11

Towards Automation in Digital Investigations : Seeking Efficiency in Digital Forensics in Mobile and Cloud Environments

Homem, Irvin January 2016
Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. This combined set of circumstances makes digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, industry standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought after in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end requirements are outlined and an architecture designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. 
Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning is developed and tested. Finally the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization particularly within the storage and processing functionality. This decentralization also improves machine to machine communication supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) in digital investigations by removing the need for proximity to the evidence. Experiments show that a single TCP connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication thereby enabling automation and reducing the need for manual human intervention.
12

Anti-forensiska metoder på smarta mobiltelefoner : Går akademisk forskning hand i hand med lagens långa arm? / Anti-forensic methods on smartphones : Does academic research grasp the long arm of the law?

Sundelin, Martina, Nilsson, Eric January 2023
Mobile phones are common sources of evidence in IT-forensic investigations, and this fact is causing additional strain for law enforcement work. Meanwhile, mobile anti-forensics is a small and relatively new area of research. With a strict focus on smart mobile phones, and using an anti-forensics definition that places the intentions of the user in focus, we have performed a systematic literature study with the purpose of mapping the academic research related to the field. 
Our reasoning is that mapping the performed research should also result in a map of the research that has yet to be performed, if a practical perspective is applied. Over 500 articles were handled as part of the literature study, of which 45 articles were included and sorted based on their anti-forensic content into a model for the IT-forensic process. The practical perspective was sourced from interviews with the North, East, and Southern Swedish police regions. Their IT-forensic experts describe which parts of the IT-forensic process are subject to the most difficult challenges. By taking both perspectives into account we are able to identify areas of deficiency where future research should be focused in order to better support the work of law enforcement. We find that research tends to focus on the latter half of the IT-forensic process whereas the IT-forensic experts call out identification and collection of evidence as areas of interest. We also identify a multitude of areas where more research is needed, for example in relation to data-destroying applications.
13

New and Emerging Mobile Apps Among Teens - Are Forensic Tools Keeping Up?

Kelsey Billups (8800973) 06 May 2020
Mobile applications are an important but fast changing piece of the digital forensics’ world. For mobile forensics researchers and field analysts, it is hard to keep up with the pace of the ever-changing world of the newest and most popular applications teens are using. Mobile forensic tools are quickly becoming more and more supportive of new applications, but with how quickly apps are changing and new ones being released, it is still difficult for the tools to keep up. The research question for this project examines to what extent digital forensic tools support new and emerging applications seen recently in investigations involving teenagers? For this research, a survey was conducted asking digital forensic analysts, and others who investigate digital crimes, what applications they are coming across most frequently during investigations involving teens and whether those applications are being supported by forensic tools. The top three applications from the survey that were not supported by mobile forensic tools, Monkey, Houseparty, and Likee were populated onto a test device and then evaluated and analyzed to see what forensic artifacts were found in those applications. The mobile application artifacts were then compared on two different forensic tools to see which tool obtains the most forensic artifacts from the applications. Through the examination and analysis of the applications and data contained within the apps, it was determined that 61% of the populated forensic artifacts were recovered manually and only 45% were recovered by a forensic tool for the Monkey application. 100% of the populated forensic artifacts were recovered manually and only 29% were recovered by a forensic tool for the Houseparty application. 42% of the populated forensic artifacts were recovered manually and only 3% were recovered by a forensic tool for the Likee application. 
It was found that the extent of support from digital forensic tools for these types of applications depends greatly on how the application stores the artifacts, but the artifact extraction support was limited for all applications. This research benefits in helping researchers and analysts by understanding the data and artifacts contained within the applications, what forensic artifacts are recoverable, and where to find those important artifacts. This research can help in finding important evidence for future investigations.
14

Forensiska Artefakter hos Mobila Applikationer : Utvinning och Analys av Applikationen Snapchat / Forensic Artifacts in Mobile Applications : Extraction and Analysis of the Snapchat Application

