992 results for Computer Forensics, Profiling


Relevance: 100.00%

Abstract:

Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory, thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.

Relevance: 100.00%

Abstract:

Rho guanosine triphosphatases (GTPases) control the cytoskeletal dynamics that power neurite outgrowth. This process consists of dynamic neurite initiation, elongation, retraction, and branching cycles that are likely to be regulated by specific spatiotemporal signaling networks, which cannot be resolved with static, steady-state assays. We present NeuriteTracker, a computer-vision approach to automatically segment and track neuronal morphodynamics in time-lapse datasets. Feature extraction then quantifies dynamic neurite outgrowth phenotypes. We identify a set of stereotypic neurite outgrowth morphodynamic behaviors in a cultured neuronal cell system. Systematic RNA interference perturbation of a Rho GTPase interactome consisting of 219 proteins reveals a limited set of morphodynamic phenotypes. As proof of concept, we show that loss of function of two distinct RhoA-specific GTPase-activating proteins (GAPs) leads to opposite neurite outgrowth phenotypes. Imaging of RhoA activation dynamics indicates that both GAPs regulate different spatiotemporal Rho GTPase pools, with distinct functions. Our results provide a starting point to dissect spatiotemporal Rho GTPase signaling networks that regulate neurite outgrowth.

Relevance: 100.00%

Abstract:

Computer forensics is the process of gathering and analysing evidence from computer systems to aid in the investigation of a crime. Typically, such investigations are undertaken by human forensic examiners using purpose-built software to discover evidence from a computer disk. This process is a manual one, and the time it takes for a forensic examiner to conduct such an investigation is proportional to the storage capacity of the computer's disk drives. The heterogeneity and complexity of various data formats stored on modern computer systems compounds the problems posed by the sheer volume of data. The decision to undertake a computer forensic examination of a computer system is a decision to commit significant quantities of a human examiner's time. Where there is no prior knowledge of the information contained on a computer system, this commitment of time and energy occurs with little idea of the potential benefit to the investigation. The key contribution of this research is the design and development of an automated process to describe a computer system and its activity for the purposes of a computer forensic investigation. The term proposed for this process is computer profiling. A model of a computer system and its activity has been developed over the course of this research. Using this model, a computer system which is the subject of investigation can be automatically described in terms useful to a forensic investigator. The computer profiling process is resilient to attempts to disguise malicious computer activity. This resilience is achieved by detecting inconsistencies in the information used to infer the apparent activity of the computer. The practicality of the computer profiling process has been demonstrated by a proof-of-concept software implementation. The model and the prototype implementation utilising the model were tested with data from real computer systems. The resilience of the process to attempts to disguise malicious activity has also been demonstrated with practical experiments conducted with the same prototype software implementation.

Relevance: 90.00%

Abstract:

Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally, they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. This combined set of circumstances makes digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time-consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, the industry-standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end, requirements are outlined and an architecture designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning, is developed and tested. Finally, the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization, particularly within the storage and processing functionality. This decentralization also improves machine-to-machine communication, supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) of digital investigations by removing the need for proximity to the evidence. Experiments show that a single-TCP-connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP-connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication, thereby enabling automation and reducing the need for manual human intervention.

Relevance: 90.00%

Abstract:

This paper discusses the large-scale group project undertaken by BSc Hons Digital Forensics students at Abertay University in their penultimate year. The philosophy of the project is to expose students to the full digital crime "life cycle", from commission through investigation, preparation of formal court report and finally, to prosecution in court. In addition, the project is novel in two aspects; the "crimes" are committed by students, and the moot court proceedings, where students appear as expert witnesses for the prosecution, are led by law students acting as counsels for the prosecution and defence. To support students, assessments are staged across both semesters with staff feedback provided at critical points. Feedback from students is very positive, highlighting particularly the experience of engaging with the law students and culminating in the realistic moot court, including a challenging cross-examination. Students also commented on the usefulness of the final debrief, where the whole process and the student experience is discussed in an informal plenary meeting between DF students and staff, providing an opportunity for the perpetrators and investigators to discuss details of the "crimes", and enabling all groups to learn from all crimes and investigations. We conclude with a reflection on the challenges encountered and a discussion of planned changes.

Relevance: 80.00%

Abstract:

Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format, an open, extensible file format for storing and sharing evidence, arbitrary case-related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well-supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.

Relevance: 80.00%

Abstract:

The legal community studies the legal characteristics of computer evidence and how it is authenticated, while researchers in computer science study the technical characteristics of computer evidence and the techniques for acquiring it from a technical perspective. Because this discipline is an interdisciplinary field built on law and computer science, it must be studied from the perspective of the particularities exhibited by these two disciplines and the disciplines derived from them. Separating law from technology in this field leads to errors in legal determination and to disorder on the technical side. This paper studies computer forensics by combining law with computer technology. It clarifies the legal issues related to computer forensics, focuses on the technical methods and tools of computer forensics, and presents the technical procedure of a computer forensics experiment. It points out the deficiencies of current laws and regulations related to computer forensics and of current computer forensics technology, and indicates the further improvement of laws and regulations, the standardisation of computer forensics work, and the development trends of computer forensics technology.

Relevance: 80.00%

Abstract:

Computer forensics is a rapidly growing research field with important application prospects in national security, consumer protection and criminal investigation. Because of the special nature of computer evidence, ensuring that it meets the admissibility standards for evidence, namely relevance, reliability and legality, requires special techniques and methods for its acquisition and the use of special tools. This paper presents a fairly detailed analysis of the technical methods used in computer forensics, and analyses and compares domestic and foreign computer forensics tools.

Relevance: 80.00%

Abstract:

On the basis of an analysis of common intrusion attacks, a general pattern of the intrusion process is abstracted, and the characteristics that a forensic system targeting intrusion attacks should satisfy are proposed. An intrusion forensics model is proposed, and based on this model a forensics system prototype, KIFS (kernel intrusion forensic system), is implemented at the operating system kernel layer. In a forensics experiment on an actual intrusion, the evidence obtained by KIFS successfully recorded and reconstructed the complete course of a local privilege escalation attack against a FreeBSD system vulnerability.

Relevance: 80.00%

Abstract:

This doctoral thesis analyses the processes and actions of consumers of child pornography. We argue that the world of child pornography collectors is distinguished by three particularities: sexual preference, the pornographic supply in an immaterial world, and virtual sociability. To put this thesis to the test, we had access to the hard drives of 40 people convicted of child pornography offences. The computer forensics method used in this context made it possible to recreate the events surrounding the collection of images by these people. In addition, a sample of the images possessed by these individuals was categorised according to age and the acts depicted in the images (n = 61,244). Beyond the many points it has in common with collectors of popular objects, the results show the importance of sexual preference in the collector's perception and strategies, the omnipresence of adult pornography images in the collections, and virtual sociability as a measure of efficiency in discovering content. Furthermore, by creating four different groups according to the evolution of the severity of the images over time, we found that the group in which there is aggravation in both the age and the severity of the acts depicted is the largest group, with 37.5% of the subjects. The results of the study also highlight the relevance of using computer forensics in criminology studies.