Open Access. Powered by Scholars. Published by Universities.®
Physical Sciences and Mathematics Commons™
Articles 31 - 51 of 51
Full-Text Articles in Physical Sciences and Mathematics
A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton
Journal of Digital Forensics, Security and Law
Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker is immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. …
Educating The Next Generation Of Cyberforensic Professionals, Mark Pollitt, Philip Craiger
Publications
This paper provides a historical overview of the development of cyberforensics as a scientific discipline, along with a description of the current state of training, educational programs, certification and accreditation. The paper traces the origins of cyberforensics, the acceptance of cyberforensics as a forensic science and its recognition as a component of information security. It also discusses the development of professional certification and standardized bodies of knowledge that have had a substantial impact on the discipline. Finally, it discusses the accreditation of cyberforensic educational programs, its linkage with the bodies of knowledge and its effect on cyberforensic educational programs.
Information Security Challenge Of Qr Codes, Nik Thompson, Kevin Lee
Journal of Digital Forensics, Security and Law
The discipline of information security must adapt to new technologies and methods of interaction with those technologies. New technologies present both challenges and opportunities for the security professional, especially for areas such as digital forensics. Challenges can be in the form of new devices such as smartphones or new methods of sharing information, such as social networks. One such rapidly emerging interaction technology is the use of Quick Response (QR) codes. These offer a physical mechanism for quick access to Web sites for advertising and social interaction. This paper argues that the common implementation of QR codes potentially presents security …
The Advanced Data Acquisition Model (Adam): A Process Model For Digital Forensic Practice, Richard Adams, Val Hobbs, Graham Mann
Journal of Digital Forensics, Security and Law
As with other types of evidence, the courts make no presumption that digital evidence is reliable without some evidence of empirical testing in relation to the theories and techniques associated with its production. The issue of reliability means that courts pay close attention to the manner in which electronic evidence has been obtained and in particular the process in which the data is captured and stored. Previous process models have tended to focus on one particular area of digital forensic practice, such as law enforcement, and have not incorporated a formal description. We contend that this approach has prevented the …
Analysis Of A Second Hand Google Mini Search Appliance, Stephen Larson
Journal of Digital Forensics, Security and Law
Information and the technological advancements for which mankind develops with regards to its storage has increased tremendously over the past few decades. As the total amount of data stored rapidly increases in conjunction with the amount of widely available computer-driven devices being used, solutions are being developed to better harness this data (LaTulippe, 2011). One of these solutions is commonly known as a search appliance. Search appliances have been used in e-discovery for several years. The Google Mini Search Appliance (Mini) has not only been used for e-discovery, but for indexing and searching internal documents. To accomplish these tasks, search …
Identifying And Attributing Similar Traces With Greatest Common Factor Analysis, Fred Cohen
Journal of Digital Forensics, Security and Law
This paper presents an algorithm for comparing large numbers of traces to each other and identifying and presenting groups of traces with similar features. It is applied to forensic analysis in which groups of similar traces are automatically identified and presented so that attribution and other related claims may be asserted, and independently confirmed or refuted. The approach of this paper is to identify an approximate algorithm that will find a large subset of greatest common factor similar groups of arbitrary factors in far less time and space than an exact algorithm using examiner-provided selection criteria for factor definition.
Identifying Trace Evidence From Target-Specific Data Wiping Application Software, Gregory H. Carlton, Gary C. Kessler
Security Studies & International Affairs - Daytona Beach
One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected …
Implementing The Automated Phases Of The Partially-Automated Digital Triage Process Model, Gary Cantrell, David A. Dampier
Journal of Digital Forensics, Security and Law
Digital triage is a pre-digital-forensic phase that sometimes takes place as a way of gathering quick intelligence. Although effort has been undertaken to model the digital forensics process, little has been done to-date to model digital triage. This work discusses the further development of a model that attempts to address digital triage, the Partially-automated Crime Specific Digital Triage Process model. The model itself will be presented along with a description of how its automated functionality was implemented to facilitate model testing.
Digital Evidence Education In Schools Of Law, Aaron Alva, Barbara Endicott-Popovsky
Journal of Digital Forensics, Security and Law
An examination of State of Connecticut v. Julie Amero provides insight into how a general lack of understanding of digital evidence can cause an innocent defendant to be wrongfully convicted. By contrast, the 101-page opinion in Lorraine v. Markel American Insurance Co. provides legal precedence and a detailed consideration for the admission of digital evidence. An analysis of both cases leads the authors to recommend additions to Law School curricula designed to raise the awareness of the legal community to ensure such travesties of justice, as in the Amero case, don’t occur in the future. Work underway at the University …
A Case Study In Forensic Analysis Of Control, Fred Cohen
Journal of Digital Forensics, Security and Law
This paper describes a case study in which a method for forensic analysis of control was applied to resolve probative technical issues in a legal action. It describes one instance in which the analysis was successfully applied without challenge, addresses the details of most of the different facets of the analysis method, and demonstrates how such analysis provides a systematic approach to using technical methods to address legal issues as a case study.
Kindle Forensics: Acquisition & Analysis, Peter Hannay
Journal of Digital Forensics, Security and Law
The Amazon Kindle eBook reader supports a wide range of capabilities beyond reading books. This functionality includes an inbuilt cellular data connection known as Whispernet. The Kindle provides web browsing, an application framework, eBook delivery and other services over this connection. The historic data left by user interaction with this device may be of forensic interest. Analysis of the Amazon Kindle device has resulted in a method to reliably extract and interpret data from these devices in a forensically complete manner.
