Open Access. Powered by Scholars. Published by Universities.®

Law Commons

Forensic Science and Technology

Embry-Riddle Aeronautical University

Conference

Articles 61 - 90 of 180

Full-Text Articles in Law

Invited Paper - Potential Changes To Ediscovery Rules In Federal Court: A Discussion Of The Process, Substantive Changes And Their Applicability And Impact On Virginia Practice, Joseph J. Schwerha, Susan L. Mitchell, John W. Bagby May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

The Federal Rules of Civil Procedure (FRCP) are subject to a unique process also once used in revising the Federal Rules of Evidence (FRE). Today, this process is followed in revisions of the FRCP, the Federal Rules of Criminal Procedure and the Federal Bankruptcy Rules. This unique rulemaking process differs significantly from traditional notice and comment rulemaking required for a majority of federal regulatory agencies under the Administrative Procedure Act (APA). Most notably, rule-making for the federal courts’ procedural matters remains unaffected by the invalidation of legislative veto. It is still widely, but wrongly believed, that the legislative veto was …


On The Network Performance Of Digital Evidence Acquisition Of Small Scale Devices Over Public Networks, Irvin Homem, Spyridon Dosis May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

While cybercrime proliferates – becoming more complex and surreptitious on the Internet – the tools and techniques used in performing digital investigations are still largely lagging behind, effectively slowing down law enforcement agencies at large. Real-time remote acquisition of digital evidence over the Internet is still an elusive ideal in the combat against cybercrime. In this paper we briefly describe the architecture of a comprehensive proactive digital investigation system that is termed as the Live Evidence Information Aggregator (LEIA). This system aims at collecting digital evidence from potentially any device in real time over the Internet. Particular focus is made …


A Review Of Recent Case Law Related To Digital Forensics: The Current Issues, Kelly A. Cole, Shruti Gupta, Dheeraj Gurugubelli, Marcus K. Rogers May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital forensics is a new field without established models of investigation. This study uses thematic analysis to explore the different issues seen in the prosecution of digital forensic investigations. The study looks at 100 cases from different federal appellate courts to analyze the cause of the appeal. The issues are categorized into one of four categories, ‘search and seizure’, ‘data analysis’, ‘presentation’ and ‘legal issues’. The majority of the cases reviewed related to the search and seizure activity.

Keywords: Computer Investigation, Case Law, Digital Forensics, Legal Issues, and Courts


A New Cyber Forensic Philosophy For Digital Watermarks In The Context Of Copyright Laws, Vinod P. Bhattathiripad, Sneha Sudhakaran, Roshna K. Thalayaniyil May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

The objective of this paper is to propose a new cyber forensic philosophy for watermark in the context of copyright laws for the benefit of the forensic community and the judiciary worldwide. The paper first briefly introduces various types of watermarks, and then situates watermarks in the context of the idea-expression dichotomy and the copyright laws. It then explains the forensic importance of watermarks and proposes a forensic philosophy for them in the context of copyright laws. Finally, the paper stresses the vital need to incorporate watermarks in the forensic tests to establish software copyright infringement and also urges the …


A Survey Of Software-Based String Matching Algorithms For Forensic Analysis, Yi-Ching Liao May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

Employing a fast string matching algorithm is essential for minimizing the overhead of extracting structured files from a raw disk image. In this paper, we summarize the concept, implementation, and main features of ten software-based string matching algorithms, and evaluate their applicability for forensic analysis. We provide comparisons between the selected software-based string matching algorithms from the perspective of forensic analysis by conducting their performance evaluation for file carving. According to the experimental results, the Shift-Or algorithm (R. Baeza-Yates & Gonnet, 1992) and the Karp-Rabin algorithm (Karp & Rabin, 1987) have the minimized search time for identifying the locations of …


Investigating Forensics Values Of Windows Jump Lists Data, Ahmad Ghafarian May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

Starting with Windows 7, Microsoft introduced a new feature to the Windows Operating Systems called Jump Lists. Jump Lists store information about user activities on the host machine. These activities may include links to the recently visited web pages, applications executed, or files processed. Computer forensics investigators may find traces of misuse in Jump Lists auto-saved files. In this research, we investigate the forensics values of Jump Lists data. Specifically, we use several tools to view Jump Lists data on a virtual machine. We show that each tool reveals certain types of information about user’s activity on the host …


An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice Fischer May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

Hash functions are widespread in computer sciences and have a wide range of applications such as ensuring integrity in cryptographic protocols, structuring database entries (hash tables) or identifying known files in forensic investigations. Besides their cryptographic requirements, a fundamental property of hash functions is efficient and easy computation which is especially important in digital forensics due to the large amount of data that needs to be processed when working on cases. In this paper, we correlate the runtime efficiency of common hashing algorithms (MD5, SHA-family) and their implementation. Our empirical comparison focuses on C-OpenSSL, Python, Ruby, Java on Windows and …


