229 results for Digital Forensics, Forensic Computing, Forensic Science

in Queensland University of Technology - ePrints Archive


Relevance:

100.00% 100.00%

Publisher:

Abstract:

Digital forensics investigations aim to find evidence that helps confirm or disprove a hypothesis about an alleged computer-based crime. However, the ease with which computer-literate criminals can falsify computer event logs makes the prosecutor's job highly challenging. Given a log which is suspected to have been falsified or tampered with, a prosecutor is obliged to provide a convincing explanation for how the log may have been created. Here we focus on showing how a suspect computer event log can be transformed into a hypothesised actual sequence of events, consistent with independent, trusted sources of event orderings. We present two algorithms which allow the effort involved in falsifying logs to be quantified, as a function of the number of 'moves' required to transform the suspect log into the hypothesised one, thus allowing a prosecutor to assess the likelihood of a particular falsification scenario. The first algorithm always produces an optimal solution but, for reasons of efficiency, is suitable for short event logs only. To deal with the massive amount of data typically found in computer event logs, we also present a second heuristic algorithm which is considerably more efficient but may not always generate an optimal outcome.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Online victimisation of children is concerned with sexual abuse caused with the help of online technologies. Digital forensics is a powerful methodology to discover, prevent and bring criminals to justice. Digital forensics is dependent on tools and access to information from a variety of sources in digital government. This paper reports from a knowledge enhancement project to gain new insights into offender investigations in law enforcement.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory, thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Due to the extended use of CCTVs and other video security systems in all areas, these sorts of devices have been introduced as the most important digital evidence for search and seizure in crimes. Video forensics tools are developed as a part of digital forensics tools to analyze digital evidence and clear up its vague points for presentation in the courts. Existing video forensics tools have facilitated the investigation process by providing different features based on various video editing techniques. In this paper, some of the most popular video forensics tools are discussed and their strengths and shortcomings are compared, and consequently an alternative framework which includes the strengths of existing popular tools is introduced.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Digital forensics relates to the investigation of a crime or other suspect behaviour using digital evidence. Previous work has dealt with the forensic reconstruction of computer-based activity on single hosts, but with the additional complexity involved with a distributed environment, a Web services-centric approach is required. A framework for this type of forensic examination needs to allow for the reconstruction of transactions spanning multiple hosts, platforms and applications. A tool implementing such an approach could be used by an investigator to identify scenarios of Web services being misused, exploited, or otherwise compromised. This information could be used to redesign Web services in order to mitigate identified risks. This paper explores the requirements of a framework for performing effective forensic examinations in a Web services environment. This framework will be necessary in order to develop forensic tools and techniques for use in service oriented architectures.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The analysis and value of digital evidence in an investigation has been the domain of discourse in the digital forensic community for several years. While many works have considered different approaches to model digital evidence, a comprehensive understanding of the process of merging different evidence items recovered during a forensic analysis is still a distant dream. With the advent of modern technologies, pro-active measures are integral to keeping abreast of all forms of cyber crimes and attacks. This paper motivates the need to formalize the process of analyzing digital evidence from multiple sources simultaneously. In this paper, we present the forensic integration architecture (FIA) which provides a framework for abstracting the evidence source and storage format information from digital evidence and explores the concept of integrating evidence information from multiple sources. The FIA architecture identifies evidence information from multiple sources that enables an investigator to build theories to reconstruct the past. FIA is hierarchically composed of multiple layers and adopts a technology independent approach. FIA is also open and extensible making it simple to adapt to technological changes. We present a case study using a hypothetical car theft case to demonstrate the concepts and illustrate the value it brings into the field.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Digital forensics concerns the analysis of electronic artifacts to reconstruct events such as cyber crimes. This research produced a framework to support forensic analyses by identifying associations in digital evidence using metadata. It showed that metadata based associations can help uncover the inherent relationships between heterogeneous digital artifacts thereby aiding reconstruction of past events by identifying artifact dependencies and time sequencing. It also showed that metadata association based analysis is amenable to automation by virtue of the ubiquitous nature of metadata across forensic disk images, files, system and application logs and network packet captures. The results prove that metadata based associations can be used to extract meaningful relationships between digital artifacts, thus potentially benefiting real-life forensics investigations.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Human hair is a relatively inert biopolymer and can survive through natural disasters. It is also found as trace evidence at crime scenes. Previous studies by FTIR-Microspectroscopy and -Attenuated Total Reflectance (ATR) successfully showed that hairs can be matched and discriminated on the basis of gender, race and hair treatment, when interpreted by chemometrics. However, these spectroscopic techniques are difficult to operate at- or on-field. On the other hand, some near infrared spectroscopic (NIRS) instruments equipped with an optical probe are portable and thus facilitate the on- or at-field measurements for potential application directly at a crime or disaster scene. This thesis is focused on bulk hair samples, which are free of their roots, and thus, independent of potential DNA contribution for identification. It explores the building of a profile of an individual with the use of the NIRS technique on the basis of information on gender, race and treated hair, i.e. variables which can match and discriminate individuals. The complex spectra collected may be compared and interpreted with the use of chemometrics. These methods can then be used as protocol for further investigations. Water is a common substance present at forensic scenes e.g. at home in a bath, in the swimming pool; it is also common outdoors in the sea, river, dam, puddles and especially during DVI incidents at the seashore after a tsunami. For this reason, the matching and discrimination of bulk hair samples after the water immersion treatment was also explored. Through this research, it was found that Near Infrared Spectroscopy, with the use of an optical probe, has successfully matched and discriminated bulk hair samples to build a profile for the possible application to a crime or disaster scene. Through the interpretation of Chemometrics, such characteristics included Gender and Race.
A novel approach was to measure the spectra not only in the usual NIR range (4000 – 7500 cm⁻¹) but also in the Visible NIR (7500 – 12800 cm⁻¹). This proved to be particularly useful in exploring the discrimination of differently coloured hair, e.g. naturally coloured, bleached or dyed. The NIR region is sensitive to molecular vibrations of the hair fibre structure as well as that of the dyes and damage from bleaching. But the Visible NIR region preferentially responds to the natural colourants, the melanin, which involves electronic transitions. This approach was shown to provide improved discrimination between dyed and untreated hair. This thesis is an extensive study of the application of NIRS with the aid of chemometrics, for matching and discrimination of bulk human scalp hair. The work not only indicates the strong potential of this technique in this field but also breaks new ground with the exploration of the use of the NIR and Visible NIR ranges for spectral sampling. It also develops methods for measuring spectra from hair which has been immersed in different water media (sea, river and dam).

Relevance:

100.00% 100.00%

Publisher:

Abstract:

This paper discusses the use of models in automatic computer forensic analysis, and proposes and elaborates on a novel model for use in computer profiling, the computer profiling object model. The computer profiling object model is an information model which models a computer as objects with various attributes and inter-relationships. These together provide the information necessary for a human investigator or an automated reasoning engine to make judgements as to the probable usage and evidentiary value of a computer system. The computer profiling object model can be implemented so as to support automated analysis to provide an investigator with the information needed to decide whether manual analysis is required.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Forensic imaging has been facing scalability challenges for some time. As disk capacity growth continues to outpace storage IO bandwidth, the demands placed on storage and time are ever increasing. Data reduction and de-duplication technologies are now commonplace in the Enterprise space, and are potentially applicable to forensic acquisition. Using the new AFF4 forensic file format we employ a hash based compression scheme to leverage an existing corpus of images, reducing both acquisition time and storage requirements. This paper additionally describes some of the recent evolution in the AFF4 file format making the efficient implementation of hash based imaging a reality.