Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Computer forensics

Articles 1 - 30 of 55

Full-Text Articles in Physical Sciences and Mathematics

An Empirical Investigation Of The Evidence Recovery Process In Digital Forensics, Kevin Parviz Jan 2022

CCE Theses and Dissertations

The widespread use of the digital media in committing crimes, and the steady increase of their storage capacity has created backlogs at digital forensic labs. The problem is exacerbated especially in high profile crimes. In many such cases the judicial proceedings mandate full analysis of the digital media, when doing so is rarely accomplished or practical. Prior studies have proposed different phases for forensic analysis, to lessen the backlog issues. However, these phases are not distinctly differentiated, and some proposed solutions may not be practical. This study utilized several past police forensic analyses. Each case was chosen for having five …


Camouflaged Poisoning Attack On Graph Neural Networks, Chao Jiang, Yi He, Richard Chapman, Hongyi Wu Jan 2022

Computer Science Faculty Publications

Graph neural networks (GNNs) have enabled the automation of many web applications that entail node classification on graphs, such as scam detection in social media and event prediction in service networks. Nevertheless, recent studies revealed that the GNNs are vulnerable to adversarial attacks, where feeding GNNs with poisoned data at training time can lead them to yield catastrophically devastative test accuracy. This finding heats up the frontier of attacks and defenses against GNNs. However, the prior studies mainly posit that the adversaries can enjoy free access to manipulate the original graph, while obtaining such access could be too costly in …


The Survey On Cross-Border Collection Of Digital Evidence By Representatives From Polish Prosecutors’ Offices And Judicial Authorities, Paweł Olber Dr Sep 2021

Journal of Digital Forensics, Security and Law

Dynamic development of IT technology poses new challenges related to the cross-border collection of electronic evidence from the cloud. Many times investigators need to secure data stored on foreign servers directly and then look for solutions on how to turn the data into a legitimate source of evidence. To study the situation and propose solutions, I conducted a survey among Polish representatives of public prosecutors' offices and courts. This paper presents information from digital evidence collection practices across multiple jurisdictions. I stated that representatives from the prosecution and the judiciary in Poland are aware of the issues associated with cross-border …


Digital Forensics In The Next Five Years, Laoise Luciano, Ibrahim Baggili, Mateusz Topor, Peter Casey, Frank Breitinger Aug 2018

Electrical & Computer Engineering and Computer Science Faculty Publications

Cyber forensics has encountered major obstacles over the last decade and is at a crossroads. This paper presents data that was obtained during the National Workshop on Redefining Cyber Forensics (NWRCF) on May 23-24, 2017 supported by the National Science Foundation and organized by the University of New Haven. Qualitative and quantitative data were analyzed from twenty-four cyber forensics expert panel members. This work identified important themes that need to be addressed by the community, focusing on (1) where the domain currently is; (2) where it needs to go and; (3) steps needed to improve it. Furthermore, based on the …


A Novel Privacy Preserving User Identification Approach For Network Traffic, Nathan Clarke, Fudong Li, Steven Furnell Sep 2017

Research outputs 2014 to 2021

The prevalence of the Internet and cloud-based applications, alongside the technological evolution of smartphones, tablets and smartwatches, has resulted in users relying upon network connectivity more than ever before. This results in an increasingly voluminous footprint with respect to the network traffic that is created as a consequence. For network forensic examiners, this traffic represents a vital source of independent evidence in an environment where anti-forensics is increasingly challenging the validity of computer-based forensics. Performing network forensics today largely focuses upon an analysis based upon the Internet Protocol (IP) address – as this is the only characteristic available. More typically, …


Gaslight: A Comprehensive Fuzzing Architecture For Memory Forensics Frameworks, Andrew Case, Arghya Kusum Das, Seung Jong Park, J. (Ram) Ramanujam, Golden G. Richard Aug 2017

Computer Science Faculty Research & Creative Works

Memory forensics is now a standard component of digital forensic investigations and incident response handling, since memory forensic techniques are quite effective in uncovering artifacts that might be missed by traditional storage forensics or live analysis techniques. Because of the crucial role that memory forensics plays in investigations and because of the increasing use of automation of memory forensics techniques, it is imperative that these tools be resilient to memory smear and deliberate tampering. Without robust algorithms, malware may go undetected, frameworks may crash when attempting to process memory samples, and automation of memory forensics techniques is difficult. In this …


A Forensic Email Analysis Tool Using Dynamic Visualization, Johannes Stadlinger, Andreas Dewald Mar 2017

