Digital Forensics in Second Life

Rakitianskaia, A.S. (Anastassia Sergeevna)

January 2015

Computers and the internet have become an integral part of our lives. People have grown accustomed to feeling constantly connected to the outside world, and in the past couple of decades online social networks and three-dimensional online virtual worlds have gained great popularity. In addition to social connections, virtual worlds (such as Second Life, a popular virtual world) offer their users opportunities for both work and play, and let them take part in things that might have been impossible in real life. However, the human factor plays a big role in the formation of the virtual community. The feeling of false anonymity online might lead to a feeling of freedom from any laws that govern the real world, and possibly facilitate offensive behaviour. The problem addressed by this study is the need to determine whether digital forensic techniques can be applied to an incident inside the Second Life environment (i.e. offensive behaviour between avatars, while logged in to Second Life), as well as to find possible sources of evidence accessible via the standard Second Life viewer. The former also requires a classification of various offenses committed in Second Life, in order to determine which actions are to be regarded as offences, and whether these actions occur inside or outside of the Second Life environment. In this dissertation the author’s own classification of various real-life offences is provided, together with a mapping of these offences to their alternatives in Second Life. Second Life is analysed and explored from a forensic perspective. A new digital forensic process model, derived from various existing models in the literature, has been developed by the author for this study. The model is designed to accommodate for the specifics of a virtual world environment. An exploratory experiment has been undertaken by the author in order to investigate how inexperienced users perceived Second Life, as well as how they reacted to attacks from other users, to identify the possible sources of evidence, and suggest possible digital forensic techniques based on the gathered data. / Dissertation (MSc)--University of Pretoria, 2015. / Computer Science / MSc / Unrestricted

Computer Security

Digital forensics

Forensic process

Virtual words

UCTD

Integrated digital forensic process model

Kohn, Michael Donovan

10 June 2013

The Information and Communications Technology (ICT) environment constitutes an integral part of our daily lives. Individual computer users and large corporate companies are increasingly dependent on services provided by ICT. These services range from basic communication to managing large databases with corporate client information. Within these ICT environments something is bound to go wrong for a number of reasons, which include an intentional attack on information services provided by an organisation. These organisations have in turn become interested in tracing the root cause of such an incident with the intent of successfully prosecuting a suspected malicious user. Digital forensics has developed signi cantly towards prosecuting such criminals. The volumes of information and rapid technological developments have contributed to making simple investigations rather cumbersome. In the digital forensics community a number of digital forensic process models have been proposed encapsulating a complete methodology for an investigation. Software developers have also greatly contributed toward the development of digital forensics tools. These developments have resulted in divergent views on digital forensic investigations. This dissertation presents the IDFPM - Integrated Digital Forensic Process Model. The model is presented after examining digital forensic process models within the current academic and law enforcement literature. An adapted sequential logic notation is used to represent the forensic models. The terminology used in the various models is examined and standardised to suit the IDFPM. Finally, a prototype supports a limited selection of the IDFPM processes, which will aid a digital forensic investigator. / Dissertation (MSc)--University of Pretoria, 2012. / Computer Science / unrestricted

Digital forensics

Digital evidence

Digital forensic framework.

Digital forensic process models

UCTD

A concept mapping case domain modeling approach for digital forensic investigations

Tanner, April L

10 December 2010

Over the decades, computer forensics has expanded from primarily examining computer evidence found on hard drives into the examination of digital devices with increasing storage capacity, to the identification of crimes and illegal activities involving the use of computers, to addressing standards and practices deficiencies, and to addressing the need to educate and train law enforcement, computer forensic technicians, and investigators. This dissertation presents the concept mapping case domain modeling approach to aid examiners/investigators in searching and identifying digital evidence and analyzing the case domain during the examination and analysis phase of the computer forensic investigation. The examination and analysis phases of a computer forensic process are two of the most important phases of the investigative process because the search for and identification of evidence data is crucial to a case; any data uncovered will help determine the guilt or innocence of a suspect. In addition, these phases can become very time consuming and cumbersome. Therefore, finding a method to reduce the amount of time spent searching and identifying potential evidence and analyzing the case domain would greatly enhance the efficiency of the computer forensic process. The hypothesis of this dissertation is that the concept mapping case domain modeling approach can serve as a method for organizing, examining, and analyzing digital forensic evidence and can enhance the quality of forensic examinations without increasing the time required to examine and analyze forensic evidence by more than 5%. Four experiments were conducted to evaluate the effectiveness of the concept mapping case domain modeling approach. Analysis of the experiments supports the hypothesis that the concept mapping case domain modeling approach can be used to organize, search, identify, and analyze digital evidence in an examination.

digital forensic process

digital forensic investigations

case domain modeling

computer forensics

concept mapping

Identifying anti-forensics : Attacks on the digital forensic process

Siljac, Stjepan

January 2022

The area of digital forensics might be old but the idea that criminals or other organisations are actively working to hide their steps is somewhat new. Roughly a year ago, a company announced that they can actively exploit security flaws in a popular digital forensics suite, thus raising questions of validity of evidence submitted to court. It is not known if this exploit is being used in the wild but the mere thought of security issues existing in tools is a serious issue for law enforcement. This paper sets out to clarify the digital forensic process, what tools are used within the digital forensic process and what anti-forensic techniques are available on the market. Using the digital forensic process as a base, this paper produces a model that classifies anti-forensic techniques into realms and shows which realm affects which stage of the digital forensics process. The digital forensic process, anti-forensic techniques and the model was then tested in a Delphi-inspired study where questions regarding the digital forensic process and anti- forensic techniques was asked to digital forensic specialists as well as information security specialists. The goal of the Delphi-study was to reach a consensus regarding the foundations (process and techniques) and their internal relationships (as described in the model). The first part of this paper’s conclusion is that a digital forensic process should contain the following stages: Planning -> Identification -> Acquisition -> Analysis -> Presentation. The paper also concludes that there are several digital forensic tools available for a practitioner, both open and closed source, and that the practitioner uses a mixture of the two. Apart from the process and the tools used, this paper concludes that there are several anti-forensic techniques available on the market and that these could be used by any malicious user that actively want to disrupt the digital forensic process. A second conclusion is that the proposed model connects the stages of the digital forensic process with anti-forensic techniques though the use of realms. The proposed model can be used to develop anti-anti-forensics methods, processes or techniques.

digital forensics

digital forensic process

digital forensic tools

anti-forensics

digital evidence

Övrig annan teknik