Automated identification of digital evidence across heterogeneous data resources

Mohammed, Hussam J.

January 2018

Digital forensics has become an increasingly important tool in the fight against cyber and computer-assisted crime. However, with an increasing range of technologies at people's disposal, investigators find themselves having to process and analyse many systems with large volumes of data (e.g., PCs, laptops, tablets, and smartphones) within a single case. Unfortunately, current digital forensic tools operate in an isolated manner, investigating systems and applications individually. The heterogeneity and volume of evidence place time constraints and a significant burden on investigators. Examples of heterogeneity include applications such as messaging (e.g., iMessenger, Viber, Snapchat, and WhatsApp), web browsers (e.g., Firefox and Google Chrome), and file systems (e.g., NTFS, FAT, and HFS). Being able to analyse and investigate evidence from across devices and applications in a universal and harmonized fashion would enable investigators to query all data at once. In addition, successfully prioritizing evidence and reducing the volume of data to be analysed reduces the time taken and cognitive load on the investigator. This thesis focuses on the examination and analysis phases of the digital investigation process. It explores the feasibility of dealing with big and heterogeneous data sources in order to correlate the evidence from across these evidential sources in an automated way. Therefore, a novel approach was developed to solve the heterogeneity issues of big data using three developed algorithms. The three algorithms include the harmonising, clustering, and automated identification of evidence (AIE) algorithms. The harmonisation algorithm seeks to provide an automated framework to merge similar datasets by characterising similar metadata categories and then harmonising them in a single dataset. This algorithm overcomes heterogeneity issues and makes the examination and analysis easier by analysing and investigating the evidential artefacts across devices and applications based on the categories to query data at once. Based on the merged datasets, the clustering algorithm is used to identify the evidential files and isolate the non-related files based on their metadata. Afterwards, the AIE algorithm tries to identify the cluster holding the largest number of evidential artefacts through searching based on two methods: criminal profiling activities and some information from the criminals themselves. Then, the related clusters are identified through timeline analysis and a search of associated artefacts of the files within the first cluster. A series of experiments using real-life forensic datasets were conducted to evaluate the algorithms across five different categories of datasets (i.e., messaging, graphical files, file system, internet history, and emails), each containing data from different applications across different devices. The results of the characterisation and harmonisation process show that the algorithm can merge all fields successfully, with the exception of some binary-based data found within the messaging datasets (contained within Viber and SMS). The error occurred because of a lack of information for the characterisation process to make a useful determination. However, on further analysis, it was found that the error had a minimal impact on subsequent merged data. The results of the clustering process and AIE algorithm showed the two algorithms can collaborate and identify more than 92% of evidential files.

Digital Forensics ; HETEROGENEOUS DATA

Tvorba analytického nástroje ke zjišťování vazeb pro potřeby forenzních analýz ICT / Development of analytical tool for relation detection required in digital forensics

HOUŠKA, Jan

January 2015

The objective of this thesis is to design and implement an application, which will on the basis of outputs from selected forensic tools analyse and search for relations among individual participants in communication. The paper will first describe procedures of digital forensics and selected programs used for digital forensics. Following chapters will be dedicated to description of the whole development cycle of the application. The main outcome of the thesis will be a finished application meeting the requirements of the assignment and enabling not only search for relations based on outputs from forensic tools, but also search for additional possible relations from open sources.

digital forensics; forenzní analýza

Continued forensic development - investigation into current trends and proposed model for digital forensic practitioners

Van Ramesdonk, Paul

January 2016

Continuous professional development has been looked at in many professions over the years, most notably in primary and secondary education and in the medical fields. With digital forensics being cast into the limelight due to the rapid advancements in technology, academic institutions have added courses to address the void created by the boom in the industry. Little research has been done to address the issues that have now become apparent concerning continued learning in this field. The purpose of this research was to investigate the kinds of frameworks and methods used in other professions, and how the practitioners themselves see career development, and to create a framework that could be used to keep abreast of developments in the field of digital forensics, be it changes in the law, case law, or changes in software. The data analysis showed quite a number of continued learning approaches that could be employed in the digital/computer forensic fields to achieve the objective of keeping abreast of changes in the field. Some, understandably, are due to the nature of the discipline. As part of practitioners' current approach to continued learning, they rely heavily on knowledge sharing in the form of learning from other professionals, through self-study by reading books, articles and research conducted in the forensic field, the use of Information and Communications Technology (ICT) for education, and the use of Internet sources such as user forums, Facebook groups, and web-blogs. The majority of the respondents had received formal training in digital forensics, and of the total number of participants, only six percent had not been involved in any form of continued learning activities in the past five years. When looking at the data obtained, and because there are no formal requirements to perform continued learning in the digital/computer forensic field, it becomes clear that individuals themselves need to be self-driven to keep up to date with changes in the field. As seen in studies focused on continued learning activities in other professions, the research shows that digital/computer forensic practitioners experience similar barriers to their own approaches to continued learning.