Journal of Digital Forensics, Security and Law

Communication between people counts among the most important information of today’s business. As a result, in case of forensic investigations in big companies, analysis of communication data in general and especially email, as the still most widely used business communication platform with an immense and still growing volume, is a typical task in digital forensics. One of the challenges is to identify the relevant communication partners and structures in the suspect's surroundings as quickly as possible in order to react appropriately and identify further targets of evaluation. Due to the amount of emails in typical inboxes, reading through all the …


Whitelisting System State In Windows Forensic Memory Visualizations, Joshua A. Lapso, Gilbert L. Peterson, James S. Okolica Mar 2017

Faculty Publications

Examiners in the field of digital forensics regularly encounter enormous amounts of data and must identify the few artifacts of evidentiary value. One challenge these examiners face is manual reconstruction of complex datasets with both hierarchical and associative relationships. The complexity of this data requires significant knowledge, training, and experience to correctly and efficiently examine. Current methods provide text-based representations or low-level visualizations, but levy the task of maintaining global context of system state on the examiner. This research presents a visualization tool that improves analysis methods through simultaneous representation of the hierarchical and associative relationships and local detailed data …


DROP (DRone Open Source Parser) Your Drone: Forensic Analysis Of The DJI Phantom III, Devon R. Clark, Christopher S. Meffert, Ibrahim Baggili, Frank Breitinger Jan 2017

Electrical & Computer Engineering and Computer Science Faculty Publications

The DJI Phantom III drone has already been used for malicious activities (to drop bombs, remote surveillance and plane watching) in 2016 and 2017. At the time of writing, DJI was the drone manufacturer with the largest market share. Our work presents the primary thorough forensic analysis of the DJI Phantom III drone, and the primary account for proprietary file structures stored by the examined drone. It also presents the forensically sound open source tool DRone Open source Parser (DROP) that parses proprietary DAT files extracted from the drone's nonvolatile internal storage. These DAT files are encrypted and encoded. The …


Exploring Myths In Digital Forensics: Separating Science From Ritual, Gary C. Kessler, Gregory H. Carlton Jan 2017

Publications

Digital forensic methodology deviates significantly relative to the methods of other forensic sciences for numerous practical reasons, and it has been largely influenced by factors derived from the inception and evolution of this relatively new and rapidly changing field. Digital forensics methodology was developed more by practitioners in its early days rather than by computer scientists. This led to accepted best practices in the field that may not represent the best or, at least, tested, science. This paper explores some of these differences in the practice and evolution between digital and other forensic sciences, and recommends scientific approaches to apply …


The Impact Of MD5 File Hash Collisions On Digital Forensic Imaging, Gary C. Kessler Dec 2016

Journal of Digital Forensics, Security and Law

The Message Digest 5 (MD5) hash is commonly used for integrity verification in the forensic imaging process. The ability to force MD5 hash collisions has been a reality for more than a decade, although there is a general consensus that hash collisions are of minimal impact to the practice of computer forensics. This paper describes an experiment to determine the results of imaging two disks that are identical except for one file, the two versions of which have different content but otherwise occupy the same byte positions on the disk, are the same size, and have the same hash …


The 2016 Analysis Of Information Remaining On Computer Hard Disks Offered For Sale On The Second Hand Market In The UAE, Thomas Martin, Andy Jones, Mohammed Alzaabi Dec 2016

Journal of Digital Forensics, Security and Law

This research describes our survey of data remaining on computer hard disks sold on the second hand market in the United Arab Emirates (UAE). This is a repetition of the first survey conducted in 2012 (Jones, Martin, & Alzaabi, 2012). Similar studies have been carried out over the last ten years in the United Kingdom, Australia, USA, Germany and France: (Jones, Mee, Meyler, & Gooch, 2005), (Jones, Valli, Sutherland, & Thomas, 2006), (Jones, Valli, Dardick, & Sutherland, 2008), (Jones, Valli, Dardick, & Sutherland, 2009). This research was undertaken to gain insight into the volumes of data found on second-hand disks purchased …


The Impact Of SHA-1 File Hash Collisions On Digital Forensic Imaging: A Follow-Up Experiment, Gary C. Kessler Dec 2016

Journal of Digital Forensics, Security and Law

A previous paper described an experiment showing that Message Digest 5 (MD5) hash collisions of files have no impact on integrity verification in the forensic imaging process. This paper describes a similar experiment applied when two files have a Secure Hash Algorithm (SHA-1) collision.


