1

A forensically-enabled IaaS cloud computing architecture

Alqahtany, Saad January 2017 (has links)
Cloud computing has been advancing at an intense pace. It has become one of the most important research topics in computer science and information systems. Cloud computing offers enterprise-scale platforms in a short time frame with little effort. Thus, it delivers significant economic benefits to both commercial and public entities. Despite this, the security and subsequent incident management requirements are major obstacles to adopting the cloud. Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures – largely due to the fundamental dynamic nature of the cloud. When an incident has occurred, an organization-based investigation will seek to provide potential digital evidence while minimising the cost of the investigation. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on the Cloud Service Providers (CSPs) to acquire evidence for them. Due to the cost and time involved in acquiring the forensic image, some cloud providers will not provide evidence beyond 1TB despite a court order served on them. Assuming they would be willing or are required to by law, the evidence collected is still questionable as there is no way to verify the validity of evidence and whether evidence has already been lost. Therefore, dependence on the CSPs is considered one of the most significant challenges when investigators need to acquire evidence in a timely yet forensically sound manner from cloud systems. This thesis proposes a novel architecture to support a forensic acquisition and analysis of IaaS cloud-based systems.
The approach, known as Cloud Forensic Acquisition and Analysis System (Cloud FAAS), is based on a cluster analysis of non-volatile memory that achieves forensically reliable images at the same level of integrity as the normal “gold standard” computer forensic acquisition procedures with the additional capability to reconstruct the image at any point in time. Cloud FAAS fundamentally shifts access to the data back to the data owner rather than relying on a third party. In this manner, organisations are free to undertake investigations at will, requiring no intervention or cooperation from the cloud provider. The novel architecture is validated through a proof-of-concept prototype. A series of experiments are undertaken to illustrate and model how Cloud FAAS is capable of providing a richer and more complete set of admissible evidence than what current CSPs are able to provide. Using Cloud FAAS, investigators have the ability to obtain a forensic image of the system after, just prior to or hours before the incident. Therefore, this approach can not only create images that are forensically sound but also provide access to deleted and, more importantly, overwritten files – which current computer forensic practices are unable to achieve. This results in an increased level of visibility for the forensic investigator and removes any limitations that data carving and fragmentation may introduce. In addition, an analysis of the economic overhead of operating Cloud FAAS is performed. This shows the level of disk change that occurs is well within acceptable limits and is relatively small in comparison to the total volume of storage available. The results show Cloud FAAS has both a technical and economic basis for solving investigations involving cloud computing.
2

Data visualisation in digital forensics

Fei, B.K.L. (Bennie Kar Leung) 07 March 2007 (has links)
As digital crimes have risen, so has the need for digital forensics. Numerous state-of-the-art tools have been developed to assist digital investigators conduct proper investigations into digital crimes. However, digital investigations are becoming increasingly complex and time consuming due to the amount of data involved, and digital investigators can find themselves unable to conduct them in an appropriately efficient and effective manner. This situation has prompted the need for new tools capable of handling such large, complex investigations. Data mining is one such potential tool. It is still relatively unexplored from a digital forensics perspective, but the purpose of data mining is to discover new knowledge from data where the dimensionality, complexity or volume of data is prohibitively large for manual analysis. This study assesses the self-organising map (SOM), a neural network model and data mining technique that could potentially offer tremendous benefits to digital forensics. The focus of this study is to demonstrate how the SOM can help digital investigators to make better decisions and conduct the forensic analysis process more efficiently and effectively during a digital investigation. The SOM’s visualisation capabilities can not only be used to reveal interesting patterns, but can also serve as a platform for further, interactive analysis. / Dissertation (MSc (Computer Science))--University of Pretoria, 2007. / Computer Science / unrestricted
3

The Comprehensive Digital Forensic Investigation Process Model (CDFIPM) for digital forensic practice

