  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
31

Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations

Marziale, Lodovico 20 December 2009
Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who performed them, and how they were performed. In order for an investigation to be effective, it must exhibit several characteristics. The results produced must be reliable, or else the theory of events based on the results will be flawed. The investigation must be comprehensive, meaning that it must analyze all targets which may contain evidence of forensic interest. Since any investigation must be performed within the constraints of available time, storage, manpower, and computation, investigative techniques must be efficient. Finally, an investigation must provide a coherent view of the events under question using the evidence gathered. Unfortunately the set of currently available tools and techniques used in digital forensic investigations does a poor job of supporting these characteristics. Many tools used contain bugs which generate inaccurate results; there are many types of devices and data for which no analysis techniques exist; most existing tools are woefully inefficient, failing to take advantage of modern hardware; and the task of aggregating data into a coherent picture of events is largely left to the investigator to perform manually. To remedy this situation, we developed a set of techniques to facilitate more effective investigations. To improve reliability, we developed the Forensic Discovery Auditing Module, a mechanism for auditing and enforcing controls on accesses to evidence. To improve comprehensiveness, we developed ramparser, a tool for deep parsing of Linux RAM images, which provides previously inaccessible data on the live state of a machine. 
To improve efficiency, we developed a set of performance optimizations, and applied them to the Scalpel file carver, creating order of magnitude improvements to processing speed and storage requirements. Last, to facilitate more coherent investigations, we developed the Forensic Automated Coherence Engine, which generates a high-level view of a system from the data generated by low-level forensics tools. Together, these techniques significantly improve the effectiveness of digital forensic investigations conducted using them.
32

The fluid dynamics of droplet impacts on inclined surfaces with application to forensic blood-spatter analysis

Lockard, Michael 21 September 2015
Bloodstain pattern analysis is used in the investigation of a crime scene to infer the impact velocity and size of an impacting droplet and from these, the droplet’s point and cause of origin. The final pattern is the result of complex fluid dynamic processes involved in the impact and spreading of a blood drop on a surface with variable surface properties such as wettability and porosity. An experiment has been designed to study these processes and the resulting patterns for the case of a single Newtonian droplet impacting an inclined surface with variable roughness and wetting properties. An experimental apparatus, including a droplet generator, has been designed to produce droplets on-demand, and that impact an interchangeable surface. In addition, a blood-simulant liquid has been developed as a replacement for performing tests with real blood. With this apparatus and blood simulant, fluid dynamics concepts, such as contact line motion and wetting behavior are examined in the context of parameters of interest to the forensics community. These include eccentricity, spread factor and the number of spines formed on impact. The effect of varying dimensionless parameters including Reynolds number, Weber number and Laplace number, the angle of impact and surface properties is examined. Correlations are developed for predicting conditions at the point of impact from those observed later, as would be available to a forensics examiner, and the accuracy of the predictions developed in this thesis are evaluated.
33

An Investigation into the identification, reconstruction, and evidential value of thumbnail cache file fragments in unallocated space

Morris, S L A 08 October 2013
©Cranfield University / This thesis establishes the evidential value of thumbnail cache file fragments identified in unallocated space. A set of criteria to evaluate the evidential value of thumbnail cache artefacts were created by researching the evidential constraints present in Forensic Computing. The criteria were used to evaluate the evidential value of live system thumbnail caches and thumbnail cache file fragments identified in unallocated space. Thumbnail caches can contain visual thumbnails and associated metadata which may be useful to an analyst during an investigation; the information stored in the cache may provide information on the contents of files and any user or system behaviour which interacted with the file. There is a standard definition of the purpose of a thumbnail cache, but not the structure or implementation; this research has shown that this has led to some thumbnail caches storing a variety of other artefacts such as network place names. The growing interest in privacy and security has led to an increase in users attempting to remove evidence of their activities; information removed by the user may still be available in unallocated space. This research adapted popular methods for the identification of contiguous files to enable the identification of single cluster sized fragments in Windows 7, Ubuntu, and Kubuntu. Of the four methods tested, none were able to identify each of the classifications with no false positive results; this result led to the creation of a new approach which improved the identification of thumbnail cache file fragments. After the identification phase, further research was conducted into the reassembly of file fragments; this reassembly was based solely on the potential thumbnail cache file fragments and structural and syntactical information.
In both the identification and reassembly phases of this research image only file fragments proved the most challenging resulting in a potential area of continued future research. Finally this research compared the evidential value of live system thumbnail caches with identified and reassembled fragments. It was determined that both types of thumbnail cache artefacts can provide unique information which may assist with a digital investigation. This research has produced a set of criteria for determining the evidential value of thumbnail cache artefacts; it has also identified the structure and related user and system behaviour of popular operating system thumbnail cache implementations. This research has also adapted contiguous file identification techniques to single fragment identification and has developed an improved method for thumbnail cache file fragment identification. Finally this research has produced a proof of concept software tool for the automated identification and reassembly of thumbnail cache file fragments.
34

