211

Tampering recognition in digital images: a passive approach

Cunha, Lucas Marques da 22 June 2016
Submitted by Fernando Souza (fernandoafsou@gmail.com) on 2017-08-16T13:37:17Z No. of bitstreams: 1 arquivototal.pdf: 3482689 bytes, checksum: 32f617e5ecce7581c6cf74bc8c431049 (MD5) / Made available in DSpace on 2017-08-16T13:37:17Z (GMT). No. of bitstreams: 1 arquivototal.pdf: 3482689 bytes, checksum: 32f617e5ecce7581c6cf74bc8c431049 (MD5) Previous issue date: 2016-06-22 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - CAPES
The creation and marketing of image editing software has allowed ordinary people to perform any kind of manipulation on digital images. In a judicial context, where data authenticity and integrity are crucial, techniques that ensure these attributes are needed. Forensic analysis of digital images uses computational scientific methods, such as analysis of the device sensor and of JPEG (Joint Photographic Experts Group) artifacts, to recognize the presence or absence of these attributes. This work presents a passive approach to tampering recognition in digital images with and without JPEG compression, using two approaches. The first is based on analysis of the 4-neighborhood of a pixel, which may be classified as interpolated or not interpolated. From this analysis, information about the CFA (Color Filter Array) pattern is obtained in order to investigate the authenticity and integrity of images with low or no compression, according to the misclassification of pixels. The second approach is based on analysis of inconsistencies in the BAG (Block Artifact Grid) of highly compressed images, produced by tampering techniques such as composition and cloning. The image's BAG is the demarcation of the JPEG blocks. In addition, segmentation techniques were defined to locate the tampered region precisely. The method selects one of the approaches according to the image compression ratio. The results are analyzed in terms of accuracy, sensitivity, specificity, and precision. Accuracy rates ranged from 85.1% to 95.4% and precision rates from 41.7% to 74.3%. Sensitivity rates ranged from 32.3% to 82.2% and specificity from 85.9% to 99.2%, on an image database of 960 images interpolated by different algorithms and tampered with by composition and cloning. The methods described in the literature have a limited scope with respect to the image formats tested and to how they measure their effectiveness. The proposed approach differs from these techniques by offering a wider scope in both respects, covering images with and without compression and assessing effectiveness with metrics able to support the hypotheses raised during the research.
212

Identificação biométrica de pessoas via características dos seios paranasais obtidas de tomografias computadorizadas / Biometric human identification by means of paranasal sinuses features obtained from computed tomographys

Souza Júnior, Luis Antonio [UNESP] 05 August 2016
Submitted by Luís Antonio de Souza Júnior null (lu.playon@gmail.com) on 2016-09-12T15:53:45Z No. of bitstreams: 1 Dissertacao_Luis_Souza_2016_final.pdf: 13262847 bytes, checksum: 14720c149fae5d6dcaceedbc097f8aed (MD5) / Approved for entry into archive by Felipe Augusto Arakaki (arakaki@reitoria.unesp.br) on 2016-09-14T19:26:15Z (GMT) No. of bitstreams: 1 souzajunior_la_me_sjrp.pdf: 13262847 bytes, checksum: 14720c149fae5d6dcaceedbc097f8aed (MD5) / Made available in DSpace on 2016-09-14T19:26:15Z (GMT). No. of bitstreams: 1 souzajunior_la_me_sjrp.pdf: 13262847 bytes, checksum: 14720c149fae5d6dcaceedbc097f8aed (MD5) Previous issue date: 2016-08-05 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES)
Biometric identification of people in the forensic field is under constant study, with the aim of facilitating and improving identification methods through the evaluation of several structures that can be used as biometric features. The paranasal sinuses, bone cavities in the skull, have high individuality and permanence and can be used in forensic biometric systems. X-rays and computed tomography are the medical examination modalities used for digital representation of the paranasal sinuses. X-ray images are widely used in related work as a tool for obtaining paranasal sinus features; however, this imaging modality has disadvantages, such as low resolution, that make the paranasal sinuses harder to identify. With computed tomography, a new evaluation can be performed to obtain paranasal sinus features, since this modality generates a sequence of higher-quality images, making segmentation and feature extraction of the paranasal sinuses simpler, more intuitive and more precise, and facilitating their use in biometric recognition systems. The objective of this master's dissertation was to develop a new human identification method that uses paranasal sinus structures, obtained from computed tomography images, as biometric features. The method proposes significant advances, especially in the segmentation and feature extraction stages, since the segmentation of the paranasal sinus structures is performed automatically. The features proposed as descriptors are based on the regions and shapes of the paranasal sinus structures. Experimental results on a database of 310 computed tomography images showed that the automatic method proposed in this dissertation achieved a segmentation rate, measured by the KAPPA coefficient, of 88.52% for the frontal sinuses and 79.30% for the maxillary sinuses. For person identification, the proposed method achieved, in the best case, an equal error rate (EER) of 8.99%. This master's dissertation therefore concluded that: the sinuses of the face, in particular the frontal sinuses, can be used successfully for forensic human identification; shape descriptors are more effective than region descriptors for identification based on the frontal sinuses, whereas for the maxillary sinuses shape descriptors do not discriminate well between individuals; and it is possible to automate the segmentation of the frontal and maxillary sinuses using computed tomography images.
213