Information Systems

digital forensics

TIKTOK FORENSIC SCRAPER TO RETRIEVE USER VIDEO DETAILS

Akshata Nirmal Thole (14221547)

06 December 2022

<p>TIKTOK FORENSIC SCRAPER TO RETRIEVE USER VIDEO DETAILS.</p> <p><br></p> <p>Thesis - Akshata Thole </p> <p><br></p>

Digital forensics

TikTok

Web Scraping

Digital Forensics

OSINT

Security

Analysis of WeChat in Mobile and Computer Systems: Forensics Perspective

Jiaxuan Zhou (14228318)

08 December 2022

<p>WeChat is one of the most popular applications in the world. By 2021, there were 1.24 billion users of WeChat. Many people call it the `super app` because it is an application for everything. Besides the basic messaging feature, it also supports online payment, video posts, news feeds, and more. Due to its wide usage, many criminals are using the platforms for illegal activities such as bank fraud, cyberbullying, and stalking. For these reasons, we need to understand WeChat forensically to assist investigators in cases involving WeChat.</p> <p>Previous research was mostly focused on the messaging of the WeChat application. However, artifacts of other features remain on the device undiscovered. These features can provide crucial evidence to a case such as geo-locations or monetary transactions. WeChat keeps updates monthly, and these updates may add new features or modify the data structure. The official website does not provide a detailed description of its features so it is hard for a non-WeChat user to understand the functionalities. Therefore, research is required to analyze the background, structure, and possible artifacts remaining of the WeChat app to assist practitioners who encounter WeChat in an investigation. This study included all platforms that WeChat provides, Windows, MacOS, Android, and iOS.</p>

Digital forensics

WeChat Analysis

Forensic Analysis

Digital Forensics

Prototype Digital Forensics Repository

Mandelecha, Sonal

10 August 2005

The explosive growth in technology has led to a new league of a crime involving identity theft, stealing trade secrets, malicious virus attacks, hacking of DVD players, etc. The law enforcement community which has been trained to deal with traditional form of crime, is now being trained in a new realm of Digital Forensics. Forensics investigators have realized that often the most valuable resource available to them is experience and knowledge of fellow investigators. But there is seldom an explicit mechanism for disseminating this knowledge. Hence the same problems and mistakes continue to resurface and the same solutions are re-invented. In this Thesis we design and create a knowledge base, a Digital Forensics Repository, to support the sharing of experiences about the Forensics Investigation Process. It offers capabilities such as submission of lessons, online search and retrieval which will provide a means of querying into an ever increasing knowledge base.

Digital Forensics Repository

ASP.NET

C#

A structured approach to malware detection and analysis in digital forensics investigation

AlMarri, Saeed

January 2017

Within the World Wide Web (WWW), malware is considered one of the most serious threats to system security with complex system issues caused by malware and spam. Networks and systems can be accessed and compromised by various types of malware, such as viruses, worms, Trojans, botnet and rootkits, which compromise systems through coordinated attacks. Malware often uses anti-forensic techniques to avoid detection and investigation. Moreover, the results of investigating such attacks are often ineffective and can create barriers for obtaining clear evidence due to the lack of sufficient tools and the immaturity of forensics methodology. This research addressed various complexities faced by investigators in the detection and analysis of malware. In this thesis, the author identified the need for a new approach towards malware detection that focuses on a robust framework, and proposed a solution based on an extensive literature review and market research analysis. The literature review focussed on the different trials and techniques in malware detection to identify the parameters for developing a solution design, while market research was carried out to understand the precise nature of the current problem. The author termed the new approaches and development of the new framework the triple-tier centralised online real-time environment (tri-CORE) malware analysis (TCMA). The tiers come from three distinctive phases of detection and analysis where the entire research pattern is divided into three different domains. The tiers are the malware acquisition function, detection and analysis, and the database operational function. This framework design will contribute to the field of computer forensics by making the investigative process more effective and efficient. By integrating a hybrid method for malware detection, associated limitations with both static and dynamic methods are eliminated. This aids forensics experts with carrying out quick, investigatory processes to detect the behaviour of the malware and its related elements. The proposed framework will help to ensure system confidentiality, integrity, availability and accountability. The current research also focussed on a prototype (artefact) that was developed in favour of a different approach in digital forensics and malware detection methods. As such, a new Toolkit was designed and implemented, which is based on a simple architectural structure and built from open source software that can help investigators develop the skills to critically respond to current cyber incidents and analyses.