A structured approach to malware detection and analysis in digital forensics investigation

AlMarri, Saeed January 2017
Within the World Wide Web (WWW), malware is considered one of the most serious threats to system security with complex system issues caused by malware and spam. Networks and systems can be accessed and compromised by various types of malware, such as viruses, worms, Trojans, botnet and rootkits, which compromise systems through coordinated attacks. Malware often uses anti-forensic techniques to avoid detection and investigation. Moreover, the results of investigating such attacks are often ineffective and can create barriers for obtaining clear evidence due to the lack of sufficient tools and the immaturity of forensics methodology. This research addressed various complexities faced by investigators in the detection and analysis of malware. In this thesis, the author identified the need for a new approach towards malware detection that focuses on a robust framework, and proposed a solution based on an extensive literature review and market research analysis. The literature review focussed on the different trials and techniques in malware detection to identify the parameters for developing a solution design, while market research was carried out to understand the precise nature of the current problem. The author termed the new approaches and development of the new framework the triple-tier centralised online real-time environment (tri-CORE) malware analysis (TCMA). The tiers come from three distinctive phases of detection and analysis where the entire research pattern is divided into three different domains. The tiers are the malware acquisition function, detection and analysis, and the database operational function. This framework design will contribute to the field of computer forensics by making the investigative process more effective and efficient. By integrating a hybrid method for malware detection, associated limitations with both static and dynamic methods are eliminated. 
This aids forensics experts with carrying out quick, investigatory processes to detect the behaviour of the malware and its related elements. The proposed framework will help to ensure system confidentiality, integrity, availability and accountability. The current research also focussed on a prototype (artefact) that was developed in favour of a different approach in digital forensics and malware detection methods. As such, a new Toolkit was designed and implemented, which is based on a simple architectural structure and built from open source software that can help investigators develop the skills to critically respond to current cyber incidents and analyses.
35

Anti-Forensik : Anti-forensiska metoder på mobila enheter

Bade, Hans, Hedlund, Oscar January 2018
Mobile phones have become essential for the extraction of digital artifacts in forensic investigations. Android’s Linux-based operating systems bring greater potential for anti-forensic methods, which means that knowledge of anti-forensics is essential to today’s IT forensic investigators. In this study, the effect of anti-forensics on Android-based mobile devices is highlighted, as well as revealing today’s anti-forensic attack methods against forensic tools. By experiment, it is shown how to prevent a forensic tool from extracting data by using a simple script.
36

A Historical Perspective Framed Content Analysis Investigation of Persuasive Shifts in Interstate Oratorical Association Final Round Speeches

Bistodeau, Keith Cyril January 2014
This thesis explores the historical trends of persuasion as it functions in the competitive forensic setting, looking at the structures used as well as the topics of the speeches. Persuasion plays a large role in our academic and daily lives, which stresses the importance of studying this area due to the large role it plays in our society. This thesis explores the persuasive speeches in the final round of the Interstate Oratorical Association competition from 1970, 1980, 1990, 2000 and 2010 to document the historical trends of persuasive strategies used as a representation of the role forensics fills in our understanding of persuasive trends.
37

Industrial Internet of Things Edge Computing : Edge Forensics

Sufiye, Shooresh January 2018
Internet of Things (IoT) is an upcoming prominent technology which is quickly growing. Not all IoT demands of computing resources can be satisfied by cloud, and obstacles are firmer when it comes to mobility and agility. Thus, edge computing as a suitable middleware can fill the gap between cloud and IoT devices. According to the latest research, edge security is still evolving, and forensics is almost untouched. In this work, we attempt to study available technologies and materials then design and implement an edge computing application which addresses the challenge of log collection from different edge devices. The interaction between edge and cloud is in a fashion that cloud entity can perform log collection from heterogeneous edge devices belonging to different owners. On the other hand, due to local computing on the logs, the edge device can trust cloud party. Results show that thanks to the crucial topological position of the edge devices, the concept of edge computing can easily solve similar cloud challenges.
38