Two Challenges Of Stealthy Hypervisors Detection: Time Cheating And Data Fluctuations, Igor Korkin May 2015

Annual ADFSL Conference on Digital Forensics, Security and Law

Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the …


Hot Zone Identification: Analyzing Effects Of Data Sampling On Spam Clustering, Rasib Khan, Mainul Mizan, Ragib Hasan, Alan Sprague May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Email is the most common and comparatively the most efficient means of exchanging information in today's world. However, given the widespread use of emails in all sectors, they have been the target of spammers since the beginning. Filtering spam emails has now led to critical actions such as forensic activities based on mining spam email. The data mine for spam emails at the University of Alabama at Birmingham is considered to be one of the most prominent resources for mining and identifying spam sources. It is a widely researched repository used by researchers from different global organizations. The usual process …


Investigative Techniques Of N-Way Vendor Agreement And Network Analysis Demonstrated With Fake Antivirus, Gary Warner, Mike Nagy, Kyle Jones, Kevin Mitchem May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Fake AntiVirus (FakeAV) malware experienced a resurgence in the fall of 2013 after falling out of favor after several high profile arrests. FakeAV presents two unique challenges to investigators. First, because each criminal organization running a FakeAV affiliate system regularly alters the appearance of their system, it is sometimes difficult to know whether an incoming criminal complaint or malware sample is related to one ring or the other. Secondly, because FakeAV is delivered in a “Pay Per Install” affiliate model, in addition to the ring-leaders of each major ring, there are many high-volume malware infection rings who are all using …


Work In Progress: An Architecture For Network Path Reconstruction Via Backtraced OSPF LSDB Synchronization, Raymond A. Hansen May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

There has been extensive work in crime scene reconstruction of physical locations, and much is known in terms of digital forensics of computing devices. However, the network has remained a nebulous combination of entities that are largely ignored during an investigation due to the transient nature of the data that flows through the networks. This paper introduces an architecture for network path reconstruction using the network layer reachability information shared via OSPF Link State Advertisements and the routines and functions of OSPF::rt_sched() as applied to the construction of identical Link State Databases for all routers within an Area.


Application Of Toral Automorphisms To Preserve Confidentiality Principle In Video Live Streaming, Enrique García-Carbajal, Clara Cruz-Ramos, Mariko Nakano-Miyatake May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Most of the Live Video Systems do not preserve the Confidentiality principle, and send all frames of the video without any protection, allowing an easy “man in the middle” attack. But when it does, it uses cryptographic techniques over streaming data or makes use of secure channel systems. This generates low frame rate and demands many processor resources. In fact native Live Video Streaming demands many resources of all System.

In this paper we propose a technique to preserve confidentiality in Video Live Streaming applying a confusing visual method making use of the Toral Automorphism Spatial Transformation over each frame. …


Visualizing Instant Messaging Author Writeprints For Forensic Analysis, Angela Orebaugh, Jason Kinser, Jeremy Allnutt May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

As cybercrime continues to increase, new cyber forensics techniques are needed to combat the constant challenge of Internet anonymity. In instant messaging (IM) communications, criminals use virtual identities to hide their true identity, which hinders social accountability and facilitates cybercrime. Current instant messaging products are not addressing the anonymity and ease of impersonation over instant messaging. It is necessary to have IM cyber forensics techniques to assist in identifying cyber criminals as part of the criminal investigation. Instant messaging behavioral biometrics include online writing habits, which may be used to create an author writeprint to assist in identifying an author …


Botnet Forensic Investigation Techniques And Cost Evaluation, Brian Cusack May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Botnets are responsible for a large percentage of damages and criminal activity on the Internet. They have shifted attacks from push activities to pull techniques for the distribution of malwares and continue to provide economic advantages to the exploiters at the expense of other legitimate Internet service users. In our research we asked; what is the cost of the procedural steps for forensically investigating a Botnet attack? The research method applies investigation guidelines provided by other researchers and evaluates these guidelines in terms of the cost to a digital forensic investigator. We conclude that investigation of Botnet attacks is both …


Development And Dissemination Of A New Multidisciplinary Undergraduate Curriculum In Digital Forensics, Masooda Bashir, Jenny A. Applequist, Roy H. Campbell, Lizanne Destefano, Gabriela L. Garcia, Anthony Lang May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

The Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign is developing an entirely new multidisciplinary undergraduate curriculum on the topic of digital forensics, and this paper presents the findings of the development process, including initial results and evaluation of a pilot offering of the coursework to students. The curriculum consists of a four-course sequence, including introductory and advanced lecture courses with parallel laboratory courses, followed by an advanced course. The content has been designed to reflect both the emerging national standards and the strong multidisciplinary character of the profession of digital forensics, and includes modules developed collaboratively …


Computer Forensics For Accountants, Grover S. Kearns May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital attacks on organizations are becoming more common and more sophisticated. Firms are interested in providing data security and having an effective means to respond to attacks. Accountants possess important investigative and analytical skills that serve to uncover fraud in forensic investigations. Some accounting students take courses in forensic accounting but few colleges offer a course in computer forensics for accountants. Educators wishing to develop such a course may find developing the curriculum daunting. A major element of such a course is the use of forensic software. This paper argues the importance of computer forensics to accounting students and offers …


Applying Memory Forensics To Rootkit Detection, Igor Korkin, Ivan Nesterov May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures, e.g., page tables. A new memory forensic system – Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular …


The Federal Rules Of Civil Procedure: Politics In The 2013-2014 Revision, John W. Bagby, Byron Granda, Emily Benoit, Alexander Logan, Ryan Snell, Joseph J. Schwerha May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Pre-trial discovery is perpetually controversial. Parties advantaged by strict privacy can often avoid justice when this is disadvantageous to their interests. Contrawise, parties advantaged by relaxed litigation privacy can achieve justice when all facts are accessible irrespective of their repositories, ownership or control. American-style pre-trial discovery in civil and regulatory enforcement is relatively rare around the world. U.S. discovery rules open nearly all relevant and non-privileged data for use by opposing parties. The traditional discovery process was costly and time consuming in the world of tangible paper data. However, these burdens have increased, rather than diminished as often predicted, as …


Testing And Evaluating The Harmonised Digital Forensic Investigation Process In Post Mortem Digital Investigation, Emilio R. Mumba, H. S. Venter May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Existing digital forensic investigation process models have provided guidelines for identifying and preserving potential digital evidence captured from a crime scene. However, for any of the digital forensic investigation process models developed across the world to be adopted and fully applied by the scientific community, it has to be tested. For this reason, the Harmonized Digital Forensic Investigation Process (HDFIP) model, currently a working draft towards becoming an international standard for digital forensic investigations (ISO/IEC 27043), needs to be tested.

This paper, therefore, presents the findings of a case study used to test the HDFIP model implemented in the ISO/IEC …


Generation And Handling Of Hard Drive Duplicates As Piece Of Evidence, T. Kemmerich, F. Junge, N. Kuntze, C. Rudolph, B. Endicott-Popovsky, L. Großkopf May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

An important area in digital forensics is images of hard disks. The correct production of the images as well as the integrity and authenticity of each hard disk image is essential for the probative force of the image to be used at court. Integrity and authenticity are under suspicion as digital evidence is stored and used by software based systems. Modifications to digital objects are hard or even impossible to track and can occur even accidentally. Even worse, vulnerabilities occur for all current computing systems. Therefore, it is difficult to guarantee a secure environment for forensic investigations. But intended deletions …


Internet Addiction To Child Pornography, Rachel Sitarz, Marcus Rogers, Lonnie Bentley, Eugene Jackson May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

During the present age and time, it seems as though people in society have become addicted to nearly anything and everything, whether it be to a substance, an activity or an object. The Internet and pornography is no exception. While commonly thought of as a deviant behavior, many are displaying addictions towards the Internet and pornography. More alarming, however, are those who are viewing, downloading, or trading child pornography and displaying addictive Internet behaviors, for they are spending excessive amounts of time engaging in the proliferation of child pornographic materials. For this reason, addiction to the Internet and usage of …


Using Internet Artifacts To Profile A Child Pornography Suspect, Marcus K. Rogers, Kathryn C. Seigfried-Spellar May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital evidence plays a crucial role in child pornography investigations. However, in the following case study, the authors argue that the behavioral analysis or “profiling” of digital evidence can also play a vital role in child pornography investigations. The following case study assessed the Internet Browsing History (Internet Explorer Bookmarks, Mozilla Bookmarks, and Mozilla History) from a suspected child pornography user’s computer. The suspect in this case claimed to be conducting an ad hoc law enforcement investigation. After the URLs were classified (Neutral; Adult Porn; Child Porn; Adult Dating sites; Pictures from Social Networking Profiles; Chat Sessions; Bestiality; Data Cleaning; …


LiFE (Logical iOS Forensics Examiner): An Open Source iOS Backup Forensics Examination Tool, Ibrahim Baggili, Shadi Al Awawdeh, Jason Moore May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

In this paper, we present LiFE (Logical iOS Forensics Examiner), an open source iOS backup forensics examination tool. This tool helps both researchers and practitioners alike in both understanding the backup structures of iOS devices and forensically examining iOS backups. The tool is currently capable of parsing device information, call history, voice messages, GPS locations, conversations, notes, images, address books, calendar entries, SMS messages, Aux locations, Facebook data and e-mails. The tool consists of both a manual interface (where the user is able to manually examine the backup structures) and an automated examination interface (where the tool pulls out evidence …


Why Penetration Testing Is A Limited Use Choice For Sound Cyber Security Practice, Craig Valli, Andrew Woodward, Peter Hannay, Mike Johnstone May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

Penetration testing of networks is a process that is overused when demonstrating or evaluating the cyber security posture of an organisation. Most penetration testing is not aligned with the actual intent of the testing, but rather is driven by a management directive of wanting to be seen to be addressing the issue of cyber security. The use of penetration testing is commonly a reaction to an adverse audit outcome or as a result of being penetrated in the first place. Penetration testing used in this fashion delivers little or no value to the organisation being tested for a number of …


Awareness Of Scam E-Mails: An Exploratory Research Study, Tejashree D. Datar, Kelly A. Cole, Marcus K. Rogers May 2014

Annual ADFSL Conference on Digital Forensics, Security and Law

The goal of this research was to find the factors that influence a user’s ability to identify e-mail scams. It also aimed to understand user’s awareness regarding e-mail scams and actions that need to be taken if and when victimized. This study was conducted on a university campus with 163 participants. This study presented the participants with two scam e-mails and two legitimate e-mails and asked the participants to correctly identify these e-mails as scam or legitimate. The study focused on the ability of people to differentiate between scam and legitimate e-mails. The study attempted to determine factors that influence …


A Forensic Study Of The Effectiveness Of Selected Anti-Virus Products Against SSDT Hooking Rootkits, Sami Al-Shaheri, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Jun 2013

Annual ADFSL Conference on Digital Forensics, Security and Law

For Microsoft Windows Operating Systems, both anti-virus products and kernel rootkits often hook the System Service Dispatch Table (SSDT). This research paper investigates the interaction between these two in terms of the SSDT. To investigate these matters, we extracted digital evidence from volatile memory, and studied that evidence using the Volatility framework. Due to the diversity in detection techniques used by the anti-virus products, and the diversity of infection techniques used by rootkits, our investigation produced diverse results, results that helped us to understand several SSDT hooking strategies, and the interaction between the selected anti-virus products and the rootkit samples. …


An Ontology-Based Forensic Analysis Tool, Mohammed Alzaabi, Andy Jones, Thomas A. Martin Jun 2013

Annual ADFSL Conference on Digital Forensics, Security and Law

The analysis of forensic investigation results has generally been identified as the most complex phase of a digital forensic investigation. This phase becomes more complicated and time consuming as the storage capacity of digital devices is increasing, while at the same time the prices of those devices are decreasing. Although there are some tools and techniques that assist the investigator in the analysis of digital evidence, they do not adequately address some of the serious challenges, particularly with the time and effort required to conduct such tasks. In this paper, we consider the use of semantic web technologies and in …


First Glance: An Introductory Analysis Of Network Forensics Of Tor, Raymond Hansen Jun 2013

Annual ADFSL Conference on Digital Forensics, Security and Law

The Tor network is a low-latency overlay network for TCP flows that is designed to provide privacy and anonymity to its users. It is currently in use by many as a means to avoid censorship of both information to be shared and information to be retrieved. This paper details the architecture of the Tor network as a platform for evaluating the current state of forensic analysis of the Tor network. Specific attempts to block access to the Tor network are examined to identify (a) the processes utilized to identify Tor nodes, and (b) the resulting exposure of potentially inculpatory evidence. …


A Thematic Review Of User Compliance With Information Security Policies Literature, David Sikolia Jun 2013

Annual ADFSL Conference on Digital Forensics, Security and Law

The adoption of computer and internet technology has greatly improved the way businesses operate. However the risk to the confidentiality, integrity and availability of organizational data and systems has greatly increased too. Information security is an ever present concern for all organizations. Financial estimates of the impact of security breaches to information and technology resources range from hundreds of billions to over one trillion dollars each year worldwide (D'Arcy et al., 2011b). Organizations have therefore developed a combination of technical, administrative, and physical controls to reduce this risk (D'Arcy et al., 2011a). Administrative measures include the development of information security …


Journey Into Windows 8 Recovery Artifacts, W. K. Johnson Jun 2013

Annual ADFSL Conference on Digital Forensics, Security and Law

One of the most difficult processes of digital forensics is to understand how new technology interacts with current technology and how digital forensic analysts can utilize current Digital Forensics technologies and processes to recover and find hidden information. Microsoft has released their new operating system Windows 8; with this new release Microsoft has added some features to the operating system that will present some interesting complications to digital forensics. Since the initial release of the Windows 8 Release Candidates there has been some research released that focuses primarily on the new user created artifacts and a few artifacts that have …