv, Iain Sutherland, Konstantino Xynos, Huw Read, Andy Jones, Tom Drange Jan 2014

Australian Digital Forensics Conference

The emerging Smart TV platform will likely replace traditional television sets over time as the entertainment and communication centrepiece in people’s homes. Given its expanded functionality and now, its online presence, there is a need to identify how they may become part of forensic investigations. The purpose of this paper is to introduce the area of Smart TVs and the potential forensic value these systems present in combination with their ever advancing functionality and capabilities. We provide an overview of Smart TV systems highlighting functionality and potential issues. We also take an initial look at two particular models, from the …


Audit: Automated Disk Investigation Toolkit, Umit Karabiyik, Sudhir Aggarwal Jan 2014

Journal of Digital Forensics, Security and Law

Software tools designed for disk analysis play a critical role today in forensics investigations. However, these digital forensics tools are often difficult to use, usually task specific, and generally require professionally trained users with IT backgrounds. The relevant tools are also often open source requiring additional technical knowledge and proper configuration. This makes it difficult for investigators without some computer science background to easily conduct the needed disk analysis. In this paper, we present AUDIT, a novel automated disk investigation toolkit that supports investigations conducted by non-expert (in IT and disk technology) and expert investigators. Our proof of concept design …


A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton Jan 2014

Journal of Digital Forensics, Security and Law

Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker is immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. …


A Forensically-Enabled Iaas Cloud Computing Architecture, Saad Alqahtany, Nathan Clarke, Steven Furnell, Christoph Reich Jan 2014

Australian Digital Forensics Conference

Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures largely due to the dynamic nature of the cloud. Whilst much research has focused upon identifying the problems that are introduced with a cloud-based system, to date there is a significant lack of research on adapting current digital forensic tools and techniques to a cloud environment. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated …


12th Australian Digital Forensics Conference, 2014, Edith Cowan University: Conference Details, Security Research Institute, Edith Cowan University Jan 2014

Australian Digital Forensics Conference

No abstract provided.


An Efficient Similarity Digests Database Lookup -- A Logarithmic Divide And Conquer Approach, Frank Breitinger, Christian Rathgeb, Harald Baier Jan 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

Investigating seized devices within digital forensics represents a challenging task due to the increasing amount of data. Common procedures utilize automated file identification, which reduces the amount of data an investigator has to examine manually. In the past years the research field of approximate matching has arisen to detect similar data. However, if n denotes the number of similarity digests in a database, then the lookup for a single similarity digest has a complexity of O(n). This paper presents a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(n) to O(log(n)). Our proposed approach is based …


Quantifying Relevance Of Mobile Digital Evidence As They Relate To Case Types: A Survey And A Guide For Best Practices, Shahzad Saleem, Ibrahim Baggili, Oliver Popov Jan 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97 % of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a data set of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to the most relevant …


Educating The Next Generation Of Cyberforensic Professionals, Mark Pollitt, Philip Craiger Jan 2014

Publications

This paper provides a historical overview of the development of cyberforensics as a scientific discipline, along with a description of the current state of training, educational programs, certification and accreditation. The paper traces the origins of cyberforensics, the acceptance of cyberforensics as a forensic science and its recognition as a component of information security. It also discusses the development of professional certification and standardized bodies of knowledge that have had a substantial impact on the discipline. Finally, it discusses the accreditation of cyberforensic educational programs, its linkage with the bodies of knowledge and its effect on cyberforensic educational programs.


A Forensic Comparison: Windows 7 And Windows 8, Peter J. Wilson Nov 2013

Theses

Whenever a new operating system or new version of an operating system is released, forensic investigators must re-examine the new operating system or new version. They do so to determine if there are significant differences that will impact and change the way they perform their investigations. With the release of Microsoft's latest operating system, Windows 8, and its update, Windows 8.1, understanding the similarities and differences between Windows 8 and previous operating systems such as Windows 7 is critical. This paper forensically examines Windows 7 and Windows 8 to determine those similarities and differences.


