994 results for Forensic Tools


Relevance:

100.00%

Publisher:

Abstract:

Due to the widespread use of CCTVs and other video security systems in all areas, these devices have become the most important digital evidence in the investigation and prosecution of crimes. Video forensics tools are developed as part of digital forensics tools to analyze digital evidence and clarify its ambiguous points for presentation in court. Existing video forensics tools have facilitated the investigation process by providing different features based on various video editing techniques. In this paper, some of the most popular video forensics tools are discussed, their strengths and shortcomings are compared, and consequently an alternative framework which combines the strengths of the existing popular tools is introduced.

Relevance:

100.00%

Publisher:

Abstract:

The increasing complexity and number of digital forensic tasks required in criminal investigations demand the development of an effective and efficient testing methodology, enabling tools of similar functionality to be compared based on their performance. Assuming that the tool tester is familiar with the underlying testing platform and has the ability to use the tools correctly, we provide a numerical solution for the lower bound on the number of test cases needed to determine the comparative capabilities of any set of digital forensic tools. We also present a case study on the performance testing of password cracking tools, which allows us to confirm that the lower bound on the number of test runs needed is closely related to the row size of certain orthogonal arrays. We show how to reduce the number of test runs by using knowledge of the underlying system.

Relevance:

100.00%

Publisher:

Abstract:

This thesis surveys the latest development of digital forensic tools designed for anti-cybercrime purposes. It discusses the necessity of testing the digital forensics tools, and presents a novel testing framework. This new testing framework takes the viewpoint of software vendors rather than traditional software engineering approaches.

Relevance:

100.00%

Publisher:

Abstract:

In previous work, the authors presented a theoretical lower bound on the required number of testing runs for performance testing of digital forensic tools. We also demonstrated a practical method of testing showing how to tolerate both measurement and random errors in order to achieve results close to this bound. In this paper, we extend the previous work to the situation of correctness testing. The contribution of this methodology enables the tester to achieve correctness testing results of high quality from a manageable number of observations and in a dynamic but controllable way. This is of particular interest to forensic testers who do not have access to sophisticated equipment and who can allocate only a small amount of time to testing.

Relevance:

100.00%

Publisher:

Abstract:

In previous work, the authors presented a theoretical lower bound on the required number of testing runs for performance testing of digital forensic tools. However, experimental errors are inevitable in laboratory settings, occurring as measurement errors or as random errors, and can result in practical situations where the number of testing runs is far from the theoretical bound. This paper adapts our former work to tolerate such errors in the testing results. The contribution of our new methodology enables the tester to achieve performance testing results of high quality from a manageable number of observations and in a dynamic but controllable way. This is of particular interest to forensic testers who do not have access to sophisticated equipment and who can allocate only a small amount of time to testing.

Relevance:

70.00%

Publisher:

Abstract:

Digital forensics relates to the investigation of a crime or other suspect behaviour using digital evidence. Previous work has dealt with the forensic reconstruction of computer-based activity on single hosts, but with the additional complexity involved with a distributed environment, a Web services-centric approach is required. A framework for this type of forensic examination needs to allow for the reconstruction of transactions spanning multiple hosts, platforms and applications. A tool implementing such an approach could be used by an investigator to identify scenarios of Web services being misused, exploited, or otherwise compromised. This information could be used to redesign Web services in order to mitigate identified risks. This paper explores the requirements of a framework for performing effective forensic examinations in a Web services environment. This framework will be necessary in order to develop forensic tools and techniques for use in service oriented architectures.

Relevance:

70.00%

Publisher:

Abstract:

We present a three-component model of a digital investigation which comprises: determination of input-output layers, assignment of read and write operations associated with use of forensic tools, and time-stamping of read and write operations. This builds on work of several authors, culminating in the new model presented here which is generic, scalable and compatible with all functions in the system, and which is guaranteed to produce a high quality of reproducibility.

Relevance:

70.00%

Publisher:

Abstract:

Network forensics is a branch of digital forensics which has evolved recently as a very important discipline used in monitoring and analysing network traffic, particularly for the purposes of tracing intrusions and attacks. This paper presents an analysis of the tools and techniques used in network forensic analysis. It further examines the application of network forensics to vital areas such as malware and network attack detection; IP traceback and honeypots; and intrusion detection. Further, the paper addresses new and emerging areas of network forensic development which include critical infrastructure forensics, wireless network forensics, as well as its application to social networking. © 2012 IEEE.

Relevance:

60.00%

Publisher:

Abstract:

The research presented in this thesis addresses inherent problems in signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to address the difficulties associated with multi-step attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources, and multi-step attack specification and detection. The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information as well as providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tools, or monitoring tools. The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation, where variables represent events as defined in the event abstraction model. The third part of the research looks into the solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts. Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation and clock drift modelling using linear regression. An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: an implementation of the abstract event system architecture (AESA) and the scenario detection module. The scenario detection module implements our signature language, developed based on the Python programming language syntax, and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs and a synthetic dataset. The distinct feature of the public dataset is that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there is significant clock skew and drift in the dataset. Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allow automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios which may involve time uncertainty.