Montasari, Reza January 2016 (has links)
No description available.
4

Formalization Of Input And Output In Modern Operating Systems: The Hadley Model

Gerber, Matthew 01 January 2005 (has links)
We present the Hadley model, a formal descriptive model of input and output for modern computer operating systems. Our model is intentionally inspired by the Open Systems Interconnection model of networking; I/O as a process is defined as a set of translations between a set of computer-sensible forms, or layers, of information. To illustrate an initial application domain, we discuss the utility of the Hadley model and a potential associated I/O system as a tool for digital forensic investigators. To illustrate practical uses of the Hadley model we present the Hadley Specification Language, an essentially functional language designed to allow the translations that comprise I/O to be written in a concise format allowing for relatively easy verifiability. To further illustrate the utility of the language we present a read/write Microsoft DOS FAT12 and read-only Linux ext2 file system specification written in the new format. We prove the correctness of the read-only side of these descriptions. We present test results from operation of our HSL-driven system both in user mode on stored disk images and as part of a Linux kernel module allowing file systems to be read. We conclude by discussing future directions for the research.
5

Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations

Marziale, Lodovico 20 December 2009 (has links)
Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who performed them, and how they were performed. In order for an investigation to be effective, it must exhibit several characteristics. The results produced must be reliable, or else the theory of events based on the results will be flawed. The investigation must be comprehensive, meaning that it must analyze all targets which may contain evidence of forensic interest. Since any investigation must be performed within the constraints of available time, storage, manpower, and computation, investigative techniques must be efficient. Finally, an investigation must provide a coherent view of the events under question using the evidence gathered. Unfortunately the set of currently available tools and techniques used in digital forensic investigations does a poor job of supporting these characteristics. Many tools used contain bugs which generate inaccurate results; there are many types of devices and data for which no analysis techniques exist; most existing tools are woefully inefficient, failing to take advantage of modern hardware; and the task of aggregating data into a coherent picture of events is largely left to the investigator to perform manually. To remedy this situation, we developed a set of techniques to facilitate more effective investigations. To improve reliability, we developed the Forensic Discovery Auditing Module, a mechanism for auditing and enforcing controls on accesses to evidence. To improve comprehensiveness, we developed ramparser, a tool for deep parsing of Linux RAM images, which provides previously inaccessible data on the live state of a machine. 
To improve efficiency, we developed a set of performance optimizations, and applied them to the Scalpel file carver, creating order of magnitude improvements to processing speed and storage requirements. Last, to facilitate more coherent investigations, we developed the Forensic Automated Coherence Engine, which generates a high-level view of a system from the data generated by low-level forensics tools. Together, these techniques significantly improve the effectiveness of digital forensic investigations conducted using them.
6

Método para ranqueamento e triagem de computadores aplicado à perícia de informática. / Method for computer ranking and triage applied to computer forensics.

Barbosa, Akio Nogueira 08 October 2015 (has links)
Considering that one of the most common tasks of a court-appointed expert working in the computing area is to search for traces of interest in the contents of data storage devices (DADs), that these traces most often consist of keywords, and that during the time required to duplicate a DAD the expert is practically unable to interact with the data it contains, we decided to test the hypothesis that it is possible, at the collection stage, to scan for keywords in raw data simultaneously with the duplication of the DAD, without significantly impacting the duplication time. The main objective of this thesis is to propose a method that makes it possible to identify, at the end of the collection stage, the DADs most likely to contain traces of interest for a given forensic examination, based on the number of keyword occurrences found by a scanning mechanism that operates at the raw-data level. From these results a triage of the DADs is performed. With the triage results, a ranking process is carried out, indicating which DADs should be examined first in the analysis stage. The experimental results showed that applying the method is possible and feasible without burdening the duplication time and with a good level of accuracy. In many cases, applying the method helps reduce the number of DADs that must be analysed, helping to reduce the human effort required.
8

Provas digitais no processo penal: formulação do conceito, definição das características e sistematização do procedimento probatório / Digital evidence in criminal procedure: definition of the concept, characteristics and systematization of the evidentiary procedure