Cheetah: An Economical Distributed RAM Drive

Tingstrom, Daniel

20 January 2006

Current hard drive technology shows a widening gap between the ability to store vast amounts of data and the ability to process. To overcome the problems of this secular trend, we explore the use of available distributed RAM resources to effectively replace a mechanical hard drive. The essential approach is a distributed Linux block device that spreads its blocks throughout spare RAM on a cluster and transfers blocks using network capacity. The presented solution is LAN-scalable, easy to deploy, and faster than a commodity hard drive. The specific driving problem is I/O intensive applications, particularly digital forensics. The prototype implementation is a Linux 2.4 kernel module, and connects to Unix based clients. It features an adaptive prefetching scheme that seizes future data blocks for each read request. We present experimental results based on generic benchmarks as well as digital forensic applications that demonstrate significant performance gains over commodity hard drives.

Digital forensics

File carving

Data storage

A method to enhance the accuracy of digital forensics in the absence of complete evidence in Saudi Arabia

Alanazi, Fahad Mosalm

January 2017

The tremendous increase in the use of digital devices has led to their involvement in the vast majority of current criminal investigations. As a result, digital forensics has increasingly become one of the most important aspects of criminal investigations. The digital forensics process involves consideration of a number of important phases in order to achieve the required level of accuracy and to reach a successful conclusion of the investigation into the digital aspects of crimes; through obtaining acceptable evidence for use in a court of law. There have been a number of models developed and produced since 1984 to support the digital investigation processes. In this submission, I introduce a proposed model for the digital investigation processes which is based on the scope of the Saudi Arabia investigation process, which has been integrated with existing models of digital investigation processes and has produced a new phase to deal with a situation where there is insufficient evidence. In this research, grounded theory has been adopted as a research method to investigate and explore the participant’s perspectives and their opinions regarding the adoption of a method of a digital forensics investigation process in the absence of complete evidence in the Saudi Arabian context. The interaction of investigators with digital forensics processes involves the social aspect of digital investigation which is why it was suitable to adopt a grounded theory approach. A semi-structured data collection approach has been adopted, to enable the participants to express their visions, concerns, opinions and feelings related to factors that impact the adoption of the DF model for use in cases where there is an absence of sufficient evidence in Saudi Arabia. The proposed model emerged after conducting a number of interviews and analysing the data of this research. The researcher developed the proposed model based on the answers of the participant which helped the researcher to find a solution for dealing with cases where there is insufficient evidence, through adding a unique step in the investigation process, the “TraceBack” Phase. This study is the first in Saudi Arabia to be developed to enhance the accuracy of digital forensics in the absence of sufficient evidence, which opens a new method of research. It is also the first time has been employed a grounded theory in a digital forensics study in the Saudi context, where it was used in a digital forensics study, which indicates the possibility of applying this methodology to this field.

600

A forensically-enabled IaaS cloud computing architecture

Alqahtany, Saad

January 2017

Cloud computing has been advancing at an intense pace. It has become one of the most important research topics in computer science and information systems. Cloud computing offers enterprise-scale platforms in a short time frame with little effort. Thus, it delivers significant economic benefits to both commercial and public entities. Despite this, the security and subsequent incident management requirements are major obstacles to adopting the cloud. Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures – largely due to the fundamental dynamic nature of the cloud. When an incident has occurred, an organization-based investigation will seek to provide potential digital evidence while minimising the cost of the investigation. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on the Cloud Service Providers (CSPs) to acquire evidence for them. Due to the cost and time involved in acquiring the forensic image, some cloud providers will not provide evidence beyond 1TB despite a court order served on them. Assuming they would be willing or are required to by law, the evidence collected is still questionable as there is no way to verify the validity of evidence and whether evidence has already been lost. Therefore, dependence on the CSPs is considered one of the most significant challenges when investigators need to acquire evidence in a timely yet forensically sound manner from cloud systems. This thesis proposes a novel architecture to support a forensic acquisition and analysis of IaaS cloud-base systems. The approach, known as Cloud Forensic Acquisition and Analysis System (Cloud FAAS), is based on a cluster analysis of non-volatile memory that achieves forensically reliable images at the same level of integrity as the normal “gold standard” computer forensic acquisition procedures with the additional capability to reconstruct the image at any point in time. Cloud FAAS fundamentally, shifts access of the data back to the data owner rather than relying on a third party. In this manner, organisations are free to undertaken investigations at will requiring no intervention or cooperation from the cloud provider. The novel architecture is validated through a proof-of-concept prototype. A series of experiments are undertaken to illustrate and model how Cloud FAAS is capable of providing a richer and more complete set of admissible evidence than what current CSPs are able to provide. Using Cloud FAAS, investigators have the ability to obtain a forensic image of the system after, just prior to or hours before the incident. Therefore, this approach can not only create images that are forensically sound but also provide access to deleted and more importantly overwritten files – which current computer forensic practices are unable to achieve. This results in an increased level of visibility for the forensic investigator and removes any limitations that data carving and fragmentation may introduce. In addition, an analysis of the economic overhead of operating Cloud FAAS is performed. This shows the level of disk change that occurs is well with acceptable limits and is relatively small in comparison to the total volume of memory available. The results show Cloud FAAS has both a technical and economic basis for solving investigations involving cloud computing.

004.67