Legal Issues Regarding Digital Forensic Examiners Third Party Consent To Search, Thomas Lonardo, Doug White, Tricia P. Martland, Alan Rea
Journal of Digital Forensics, Security and Law
This paper focuses on Federal law as it relates to consent to search relating to Fourth Amendment privacy in the practice of Digital Forensics. In particular, Digital Examiners should be aware of how decisions in Federal Court may impact their ability to acquire evidence in both civil and criminal settings. Digital Forensics, being a relatively new field, is particularly subject to change as cases and appeals are decided. This paper provides an overview of relevant case law relating to issues in Digital Forensics. More importantly, our research provides Digital Forensic Examiners (DFE), as defined by Lonardo, White, and Rea (2008, …
Investigating Modern Communication Technologies: The Effect Of Internet-Based Communication Technologies On The Investigation Process, Matthew Simon, Jill Slay
Journal of Digital Forensics, Security and Law
Communication technologies are commonplace in modern society. For many years there were only a handful of communication technologies provided by large companies, namely the Public Switched Telephone Network (PSTN) and mobile telephony; these can be referred to as traditional communication technologies. Over the lifetime of traditional communication technologies there has been little technological evolution and as such, law enforcement developed sound methods for investigating targets using them. With the advent of communication technologies that use the Internet – Internet-based or contemporary communication technologies – law enforcement are faced with many challenges. This paper discusses these challenges and their potential impact. It …
Adaptation Of Pyflag To Efficient Analysis Of Seized Computer Data Storage, Aleksander Byrski, Wojciech Stryjewski, Bartłomiej Czechowicz
Journal of Digital Forensics, Security and Law
Based on existing software aimed at investigation support in the analysis of computer data storage seized during investigation (PyFlag), an extension is proposed involving the introduction of dedicated components for data identification and filtering. Hash codes for popular software contained in NIST/NSRL database are considered in order to avoid unwanted files while searching and to classify them into several categories. The extension allows for further analysis, e.g. using artificial intelligence methods. The considerations are illustrated by the overview of the system's design.
Malware Forensics: Discovery Of The Intent Of Deception, Murray Brand, Craig Valli, Andrew Woodward
Journal of Digital Forensics, Security and Law
Malicious software (malware) has a wide variety of analysis avoidance techniques that it can employ to hinder forensic analysis. Although legitimate software can incorporate the same analysis avoidance techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of such techniques to make detailed analysis labour intensive and very time consuming. Analysis avoidance techniques are so heavily used by malware that the detection of the use of analysis avoidance techniques could be a very good indicator of the presence of malicious intent. However, there is a tendency for analysis …
Book Review: Digital Forensic Evidence Examination, Gary C. Kessler
Publications
This document is Dr. Kessler's review of the second edition of Digital Forensic Evidence Examination by Fred Cohen. ASP Press, 2010. ISBN: 978-1-878109-45-3
Book Review: Cyber Security And Global Information Assurance: Threat Analysis And Response Solutions, Gary C. Kessler
Publications
This document is Dr. Kessler's review of Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions, edited by Kenneth J. Knapp. Information Science Reference, 2009. ISBN: 978-1-60566-326-5.
Steganography: Forensic, Security, And Legal Issues, Merrill Warkentin, Ernst Bekkering, Mark B. Schmidt
Journal of Digital Forensics, Security and Law
Steganography has long been regarded as a tool used for illicit and destructive purposes such as crime and warfare. Currently, digital tools are widely available to ordinary computer users also. Steganography software allows both illicit and legitimate users to hide messages so that they will not be detected in transit. This article provides a brief history of steganography, discusses the current status in the computer age, and relates this to forensic, security, and legal issues. The paper concludes with recommendations for digital forensics investigators, IT staff, individual users, and other stakeholders.
Analysis Of Information Remaining On Hand Held Devices Offered For Sale On The Second Hand, Andy Jones, Craig Valli, Iain Sutherland
Journal of Digital Forensics, Security and Law
The ownership and use of mobile phones, Personal Digital Assistants and other hand held devices is now ubiquitous both for home and business use. The majority of these devices have a high initial cost, a relatively short period before they become obsolescent and a relatively low second hand value. As a result of this, when the devices are replaced, there are indications that they tend to be discarded. As technology has continued to develop, it has led to an increasing diversity in the number and type of devices that are available, and the processing power and the storage capacity of …
Book Review: Challenges To Digital Forensic Evidence, Gary C. Kessler
Publications
This document is Dr. Kessler's review of Challenges to Digital Forensic Evidence, by Fred Cohen. Fred Cohen & Associates, 2008. ISBN 1-878109-41-3
A Grounded Theory Approach To Identifying And Measuring Forensic Data Acquisition Tasks, Gregory H. Carlton
Journal of Digital Forensics, Security and Law
As a relatively new field of study, little empirical research has been conducted pertaining to computer forensics. This lack of empirical research contributes to problems for practitioners and academics alike.
For the community of practitioners, problems arise from the dilemma of applying scientific methods to legal matters based on anecdotal training methods, and the academic community is hampered by a lack of theory in this evolving field. A research study utilizing a multi-method approach to identify and measure tasks practitioners perform during forensic data acquisitions and lay a foundation for academic theory development was conducted in 2006 in conjunction with …