LiUMIMO : A MIMO Testbed for Broadband Software Defined Radio

Fältström, Johan, Gidén, Fredrik January 2009
In order to keep up with the increasing demand for speed and reliability in modern wireless systems, new standards have to be introduced. By using Multiple Input Multiple Output (MIMO) and Orthogonal Frequency Division Multiplexing (OFDM) technologies, performance can be increased dramatically. Forthcoming standards such as WLAN 802.11n, WiMax and 3GPP LTE all take advantage of MIMO technology. To perform realistic tests with these standards it is often not enough to run software simulations in, for example, Matlab. Instead, as many real-world parameters as possible need to be included. This can be done using a testbed, like the LiUMIMO, that actually transmits and receives data through the air. The LiUMIMO is designed as a Software Defined Radio (SDR): only the RF front end and the data log are implemented in hardware, while all signal processing will be performed in Matlab.
214

FORENSE COMPUTACIONAL EM AMBIENTE DE REDE BASEADO NA GERAÇÃO DE ALERTAS DE SISTEMAS DE DETECÇÃO DE INTRUSOS AUXILIADO PELA ENGENHARIA DIRIGIDA POR MODELOS / COMPUTATIONAL FORENSIC IN ENVIRONMENT OF NETWORK BASED ON GENERATING OF ALERTS OF INTRUDERS DETECTION SYSTEMS ASSISTED BY ENGINEERING DIRECTED BY MODELS

DUARTE, Lianna Mara Castro 19 October 2012
Made available in DSpace on 2016-08-17T14:53:23Z (GMT). No. of bitstreams: 1 Dissertacao Liana Mara.pdf: 7779999 bytes, checksum: eff54ba035aa6dab1569b8f121f7ee0a (MD5) Previous issue date: 2012-10-19 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior
Even the great progress in the techniques used by protection systems such as firewalls, intrusion detection systems and antivirus software to detect and prevent attacks is not enough to eliminate the threat of cyber-attacks. Attacks that have been known for decades still succeed, and well-known vulnerabilities continue to exist and reappear on the Internet and in corporate networks [1]. Today's intrusion detection technologies provide rich information about attacks. However, the main focus of intrusion detection is the fact that security has been compromised. Computer forensics, on the other hand, attempts to understand and explain what happened to the security environment and how a security violation can happen [2]. There is, however, a lack of investigative mechanisms that can work in synergy with these sensors and identify not only the attackers but also the malicious actions that were performed. The lack of standardization in the computer and network forensics process [3], the heterogeneity of the tools, and the fact that log/alert file types depend on their developers lead to a wide variety of formats for these security alerts. Moreover, the knowledge used in investigating incidents remains restricted to the security analysts of each case. This work proposes the development of a model based on computer forensics that can be applied in a network environment to work together with the NIDIA IDS [4] and heterogeneous IDSs, associating with alerts information about procedures that can be carried out to investigate incidents using existing tools. The methodology first used bibliographic research to reach the proposed objectives, drawing on books, theses, dissertations, research papers and hypermedia documents, followed by the gathering of information for designing the solution and an analysis of tools that could assist in modeling and implementing the prototype, which was aided by Model Driven Architecture.
215