Information Security Challenge Of Qr Codes, Nik Thompson, Kevin Lee Jan 2013

Journal of Digital Forensics, Security and Law

The discipline of information security must adapt to new technologies and methods of interaction with those technologies. New technologies present both challenges and opportunities for the security professional, especially for areas such as digital forensics. Challenges can be in the form of new devices such as smartphones or new methods of sharing information, such as social networks. One such rapidly emerging interaction technology is the use of Quick Response (QR) codes. These offer a physical mechanism for quick access to Web sites for advertising and social interaction. This paper argues that the common implementation of QR codes potentially presents security …


The Advanced Data Acquisition Model (Adam): A Process Model For Digital Forensic Practice, Richard Adams, Val Hobbs, Graham Mann Jan 2013

Journal of Digital Forensics, Security and Law

As with other types of evidence, the courts make no presumption that digital evidence is reliable without some evidence of empirical testing in relation to the theories and techniques associated with its production. The issue of reliability means that courts pay close attention to the manner in which electronic evidence has been obtained and in particular the process in which the data is captured and stored. Previous process models have tended to focus on one particular area of digital forensic practice, such as law enforcement, and have not incorporated a formal description. We contend that this approach has prevented the …


Analysis Of A Second Hand Google Mini Search Appliance, Stephen Larson Jan 2013

Journal of Digital Forensics, Security and Law

Information and the technological advancements for which mankind develops with regards to its storage has increased tremendously over the past few decades. As the total amount of data stored rapidly increases in conjunction with the amount of widely available computer-driven devices being used, solutions are being developed to better harness this data (LaTulippe, 2011). One of these solutions is commonly known as a search appliance. Search appliances have been used in e-discovery for several years. The Google Mini Search Appliance (Mini) has not only been used for e-discovery, but for indexing and searching internal documents. To accomplish these tasks, search …


Identifying And Attributing Similar Traces With Greatest Common Factor Analysis, Fred Cohen Jun 2012

Journal of Digital Forensics, Security and Law

This paper presents an algorithm for comparing large numbers of traces to each other and identifying and presenting groups of traces with similar features. It is applied to forensic analysis in which groups of similar traces are automatically identified and presented so that attribution and other related claims may be asserted, and independently confirmed or refuted. The approach of this paper is to identify an approximate algorithm that will find a large subset of greatest common factor similar groups of arbitrary factors in far less time and space than an exact algorithm using examiner-provided selection criteria for factor definition.


Identifying Trace Evidence From Target-Specific Data Wiping Application Software, Gregory H. Carlton, Gary C. Kessler Jan 2012

Security Studies & International Affairs - Daytona Beach

"One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected …


Implementing The Automated Phases Of The Partially-Automated Digital Triage Process Model, Gary Cantrell, David A. Dampier Jan 2012

Journal of Digital Forensics, Security and Law

Digital triage is a pre-digital-forensic phase that sometimes takes place as a way of gathering quick intelligence. Although effort has been undertaken to model the digital forensics process, little has been done to-date to model digital triage. This work discusses the further development of a model that attempts to address digital triage, the Partially-automated Crime Specific Digital Triage Process model. The model itself will be presented along with a description of how its automated functionality was implemented to facilitate model testing.


Digital Evidence Education In Schools Of Law, Aaron Alva, Barbara Endicott-Popovsky Jan 2012

Journal of Digital Forensics, Security and Law

An examination of State of Connecticut v. Julie Amero provides insight into how a general lack of understanding of digital evidence can cause an innocent defendant to be wrongfully convicted. By contrast, the 101-page opinion in Lorraine v. Markel American Insurance Co. provides legal precedence and a detailed consideration for the admission of digital evidence. An analysis of both cases leads the authors to recommend additions to Law School curricula designed to raise the awareness of the legal community to ensure such travesties of justice, as in the Amero case, don’t occur in the future. Work underway at the University …


A Case Study In Forensic Analysis Of Control, Fred Cohen Jan 2011

Journal of Digital Forensics, Security and Law

This paper describes a case study in which a method for forensic analysis of control was applied to resolve probative technical issues in a legal action. It describes one instance in which the analysis was successfully applied without challenge, addresses the details of most of the different facets of the analysis method, and demonstrates how such analysis provides a systematic approach to using technical methods to address legal issues as a case study.