Vaz, Denise Provasi 17 May 2012 (has links)
The development of new technologies and the formation of the information society, from the twentieth century onwards, brought about new personal and social habits and transformations in the processing and storage of information. The treatment and recording of facts and ideas came to be done digitally, using electronic devices that operate in the binary system. This new landscape had several consequences for criminal procedure, mainly related to evidence. However, legislation and case law have not kept pace with technological progress, opening a normative vacuum in the field of evidentiary procedure. For this reason, it is essential to analyse the technical and social aspects in light of the theory of evidence, in order to conceptualise the result of technological development, that is, digital evidence, determining its legal nature and the evidentiary procedure appropriate for its use in Brazilian criminal proceedings. Thus, the objective of this thesis is to establish the concept and legal nature of digital evidence and to demonstrate that it constitutes a distinct kind of source of evidence which, although similar to the document, has peculiar characteristics that demand specific regulation of its evidentiary procedure. Starting from the delineation of the concept, classification and characterisation of digital evidence, the means of obtaining evidence and the means of proof appropriate to this sui generis source are examined, assessing the sufficiency and suitability of the rules in the current legal order. Finally, the main aspects in need of regulation are highlighted, and a still rudimentary structure of rules for the subject is proposed.
10

LEIA: The Live Evidence Information Aggregator : A Scalable Distributed Hypervisor-based Peer-2-Peer Aggregator of Information for Cyber-Law Enforcement I

Homem, Irvin January 2013 (has links)
The Internet in its most basic form is a complex information sharing organism. There are billions of interconnected elements with varying capabilities that work together supporting numerous activities (services) through this information sharing. In recent times, these elements have become portable, mobile, highly computationally capable and more than ever intertwined with human controllers and their activities. They are also rapidly being embedded into other everyday objects and sharing more and more information in order to facilitate automation, signaling that the rise of the Internet of Things is imminent. In every human society there are always miscreants who prefer to drive against the common good and engage in illicit activity. It is no different within the society interconnected by the Internet (The Internet Society). Law enforcement in every society attempts to curb perpetrators of such activities. However, it is immensely difficult when the Internet is the playing field. The amount of information that investigators must sift through is incredibly massive and prosecution timelines stated by law are prohibitively narrow. The main solution towards this Big Data problem is seen to be the automation of the Digital Investigation process. This encompasses the entire process: From the detection of malevolent activity, seizure/collection of evidence, analysis of the evidentiary data collected and finally to the presentation of valid postulates. This paper focuses mainly on the automation of the evidence capture process in an Internet of Things environment. However, in order to comprehensively achieve this, the subsequent and consequent procedures of detection of malevolent activity and analysis of the evidentiary data collected, respectively, are also touched upon. To this effect we propose the Live Evidence Information Aggregator (LEIA) architecture that aims to be a comprehensive automated digital investigation tool. 
LEIA is in essence a collaborative framework that hinges upon interactivity and sharing of resources and information among participating devices in order to achieve the necessary efficiency in data collection in the event of a security incident. Its ingenuity makes use of a variety of technologies to achieve its goals. This is seen in the use of crowdsourcing among devices in order to achieve more accurate malicious event detection; Hypervisors with inbuilt intrusion detection capabilities to facilitate efficient data capture; Peer to Peer networks to facilitate rapid transfer of evidentiary data to a centralized data store; Cloud Storage to facilitate storage of massive amounts of data; and the Resource Description Framework from Semantic Web Technologies to facilitate the interoperability of data storage formats among the heterogeneous devices. Within the description of the LEIA architecture, a peer to peer protocol based on the Bittorrent protocol is proposed, corresponding data storage and transfer formats are developed, and network security protocols are also taken into consideration. In order to demonstrate the LEIA architecture developed in this study, a small scale prototype with limited capabilities has been built and tested. The prototype functionality focuses only on the secure, remote acquisition of the hard disk of an embedded Linux device over the Internet and its subsequent storage on a cloud infrastructure. The successful implementation of this prototype goes to show that the architecture is feasible and that the automation of the evidence seizure process makes the otherwise arduous process easy and quick to perform.
