Uncovering Signal : Simplifying Forensic Investigations of the Signal Application / Signals Svaghet : Underlättande av forensiska undersökningar av chatapplikationen Signal

Liljekvist, Erika, Hedlund, Oscar

January 2021

The increasing availability of easy-to-use end-to-end encrypted messaging applications has made it possible for more people to conduct their conversations privately. This is something that criminals have taken advantage of and it has proven to make digital forensic investigations more difficult as methods of decrypting the data are needed. In this thesis, data from iOS and Windows devices is extracted and analysed, with focus on the application Signal. Even though other operating systems are compatible with the Signal application, such as Android, it is outside the scope of this thesis. The results of this thesis provide access to data stored in the encrypted application Signalwithout the need for expensive analysis tools. This is done by developing and publishing the first open-source script for decryption and parsing of the Signal database. The script is available for anyone at https://github.com/decryptSignal/decryptSignal.

Signal

Encryption

Digital forensics

Database analysis

Decryption

SQLCipher

Jailbreak

Objection

FRIDA

Open-source

Digital forensic tool

Computer Systems

Datorsystem

Evaluation of cloud hosted digital forensic solutions and challenges : A systematic literature review

Tysk, Henrik

January 2024

Everything in modern society is rapidly becoming digitised, which increases both the accessibility and convenience of many services. The downside is that cybercrime is increasing at the same rate. We need digital evidence in order to prosecute cyber-criminals, and in order to capture digital evidence, we need digital forensics. Digital forensics have become increasingly challenging for investigators. The amount of data we generate keeps increasing, which amplifies the workload significantly. More data is being stored in cloud environments, which adds further complexity to investigations. One approach to dealing with these challenges is to move digital forensics to cloud services and utilising their computational power and sharing capabilities to enhance digital investigations. This study examines what types of cloud hosted digital forensic platforms or frameworks exist, and what their differences are. It is also investigated if there are any specific challenges when using cloud services to host digital forensics. The study uses a systematic literature review to gather data, which is analyzed with thematic coding. The results show that there are many different methods for hosting digital forensics in a cloud environment, which vary greatly in both scope and underlying technology. It is found that most frameworks are theoretical and have yet to be used in real world scenarios, and only one is being used by law enforcement. It was also found that there are challenges which are specific to this type of digital forensics, such as insufficient service level agreements by cloud service providers and privacy related challenges.

Digital forensics

forensics as a service

FCE

FaaS

DFaaS

Information Systems, Social aspects

Practical Application of Fast Disk Analysis for Selective Data Acquisition

gorbov, sergey

11 August 2016

Using a forensic imager to produce a copy of the storage is a common practice. Due to the large volumes of the modern disks, the imaging may impose severe time overhead which ultimately delays the investigation process. We proposed automated disk analysis techniques that precisely identify regions on the disk that contain data. We also developed a high performance imager that produces AFFv3 images at rates exceeding 300MB/s. Using multiple disk analysis strategies we can analyze a disk within a few minutes and yet reduce the imaging time of by many hours. Partial AFFv3 images produced by our imager can be analyzed by existing digital forensics tools, which makes our approach to be easily incorporated into the workflow of practicing forensics investigators. The proposed approach renders feasible in the forensic environments where the time is critical constraint, as it provides significant performance boost, which facilitates faster investigation turnaround times and reduces case backlogs.

Information Security

Other Computer Sciences

WhatsApp Forensics: Locating Artifacts in Web and Desktop Clients

Nicolas Villacis Vukadinovic (6623858)

14 May 2019

WhatsApp is the most popular instant messaging application worldwide. Since 2016, users can send and receive messages through desktop clients, either through the WhatsApp desktop application or the web client accessible from supported web browsers. The author identified a gap in the literature in terms of WhatsApp forensics for desktop and web clients. The aim of the study was to locate forensic artifacts on WhatsApp clients. These clients included the desktop application on both Windows and Mac operating systems. Chrome and Firefox web clients were also analyzed for the Windows operating system, as well as Chrome and Safari web clients on the Mac operating system. A WhatsApp log file was identified as the main artifact providing information throughout all clients analyzed. Cached profile pictures were also found, as well as history information about visited websites and ran applications.

