Global ETD Search

61	Need for speed : A study of the speed of forensic disk imaging tools Stewart, Dawid, Arvidsson, Alex January 2022 (has links) As our society becomes increasingly digitalized, there is an ever-increasing need for forensic tools to become faster and faster. This paper was made to help the Police and other digital forensic investigators choose the fastest disk imaging tool while still maintaining the integrity of the imaged disk. To answer this, an experiment including 162 disk imaging tests was done, with an active imaging and verification time of over 160 hours. The results were analyzed with the help of a scoring system and statistical significance tests. The paper also aimed to show if there is any difference when making images of disks that are filled to 100% compared to disks filled to 50%, and which of the disk imaging tools that handles it best. The results of the experiment showed that Guymager was the fastest disk imaging tool among the tested alternatives. It also illustrated that the speed was affected by the disks being filled to 50% as opposed to 100%. Guymager showed the best performance improvement using the EWF_E01 format, and OSForensics showed the biggest improvement when imaging using the DD format. Disk imaging digital forensics data extraction Computer and Information Sciences Data- och informationsvetenskap
62	A Forensic Examination of Database Slack Joseph W. Balazs (5930528) 23 July 2021 (has links) This research includes an examination and analysis of the phenomenon of database slack.<br>Database forensics is an underexplored subfield of Digital Forensics, and the lack of research is<br>becoming more important with every breach and theft of data. A small amount of research exists<br>in the literature regarding database slack. This exploratory work examined what partial records of<br>forensic significance can be found in database slack. A series of experiments performed update<br>and delete transactions upon data in a PostgreSQL database, which created database slack.<br>Patterns of hexadecimal indicators for database slack in the file system were found and analyzed.<br>Despite limitations in the experiments, the results indicated that partial records of forensic<br>significance are found in database slack. Significantly, partial records found in database slack<br>may aid a forensic investigation of a database breach. The details of the hexadecimal patterns of<br>the database slack fill in gaps in the literature, the impact of log findings on an investigation was<br>shown, and complexity aspects back up existing parts of database forensics research. This<br>research helped to lessen the dearth of work in the area of database forensics as well as database slack.<br> Database Forensics Digital Forensics Databases PostgreSQL
63	USER ATTRIBUTION IN DIGITAL FORENSICS THROUGH MODELING KEYSTROKE AND MOUSE USAGE DATA USING XGBOOST Shruti Gupta (12112488) 20 April 2022 (has links) <p>The increase in the use of digital devices, has vastly increased the amount of data used and consequently, has increased the availability and relevance of digital evidence. Typically, digital evidence helps to establish the identity of an offender by identifying the username or the user account logged into the device at the time of offense. Investigating officers need to establish the link between that user and an actual person. This is difficult in the case of computers that are shared or compromised. Also, the increasing amount of data in digital investigations necessitates the use of advanced data analysis approaches like machine learning, while keeping pace with the constantly evolving techniques. It also requires reporting on known error rates for these advanced techniques. There have been several research studies exploring the use of behavioral biometrics to support this user attribution in digital forensics. However, the use of the state-of-the-art XGBoost algorithm, hasn’t been explored yet. This study builds on previously conducted research by modeling user interaction using the XGBoost algorithm, based on features related to keystroke and mouse usage, and verifying the performance for user attribution. With an F1 score and Area Under the Receiver Operating Curve (AUROC) of .95, the algorithm successfully attributes the user event to the right user. The XGBoost model also outperforms other classifiers based on algorithms such as Support Vector Machines (SVM), Boosted SVM and Random Forest.</p> Computer System Security Computer-Human Interaction digital forensics user attribution behavioral biometrics