Kindle Forensics: Acquisition & Analysis, Peter Hannay Jan 2011

Journal of Digital Forensics, Security and Law

The Amazon Kindle eBook reader supports a wide range of capabilities beyond reading books. This functionality includes an inbuilt cellular data connection known as Whispernet. The Kindle provides web browsing, an application framework, eBook delivery and other services over this connection. The historic data left by user interaction with this device may be of forensic interest. Analysis of the Amazon Kindle device has resulted in a method to reliably extract and interpret data from these devices in a forensically complete manner.


Legal Issues Regarding Digital Forensic Examiners Third Party Consent To Search, Thomas Lonardo, Doug White, Tricia P. Martland, Alan Rea Jan 2011

Journal of Digital Forensics, Security and Law

This paper focuses on Federal law as it relates to consent to search relating to Fourth Amendment privacy in the practice of Digital Forensics. In particular, Digital Examiners should be aware of how decisions in Federal Court may impact their ability to acquire evidence in both civil and criminal settings. Digital Forensics, being a relatively new field, is particularly subject to change as cases and appeals are decided. This paper provides an overview of relevant case law relating to issues in Digital Forensics. More importantly, our research provides Digital Forensic Examiners (DFE), as defined by Lonardo, White, and Rea (2008, …


Investigating Modern Communication Technologies: The Effect Of Internet-Based Communication Technologies On The Investigation Process, Matthew Simon, Jill Slay Jan 2011

Journal of Digital Forensics, Security and Law

Communication technologies are commonplace in modern society. For many years there were only a handful of communication technologies provided by large companies, namely the Public Switched Telephone Network (PSTN) and mobile telephony; these can be referred to as traditional communication technologies. Over the lifetime of traditional communication technologies there has been little technological evolution and as such, law enforcement developed sound methods for investigating targets using them. With the advent of communication technologies that use the Internet – Internet-based or contemporary communication technologies – law enforcement are faced with many challenges. This paper discusses these challenges and their potential impact. It …


Adaptation Of Pyflag To Efficient Analysis Of Seized Computer Data Storage, Aleksander Byrski, Wojciech Stryjewski, Bartłomiej Czechowicz Jan 2010

Journal of Digital Forensics, Security and Law

Based on existing software aimed at investigation support in the analysis of computer data storage seized during investigation (PyFlag), an extension is proposed involving the introduction of dedicated components for data identification and filtering. Hash codes for popular software contained in NIST/NSRL database are considered in order to avoid unwanted files while searching and to classify them into several categories. The extension allows for further analysis, e.g. using artificial intelligence methods. The considerations are illustrated by the overview of the system's design.


Malware Forensics: Discovery Of The Intent Of Deception, Murray Brand, Craig Valli, Andrew Woodward Jan 2010

Journal of Digital Forensics, Security and Law

Malicious software (malware) has a wide variety of analysis avoidance techniques that it can employ to hinder forensic analysis. Although legitimate software can incorporate the same analysis avoidance techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of such techniques to make detailed analysis labour intensive and very time consuming. Analysis avoidance techniques are so heavily used by malware that the detection of the use of analysis avoidance techniques could be a very good indicator of the presence of malicious intent. However, there is a tendency for analysis …


Book Review: Digital Forensic Evidence Examination, Gary C. Kessler Jan 2010

Publications

This document is Dr. Kessler's review of the second edition of Digital Forensic Evidence Examination by Fred Cohen. ASP Press, 2010. ISBN: 978-1-878109-45-3


Book Review: Cyber Security And Global Information Assurance: Threat Analysis And Response Solutions, Gary C. Kessler Jan 2009

Publications

This document is Dr. Kessler's review of Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions, edited by Kenneth J. Knapp. Information Science Reference, 2009. ISBN: 978-1-60566-326-5.