Computer System Security

WhatsApp

web client

desktop client

artifacts

windows

mac

chrome

safari

firefox

edge

digital forensics

cyber forensics

computer forensics

forensics

Proposing a maturity assessment model based on the digital forensic readiness commonalities framework

Claims, Ivan Prins

January 2013

Magister Commercii (Information Management) - MCom(IM) / The purpose of the study described in this thesis was to investigate the structure required to implement and manage digital forensic readiness within an enterprise. A comparative analysis of different digital forensic readiness frameworks was performed and, based on the findings of the analysis, the digital forensic readiness commonalities framework (DFRCF) was extended. The resultant structure was used to design a digital forensic readiness maturity assessment model (DFRMAM) that will enable organisations to assess their forensic readiness. In conclusion, both the extended DFRCF and the DFRMAM are shown to be validated by forensic practitioners, using semi-structured interviews. A qualitative research design and methodology was used to perform a comparative analysis of the various digital forensic readiness frameworks, to comprehend the underlying structures. All the participant responses were recorded and transcribed. Analysis of the findings resulting from the study showed that participants mostly agreed with the structure of the extended DFRCF; however, key changes were introduced to the extended DFRCF. The participants also validated the DFRMAM, and the majority of respondents opted for a checklist-type MAM. Digital forensic readiness is a very sensitive topic since organisations fear that their information might be made public and, as a result, increase their exposure to forensic incidents and reputational risk. Because of this, it was difficult to find participants who have a forensic footprint and are willing, able, and knowledgeable about digital forensic readiness. This study will contribute to the body of knowledge by presenting an original, validated DFRCF and DFRMAM. Practitioners and organisations now have access to non-proprietary DFRMAM.

Digital Forensic Readiness (DFR)

Maturity Assessment Model (DFRMAM)

Goals and Objectives of DFR

DFR Model

Design Principles

Digital forensic practitioners

Towards a unified fraud management and digital forensic framework for mobile applications

Bopape, Rudy Katlego

06 1900

Historically, progress in technology development has continually created new opportunities for criminal activities which, in turn, have triggered the need for the development of new security-sensitive systems. Organisations are now adopting mobile technologies for numerous applications to capitalise on the mobile revolution. They are now able to increase their operational efficiency as well as responsiveness and competitiveness and, most importantly, can now meet new, growing customers’ demands. However, although mobile technologies and applications present many new opportunities, they also present challenges. Threats to mobile phone applications are always on the rise and, therefore, compel organisations to invest money and time, among other technical controls, in an attempt to protect them from incurring losses. The computerisation of core activities (such as mobile banking in the banking industry, for example) has effectively exposed organisations to a host of complex fraud challenges that they have to deal with in addition to their core business of providing services to their end consumers. Fraudsters are able to use mobile devices to remotely access enterprise applications and subsequently perform fraudulent transactions. When this occurs, it is important to effectively investigate and manage the cause and findings, as well as to prevent any future similar attacks. Unfortunately, clients and consumers of these organisations are often ignorant of the risks to their assets and the consequences of the compromises that might occur. Organisations are therefore obliged, at least, to put in place measures that will not only minimise fraud but also be capable of detecting and preventing further similar incidents. The goal of this research was to develop a unified fraud management and digital forensic framework to improve the security of Information Technology (IT) processes and operations in organisations that make available mobile phone applications to their clients for business purposes. The research was motivated not only by the increasing reliance of organisations on mobile applications to service their customers but also by the fact that digital forensics and fraud management are often considered to be separate entities at an organisational level. This study proposes a unified approach to fraud management and digital forensic analysis to simultaneously manage and investigate fraud that occurs through the use of mobile phone applications. The unified Fraud Management and Digital Forensic (FMDF) framework is designed to (a) determine the suspicious degree of fraudulent transactions and (b) at the same time, to feed into a process that facilitates the investigation of incidents. A survey was conducted with subject matter experts in the banking environment. Data was generated through a participatory self-administered online questionnaire. Collected data was then presented, analysed and interpreted quantitatively and qualitatively. The study found that there was a general understanding of the common fraud management methodologies and approaches throughout the banking industry and the use thereof. However, while many of the respondents indicated that fraud detection was an integral part of their processes, they take a rather reactive approach when it comes to fraud management and digital forensics. Part of the reason for the reactive approach is that many investigations are conducted in silos, with no central knowledge repository where previous cases can be retrieved for comparative purposes. Therefore, confidentiality, integrity and availability of data are critical for continued business operations. To mitigate the pending risks, the study proposed a new way of thinking that combines both components of fraud management and digital forensics for an optimised approach to managing security in mobile applications. The research concluded that the unified FMDF approach was considered to be helpful and valuable to professionals who participated in the survey. Although the case study focused on the banking industry, the study appears to be instrumental in informing other types of organisations that make available the use of mobile applications for their clients in fraud risk awareness and risk management in general. / Computing / M. Sc. (Computing)