Utilização da técnica de identificação genética: panorama da realidade dos serviços oficiais de identificação brasileiros e a importância da atuação do cirurgião-dentista na equipe forense / Using the technique of genetic identification: picture of reality official identification of the Brazilian and the importance of role of dentistry-on forensic team

Andréia Moribe Baraldi 13 February 2009
DNA analysis can be considered one of the main technical advances in criminal investigation since the discovery of fingerprints. Its emergence brought new paradigms for the criteria used to establish culpability in criminal law, as well as for establishing legal certainty in parentage relations in civil law. It has been incorporated into forensic routine by police forces in first-world countries and is beginning to be introduced into forensic practice in some Brazilian states. However, the use of these genetic identification techniques imposes a series of quality and excellence requirements on the laboratories that perform them. Defining norms, establishing standards and creating accreditation and certification systems have therefore become absolutely necessary. Given the growing influence of DNA in the forensic context, this study aimed to understand the Brazilian situation regarding this technology and the importance of the dentist's role in the forensic team. To that end, contact was attempted with the central official identification service in the capital of each of the twenty-six Brazilian states and the Federal District. Seventeen (17) states took part in the survey (Minas Gerais, Goiás, Rio Grande do Sul, Pará, Pernambuco, Alagoas, Paraná, São Paulo, Paraíba, Bahia, Rio de Janeiro, Roraima, Amapá, Maranhão, Rio Grande do Norte, Ceará and Tocantins). Data were collected through a questionnaire. From it, it was established that most services (88%) use the genetic identification technique. Among these, only Rio Grande do Norte does not adopt protocols for the collection and storage of biological samples. Blood is the biological sample of choice, but in cases of skeletal remains, or when the corpse is charred and/or in an advanced state of decomposition, teeth are used as a source of DNA. The biological samples collected generally come from sexual crimes. Although bite marks are evidence frequently found in crimes of this nature, saliva collection (swab) is performed in only 43% of the states. Among the various categories of professionals that make up the forensic DNA team, pharmacists stand out (43%). Only 50% of the laboratories hold an accreditation certificate (São Paulo, Rio de Janeiro, Paraná, Rio Grande do Sul, Bahia, Roraima and Amapá). This work made it possible to understand how these services are structuring themselves and developing this technology. The results made it possible to verify the growing influence of the DNA technique on identification processes and the importance of a multiprofessional team, since the contribution of each area and the methodology employed will be influenced by the condition of the biological material submitted for examination, and to emphasize the importance of the forensic dentist's specific knowledge, mainly because dental elements (in cases of advanced decomposition and charring) and saliva (from bite marks) are potential sources of DNA.
216

Digital Evidence with Emphasis on Time

Olsson, Jens January 2008
Computer forensics is mainly about investigating crimes in which computers have been involved. There are many tools available to aid the investigator with this task. We have created a prototype of a completely new type of tool in which all evidence is indexed by its time variable and plotted on a timeline. We believed that this would make it easier and more intuitive to find coherent evidence and faster for the investigator to work with. We have performed a user test in which a group of people evaluated our prototype tool against a modern commercial computer forensic tool, and the results of this test are much better than we expected. The results show that users completed the task much faster and that the results were more correct. They also found the prototype more intuitive to use and found it easier to find evidence that was coherent in time.
217

Hash Comparison Module for OCFA

Axelsson, Therese, Melani, Daniel January 2010
Child abuse content on the Internet is today an increasing problem and difficult to deal with. The techniques used by paedophiles are getting more sophisticated, which means it takes more effort from law enforcement to locate this content. To help solve this issue, an EU-funded project named FIVES is developing a set of tools to help investigations involving large amounts of image and video material. One of these tools aims to help identify potentially illegal files by hash signatures derived from using classification information from another project. / FIVES
218