Information Sharing: Hackers Vs Law Enforcement, David P. Biros, Mark Weiser, Jim Burkman, Jason Nichols Dec 2008

Australian Information Warfare and Security Conference

The fields of information assurance and digital forensics continue to grow in both importance and complexity, spurred on by rapid advancement in digital crime. Contemporary law enforcement professionals facing such issues quickly discover that they cannot be successful while operating in a vacuum and turn to colleagues for assistance. However, there is a clear need for greater IT-based knowledge sharing capabilities amongst law enforcement organizations; an environment historically typified by a silo mentality. A number of efforts have attempted to provide such capabilities, only to be met with limited enthusiasm and difficulties in sustaining continued use. Conversely, the hacker community …


Steganography: Forensic, Security, And Legal Issues, Merrill Warkentin, Ernst Bekkering, Mark B. Schmidt Jan 2008

Journal of Digital Forensics, Security and Law

Steganography has long been regarded as a tool used for illicit and destructive purposes such as crime and warfare. Currently, digital tools are widely available to ordinary computer users also. Steganography software allows both illicit and legitimate users to hide messages so that they will not be detected in transit. This article provides a brief history of steganography, discusses the current status in the computer age, and relates this to forensic, security, and legal issues. The paper concludes with recommendations for digital forensics investigators, IT staff, individual users, and other stakeholders.


Analysis Of Information Remaining On Hand Held Devices Offered For Sale On The Second Hand, Andy Jones, Craig Valli, Iain Sutherland Jan 2008

Journal of Digital Forensics, Security and Law

The ownership and use of mobile phones, Personal Digital Assistants and other hand held devices is now ubiquitous both for home and business use. The majority of these devices have a high initial cost, a relatively short period before they become obsolescent and a relatively low second hand value. As a result of this, when the devices are replaced, there are indications that they tend to be discarded. As technology has continued to develop, it has led to an increasing diversity in the number and type of devices that are available, and the processing power and the storage capacity of …


Book Review: Challenges To Digital Forensic Evidence, Gary C. Kessler Jan 2008

Publications

This document is Dr. Kessler's review of Challenges to Digital Forensic Evidence, by Fred Cohen. Fred Cohen & Associates, 2008. ISBN 1-878109-41-3


A Grounded Theory Approach To Identifying And Measuring Forensic Data Acquisition Tasks, Gregory H. Carlton Jan 2007

Journal of Digital Forensics, Security and Law

As a relatively new field of study, little empirical research has been conducted pertaining to computer forensics. This lack of empirical research contributes to problems for practitioners and academics alike.

For the community of practitioners, problems arise from the dilemma of applying scientific methods to legal matters based on anecdotal training methods, and the academic community is hampered by a lack of theory in this evolving field. A research study utilizing a multi-method approach to identify and measure tasks practitioners perform during forensic data acquisitions and lay a foundation for academic theory development was conducted in 2006 in conjunction with …


A Methodology For The Forensic Acquisition Of The Tomtom One Satellite Navigation System - A Research In Progress, Peter Hannay Jan 2007

Australian Digital Forensics Conference

The use of Satellite Navigation Systems (SNS) has become increasingly common in recent years. The wide scale adoption of this technology has the potential to provide a valuable resource in forensic investigations. The potential of this resource is based on the ability to retrieve historical location data from the device in question while maintaining forensic integrity. This paper presents a methodology to acquire forensic images of the TomTom One satellite navigation unit. This methodology aims to be comprehensive and straightforward, while maintaining forensic integrity of the original evidence. However, in consideration of the aforementioned methodology, it should be noted that …