1 |
Measuring The Robustness of Forensic Tools' Ability to Detect Data Hiding Techniques
Moses, Samuel Isaiah (01 June 2017)
The goal of this research is to create a methodology that measures the robustness and effectiveness of forensic tools' ability to detect data hiding. First, an extensive search for any existing guidelines testing against data hiding was performed. After finding none, existing guidelines and frameworks in cybersecurity and cyber forensics were reviewed. Next, I created the methodology in this thesis. This methodology includes a set of steps that a user should take to evaluate a forensic tool. The methodology has been designed to be flexible and scalable so as new anti-forensic data hiding methods are discovered and developed, they can easily be added to the framework, and the evaluator using the framework can tailor it to the files they are most focused on. Once a polished draft of the entire methodology was completed, it was reviewed by information technology and security professionals and updated based on their feedback. Two popular forensic tools – Autopsy/Sleuthkit and X-Ways – were evaluated using the methodology developed. Evaluation revealed improvements in the methodology that were updated. I propose that the methodology can be an effective tool to provide insight and evaluate forensic tools.
|
2 |
Anti-forensiska metoder på smarta mobiltelefoner : Går akademisk forskning hand i hand med lagens långa arm? / Anti-forensic methods on smartphones : Does academic research grasp the long arm of the law?
Sundelin, Martina, Nilsson, Eric (January 2023)
Mobile phones are common sources of evidence in IT-forensic investigations, and this fact is causing additional strain for law enforcement work. Meanwhile, mobile anti-forensics is a small and relatively new area of research. With a strict focus on smart mobile phones, and using an anti-forensics definition that places the intentions of the user in focus, we have performed a systematic literature study with the purpose of mapping the academic research related to the field.
Our reasoning is that mapping the performed research should also result in a map of the research that has yet to be performed, if a practical perspective is applied. Over 500 articles were handled as part of the literature study, of which 45 articles were included and sorted based on their anti-forensic content into a model for the IT-forensic process. The practical perspective was sourced from interviews with the North, East, and Southern Swedish police regions. Their IT-forensic experts describe which parts of the IT-forensic process are subject to the most difficult challenges. By taking both perspectives into account we are able to identify areas of deficiency where future research should be focused in order to better support the work of law enforcement. We find that research tends to focus on the latter half of the IT-forensic process whereas the IT-forensic experts call out identification and collection of evidence as areas of interest. We also identify a multitude of areas where more research is needed, for example in relation to data-destroying applications.
|
3 |
Vers l’anti-criminalistique en images numériques via la restauration d’images / Towards digital image anti-forensics via image restoration
Fan, Wei (30 April 2015)
Image forensics enjoys its increasing popularity as a powerful image authentication tool, working in a blind passive way without the aid of any a priori embedded information compared to fragile image watermarking. On its opponent side, image anti-forensics attacks forensic algorithms for the future development of more trustworthy forensics. When image coding or processing is involved, we notice that image anti-forensics to some extent shares a similar goal with image restoration. Both of them aim to recover the information lost during the image degradation, yet image anti-forensics has one additional indispensable forensic undetectability requirement. In this thesis, we form a new research line for image anti-forensics, by leveraging on advanced concepts/methods from image restoration meanwhile with integrations of anti-forensic strategies/terms. Under this context, this thesis contributes on the following four aspects for JPEG compression and median filtering anti-forensics: (i) JPEG anti-forensics using Total Variation based deblocking, (ii) improved Total Variation based JPEG anti-forensics with assignment problem based perceptual DCT histogram smoothing, (iii) JPEG anti-forensics using JPEG image quality enhancement based on a sophisticated image prior model and non-parametric DCT histogram smoothing based on calibration, and (iv) median filtered image quality enhancement and anti-forensics via variational deconvolution.
Experimental results demonstrate the effectiveness of the proposed anti-forensic methods with a better forensic undetectability against existing forensic detectors as well as a higher visual quality of the processed image, by comparisons with the state-of-the-art methods.
|
4 |
Anti-Forensik : Anti-forensiska metoder på mobila enheter / Anti-forensics : Anti-forensic methods on mobile devices
Bade, Hans, Hedlund, Oscar (January 2018)
Mobile phones have become essential for the extraction of digital artifacts in forensic investigations. Android’s Linux-based operating systems bring greater potential for anti-forensic methods, which means that knowledge of anti-forensics is essential to today’s IT forensic investigators. In this study, the effect of anti-forensics on Android-based mobile devices is highlighted, as well as revealing today’s anti-forensic attack methods against forensic tools. By experiment, it is shown how to prevent a forensic tool from extracting data by using a simple script.
|
5 |
Identifying anti-forensics : Attacks on the digital forensic process
Siljac, Stjepan (January 2022)
The area of digital forensics might be old but the idea that criminals or other organisations are actively working to hide their steps is somewhat new. Roughly a year ago, a company announced that they can actively exploit security flaws in a popular digital forensics suite, thus raising questions of validity of evidence submitted to court. It is not known if this exploit is being used in the wild but the mere thought of security issues existing in tools is a serious issue for law enforcement. This paper sets out to clarify the digital forensic process, what tools are used within the digital forensic process and what anti-forensic techniques are available on the market. Using the digital forensic process as a base, this paper produces a model that classifies anti-forensic techniques into realms and shows which realm affects which stage of the digital forensics process. The digital forensic process, anti-forensic techniques and the model were then tested in a Delphi-inspired study where questions regarding the digital forensic process and anti-forensic techniques were asked to digital forensic specialists as well as information security specialists. The goal of the Delphi-study was to reach a consensus regarding the foundations (process and techniques) and their internal relationships (as described in the model). The first part of this paper’s conclusion is that a digital forensic process should contain the following stages: Planning -> Identification -> Acquisition -> Analysis -> Presentation. The paper also concludes that there are several digital forensic tools available for a practitioner, both open and closed source, and that the practitioner uses a mixture of the two. Apart from the process and the tools used, this paper concludes that there are several anti-forensic techniques available on the market and that these could be used by any malicious user that actively wants to disrupt the digital forensic process.
A second conclusion is that the proposed model connects the stages of the digital forensic process with anti-forensic techniques through the use of realms. The proposed model can be used to develop anti-anti-forensics methods, processes or techniques.
|