Fraud management

Digital forensics

Mobile applications

Mobile devices

Threats

Frameworks

Process models

Paradigms

005.35

Mobile apps

Mobile device forensics

Fraud -- Management

Cell phone systems -- Security measures

Digital forensic readiness for wireless sensor network environments

Mouton, Francois

24 January 2012

The new and upcoming field of wireless sensor networking is unfortunately still lacking in terms of both digital forensics and security. All communications between different nodes (also known as motes) are sent out in a broadcast fashion. These broadcasts make it quite difficult to capture data packets forensically and, at the same time, retain their integrity and authenticity. The study presents several attacks that can be executed successfully on a wireless sensor network, after which the dissertation delves more deeply into the flooding attack as it is one of the most difficult attacks to address in wireless sensor networks. Furthermore, a set of factors is presented to take into account while attempting to achieve digital forensic readiness in wireless sensor networks. The set of factors is subsequently discussed critically and a model is proposed for implementing digital forensic readiness in a wireless sensor network. The proposed model is next transformed into a working prototype that is able to provide digital forensic readiness to a wireless sensor network. The main contribution of this research is the digital forensic readiness prototype that can be used to add a digital forensics layer to any existing wireless sensor network. The prototype ensures the integrity and authenticity of each of the data packets captured from the existing wireless sensor network by using the number of motes in the network that have seen a data packet to determine its integrity and authenticity in the network. The prototype also works on different types of wireless sensor networks that are in the frequency range of the network on which the prototype is implemented, and does not require any modifications to be made to the existing wireless sensor network. Flooding attacks pose a major problem in wireless sensor networks due to the broadcasting of communication between motes in wireless sensor networks. The prototype is able to address this problem by using a solution proposed in this dissertation to determine a sudden influx of data packets within a wireless sensor network. The prototype is able to detect flooding attacks while they are occurring and can therefore address the flooding attack immediately. Finally, this dissertation critically discusses the advantages of having such a digital forensic readiness system in place in a wireless sensor network environment. Copyright / Dissertation (MSc)--University of Pretoria, 2012. / Computer Science / unrestricted

Digital forensic readiness

Flooding detection

Flooding attacks

Communication

Digital forensics

Wireless sensor network (WSN)