Database forensics : Investigating compromised database management systems

Beyers, Hector Quintus January 2013
The use of databases has become an integral part of modern human life. Often the data contained within databases has substantial value to enterprises and individuals. As databases become a greater part of people’s daily lives, it becomes increasingly interlinked with human behaviour. Negative aspects of this behaviour might include criminal activity, negligence and malicious intent. In these scenarios a forensic investigation is required to collect evidence to determine what happened on a crime scene and who is responsible for the crime. A large amount of the research that is available focuses on digital forensics, database security and databases in general but little research exists on database forensics as such. It is difficult for a forensic investigator to conduct an investigation on a DBMS due to limited information on the subject and an absence of a standard approach to follow during a forensic investigation. Investigators therefore have to reference disparate sources of information on the topic of database forensics in order to compile a self-invented approach to investigating a database. A subsequent effect of this lack of research is that compromised DBMSs (DBMSs that have been attacked and so behave abnormally) are not considered or understood in the database forensics field. The concept of compromised DBMSs was illustrated in an article by Olivier who suggested that the ANSI/SPARC model can be used to assist in a forensic investigation on a compromised DBMS. Based on the ANSI/SPARC model, the DBMS was divided into four layers known as the data model, data dictionary, application schema and application data. The extensional nature of the first three layers can influence the application data layer and ultimately manipulate the results produced on the application data layer. 
Thus, it becomes problematic to conduct a forensic investigation on a DBMS if the integrity of the extensional layers is in question and hence the results on the application data layer cannot be trusted. In order to recover the integrity of a layer of the DBMS a clean layer (newly installed layer) could be used but clean layers are not easy or always possible to configure on a DBMS depending on the forensic scenario. Therefore a combination of clean and existing layers can be used to do a forensic investigation on a DBMS.

PROBLEM STATEMENT
The problem to be addressed is how to construct the appropriate combination of clean and existing layers for a forensic investigation on a compromised DBMS, and ensure the integrity of the forensic results.

APPROACH
The study divides the relational DBMS into four abstract layers, illustrates how the layers can be prepared to be either in a found or clean forensic state, and experimentally combines the prepared layers of the DBMS according to the forensic scenario. The study commences with background on the subjects of databases, digital forensics and database forensics respectively to give the reader an overview of the literature that already exists in these relevant fields. The study then discusses the four abstract layers of the DBMS and explains how the layers could influence one another. The clean and found environments are introduced due to the fact that the DBMS is different to technologies where digital forensics has already been researched. The study then discusses each of the extensional abstract layers individually, and how and why an abstract layer can be converted to a clean or found state. A discussion of each extensional layer is required to understand how unique each layer of the DBMS is and how these layers could be combined in a way that enables a forensic investigator to conduct a forensic investigation on a compromised DBMS. It is illustrated that each layer is unique and could be corrupted in various ways. Therefore, each layer must be studied individually in a forensic context before all four layers are considered collectively. A forensic study is conducted on each abstract layer of the DBMS that has the potential to influence other layers to deliver incorrect results. Ultimately, the DBMS will be used as a forensic tool to extract evidence from its own encrypted data and data structures. Therefore, the last chapter shall illustrate how a forensic investigator can prepare a trustworthy forensic environment where a forensic investigation could be conducted on an entire PostgreSQL DBMS by constructing a combination of the appropriate forensic states of the abstract layers.

RESULTS
The result of this study yields an empirically demonstrated approach on how to deal with a compromised DBMS during a forensic investigation by making use of a combination of various states of abstract layers in the DBMS. Approaches are suggested on how to deal with a forensic query on the data model, data dictionary and application schema layer of the DBMS. A forensic process is suggested on how to prepare the DBMS to extract evidence from the DBMS. Another function of this study is that it advises forensic investigators to consider alternative possibilities on how the DBMS could be attacked. These alternatives might not have been considered during investigations on DBMSs to date. Our methods have been tested at hand of a practical example and have delivered promising results. / Dissertation (MEng)--University of Pretoria, 2013. / gm2014 / Electrical, Electronic and Computer Engineering / unrestricted
39

Characterization and colorimetric analysis of semi-synthetic Salvia divinorum analogues

