Social and Behavioral Sciences Commons^™

Identifying And Attributing Similar Traces With Greatest Common Factor Analysis, Fred Cohen

Journal of Digital Forensics, Security and Law

This paper presents an algorithm for comparing large numbers of traces to each other and identifying and presenting groups of traces with similar features. It is applied to forensic analysis in which groups of similar traces are automatically identified and presented so that attribution and other related claims may be asserted, and independently confirmed or refuted. The approach of this paper is to identify an approximate algorithm that will find a large subset of greatest common factor similar groups of arbitrary factors in far less time and space than an exact algorithm using examiner-provided selection criteria for factor definition.

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Column: The Physics Of Digital Information-Part 2, Fred Cohen

Journal of Digital Forensics, Security and Law

In part 1 of this series (Cohen, 2011a), we discussed some of the basics of building a physics of digital information. Assuming, as we have, that science is about causality and that a scientific theory should require that cause(C) produces effect (E) via mechanism M (written C→ME), we explore that general theory of digital systems from the perspective of attributing effects (i.e., traces of activities in digital systems) to their causes. Full details of the current version of this physics are available online2 , and in this article, we explore a few more of them.

An Overview Of The Jumplist Configuration File In Windows 7, Harjinder S. Lallie, Parmjit S. Bains

Journal of Digital Forensics, Security and Law

The introduction of Jumplists in Windows 7 was an important feature from a forensic examiners viewpoint. Jumplist configuration files can provide the examiner with a wealth of information relating to file access and in particular: dates/times, Volume GUIDs and unique file object IDs relating to those files. Some of the information in the Jumplist could be used to build a more precise timeline relating to system and file usage. In this article, we analyse the structure of a Jumplist configuration file and in particular a record from a Jumplist configuration file and highlight some of the important entries therein.

Comparing Android Applications To Find Copying, Larry Melling, Bob Zeidman

Journal of Digital Forensics, Security and Law

The Android smartphone operating system includes a Java virtual machine that enables rapid development and deployment of a wide variety of applications. The open nature of the platform means that reverse engineering of applications is relatively easy, and many developers are concerned as applications similar to their own show up in the Android marketplace and want to know if these applications are pirated. Fortunately, the same characteristics that make an Android application easy to reverse engineer and copy also provide opportunities for Android developers to compare downloaded applications to their own. This paper describes the process for comparing a developer’s …

Pandora’S Email Box? An Exploratory Study Of Web-Based Email Forgery Detection And Validation., Richard Boddington, Grant Boxall, Jeremy Ardley

Journal of Digital Forensics, Security and Law

Web based email systems may be a source of pristine digital evidence because of the perceived difficulty of client tampering with messages stored inside the email account. We demonstrate that such assumption is wrong in the case of Windows Live Hotmail®1 . Windows Live Mail®1 synchronises message on client-side computers with the Hotmail® server, benefiting users wishing to synchronise their email accounts and personal devices. However, this synchronisation opens an exploit for wrongdoers to tamper with existing email messages and attachments as well as facilitating the insertion of fabricated messages. The exploit process enables persistent storage of tampered and fabricated …

Applying The Acpo Principles In Public Cloud Forensic Investigations, Harjinder S. Lallie, Lee Pimlott

Journal of Digital Forensics, Security and Law

The numerous advantages offered by cloud computing has fuelled its growth and has made it one of the most significant of current computing trends. The same advantages have created complex issues for those conducting digital forensic investigations. Digital forensic investigators rely on the ACPO (Association of Chief Police Officers) or similar guidelines when conducting an investigation, however the guidelines make no reference to some of the issues presented by cloud investigations. This study investigates the impact of cloud computing on ACPO’s core principles and asks whether these principles can still be applied in a cloud investigation and the challenges presented …

Technology Corner: Dating Of Electronic Hardware For Prior Art Investigations, Sellam Ismail

Journal of Digital Forensics, Security and Law

In many legal matters, specifically patent litigation, determining and authenticating the date of computer hardware or other electronic products or components is often key to establishing the item as legitimate evidence of prior art. Such evidence can be used to buttress claims of technologies available or of events transpiring by or at a particular date.

Book Review: The Software Ip Detective's Handbook: Measurement, Comparison, And Infringement Detections, Diane Barrett

Journal of Digital Forensics, Security and Law

Do not the book title fool you into thinking that the book is only for those looking to detect software infringement detection. It is a comprehensive look at software intellectual property. The book covers a wide range of topics and has something to offer for just about everyone from lawyers to programmers.

Column: Factors Affecting Data Decay, Kevin Fairbanks, Simson Garfinkel

Journal of Digital Forensics, Security and Law

In nuclear physics, the phrase decay rate is used to denote the rate that atoms and other particles spontaneously decompose. Uranium-235 famously decays into a variety of daughter isotopes including Thorium and Neptunium, which themselves decay to others. Decay rates are widely observed and wildly different depending on many factors, both internal and external. U-235 has a half-life of 703,800,000 years, for example, while free neutrons have a half-life of 611 seconds and neutrons in an atomic nucleus are stable.

