Riktlinjers roll i IT-forensiska utredningar

Wiman, Jonathan, Lundström, Jonathan

January 2018

A wide range of professions is enjoying the privilege of standardized work, where a document states what operations are the best way to go about any given task. In the work of a digital forensic examiner, standards and guidelines are harder to define given the full range of tasks and continuously developing digital aspect. This study has the goal of mapping out existing digital forensic standards and examining whether or not any digital standards and guidelines are being used in the field of law enforcement. This study is also setting out to explain why, or why not these standards and guidelines are being used. This task is being performed using a literary study, using existing digital forensic standards, and also a set of interviews targeting digital forensics working in law enforcement. The study shows how digital forensic standards are not actively being used, and when guidelines are being used, they are used somewhat vaguely and not firmly enforced. The work of a digital forensic proves to use a more “best practice” approach where experience and competence are key. Standards and guidelines are being used so rarely because, with the extremely different cases, the constant development of technology, and the use of “unrestrained evaluation of evidence”; it simply cannot exist without limiting the digital forensic process.

it-forensik

digitalforensik

it-rätt

standard

riktlinjer

rättsväsende

intervjustudie

intervju

kartläggning

ISO

ASTM

SWGDE

utredningar

IT-brott

Computer and Information Sciences

Data- och informationsvetenskap

Forensiska Artefakter hos Mobila Applikationer : Utvinning och Analys av Applikationen Snapchat

Nordin, Anton, Liffner, Felix

January 2019

Today's smartphones and tablets use different applications and software for all sorts of purposes: communication, entertainment, fitness, to share images with each other, to keep up to date with the news and lots of different daily tasks. With the heavy usage of all these apps, it is no wonder that it comes with a few issues. Private data is stored in large quantities both on the local device and on the app-creators' servers. It is no wonder that applications advertising user secrecy and transient storage of user data. One of these applications is Snapchat, with over 500 million downloads on Google Play store, at the time of writing. Snapchat is a communication application with the niched feature that the images and messages sent, disappear once opened or after 24 hours have passed. With the illusion of privacy behind Snapchats niche it has become a breeding ground for criminal activity. The niche itself translates to a troublesome hurdle for law enforcement trying to retrieve evidence from devices of Snapchat users. This paper is aimed to investigate these issues and perform a methodology to retrieve potential evidence on a device using Snapchat to send images and messages. By performing a physical acquisition on a test device and analyzing to find artifacts pertaining to Snapchat and the test-data that was created. The method is performed on a Samsung Galaxy S4 with Android 5.0.1 running Snapchat version 10.52.3.0. Test data such as different images and messages were created and attempted to be retrieved at three points in time. First one being right after data creation. Second one after a restart and 24 hours after the data was created. And the third with 48 hours passed and the Snapchat user logged out at the time of acquisition. The acquisition resulted in the extraction of several sent images and a full text conversation between the experimental device and another party. A full video which was uploaded by the receiving user was able to be extracted even though the experimental device never actually viewed the video. The second acquisition which was made when 24h had passed gave the same results as the first one. This meant that time at least up to a day after the initial creation of the data did not have any effect on the evidence. However, when the Snapchat user was logged out from the application, the data was then unobtainable and had disappeared. Presumably Snapchat has a function which deletes personal data about the user when logged out from the application. This function might become a hurdle in law enforcement investigations where the application Snapchat is involved.

Forensics

Mobile forensics

DFIR

Snapchat

Magnet Axiom

Extraction

Snapchat analysis

Forensic investigation

Snapchat artifacts

forensic artifacts

digital forensics

Forensik

Digitalforensik

Mobilforensik

Snapchat

Artefakter

Magnet Axiom

Utvinning

Samsung Galaxy S4

Applikationer

Mobilutvinning

Övrig annan teknik

Computer and Information Sciences

Data- och informationsvetenskap