Carter, Rhiannon 24 September 2015
Salvia divinorum is a hallucinogenic herb from the mint family, Lamiaceae. An estimated 1.8 million people over the age of 12 have used S. divinorum in their lifetime as of 2008. The abuse of S. divinorum is attractive to teens and young adults who wish to experiment with psychoactive materials. The plant material and extracts are widely available via the Internet, and it is known that S. divinorum will not show up on common drug screens. The active component in S. divinorum is salvinorin A, which is a non-nitrogenous diterpene that is a highly selective kappa opioid receptor (KOR) agonist, reported to be the most potent naturally occurring hallucinogen. Since salvinorin A is such a selective and potent agonist of the KOR, there is interest in researching analogues in efforts to develop and understand therapeutic drugs for depression, schizophrenia, and other mental illnesses, resulting in the discovery of analogues with increased potency. These semi-synthetic salvinorin analogues have been abused by spraying the drug on innocuous plant material or on cigarette papers as a substrate for smoking. This practice poses a significant health risk, as most new analogues will have little safety and toxicity data associated with common abuse routes. Chemical characterization of the potent analogue, salvinorin B ethoxymethyl ether (SB-EME) was performed in order to develop methods of differentiation from Salvia divinorum and salvinorin A. These characterization techniques include HPLC, UV/Vis, NMR, and a colorimetric assay with Ehrlich's reagent. Adulteration of other plant materials with salvinorin A and analogues was performed and analyzed to determine if fortified materials can be detected by colorimetric assay. The validation studies of the HPLC method for SB-EME were found to be accurate (%RE < 12%), precise (RSD = 12%), and linear (R² = 0.9993) over the mass range of 0.038 µg - 4.8 µg. The LOD was determined to be 0.038 µg, and the LOQ was determined to be 0.113 µg.
Significant matrix effects were observed when using Salvia officinalis as a blank matrix, affecting the accuracy and selectivity of the method. However, the purified solutions of SB-EME had baseline resolution from salvinorin A and salvinorin B, which allows for easy qualitative distinction if adulterated samples are suspected. UV/Vis analysis provided a rapid and facile SB-EME characterization method. The UV/Vis trace for SB-EME was distinguishable from both salvinorin A and salvinorin B. NMR analysis confirmed the structures of salvinorin A, salvinorin B and SB-EME, with resonances specific to each compound. The colorimetric assay with Ehrlich's reagent provided a red-orange result with salvinorin B and SB-EME, similar to salvinorin A. While this does not provide differentiation in the field, it does allow all materials related to Salvia divinorum to be identified and collected for further analysis in the lab, as this colorimetric analysis allows easy distinction from common kitchen herbs such as mint, basil, and sage. Characterization of the colored species in the assay with Ehrlich's reagent was performed with UV/Vis, HPLC, and NMR. The UV/Vis analysis showed a new peak at 500 nm in the aqueous layer, which would correspond to a red-orange color. HPLC analysis revealed a new, highly retained peak from the DCM layer of the assay. ¹H NMR analysis indicated that the backbone of the salvinorins was not stable in acid, and the molecule that creates the color was likely a degraded analogue. The analysis of the adulterated plant materials by colorimetric assay was inconclusive, as color intensity decreased as concentration of spiked standard increased. HPLC analysis of the vial remnants after the colorimetric assay confirmed recoveries of the spiking compounds up to an average of 22% for salvinorin A, 96% for salvinorin B, and 41% for SB-EME over all matrices, indicating incomplete deposition of standard material onto the plant material.
In conclusion, salvinorin B ethoxymethyl ether can be detected in the field through the use of Ehrlich's reagent as a colorimetric assay. Further laboratory tests, including HPLC and UV/Vis, were shown to easily distinguish the ether derivative from salvinorin A and B.
40

The face of Stonehenge: 3D surface scanning, 3D printing and facial reconstruction of the Winterbourne Stoke cranium

Nilsson, O., Sparrow, Thomas, Holland, Andrew D., Wilson, Andrew S. 19 August 2022
Stonehenge is one of the world’s most iconic archaeological sites and yet we know relatively little about the people that created this important prehistoric monument. This chapter contributes to this narrative by reconstructing the face of a high-status male who was recovered during nineteenth-century excavation of a Neolithic Long Barrow. Situated in the barrow cemetery at Winterbourne Stoke, this site is important to the contextual setting and contemporary development of Stonehenge as a ceremonial and ritual centre. The chapter reports on the combination of digital bioarchaeology and visual heritage methods, together with forensic reconstruction, that transformed the physical remains of the individual into digital data that was manipulated for 3D printing; and subsequent anatomical and visual art interpretation to yield physical life-like characteristics. His facial features have been rebuilt on the 3D printed skull, muscle by muscle, to create a highly realistic face from the era. The aim of this project was to provide a tangible connection to the archaeology of the Stonehenge landscape and to the people that developed its ceremonial and ritual significance—narrowing the temporal distance through the emotional experience it means to gaze into the eyes of a Neolithic individual.