Toward Alignment Between Communities Of Practice And Knowledge-Based Decision Support, Jason Nichols, David Biros, Mark Weiser

Journal of Digital Forensics, Security and Law

The National Repository of Digital Forensics Information (NRDFI) is a knowledge repository for law enforcement digital forensics investigators (LEDFI). Over six years, the NRDFI has undertaken significant design revisions in order to more closely align the architecture of the system with theory addressing motivation to share knowledge and communication within ego-centric groups and communities of practice. These revisions have been met with minimal change in usage patterns by LEDFI community members, calling into question the applicability of relevant theory when the domain for knowledge sharing activities expands beyond the confines of an individual organization to a community of practice. When …

Book Review: System Forensics, Investigation, And Response, Nate Keith

Journal of Digital Forensics, Security and Law

I recently expressed an interest to a respected colleague in finding a way to “give back” to the forensic community. He suggested writing a review for a text he recently received and provide feedback to the community. It is my intent to present an objective analysis of System Forensics, Investigation, and Response.

Automated Identification And Reconstruction Of Youtube Video Access, Jonathan Patterson, Christopher Hargreaves

Journal of Digital Forensics, Security and Law

YouTube is one of the most popular video-sharing websites on the Internet, allowing users to upload, view and share videos with other users all over the world. YouTube contains many different types of videos, from homemade sketches to instructional and educational tutorials, and therefore attracts a wide variety of users with different interests. The majority of YouTube visits are perfectly innocent, but there may be circumstances where YouTube video access is related to a digital investigation, e.g. viewing instructional videos on how to perform potentially unlawful actions or how to make unlawful articles. When a user accesses a YouTube video …

Technology Corner Automated Data Extraction Using Facebook, Nick V. Flor

Journal of Digital Forensics, Security and Law

Because of Facebook’s popularity, law enforcement agents often use it as a key source of evidence. But like many user digital trails, there can be a large amount of data to extract for analysis. In this paper, we explore the basics of extracting data programmatically from a user’s Facebook via a Web app. A data extraction app requests data using the Facebook Graph API, and Facebook returns a JSON object containing the data. Before an app can access a user’s Facebook data, the user must log into Facebook and give permission. Thus, this approach is limited to situations where users …

Column: Analysis Of Digital Traces, Fred Cohen

Journal of Digital Forensics, Security and Law

In part 1 of this series (Cohen, 2011a), Analysis of digital traces is a foundational process by which the examiner, typically using computer software tools, comes to understand and answer basic questions regarding digital traces.

On The Development Of A Digital Forensics Curriculum, Manghui Tu, Dianxiang Xu, Samsuddin Wira, Cristian Balan, Kyle Cronin

Journal of Digital Forensics, Security and Law

Computer Crime and computer related incidents continue their prevalence and frequency, resulting in losses approaching billions of dollars. To fight against these crimes and frauds, it is urgent to develop digital forensics education programs to train a suitable workforce that can effectively investigate computer crimes and incidents. There is presently no standard to guide the design of digital forensics curriculum for an academic program. In this research, previous work on digital forensics curriculum design and existing education programs are thoroughly investigated. Both digital forensics educators and practitioners were surveyed and results were analyzed to determine the industry and law enforcement …

Automatic Crash Recovery: Internet Explorer's Black Box, John Moran, Douglas Orr

Journal of Digital Forensics, Security and Law

A good portion of today's investigations include, at least in part, an examination of the user's web history. Although it has lost ground over the past several years, Microsoft's Internet Explorer still accounts for a large portion of the web browser market share. Most users are now aware that Internet Explorer will save browsing history, user names, passwords and form history. Consequently some users seek to eliminate these artifacts, leaving behind less evidence for examiners to discover during investigations. However, most users, and probably a good portion of examiners are unaware Automatic Crash Recovery can leave a gold mine of …

To License Or Not To License Updated: An Examination Of State Statutes Regarding Private Investigators And Digital Examiners, Thomas Lonardo, Doug White, Alan Rea

Journal of Digital Forensics, Security and Law

In this update to the 2009 year's study, the authors examine statutes that regulate, license, and enforce investigative functions in each US state. After identification and review of Private Investigator licensing requirements, the authors find that very few state statutes explicitly differentiate between Private Investigators and Digital Examiners, but do see a trend of more states making some distinction. The authors contacted all state regulatory agencies where statutory language was not explicit, and as a result, set forth the various state approaches to professional Digital Examiner licensing. As was the case in the previous two iterations of this research, the …

Book Review: Dispute Resolution And E-Discovery, Milton Luoma

Journal of Digital Forensics, Security and Law

As is apparent from its title, this book tackles two very current and difficult legal issues – electronic discovery and dispute resolution. The authors tie the two legal concepts together in an effort to provide litigants and practitioners a less expensive and less time consuming alternative than is typically the case with traditional litigation and court proceedings. By including electronic discovery in the discussions, the authors recognize the importance and significance of electronic discovery in mediation and arbitration as it is in traditional litigation.