Nordin, Anton, Liffner, Felix January 2019
Today's smartphones and tablets use different applications and software for all sorts of purposes: communication, entertainment, fitness, to share images with each other, to keep up to date with the news and lots of different daily tasks. With the heavy usage of all these apps, it is no wonder that it comes with a few issues. Private data is stored in large quantities both on the local device and on the app-creators' servers. It is no wonder that applications advertising user secrecy and transient storage of user data. One of these applications is Snapchat, with over 500 million downloads on Google Play store, at the time of writing. Snapchat is a communication application with the niched feature that the images and messages sent, disappear once opened or after 24 hours have passed. With the illusion of privacy behind Snapchat's niche it has become a breeding ground for criminal activity. The niche itself translates to a troublesome hurdle for law enforcement trying to retrieve evidence from devices of Snapchat users. This paper is aimed to investigate these issues and perform a methodology to retrieve potential evidence on a device using Snapchat to send images and messages. By performing a physical acquisition on a test device and analyzing to find artifacts pertaining to Snapchat and the test-data that was created. The method is performed on a Samsung Galaxy S4 with Android 5.0.1 running Snapchat version 10.52.3.0. Test data such as different images and messages were created and attempted to be retrieved at three points in time. First one being right after data creation. Second one after a restart and 24 hours after the data was created. And the third with 48 hours passed and the Snapchat user logged out at the time of acquisition. The acquisition resulted in the extraction of several sent images and a full text conversation between the experimental device and another party. 
A full video which was uploaded by the receiving user was able to be extracted even though the experimental device never actually viewed the video. The second acquisition which was made when 24h had passed gave the same results as the first one. This meant that time at least up to a day after the initial creation of the data did not have any effect on the evidence. However, when the Snapchat user was logged out from the application, the data was then unobtainable and had disappeared. Presumably Snapchat has a function which deletes personal data about the user when logged out from the application. This function might become a hurdle in law enforcement investigations where the application Snapchat is involved.
15

TOWARDS A TRANSDISCIPLINARY CYBER FORENSICS GEO-CONTEXTUALIZATION FRAMEWORK

Mohammad Meraj Mirza (16635918) 04 August 2023
Technological advances have a profound impact on people and the world in which they live. People use a wide range of smart devices, such as the Internet of Things (IoT), smartphones, and wearable devices, on a regular basis, all of which store and use location data. With this explosion of technology, these devices have been playing an essential role in digital forensics and crime investigations. Digital forensic professionals have become more able to acquire and assess various types of data and locations; therefore, location data has become essential for responders, practitioners, and digital investigators dealing with digital forensic cases that rely heavily on digital devices that collect data about their users. It is very beneficial and critical when performing any digital/cyber forensic investigation to consider answering the six Ws questions (i.e., who, what, when, where, why, and how) by using location data recovered from digital devices, such as where the suspect was at the time of the crime or the deviant act. Therefore, they could convict a suspect or help prove their innocence. However, many digital forensic standards, guidelines, tools, and even the National Institute of Standards and Technology (NIST) Cyber Security Personnel Framework (NICE) lack full coverage of what location data can be, how to use such data effectively, and how to perform spatial analysis. Although current digital forensic frameworks recognize the importance of location data, only a limited number of data sources (e.g., GPS) are considered sources of location in these digital forensic frameworks. Moreover, most digital forensic frameworks and tools have yet to introduce geo-contextualization techniques and spatial analysis into the digital forensic process, which may aid digital forensic investigations and provide more information for decision-making. 
As a result, significant gaps in the digital forensics community are still influenced by a lack of understanding of how to properly curate geodata. Therefore, this research was conducted to develop a transdisciplinary framework to deal with the limitations of previous work and explore opportunities to deal with geodata recovered from digital evidence by improving the way of maintaining geodata and getting the best value from them using an iPhone case study. The findings of this study demonstrated the potential value of geodata in digital disciplinary investigations when using the created transdisciplinary framework. Moreover, the findings discuss the implications for digital spatial analytical techniques and multi-intelligence domains, including location intelligence and open-source intelligence, that aid investigators and generate an exceptional understanding of device users' spatial, temporal, and spatial-temporal patterns.
