Reconstruction of falsified computer logs for digital forensics investigations

Digital forensics investigations aim to find evidence that helps confirm or disprove a hypothesis about an alleged computer-based crime. However, the ease with which computer-literate criminals can falsify computer event logs makes the prosecutor's job highly challenging. Given a log which is suspected to have been falsified or tampered with, a prosecutor is obliged to provide a convincing explanation for how the log may have been created. Here we focus on showing how a suspect computer event log can be transformed into a hypothesised actual sequence of events, consistent with independent, trusted sources of event orderings. We present two algorithms which allow the effort involved in falsifying logs to be quantified, as a function of the number of `moves' required to transform the suspect log into the hypothesised one, thus allowing a prosecutor to assess the likelihood of a particular falsification scenario. The first algorithm always produces an optimal solution but, for reasons of efficiency, is suitable for short event logs only. To deal with the massive amount of data typically found in computer event logs, we also present a second heuristic algorithm which is considerably more efficient but may not always generate an optimal outcome.

Digital forensics in law enforcement: the case of online victimisation of children

Online victimisation of children is concerned with sexual abuse caused with the help of online technologies. Digital forensics is a powerful methodology to discover, prevent and bring criminals to justice. Digital forensics is dependent on tools and access to information from a variety of sources in digital government. This paper reports from a knowledge enhancement project to gain new insights into offender investigations in law enforcement.

A network forensics tool for precise data packet capture and replay in cyber-physical systems

Network data packet capture and replay capabilities are basic requirements for forensic analysis of faults and security-related anomalies, as well as for testing and development. Cyber-physical networks, in which data packets are used to monitor and control physical devices, must operate within strict timing constraints, in order to match the hardware devices' characteristics. Standard network monitoring tools are unsuitable for such systems because they cannot guarantee to capture all data packets, may introduce their own traffic into the network, and cannot reliably reproduce the original timing of data packets. Here we present a high-speed network forensics tool specifically designed for capturing and replaying data traffic in Supervisory Control and Data Acquisition systems. Unlike general-purpose "packet capture" tools it does not affect the observed network's data traffic and guarantees that the original packet ordering is preserved. Most importantly, it allows replay of network traffic precisely matching its original timing. The tool was implemented by developing novel user interface and back-end software for a special-purpose network interface card. Experimental results show a clear improvement in data capture and replay capabilities over standard network monitoring methods and general-purpose forensics solutions.

How useful are databases in environmental and criminal forensics?

Advances in computational and information technologies have facilitated the acquisition of geospatial information for regional and national soil and geology databases. These have been completed for a range of purposes from geological and soil baseline mapping to economic prospecting and land resource assessment, but have become increasingly used for forensic purposes. On the question of provenance of a questioned sample, the geologist or soil scientist will draw invariably on prior expert knowledge and available digital map and database sources in a ‘pseudo Bayesian’ approach. The context of this paper is the debate on whether existing (digital) geology and soil databases are indeed useful and suitable for forensic inferences. Published and new case studies are used to explore issues of completeness, consistency, compatibility and applicability in relation to the use of digital geology and soil databases in environmental and criminal forensics. One key theme that emerges is that, despite an acknowledgement that databases can be neither exhaustive nor precise enough to portray spatial variability at the scene of crime scale, coupled with expert knowledge, they play an invaluable role in providing background or
reference material in a criminal investigation. Moreover databases can offer an independent control set of samples.

Evaluating genetic traceability methods for captive-bred marine fish and their applications in fisheries management and wildlife forensics

Growing demands for marine fish products is leading to increased pressure on already depleted wild populations and a rise in aquaculture production. Consequently, more captive-bred fish are released into the wild through accidental escape or deliberate releases. The increased mixing of captive-bred and wild fish may affect the ecological and/or genetic integrity of wild fish populations. Unambiguous identification tools for captive-bred fish will be highly valuable to manage risks (fisheries management) and tracing of escapees and seafood products (wildlife forensics). Using single nucleotide polymorphism (SNP) data from captive-bred and wild populations of Atlantic cod Gadus morhua L. and sole Solea solea L., we explored the efficiency of population and parentage assignment techniques for the identification and tracing of captive-bred fish. Simulated and empirical data were used to correct for stochastic genetic effects. Overall, parentage assignment performed well when a large effective population size characterized the broodstock and escapees originated from early generations of captive breeding. Consequently, parentage assignments are particularly useful from a fisheries management perspective to monitor the effects of deliberate releases of captive-bred fish on wild populations. Population assignment proved to be more efficient after several generations of captive breeding, which makes it a useful method in forensic applications for well-established aquaculture species. We suggest the implementation of a case-by-case strategy when choosing the best method.

Sediment fingerprinting as an environmental forensics tool explaining cyanobacteria blooms in lakes

Cyanobacteria (blue-green algae) blooms in water bodies present serious public health issues with attendant economic and ecological impacts. Llyn Tegid (Lake Bala) is an important conservation and amenity asset within Snowdonia National Park, Wales which since the mid-1990s has experienced multiple toxic cyanobacteria blooms threatening the ecology and tourism-dependent local economy. Multiple working hypotheses explain the emergence of this problem, including climate change, land management linked to increased nutrient flux, hydromorphological alterations or changing trophic structure - any of which may operate individually or cumulatively to impair lake function. This paper reports the findings of a sedimentfingerprinting study using dated lake cores to explore the linkages between catchment and lake management practices and the emergence of the algal blooms problem. Since 1900 AD lake bed sedimentation rates have varied from 0.06 to 1.07 g cm−2 yr−1, with a pronounced acceleration since the early 1980s. Geochemical analysis revealed increases in the concentrations of total phosphorus (TP), calcium and heavy metals such as zinc and lead consistent with eutrophication and a rising pollution burden, particularly since the late 1970s. An uncertainty-inclusive sedimentfingerprinting approach was used to apportion the relative fluxes from the major catchment land cover types of improved pasture, rough grazing, forestry and channel banks. This showed improved pasture and channel banks are the dominant diffuse sources of sediment in the catchment, though forestry sources were important historically. Conversion of rough grazing to improved grassland, coupled with intensified land management and year-round livestock grazing, is concluded to provide the principal source of rising TP levels. Lake Habitat Survey and particle size analysis of lake cores demonstrate the hydromorphological impact of the River Dee Regulation Scheme, which controls water level and periodically diverts flow into Llyn Tegid from the adjacent Afon Tryweryn catchment. This hydromorphological impact has also been most pronounced since the late 1970s. It is concluded that an integrated approach combining land management to reduce agricultural runoff allied to improved water level regulation enabling recovery of littoral macrophytes offers the greatest chance halting the on-going cyanobacteria issue in Llyn Tegid.