Extraction Of Electronic Evidence From Voip: Identification & Analysis Of Digital Speech, David Irwin, Arek Dadej, Jill Slay

Journal of Digital Forensics, Security and Law

The Voice over Internet Protocol (VoIP) is increasing in popularity as a cost effective and efficient means of making telephone calls via the Internet. However, VoIP may also be an attractive method of communication to criminals as their true identity may be hidden and voice and video communications are encrypted as they are deployed across the Internet. This produces a new set of challenges for forensic analysts compared with traditional wire-tapping of the Public Switched Telephone Network (PSTN) infrastructure, which is not applicable to VoIP. Therefore, other methods of recovering electronic evidence from VoIP are required. This research investigates the …

The Science Of Digital Forensics: Recovery Of Data From Overwritten Areas Of Magnetic Media, Fred Cohen

Journal of Digital Forensics, Security and Law

The first time I encountered data loss and recovery effects of magnetic memory was as a night and weekend computer operator for the computer science department of Carnegie-Mellon University in the 1973-1974 time frame. Part of my job involved dealing directly with outages and failures associated with magnetic memory components used in what, at the time, were large computer systems. On occasions, portions of magnetic core memory or disk drives would encounter various failure modes and the systems using these devices would have to be reconfigured to operate without the failed components until repair personnel could come in to repair …

An Australian Perspective On The Challenges For Computer And Network Security For Novice Endusers, Patryk Szewczyk

Journal of Digital Forensics, Security and Law

It is common for end-users to have difficulty in using computer or network security appropriately and thus have often been ridiculed when misinterpreting instructions or procedures. This discussion paper details the outcomes of research undertaken over the past six years on why security is overly complex for endusers. The results indicate that multiple issues may render end-users vulnerable to security threats and that there is no single solution to address these problems. Studies on a small group of senior citizens has shown that educational seminars can be beneficial in ensuring that simple security aspects are understood and used appropriately.

Implementing The Automated Phases Of The Partially-Automated Digital Triage Process Model, Gary Cantrell, David A. Dampier

Journal of Digital Forensics, Security and Law

Digital triage is a pre-digital-forensic phase that sometimes takes place as a way of gathering quick intelligence. Although effort has been undertaken to model the digital forensics process, little has been done to-date to model digital triage. This work discusses the further development of a model that attempts to address digital triage, the Partially-automated Crime Specific Digital Triage Process model. The model itself will be presented along with a description of how its automated functionality was implemented to facilitate model testing.

“Preemptive Suppression” – Judges Claim The Right To Find Digital Evidence Inadmissible Before It Is Even Discovered, Bob Simpson

Journal of Digital Forensics, Security and Law

Vermont state prosecutors have asked the Vermont Supreme Court to end a state trial judge’s practice of attaching conditions to computer warrants. The Vermont judge’s conditions are drawn from five conditions established in the 2009 decision of the 9th Circuit Court of Appeals in the Comprehensive Drug Testing, Inc. case (CDT II). This is the first time the validity of the “CDT conditions” will be decided by a state court of final jurisdiction in the United States

Book Review: Mastering Windows Network Forensics And Investigation, 2/E, John C. Ebert

Journal of Digital Forensics, Security and Law

The book is available as a paperback and e-book. The e-book versions allow you to preview several chapters at any of a number of online vendors. The e-book prices vary from the same as the soft cover version ($59.99) to about $38.99. Some of the vendor's e-books retain the color illustrations found in the print version, but others produce them in grey scale, so you might want to look out for that. The book is divided into four parts (17 chapters) plus two appendices.

I am compelled to give the book illustrations a highly unfavorable assessment regarding their readability qualities. …

Technology Corner: A Regular Expression Training App, Nick V. Flor

Journal of Digital Forensics, Security and Law

Regular expressions enable digital forensic analysts to find information in files. The best way for an analyst to become proficient in writing regular expressions is to practice. This paper presents the code for an app that allows an analyst to practice writing regular expressions.

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Table Of Contents

Journal of Digital Forensics, Security and Law

No abstract provided.

Dns In Computer Forensics, Neil F. Wright

Journal of Digital Forensics, Security and Law

The Domain Name Service (DNS) is a critical core component of the global Internet and integral to the majority of corporate intranets. It provides resolution services between the human-readable name-based system addresses and the machine operable Internet Protocol (IP) based addresses required for creating network level connections. Whilst structured as a globally dispersed resilient tree data structure, from the Global and Country Code Top Level Domains (gTLD/ccTLD) down to the individual site and system leaf nodes, it is highly resilient although vulnerable to various attacks, exploits and systematic failures.