Security

Sensor networks

Broadcasting

Wireless networks

UCTD

On digital forensic readiness for information privacy incidents

Reddy, Kamil

26 September 2012

The right to information privacy is considered a basic human right in countries that recognise the right to privacy. South Africa, and other countries that recognise this right, offer individuals legal protections for their information privacy. Individuals, organisations and even governments in these countries often have an obligation under such laws to protect information privacy. Large organisations, for example, multinational companies and government departments are of special concern when it comes to protecting information privacy as they often hold substantial amounts of information about many individuals. The protection of information privacy, therefore, has become ever more significant as technological advances enable information privacy to be breached with increasing ease. There is, however, little research on holistic approaches to protecting information privacy in large organisations. Holistic approaches take account of both technical and non-technical factors that affect information privacy. Nontechnical factors may include the management of information privacy protection measures and other factors such as manual business processes and organisational policies. Amongst the protections that can be used by large organisations to protect information privacy is the ability to investigate incidents involving information privacy. Since large organisations typically make extensive use of information technology to store or process information, such investigations are likely to involve digital forensics. Digital forensic investigations require a certain amount of preparedness or readiness for investigations to be executed in an optimal fashion. The available literature on digital forensics and digital forensic readiness (DFR), unfortunately, does not specifically deal with the protection of information privacy, which has requirements over and above typical digital forensic investigations that are more concerned with information security breaches. The aim of this thesis, therefore, is to address the lack of research into DFR with regard to information privacy incidents. It adopts a holistic approach to DFR since many of the necessary measures are non-technical. There is, thus, an increased focus on management as opposed to specific technical issues. In addressing the lack of research into information privacy-specific DFR, the thesis provides large organisations with knowledge to better conduct digital forensic investigations into information privacy incidents. Hence, it allows for increased information privacy protection in large organisations because investigations may reveal the causes of information privacy breaches. Such breaches may then be prevented in future. The ability to conduct effective investigations also has a deterrent effect that may dissuade attempts at breaching information privacy. This thesis addresses the lack of research into information privacy-specific DFR by presenting a framework that allows large organisations to develop a digital forensic readiness capability for information privacy incidents. The framework is an idealistic representation of measures that can be taken to develop such a capability. In reality, large organisations operate within cost constraints. We therefore also contribute by showing how a cost management methodology known as time-driven activity-based costing can be used to determine the cost of DFR measures. Organisations are then able to make cost versus risk decisions when deciding which measures in the framework they wish to implement. Lastly, we introduce the concept of a digital forensics management system. The management of DFR in a large organisation can be a difficult task prone to error as it involves coordinating resources across multiple departments and organisational functions. The concept of the digital forensics management system proposed here allows management to better manage DFR by providing a central system from which information is available and control is possible. We develop an architecture for such a system and validate the architecture through a proof-of-concept prototype. / Thesis (PhD)--University of Pretoria, 2012. / Computer Science / unrestricted

Information privacy

Information privacy management

Digital forensics

Digital forensic readiness

Digital forensic readiness management

Privacy

Time-driven activity-based costing

UCTD

Digitální forenzní věda a její aplikace při forenzním auditu účetnictví / Digital forensics and its application to forensic audit

Martinka, Jan

January 2015

This thesis aims to describe a process framework suitable for conducting digital forensics investigation projects as support for forensic audit. Selection of existing digital forensics investigation framework was a subject of criterial comparison. Described new framework is a result of combination and enhancement of those frameworks, which were suitable for the characteristics of forensic audit. Thesis also discusses digital forensics methods for fraud examination and risk assessment as a part of external audit.

Forensic Analysis of Navigation Applications on Android and iOS Platforms

Neesha Shantaram (11656642)

19 December 2021

<div>With the increased evolution in technology over the past decade, there has been a gradual inclination towards utilizing advanced tools, like location-based applications which incorporate features such as constant route or traffic updates with Global Positioning System (GPS), among</div><div>others, which aid in smooth living. Such applications gain access to private information of users, among their other life hack qualities, thus producing a highly vulnerable ground for data exposure such as current location. With the increase in mobile application-based attacks, there exists a</div><div>constant threat scenario in terms of criminal activities which pose an ultimate challenge while tackling large amount of data. This research primarily focuses on the extent of user-specific data that can be obtained while forensically collecting and analysing data from Waze and HEREwego</div><div>applications on Android and iOS platforms. In order to address the lack of forensic research on the above mentioned applications, an in-depth forensic analysis is conducted in this study, utilizing Cellebrite, a professional tool to provide and verify the evidence acquired, that aid in any digital forensic investigations. On the Waze application, 12 artifacts were populated on the Android device and 17 artifacts on the iOS device, out of which 12 artifacts were recovered from the Android device (100% of the artifacts populated) and 12 artifacts from the iOS device (70.58% of the artifacts populated). Similarly on the HEREwego application, 14 artifacts were populated on the Android device and 13 artifacts on the iOS device, out of which 7 artifacts were recovered from the Android device (50% of the artifacts populated) and 7 artifacts from iOS device (53.84% of the artifacts populated).</div>

Technology not elsewhere classified

Digital Forensics

Mobile Forensics

Cyber Forensics

Android Forensics

iOS Forensics

GPS

Navigation

Mobile applications

UFED Cellebrite

Waze

HEREwego