Construction, enrichment and semantic analysis of timelines : application to digital forensics / Construction, enrichissement et analyse sémantique de chronologies : application au domaine de la criminalistique informatique

Chabot, Yoan 30 November 2015
Having a clear view of the events that occurred over time is a difficult objective to achieve in digital investigations (DI). Event reconstruction, which allows investigators to build and understand the timeline of an incident, is one of the most important steps of a DI process. A complete understanding of an incident and its circumstances requires, on the one hand, associating each piece of information with its meaning and, on the other hand, identifying semantic relationships between these fragments. This complex task requires exploring a large and heterogeneous amount of information found at the crime scene. Investigators therefore encounter cognitive overload problems when processing this data, causing them to make mistakes or to omit information that could have a high added value for the progress of the investigation. In addition, any result produced by the reconstruction process must meet several legal requirements to be admissible at trial, including the ability to explain how the results were produced. To help investigators deal with these problems, this thesis introduces a semantic-based approach called SADFC. The main objective of this approach is to provide investigators with tools that help them find the meaning of the entities composing the crime scene and understand the relationships linking these entities, while respecting the legal requirements. To achieve this goal, SADFC is composed of two elements. First, SADFC is based on theoretical foundations that ensure the credibility of the results produced by the tools via a formal and rigorous definition of the processes used. The approach then proposes an architecture centered on an ontology to model and structure the knowledge inherent to an incident and to assist the investigator in the analysis of this knowledge. The relevance and effectiveness of this architecture are demonstrated through a case study describing a fictitious investigation.
219

Digital forensic extraction in the cloud: A survey of digital forensic extraction in connection with cloud services and the opportunities and difficulties it faces

Blid, Emma, Massler, Patrick January 2017
It is becoming more common to save data online rather than on physical storage media. This brings many opportunities for you as a user, but also causes new problems, especially in investigative work. The problems in the combination of digital forensics and cloud services can be divided into two main categories: legal issues and technical issues. The legal issues primarily concern the fact that the server that stores the data, and the owner of that server, are often located in a different nation from the one where the suspected crime is being investigated. Most legal issues may seem easy to solve through changes in the law, but they are more extensive than that, as both the consequences this may have for the cloud providers and the benefits it may have for the justice system must be taken into account and carefully weighed. The technical issues often already have solutions. However, many of these cannot be considered realistic, since the size of the required storage space, and the costs it entails, are not proportional to what could be achieved. Most technical solutions also give rise to new issues in the form of ethical dilemmas, as they require extended storage of personal information. Saving information, and possibly needing to investigate information associated with a person who is not a suspect, intrudes on personal integrity. The cloud, however, also brings opportunities, of which the foremost for digital forensics is what is called Digital Forensics as a Service. This means that the cloud's resources are used to solve resource-intensive problems that would have been significantly more time-consuming to carry out locally, and that the opportunities for cooperation and specialist expertise increase, in order to facilitate and make digital forensic work more efficient.
220

Automatic Forensic Analysis of PCCC Network Traffic Log

Senthivel, Saranyan 09 August 2017
Most SCADA devices have few built-in self-defense mechanisms and tend to implicitly trust communications received over the network. Therefore, monitoring and forensic analysis of network traffic is a critical prerequisite for building an effective defense around SCADA units. In this thesis work, we provide a comprehensive forensic analysis of network traffic generated by the PCCC (Programmable Controller Communication Commands) protocol and present a prototype tool capable of extracting both updates to programmable logic and crucial configuration information. The results of our analysis show that more than 30 files, including configuration and data files, are transferred to/from the PLC when downloading/uploading a ladder logic program using RSLogix programming software. Interestingly, when RSLogix compiles a ladder-logic program, it does not create any low-level representation of a ladder-logic file. However, the low-level ladder logic is present and can be extracted from the network traffic log using our prototype tool. The tool extracts the SMTP configuration from the network log and parses it to obtain email addresses, username and password. The network log contains the password in plain text.
