41

Towards Real-Time Volatile Memory Forensics: Frameworks, Methods, and Analysis

Sylve, Joseph T 19 May 2017
Memory forensics (or memory analysis) is a relatively new approach to digital forensics that deals exclusively with the acquisition and analysis of volatile system memory. Because each function performed by an operating system must utilize system memory, analysis of this memory can often lead to a treasure trove of useful information for forensic analysts and incident responders. Today’s forensic investigators are often subject to large case backlogs, and incident responders must be able to quickly identify the source and cause of security breaches. In both these cases time is a critical factor. Unfortunately, today’s memory analysis tools can take many minutes or even hours to perform even simple analysis tasks. This problem will only become more prevalent as RAM prices continue to drop and systems with very large amounts of RAM become more common. Due to the volatile nature of data resident in system RAM it is also desirable for investigators to be able to access non-volatile copies of system RAM that may exist on a device’s hard drive. Such copies are often created by operating systems when a system is being suspended and placed into a power safe mode. This dissertation presents work on improving the speed of memory analysis and the access to non-volatile copies of system RAM. Specifically, we propose a novel memory analysis framework that can provide access to valuable artifacts orders of magnitude faster than existing tools. We also propose two new analysis techniques that can provide faster and more resilient access to important forensic artifacts. Further, we present the first analysis of the hibernation file format used in modern versions of Windows. This work allows access to evidence in non-volatile copies of system RAM that were not previously able to be analyzed. Finally, we propose future enhancements to our memory analysis framework that should address limitations with the current design. 
Taken together, this dissertation represents substantial work towards advancing the field of memory forensics.
42

Collaborative Digital Forensics: Architecture, Mechanisms, and Case Study

January 2011
abstract: In order to catch the smartest criminals in the world, digital forensics examiners need a means of collaborating and sharing information with each other and outside experts that is not prohibitively difficult. However, standard operating procedures and the rules of evidence generally disallow the use of the collaboration software and techniques that are currently available because they do not fully adhere to the dictated procedures for the handling, analysis, and disclosure of items relating to cases. The aim of this work is to conceive and design a framework that provides a completely new architecture that 1) can perform fundamental functions that are common and necessary to forensic analyses, and 2) is structured such that it is possible to include collaboration-facilitating components without changing the way users interact with the system sans collaboration. This framework is called the Collaborative Forensic Framework (CUFF). CUFF is constructed from four main components: Cuff Link, Storage, Web Interface, and Analysis Block. With the Cuff Link acting as a mediator between components, CUFF is flexible in both the method of deployment and the technologies used in implementation. The details of a realization of CUFF are given, which uses a combination of Java, the Google Web Toolkit, Django with Apache for a RESTful web service, and an Ubuntu Enterprise Cloud using Eucalyptus. The functionality of CUFF's components is demonstrated by the integration of an acquisition script designed for Android OS-based mobile devices that use the YAFFS2 file system. While this work has obvious application to examination labs which work under the mandate of judicial or investigative bodies, security officers at any organization would benefit from the improved ability to cooperate in electronic discovery efforts and internal investigations. / Dissertation/Thesis / M.S. Computer Science 2011
43

Reconstruction in Database Forensics

Adedayo, Oluwasola Mary January 2015
The increasing usage of databases in the storage of critical and sensitive information in many organizations has led to an increase in the rate at which databases are exploited in computer crimes. Databases are often manipulated to facilitate crimes and as such are usually of interest during many investigations as useful information relevant to the investigation can be found therein. A branch of digital forensics that deals with the identification, preservation, analysis and presentation of digital evidence from databases is known as database forensics. Despite the large amount of information that can be retrieved from databases and the amount of research that has been done on various aspects of databases, database security and digital forensics in general, very little has been done on database forensics. Databases have also been excluded from traditional digital investigations until very recently. This can be attributed to the inherent complexities of databases and the lack of knowledge on how the information contained in the database can be retrieved, especially in cases where such information has been modified or existed in the past. This thesis addresses one major part of the challenges in database forensics, which is the reconstruction of the information stored in the database at some earlier time. The dimensions involved in a database forensics analysis problem are identified and the thesis focuses on one of these dimensions. Concepts such as the relational algebra log and the inverse relational algebra are introduced as tools in the definition of a theoretical framework that can be used for database forensics. The thesis provides an algorithm for database reconstruction and outlines the correctness proof of the algorithm. Various techniques for a complete regeneration of deleted or lost data during a database forensics analysis are also described. 
Due to the importance of having adequate logs in order to use the algorithm, specifications of an ideal log configuration for an effective reconstruction process are given, putting into consideration the various dimensions of the database forensics problem space. Throughout the thesis, practical situations that illustrate the application of the algorithms and techniques described are given. The thesis provides a scientific approach that can be used for handling database forensics analysis practice and research, particularly in the aspect of reconstructing the data in a database. It also adds to the field of digital forensics by providing insights into the field of database forensics reconstruction. / Thesis (PhD)--University of Pretoria, 2015. / Computer Science / PhD / Unrestricted
44

Password Managers in Digital Forensics

Hähni, Sascha David January 2023
Digital forensics – the scientific process to draw evidence from digital devices confiscated in a criminal investigation – is constantly adapting to technological changes. A current challenge is the widespread use of encryption that makes classical data retrieval methods obsolete. Relevant data must now be retrieved from running devices and without delay, ideally directly at the time of seizure. This requires standardised processes and specialised tools to ensure no data is overlooked, that forensic integrity is maintained, and that encrypted data can be successfully made available to investigators. While research produced many promising results in this field in the last years, there is still much work to be done due to countless different applications, operating systems, and devices that all behave in different ways. This thesis addresses a software category called password managers – applications that store login credentials to different services. Despite the obvious value of password manager data to a criminal investigation, a comprehensive description of a forensic process on how to extract such data has not yet been in the focus of research. The present work addresses this gap and presents a process to extract forensically relevant data from two password manager applications – Bitwarden and KeePass – by extending an existing forensic framework called Vision. Using design science, a forensic extraction process was developed by thoroughly analysing the inner workings of the mentioned password managers. The artefact was named Password Manager Forensics (PMF) and consists of a four-step extraction process with different Python modules to automate the extraction of relevant data. PMF was tested against three scenarios in a laboratory setting to evaluate its applicability in an investigative context. 
The results show that the artefact is able to extract forensically relevant information related to password managers that would otherwise not be readily available to investigators. PMF is able to identify and extract relevant files, to extract master passwords from a memory dump, to parse configuration files for relevant data, to brute-force master passwords and PIN codes, to decrypt, extract, and validate password manager vault data, and to create summary reports. PMF is the first comprehensive forensic process to extract relevant data from password managers. This brings new opportunities for digital forensics examiners and a potential to improve the handling of devices that contain password manager data in digital investigations. The current version of PMF only supports Windows desktop applications of Bitwarden and KeePass. Yet, due to the open and flexible architecture of the artefact, further expansion and improvement is possible in future research.
45

Forensic Analysis of Navigation Applications on Android and iOS Platforms

Neesha Shantaram (11656642) 19 December 2021
With the increased evolution in technology over the past decade, there has been a gradual inclination towards utilizing advanced tools, like location-based applications which incorporate features such as constant route or traffic updates with Global Positioning System (GPS), among others, which aid in smooth living. Such applications gain access to private information of users, among their other life hack qualities, thus producing a highly vulnerable ground for data exposure such as current location. With the increase in mobile application-based attacks, there exists a constant threat scenario in terms of criminal activities which pose an ultimate challenge while tackling large amount of data. This research primarily focuses on the extent of user-specific data that can be obtained while forensically collecting and analysing data from Waze and HEREwego applications on Android and iOS platforms. In order to address the lack of forensic research on the above mentioned applications, an in-depth forensic analysis is conducted in this study, utilizing Cellebrite, a professional tool to provide and verify the evidence acquired, that aid in any digital forensic investigations. On the Waze application, 12 artifacts were populated on the Android device and 17 artifacts on the iOS device, out of which 12 artifacts were recovered from the Android device (100% of the artifacts populated) and 12 artifacts from the iOS device (70.58% of the artifacts populated). Similarly on the HEREwego application, 14 artifacts were populated on the Android device and 13 artifacts on the iOS device, out of which 7 artifacts were recovered from the Android device (50% of the artifacts populated) and 7 artifacts from iOS device (53.84% of the artifacts populated).
46

Anti-forensiska metoder på smarta mobiltelefoner : Går akademisk forskning hand i hand med lagens långa arm? / Anti-forensic methods on smartphones : Does academic research grasp the long arm of the law?

Sundelin, Martina, Nilsson, Eric January 2023
Mobile phones are common sources of evidence in IT-forensic investigations, and this fact is causing additional strain for law enforcement work. Meanwhile, mobile anti-forensics is a small and relatively new area of research. With a strict focus on smart mobile phones, and using an anti-forensics definition that places the intentions of the user in focus, we have performed a systematic literature study with the purpose of mapping the academic research related to the field. 
Our reasoning is that mapping the performed research should also result in a map of the research that has yet to be performed, if a practical perspective is applied. Over 500 articles were handled as part of the literature study, of which 45 articles were included and sorted based on their anti-forensic content into a model for the IT-forensic process. The practical perspective was sourced from interviews with the North, East, and Southern Swedish police regions. Their IT-forensic experts describe which parts of the IT-forensic process are subject to the most difficult challenges. By taking both perspectives into account we are able to identify areas of deficiency where future research should be focused in order to better support the work of law enforcement. We find that research tends to focus on the latter half of the IT-forensic process whereas the IT-forensic experts call out identification and collection of evidence as areas of interest. We also identify a multitude of areas where more research is needed, for example in relation to data-destroying applications.
47

Método para ranqueamento e triagem de computadores aplicado à perícia de informática. / Method for computer ranking and triage applied to computer forensics.

Barbosa, Akio Nogueira 08 October 2015
One of the most common tasks for a legal expert acting in the information technology area is to look for evidences of interest in the content of data storage devices (DADs). In most cases these evidences consist of keywords. During the time necessary to perform the DAD duplication, the expert is practically unable to interact with the data contained on the DAD. 
In this work we have decided to verify the following hypothesis: It is possible, at the collection stage, to simultaneously perform the duplication of the DAD and a scan to search for keywords in raw data, without thereby significantly impacting the duplication time. The main objective of this thesis is to propose a method that allows identifying DADs with a strong chance of containing evidences of interest for a particular forensic examination at the end of the collection stage, based on the keyword occurrences found by a scanner mechanism that operates at the raw data level. Based on these results, a triage of DADs is established. With the results of the triage, a ranking process is made, providing an indication of which DADs should be examined first at the analysis stage. The results of our experiments showed that it is possible and feasible to apply the method without hindering the duplication time and with a certain level of accuracy. In most cases, the application of the method contributes to reducing the number of DADs that must be analyzed, helping to reduce the human effort required.
49

EXPLORING FEMTECH: INVESTIGATING CLUE AND PRIVACY CONCERNS AMONG MENSTRUATORS

Claire Elyse Rightley (18423219) 22 April 2024
FemTech is a booming subset of mHealth applications that was worth $51 billion in 2021 (Stewart, 2022b). FemTech largely focuses on menstruation, pregnancy, and fertility tracking. As with any technology, it comes with privacy and security risks for users, but these risks are more acute due to the sensitive nature of the data being collected. While privacy and security shortcomings have been highlighted for years, concerns were discussed widely in the United States after the Supreme Court released its Dobbs v. Jackson decision on June 24, 2022, which overturned Roe v. Wade, a 1973 decision that protected abortion as a constitutional right and limited states’ abilities to place restrictions on abortions. With abortion no longer a constitutional right, many states have outlawed or heavily restricted the procedure, and individuals expressed concern about their digital data being used in investigations as it has been in select previous cases (e.g., State of Indiana v. Purvi Patel, 2015; State of Mississippi v. Latice Fisher, 2018; The State of Nebraska v. Celeste Burgess, 2023; The State of Nebraska v. Jessica Burgess, 2023). While Big Tech has been scrutinized for turning user data over to law enforcement, many have more heavily questioned the protections offered by period tracking app companies due to the abundant amount of health data these companies possess about their users (e.g., Basu, 2022; Bradley et al., 2022; Cole, 2022). These apps have historically fallen short in protections for their user data in general (e.g., Beilinson, 2020; Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations That It Misled Consumers About the Disclosure of Their Health Data, 2021; Quintin, 2017). 
Clue is one of the most popular FemTech apps with millions of downloads across the Apple App Store and Google Play Store, and the company has spoken out widely about their privacy protections in the wake of the Dobbs v. Jackson decision (Clue Period Tracker & Calendar, n.d.; Clue Period Tracker & Calendar, n.d.; Clue’s Response to Roe vs Wade Decision, 2022). This research presents a forensic analysis of Clue on both iOS and Android after two months of data population, finding that some user-entered data was available in the app cache or .db-wal files on both iOS and Android but was entirely erased after the deletion of the app on the phones. This research also presents results from a survey of 31 menstruators in the United States, finding that online privacy in general is a concern for many users, and most find it unacceptable for period tracking applications to share user health data with advertisers or law enforcement.
50

Judges' Awareness, Understanding, and Application of Digital Evidence

Kessler, Gary Craig 01 January 2010
As digital evidence grows in both volume and importance in criminal and civil courts, judges need to fairly and justly evaluate the merits of the offered evidence. To do so, judges need a general understanding of the underlying technologies and applications from which digital evidence is derived. Due to the relative newness of the computer forensics field, there have been few studies on the use of digital forensic evidence and none about judges' relationship with digital evidence. This study addressed judges' awareness, knowledge, and perceptions of digital evidence, using grounded theory methods. The interaction of judges with digital evidence has a social aspect that makes a study of this relationship well suited to grounded theory. This study gathered data via a written survey distributed to judges in the American Bar Association and National Judicial College, followed by interviews with judges from Massachusetts and Vermont. The results indicated that judges generally recognize the importance of evidence derived from digital sources, although they are not necessarily aware of all such sources. They believe that digital evidence needs to be authenticated just like any type of evidence and that it is the role of attorneys rather than of judges to mount challenges to that evidence, as appropriate. Judges are appropriately wary of digital evidence, recognizing how easy it is to alter or misinterpret such evidence. Less technically aware judges appear even more wary of digital evidence than their more knowledgeable peers. Judges recognize that they need additional training in computer and Internet technology as well as the computer forensics process and digital evidence, citing a lack of availability of such training. This training would enable judges to better understand the arguments presented by lawyers, testimony offered by technical witnesses, and judicial opinions forming the basis of decisional law. A framework for such training is provided in this report. 
This study is the first in the U.S. to analyze judges and digital forensics, thus opening up a new avenue of research. It is the second time that grounded theory has been employed in a digital forensics study, demonstrating the applicability of that methodology to this discipline.