64	VEHICLE AND MOBILE APPLICATIONS INTERACTION ANALYSIS: DIGITAL FORENSICS APPROACH Qiyuan Li (12476838) 28 April 2022 (has links) <p> </p> <p>With the Internet of Things (IoT) development, vehicles have become an essential part of this data transmission network. In order to access the vehicle's status via personal mobile devices, an increasing number of car manufacturers have began to provide mobile applications; some third-party companies offer Bluetooth adaptors for the On-Board Diagnostics-II (OBD-II) port on vehicles made post-1996 in the United States. By connecting the smartphone and the vehicle with either of these methods, the mobile applications can retrieve detailed data and the history of the vehicle. This research aims to answer what forensically relevant artifacts can be recovered from the MB Companion, FIXD, and Nonda ZUS applications. The research methods include adapting the National Institute of Standards and Technology (NIST) forensics framework, generating mock user data, extracting user data, and conducting in-depth digital forensics analysis. The recovered geolocation data, the vehicle-related artifacts, the applications on different vehicle brands, and the applications on various device platforms are primarily examined in the research.</p> digital forensics iot forensics mobile forensics vehicle forensics
65	Combating Data Leakage in the Cloud Dlamini, Moses Thandokuhle January 2020 (has links) The increasing number of reports on data leakage incidents increasingly erodes the already low consumer confidence in cloud services. Hence, some organisations are still hesitant to fully trust the cloud with their confidential data. Therefore, this study raises a critical and challenging research question: How can we restore the damaged consumer confidence and improve the uptake and security of cloud services? This study makes a plausible attempt at unpacking and answering the research question in order to holistically address the data leakage problem from three fronts, i.e. conflict-aware virtual machine (VM) placement, strong authentication and digital forensic readiness. Consequently, this study investigates, designs and develops an innovative conceptual architecture that integrates conflict-aware VM placement, cutting-edge authentication and digital forensic readiness to strengthen cloud security and address the data leakage problem in the hope of eventually restoring consumer confidence in cloud services. The study proposes and presents a conflict-aware VM placement model. This model uses varying degrees of conflict tolerance levels, the construct of sphere of conflict and sphere of non-conflict. These are used to provide the physical separation of VMs belonging to conflicting tenants that share the same cloud infrastructure. The model assists the cloud service provider to make informed VM placement decisions that factor in their tenants’ security profile and balance it against the relevant cost constraints and risk appetite. The study also proposes and presents a strong risk-based multi-factor authentication mechanism that scales up and down, based on threat levels or risks posed on the system. This ensures that users are authenticated using the right combination of access credentials according to the risk they pose. This also ensures end-to-end security of authentication data, both at rest and in transit, using an innovative cryptography system and steganography. Furthermore, the study proposes and presents a three-tier digital forensic process model that proactively collects and preserves digital evidence in anticipation of a legal lawsuit or policy breach investigation. This model aims to reduce the time it takes to conduct an investigation in the cloud. Moreover, the three-tier digital forensic readiness process model collects all user activity in a forensically sound manner and notifies investigators of potential security incidents before they occur. The current study also evaluates the effectiveness and efficiency of the proposed solution in addressing the data leakage problem. The results of the conflict-aware VM placement model are derived from simulated and real cloud environments. In both cases, the results show that the conflict-aware VM placement model is well suited to provide the necessary physical isolation of VM instances that belong to conflicting tenants in order to prevent data leakage threats. However, this comes with a performance cost in the sense that higher conflict tolerance levels on bigger VMs take more time to be placed, compared to smaller VM instances with low conflict tolerance levels. From the risk-based multifactor authentication point of view, the results reflect that the proposed solution is effective and to a certain extent also efficient in preventing unauthorised users, armed with legitimate credentials, from gaining access to systems that they are not authorised to access. The results also demonstrate the uniqueness of the approach in that even minor deviations from the norm are correctly classified as anomalies. Lastly, the results reflect that the proposed 3-tier digital forensic readiness process model is effective in the collection and storage of potential digital evidence. This is done in a forensically sound manner and stands to significantly improve the turnaround time of a digital forensic investigation process. Although the classification of incidents may not be perfect, this can be improved with time and is considered part of the future work suggested by the researcher. / Thesis (PhD)--University of Pretoria, 2020. / Computer Science / PhD / Unrestricted Security of Cloud Computing Cloud Computing Digital Forensics Behavioural Multifactor Authentication Data Leakage Threats Information Security UCTD