Book Review: Challenges To Digital Forensic Evidence, Gary C. Kessler Mar 2016

Gary C. Kessler

This document is Dr. Kessler's review of Challenges to Digital Forensic Evidence, by Fred Cohen. Fred Cohen & Associates, 2008. ISBN 1-878109-41-3


Book Review: Mac OS X, iPod, And iPhone Forensic Analysis DVD Toolkit, Gary C. Kessler Mar 2016

Gary C. Kessler

This document is Dr. Kessler's review of MAC OS X, iPod, and iPhone Forensic Analysis DVD Toolkit, edited by Jesse Varsalone. Syngress, 2009. ISBN: 978-1-59749-297-3.


Book Review: Digital Forensic Evidence Examination, Gary C. Kessler Mar 2016

Gary C. Kessler

This document is Dr. Kessler's review of the second edition of Digital Forensic Evidence Examination by Fred Cohen. ASP Press, 2010. ISBN: 978-1-878109-45-3


A Cyber Forensics Needs Analysis Survey: Revisiting The Domain's Needs A Decade Later, Vikram S. Harichandran, Frank Breitinger, Ibrahim Baggili, Andrew Marrington Mar 2016

Electrical & Computer Engineering and Computer Science Faculty Publications

The number of successful cyber attacks continues to increase, threatening financial and personal security worldwide. Cyber/digital forensics is undergoing a paradigm shift in which evidence is frequently massive in size, demands live acquisition, and may be insufficient to convict a criminal residing in another legal jurisdiction. This paper presents the findings of the first broad needs analysis survey in cyber forensics in nearly a decade, aimed at obtaining an updated consensus of professional attitudes in order to optimize resource allocation and to prioritize problems and possible solutions more efficiently. Results from the 99 respondents gave compelling testimony that the following …


A Cyber Forensics Needs Analysis Survey: Revisiting The Domain's Needs A Decade Later, Vikram S. Harichandran, Frank Breitinger, Ibrahim Baggili, Andrew Marrington Mar 2016

All Works

© 2015 Elsevier Ltd. The number of successful cyber attacks continues to increase, threatening financial and personal security worldwide. Cyber/digital forensics is undergoing a paradigm shift in which evidence is frequently massive in size, demands live acquisition, and may be insufficient to convict a criminal residing in another legal jurisdiction. This paper presents the findings of the first broad needs analysis survey in cyber forensics in nearly a decade, aimed at obtaining an updated consensus of professional attitudes in order to optimize resource allocation and to prioritize problems and possible solutions more efficiently. Results from the 99 respondents gave compelling …


Digital Forensics In Law Enforcement: A Needs Based Analysis Of Indiana Agencies, Teri A. Cummins Flory Jan 2016

Journal of Digital Forensics, Security and Law

Cyber crime is a growing problem, with the impact to society increasing exponentially, but the ability of local law enforcement agencies to investigate and successfully prosecute criminals for these crimes is unclear. Many national needs assessments have previously been conducted, and all indicated that state and local law enforcement did not have the training, tools, or staff to effectively conduct digital investigations, but very few have been completed recently. This study provided a current and localized assessment of the ability of Indiana law enforcement agencies to effectively investigate crimes involving digital evidence, the availability of training for both law enforcement …


The Proceedings Of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia, Craig Valli Jan 2016

Australian Digital Forensics Conference

Conference Foreword

This is the fifth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers with a number from local and international authors. 11 papers were submitted and following a double blind peer review process, 8 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, …


Forensic Investigation Of Cyberstalking Cases Using Behavioural Evidence Analysis, Noora Al Mutawa, Joanne Bryce, Virginia N.L. Franqueira, Andrew Marrington Jan 2016

All Works

Behavioural Evidence Analysis (BEA) is, in theory, useful in developing an understanding of the offender, the victim, the crime scene, and the dynamics of the crime. It can add meaning to the evidence obtained through digital forensic techniques and assist investigators with reconstruction of a crime. There is, however, little empirical research examining the application of BEA to actual criminal cases, particularly cyberstalking cases. This study addresses this gap by examining the utility of BEA for such cases in terms of understanding the behavioural and motivational dimensions of offending, and the way in which digital evidence can be interpreted. It …


Understanding Computer Forensics Requirements In China Via The “Panda Burning Incense” Virus Case, Frank Law, K. P. Chow, Y. H. Mai Jan 2014