Relevance:

60.00%

Publisher:

Abstract:

INTRODUCTION: Cadaver dogs are known as valuable forensic tools in crime scene investigations. Scientific research attempting to verify their value is largely lacking, specifically for scents associated with the early postmortem interval. The aim of our investigation was the comparative evaluation of the reliability, accuracy, and specificity of three cadaver dogs belonging to the Hamburg State Police in the detection of scents during the early postmortem interval. MATERIAL AND METHODS: Carpet squares were used as an odor-transporting medium after they had been contaminated with the scent of two recently deceased bodies (PMI<3h). The contamination lasted 2 min or 10 min, without any direct contact between the carpet and the corpse. Comparative searches by the dogs were performed over a period of 65 days (10 min contamination) and 35 days (2 min contamination). RESULTS: The results of this study indicate that the well-trained cadaver dog is an outstanding tool for crime scene investigation, displaying excellent sensitivity (75-100) and specificity (91-100), and having a positive predictive value (90-100), negative predictive value (90-100) and accuracy (92-100).

Relevance:

40.00%

Publisher:

Abstract:

The introduction of profiling systems with increased sensitivity has led to a concurrent increase in the risk of detecting contaminating DNA in forensic casework. To evaluate the contamination risk of tools used during exhibit examination, we have assessed the occurrence and level of DNA transferred between mock casework exhibits, comprised of cotton or glass substrates, and high-risk vectors (scissors, forceps, and gloves). The subsequent impact of such transfer on the profiling of a target sample was also investigated. Dried blood or touch DNA, deposited on the primary substrate, was transferred via the vector to the secondary substrate, which was either DNA-free or contained a target sample (dried blood or touch DNA). Pairwise combinations of both heavy and light contact were applied by each vector in order to simulate various levels of contamination. The transfer of dried blood to DNA-free cotton was observed for all vectors and transfer scenarios, with transfer substantially lower when glass was the substrate. Overall, touch DNA transferred less efficiently, with significantly lower transfer rates than blood when transferred to DNA-free cotton; the greatest transfer of touch DNA occurred between cotton and glass substrates. In the presence of a target sample, the detectability of transferred DNA decreased due to the presence of background DNA. Transfer had no impact on the detectability of the target profile; however, in casework scenarios where the suspect profiles are not known, profile interpretation becomes complicated by the addition of contaminating alleles, and the probative value of the evidence may be affected. The results of this study reiterate the need for examiners to adhere to stringent laboratory cleaning protocols, particularly in the interest of contamination minimisation, and to reduce the handling of items to prevent intra-item transfer.

Relevance:

40.00%

Publisher:

Abstract:

Traumatic lesions of the subcutaneous fatty tissue provide important clues for forensic reconstruction. The interpretation of these patterns requires a precise description and recording of the position and extent of each lesion. During conventional autopsy, this evaluation is performed by dissecting the skin and subcutaneous tissues in successive layers. In this way, depending on the force and type of impact (right angle or tangent), several morphologically distinct stages of fatty tissue damage can be differentiated: perilobular hemorrhage (I), contusion (II), or disintegration (III) of the fat lobuli, and disintegration with development of a subcutaneous cavity (IV). In examples of virtopsy cases showing blunt trauma to the skin and fatty tissue, we analyzed whether these lesions can also be recorded and classified using multislice computed tomography (MSCT) and magnetic resonance imaging (MRI). MSCT has proven to be a valuable screening method to detect the lesions, but MRI is necessary in order to properly differentiate and classify the grade of damage. These noninvasive radiological diagnostic tools can be further developed to play an important role in forensic examinations, in particular when it comes to evaluating living trauma victims.

Relevance:

30.00%

Publisher:

Abstract:

Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format, an open, extensible file format for storing and sharing evidence, arbitrary case-related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well-supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.

Relevance:

30.00%

Publisher:

Abstract:

The increasing use of social media, applications or platforms that allow users to interact online, ensures that this environment will provide a useful source of evidence for the forensics examiner. Current tools for the examination of digital evidence find this data problematic as they are not designed for the collection and analysis of online data. Therefore, this paper presents a framework for the forensic analysis of user interaction with social media. In particular, it presents an inter-disciplinary approach for the quantitative analysis of user engagement to identify relational and temporal dimensions of evidence relevant to an investigation. This framework enables the analysis of large data sets from which a (much smaller) group of individuals of interest can be identified. In this way, it may be used to support the identification of individuals who might be ‘instigators’ of a criminal event orchestrated via social media, or a means of potentially identifying those who might be involved in the ‘peaks’ of activity. In order to demonstrate the applicability of the framework, this paper applies it to a case study of actors posting to a social media Web site.

Relevance:

30.00%

Publisher:

Abstract:

Recent studies observing the transfer of DNA via examination tools used within forensic laboratories (scissors, forceps and gloves) have highlighted the contamination risk of such implements if protocols following their use and replacement are not adhered to. Whilst these previous studies focus primarily on the transfer of biological substances to a substrate via high-risk vectors, this investigation considers the proportion of DNA that remains on the high-risk vectors following contact with the substrate. Dried blood or touch DNA was deposited on cotton or glass substrates to create mock exhibits. Following primary contact with the deposit, the vector similarly contacted a secondary DNA-free substrate. Combinations of singular and multiple contacts were applied. Immediately following contact with the secondary substrate, the vector was sampled in order to determine the proportion of DNA-containing material remaining on the vectors following contacts. Residual DNA was detected on the vectors in most instances, with the amount retained influenced by the vector, substrates and biological substance applied. The results demonstrate the potential for inter- and intra-exhibit contamination through further contacts.