66	Peering into the Dark : A Dark Web Digital Forensic Investigation on Windows 11 Kahlqvist, Johanna, Wilke, Frida January 2023 (has links) The ability to access the Internet while remaining anonymous is a necessity in today's society. Whistleblowers need it to establish contact with journalists, and individuals living under repressive regimes need it to access essential resources. Anonymity also allows malicious actors to evade identification from law enforcement and share ill-intentioned resources. Therefore, digital forensics is an area that needs to stay up to date with these developments. We investigate what artefacts can be discovered by conducting acquisition and analysis of a Windows 11 computer that has used the Tor browser to browse the Dark Web. Our results identify a variety of artefacts acquired from Windows Registry, active memory, storage, and network traffic. Furthermore, we discuss how these can be used in a digital forensic investigation. Dark Web Digital Forensics The Onion Router (Tor) Windows 11 Information Systems
67	Digital Forensic Analysis of Snapchat and BeReal : In Search of Artifacts Persson, Philip January 2023 (has links) Snapchat and BeReal are popular social media platforms focused on photo sharing and instant messaging. A tool often used in police investigations is the analysis of communication, this includes different electronic devices and smartphone devices. However, Law enforcement faces challenges when analyzing communication in police investigations due to encryption and privacy protection. The experiment included three phases: artifact production, data acquisition, and data examination & analysis. In the artifact production phase, four devices exchanged chat messages, images, and videos. The data acquisition phase involved using two licensed forensic tools, Magnet Axiom and MOBILedit Forensic PRO. The final phase involved examining and analyzing the extracted data to find artifacts that could serve as supporting evidence in criminal investigations. Several conclusions were drawn from this study. Notably, the experiment revealed diverse types of forensic artifacts. Metadata files that contained information about the applications were the most common. Examples of this were com.snapchat.android.apk and com.bereal.ft.apk for Android, and iTunesMetadata.plist together with other .plist files for iPhone. These files provide valuable data such as user information, activity, and timestamps. Important locations and key factors were also identified. Digital Forensics Snapchat BeReal Social media forensics Computer and Information Sciences Data- och informationsvetenskap
68	Password Managers in Digital Forensics Hähni, Sascha David January 2023 (has links) Digital forensics – the scientific process to draw evidence from digital devices confiscated in a criminal investigation – is constantly adapting to technological changes. A current challenge is the widespread use of encryption that makes classical data retrieval methods obsolete. Relevant data must now be retrieved from running devices and without delay, ideally directly at the time of seizure. This requires standardised processes and specialised tools to ensure no data is overlooked, that forensic integrity is maintained, and that encrypted data can be successfully made available to investigators. While research produced many promising results in this field in the last years, there is still much work to be done due to countless different applications, operating systems, and devices that all behave in different ways. This thesis addresses a software category called password managers – applications that store login credentials to different services. Despite the obvious value of password manager data to a criminal investigation, a comprehensive description of a forensic process on how to extract such data has not yet been in the focus of research. The present work addresses this gap and presents a process to extract forensically relevant data from two password manager applications – Bitwarden and KeePass – by extending an existing forensic framework called Vision. Using design science, a forensic extraction process was developed by thoroughly analysing the inner workings of the mentioned password managers. The artefact was named Password Manager Forensics (PMF) and consists of a four-step extraction process with different Python modules to automate the extraction of relevant data. PMF was tested against three scenarios in a laboratory setting to evaluate its applicability in an investigative context. The results show that the artefact is able to extract forensically relevant information related to password managers that would otherwise not be readily available to investigators. PMF is capable to identify and extract relevant files, to extract master passwords from a memory dump, to parse configuration files for relevant data, to brute-force master passwords and PIN codes, to decrypt, extract, and validate password manager vault data, and to create summary reports. PMF is the first comprehensive forensic process to extract relevant data from password managers. This brings new opportunities for digital forensics examiners and a potential to improve the handling of devices that contain password manager data in digital investigations. The current version of PMF only supports Windows desktop applications of Bitwarden and KeePass. Yet, due to the open and flexible architecture of the artefact, further expansion and improvement is possible in future research. Digital Forensics Password Managers Memory Forensics Live Forensics Computer Sciences Datavetenskap (datalogi)