Journal of Digital Forensics, Security and Law

In March 2012, Mainland China amended its Criminal Procedure Law, which includes the introduction of a new type of evidence, i.e., digital evidence, to the court of law. To better understand the development of computer forensics and digital evidence in Mainland China, this paper discusses the Chinese legal system in relation to digital investigation and how the current legal requirements affect the existing legal and technical usage of digital evidence at legal proceedings. Through studying the famous “Panda Burning Incense (Worm.WhBoy.cw)” virus case that happened in 2007, this paper aims to provide a better understanding of how to properly …


A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton Jan 2014

Journal of Digital Forensics, Security and Law

Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker is immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. …


Testing The Forensic Soundness Of Forensic Examination Environments On Bootable Media, Ahmed Fathy Abdul Latif Mohamed, Andrew Marrington, Farkhund Iqbal, Ibrahim Baggili Jan 2014

All Works

In this work we experimentally examine the forensic soundness of the use of forensic bootable CD/DVDs as forensic examination environments. Several Linux distributions with bootable CD/DVDs which are marketed as forensic examination environments are used to perform a forensic analysis of a captured computer system. Before and after the bootable CD/DVD examination, the computer system's hard disk is removed and a forensic image acquired by a second system using a hardware write blocker. The images acquired before and after the bootable CD/DVD examination are hashed and the hash values compared. Where the hash values are inconsistent, a differential analysis is …


Windows Surface RT Tablet Forensics, Asif Iqbal, Hanan Al Obaidli, Andrew Marrington, Andy Jones Jan 2014

All Works

Small scale digital device forensics is particularly critical as a result of the mobility of these devices, leading to closer proximity to crimes as they occur when compared to computers. The Windows Surface tablet is one such device, combining tablet mobility with familiar Microsoft Windows productivity tools. This research considers the acquisition and forensic analysis of the Windows Surface RT tablet. We discuss the artifacts of both the Windows RT operating system and third-party applications. The contribution of this research is to provide a road map for the digital forensic examination of Windows Surface RT tablets.


Preliminary Forensic Analysis Of The Xbox One, Jason Moore, Ibrahim Baggili, Andrew Marrington, Armindo Rodrigues Jan 2014

All Works

Video game consoles can no longer be viewed as just gaming consoles but rather as full multimedia machines, capable of desktop computer-like performance. The past has shown that game consoles have been used in criminal activities such as extortion, identity theft, and child pornography, but with their ever-increasing capabilities, the likelihood of the expansion of criminal activities conducted on or over the consoles increases. This research aimed to take the initial step of understanding the Xbox One, the most powerful Microsoft console to date. We report the outcome of conducting a forensic examination of the Xbox One, and we provide …


A Forensic Comparison: Windows 7 And Windows 8, Peter J. Wilson Nov 2013

Theses

Whenever a new operating system or new version of an operating system is released, forensic investigators must re-examine the new operating system or new version. They do so to determine if there are significant differences that will impact and change the way they perform their investigations. With the release of Microsoft's latest operating system, Windows 8, and its update, Windows 8.1, understanding the similarities and differences between Windows 8 and previous operating systems such as Windows 7 is critical. This paper forensically examines Windows 7 and Windows 8 to determine those similarities and differences.


The Advanced Data Acquisition Model (ADAM): A Process Model For Digital Forensic Practice, Richard Adams, Val Hobbs, Graham Mann Jan 2013

Journal of Digital Forensics, Security and Law

As with other types of evidence, the courts make no presumption that digital evidence is reliable without some evidence of empirical testing in relation to the theories and techniques associated with its production. The issue of reliability means that courts pay close attention to the manner in which electronic evidence has been obtained and in particular the process in which the data is captured and stored. Previous process models have tended to focus on one particular area of digital forensic practice, such as law enforcement, and have not incorporated a formal description. We contend that this approach has prevented the …


The 2012 Analysis Of Information Remaining On Computer Hard Disks Offered For Sale On The Second Hand Market In The UAE, Andy Jones, Thomas Martin, Mohammed Alzaabi Dec 2012

Australian Digital Forensics Conference

The growth in the use of computers in all aspects of our lives has continued to increase to the point where desktop, laptop, netbook or tablet computers are now almost essential in the way that we communicate and work. As a result of this, and the fact that these devices have a limited lifespan, enormous numbers of computers are being disposed of at the end of their useful life by individuals or/and organisations. As the cost of computing has reduced, the level of ‘consumerisation’ has increased together with the requirement for mobility. This has led to an increasing use of …


Identifying Trace Evidence From Target-Specific Data Wiping Application Software, Gregory H. Carlton, Gary C. Kessler Jan 2012

Security Studies & International Affairs - Daytona Beach

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected …