Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Social and Behavioral Sciences

2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Articles 1 - 13 of 13

Full-Text Articles in Physical Sciences and Mathematics

Case Study: A New Method For Investigating Crimes Against Children, Hallstein Asheim Hansen, Stig Andersen, Stefan Axelsson, Svein Hopland May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Investigations of crimes against children are often complex, both in terms of the varied and large amount of digital technology encountered and the offensive nature of the crimes. Such cases are numerous, large, and prioritised, requiring digital forensics competence. Earlier, digital forensics was considered and treated as a typical forensic science like fingerprint analysis, performed in a laboratory isolated from the investigative team. This decoupled way of working has proved to be both inefficient and error-prone.

At the Digital Forensic Unit of Oslo Police District we have developed a new way of working that addresses many of the problems …


Exploring Digital Evidence With Graph Theory, Imani Palmer, Boris Gelfand, Roy Campbell May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

The analysis phase of the digital forensic process is the most complex. The analysis phase remains very subjective to the views of the forensic practitioner. There are many tools dedicated to assisting the investigator during the analysis process. However, they do not address the challenges. Digital forensics is in need of a consistent approach to procure the most judicious conclusions from the digital evidence. The objective of this paper is to discuss the ability of graph theory, a study of related mathematical structures, to aid in the analysis phase of the digital forensic process. We develop a graph-based representation of …


Digital Forensics Tool Selection With Multi-Armed Bandit Problem, Umit Karabiyik, Tugba Karabiyik May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital forensics investigation is a long and tedious process for an investigator in general. There are many tools that investigators must consider, both proprietary and open source. Forensics investigators must choose the best tool available on the market for their cases to make sure they do not overlook any evidence that resides in a suspect device within a reasonable time frame. This is, however, a hard decision to make, since learning and testing all available tools only makes their job harder. In this project, we define the digital forensics tool selection for a specific investigative task as a multi-armed bandit problem assuming that …


Downstream Competence Challenges And Legal/Ethical Risks In Digital Forensics, Michael M. Losavio, Antonio Losavio May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Forensic practice is an inherently human-mediated system, from processing and collection of evidence to presentation and judgment. This requires attention to human factors and risks which can lead to incorrect judgments and unjust punishments.

For digital forensics, such challenges are magnified by the relative newness of the discipline and the use of electronic evidence in forensic proceedings. Traditional legal protections, rules of procedure and ethics rules mitigate these challenges. Application of those traditions better ensures forensic findings are reliable. This has significant consequences where findings may impact a person's liberty or property, a person's life or even the political direction …


Detecting Deception In Asynchronous Text, Fletcher Glancy May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Glancy and Yadav (2010) developed a computational fraud detection model (CFDM) that successfully detected financial reporting fraud in the text of the management’s discussion and analysis (MDA) portion of annual filings with the United States Securities and Exchange Commission (SEC). This work extends the use of the CFDM to additional genres, demonstrates the generalizability of the CFDM and the use of text mining for quantitatively detecting deception in asynchronous text. It also demonstrates that writers committing fraud use words differently from truth tellers.


Understanding Deleted File Decay On Removable Media Using Differential Analysis, James H. Jones Jr, Anurag Srivastava, Josh Mosier, Connor Anderson, Seth Buenafe May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Digital content created by picture recording devices is often stored internally on the source device, on either embedded or removable media. Such storage media is typically limited in capacity and meant primarily for interim storage of the most recent image files, and these devices are frequently configured to delete older files as necessary to make room for new files. When investigations involve such devices and media, it is sometimes these older deleted files that would be of interest. It is an established fact that deleted file content may persist in part or in its entirety after deletion, and identifying the …


Development Of A Professional Code Of Ethics In Digital Forensics, Kathryn C. Seigfried-Spellar, Marcus Rogers, Danielle M. Crimmins May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Academics, government officials, and practitioners suggest the field of digital forensics is in need of a professional code of ethics. In response to this need, the authors developed and proposed a professional code of ethics in digital forensics. The current paper will discuss the process of developing the professional code of ethics, which included four sets of revisions based on feedback and suggestions provided by members of the digital forensic community. The final version of the Professional Code of Ethics in Digital Forensics includes eight statements, and we hope this is a step toward unifying the field of digital forensics …


Defining A Cyber Jurisprudence, Peter R. Stephenson PhD May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Jurisprudence is the science and philosophy or theory of the law. Cyber law is a very new concept and has had, compared with other, older, branches of the law, little structured study. However, we have entered the cyber age and the law - on all fronts - is struggling to keep pace with technological advances in cyberspace. This research explores a possible theory and philosophy of cyber law, and, indeed, whether it is feasible to develop and interpret a body of law that addresses current and emerging challenges in cyber space.

While there is an expanding discussion of the nature …


Fast Filtering Of Known PNG Files Using Early File Features, Sean McKeown, Gordon Russell, Petra Leimich May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

A common task in digital forensics investigations is to identify known contraband images. This is typically achieved by calculating a cryptographic digest, using hashing algorithms such as SHA256, for each image on a given medium, comparing individual digests with a database of known contraband. However, the large capacities of modern storage media, and increased time pressure on forensics examiners, necessitate that more efficient processing mechanisms be developed. This work describes a technique for creating signatures for images of the PNG format which only requires a tiny fraction of the file to effectively distinguish between a large number of images. Highly …


Harnessing Predictive Models For Assisting Network Forensic Investigations Of DNS Tunnels, Irvin Homem, Panagiotis Papapetrou May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

In recent times, DNS tunneling techniques have been used for malicious purposes; however, network security mechanisms struggle to detect them. Network forensic analysis has been proven effective, but is slow and effort-intensive, as Network Forensics Analysis Tools struggle to deal with undocumented or new network tunneling techniques. In this paper, we present a machine learning approach, based on feature subsets of network traffic evidence, to aid forensic analysis through automating the inference of protocols carried within DNS tunneling techniques. We explore four network protocols, namely, HTTP, HTTPS, FTP, and POP3. Three features are extracted from the DNS tunneled traffic: …


Detect Kernel-Mode Rootkits Via Real Time Logging & Controlling Memory Access, Satoshi Tanda, Irvin Homem, Igor Korkin May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware, we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX …


An Accidental Discovery Of IoT Botnets And A Method For Investigating Them With A Custom Lua Dissector, Max Gannon, Gary Warner, Arsh Arora May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper presents a case study that occurred while observing peer-to-peer network communications on a botnet monitoring station and shares how tools were developed to discover what ultimately was identified as Mirai and many related IoT DDoS botnets. The paper explains how researchers developed a customized protocol dissector in Wireshark using the Lua coding language, and how this enabled them to quickly identify new DDoS variants over a five-month period of study.


Kelihos Botnet: A Never-Ending Saga, Arsh Arora, Max Gannon, Gary Warner May 2017

Annual ADFSL Conference on Digital Forensics, Security and Law

This paper investigates the recent behavior of the Kelihos botnet, a spam-sending botnet that accounts for many millions of emails sent each day. The paper demonstrates how a team of students are able to perform a longitudinal malware study, making significant observations and contributions to the understanding of a major botnet using tools and techniques taught in the classroom. From this perspective the paper has two objectives: encouragement and observation. First, by providing insight into the methodology and tools used by student researchers to document and understand a botnet, the paper strives to embolden other academic programs to follow a …