69	The Hermeneutics Of The Hard Drive: Using Narratology, Natural Language Processing, And Knowledge Management To Improve The Effectiveness Of The Digital Forensic Process Pollitt, Mark 01 January 2013 (has links) In order to protect the safety of our citizens and to ensure a civil society, we ask our law enforcement, judiciary and intelligence agencies, under the rule of law, to seek probative information which can be acted upon for the common good. This information may be used in court to prosecute criminals or it can be used to conduct offensive or defensive operations to protect our national security. As the citizens of the world store more and more information in digital form, and as they live an ever-greater portion of their lives online, law enforcement, the judiciary and the Intelligence Community will continue to struggle with finding, extracting and understanding the data stored on computers. But this trend affords greater opportunity for law enforcement. This dissertation describes how several disparate approaches: knowledge management, content analysis, narratology, and natural language processing, can be combined in an interdisciplinary way to positively impact the growing difficulty of developing useful, actionable intelligence from the ever-increasing corpus of digital evidence. After exploring how these techniques might apply to the digital forensic process, I will suggest two new theoretical constructs, the Hermeneutic Theory of Digital Forensics and the Narrative Theory of Digital Forensics, linking existing theories of forensic science, knowledge management, content analysis, narratology, and natural language processing together in order to identify and extract narratives from digital evidence. An experimental approach will be described and prototyped. The results of these experiments demonstrate the potential of natural language processing techniques to digital forensics. Digital forensics narrative natural language processing narratology knowledge management xml Forensic Science and Technology
70	A Framework for Digital Investigation of Peer-to-Peer (P2P) Networks. An Investigation into the Security Challenges and Vulnerabilities of Peer-to-Peer Networks and the Design of a Standard Validated Digital Forensic Model for Network Investigations Musa, Ahmad S. January 2022 (has links) Peer-to-Peer (P2P) Networks have been presenting many fascinating capabilities to the internet since their inception, which has made and is still gathering so much interest. As a result, it is being used in many domains, particularly in transferring a large amount of data, which is essential for modern computing needs. A P2P network contains many independent nodes to form a highly distributed system. These nodes are used to exchange all kinds of files without using a single server as in a Client-Server architecture. Such types of files make the network highly vulnerable to malicious attackers. Nevertheless, P2P systems have become susceptible to different malicious attacks due to their widespread usage, including the threat of sharing malware and other dangerous programs, which can be significantly damaging and harmful. A significant obstacle with the current P2P network traffic monitoring and analysis involves many newly emerging P2P architectures possessing more intricate communication structures and traffic patterns than the traditional client-server architectures. The traffic volume generated by these networks, such as uTorrent, Gnutella, Ares, etc., was once well over half of the total internet traffic. The dynamic use of port numbers, multiple sessions, and other smart features of these applications complicate the characterization of current P2P traffic. Transport-level traffic identification is a preliminary but required step towards traffic characterization, which this thesis addresses. Therefore, a novel detection mechanism that relies on transport-level traffic characterization has been presented for P2P network investigation The importance of the investigation necessitates the formalization of frameworks to leverage the integration of forensics standards and accuracy to provide integrity to P2P networks. We employed the standard Analysis, Design, Development, Implementation, and Evaluation (ADDIE) model to aid a credible digital investigation. We considered the ADDIE model for validation as a standard digital forensic model for P2P network investigations using the United States’ Daubert Standard, the United Kingdom's Forensic Science Regulator Guidance – 218 (FSR-G-218), and Forensic Science Regulator Guidance – 201 (FSR-G-201) methodologies. The solution was evaluated using a realistic P2P investigation and showed accurate load distribution and reliable digital evidence. / Petroleum Technology Development Fund (PTDF) Nigeria Peer-to-Peer (P2P) networks Digital forensics Models Investigation Network security Validation Evidence Detection

Search results