977 results for digital evidence
Abstract:
In this paper we discuss the use of digital data by the Swiss Federal Criminal Court in a recent case of attempted homicide. We use this case to examine drawbacks for the defense when the presentation of scientific evidence is partial, especially when the only perspective mentioned is that of the prosecution. We tackle this discussion at two distinct levels. First, we pursue an essentially non-technical presentation of the topic by drawing parallels between the court's summing up of the case and flawed patterns of reasoning commonly seen in other forensic disciplines, such as DNA and particle traces (e.g., gunshot residues). Then, we propose a formal analysis of the case, using elements of probability and graphical probability models, to justify our main claim that the partial presentation of digital evidence poses a risk to the administration of justice in that it keeps vital information from the defense. We will argue that such practice constitutes a violation of general principles of forensic interpretation as established by forensic science literature and current recommendations by forensic science interest groups (e.g., the European Network of Forensic Science Institutes). Finally, we posit that argument construction and analysis using formal methods can help place digital evidence appropriately into context and thus support a sound evaluation of the evidence.
Abstract:
Digital forensics as a field has progressed alongside technological advancements over the years, just as digital devices have gotten more robust and sophisticated. However, criminals and attackers have devised means for exploiting the vulnerabilities or sophistication of these devices to carry out malicious activities in unprecedented ways. Their belief is that electronic crimes can be committed without identities being revealed or trails being established. Several applications of artificial intelligence (AI) have demonstrated interesting and promising solutions to seemingly intractable societal challenges. This thesis aims to advance the concept of applying AI techniques in digital forensic investigation. Our approach involves experimenting with a complex case scenario in which suspects corresponded by e-mail and deleted, suspiciously, certain communications, presumably to conceal evidence. The purpose is to demonstrate the efficacy of Artificial Neural Networks (ANN) in learning and detecting communication patterns over time, and then predicting the possibility of missing communication(s) along with potential topics of discussion. To do this, we developed a novel approach and included other existing models. The accuracy of our results is evaluated, and their performance on previously unseen data is measured. Second, we proposed conceptualizing the term “Digital Forensics AI” (DFAI) to formalize the application of AI in digital forensics. The objective is to highlight the instruments that facilitate the best evidential outcomes and presentation mechanisms that are adaptable to the probabilistic output of AI models. Finally, we enhanced our notion in support of the application of AI in digital forensics by recommending methodologies and approaches for bridging trust gaps through the development of interpretable models that facilitate the admissibility of digital evidence in legal proceedings.
Abstract:
Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally, they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. This combined set of circumstances makes digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time-consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, industry standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought after in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end, requirements are outlined and an architecture is designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. 
Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning is developed and tested. Finally the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization particularly within the storage and processing functionality. This decentralization also improves machine to machine communication supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) in digital investigations by removing the need for proximity to the evidence. Experiments show that a single TCP connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication thereby enabling automation and reducing the need for manual human intervention.
Abstract:
This Final Scientific Report of the Applied Research Work addresses the topic “Crimes in the digital environment – GNR investigation for obtaining evidence”. The purpose of the topic is to analyse the GNR's criminal investigation with respect to obtaining digital evidence in inquiries delegated by the Judicial Authority. The general objective is to determine the importance of digital evidence for the GNR's criminal investigation. The research also has specific objectives, such as determining the capabilities and difficulties of the operational and forensic branches in obtaining digital evidence, and determining the main types of crime that have relied on this type of evidence. In terms of its logical basis, the research relies on the hypothetico-deductive method; as such, the starting point is the formulation of the research questions and the respective objectives and research hypotheses. With regard to data collection techniques, the research is supported by documentary content, interviews and questionnaires. The analysis and discussion of the results obtained make it possible to draw the conclusions of the work, which in turn make it possible to verify the veracity of the hypotheses formulated in the initial phase of the research. As main results, we found that digital evidence is a type of evidence that should be prioritised in inquiries and that can be obtained across a wide spectrum of crime types falling within the GNR's competence in matters of criminal investigation. We also conclude that the Guard still has considerable room for progress before it is fully capable of obtaining digital evidence; even so, efforts and competencies are being developed in that direction, and some Territorial Commands are more developed in this area.
Abstract:
The subject of study of this Thesis aims to highlight and recognize as an object of reflection the undoubted relationship between the Internet and the Justice System, based on the issue of digital evidence. The simultaneous crossing of the juridical-legal implications and the more technical computer issues is the actual trigger for the discussion of the issues established. The Convention on Cybercrime of the Council of Europe of 23rd November 2001 and the Council Framework Decision n.° 2005/222/JHA of 24th February 2005 were avant-garde in terms of the international work about the crimes in the digital environment. In addition, they enabled the harmonization of national legislations on the matter and, consequently, a greater flexibility in international judicial cooperation. Portugal, in compliance with these international studies, ratified, implemented and approved Law n.º 109/2009 of 15th September concerning the Cybercrime Act, establishing a more specific investigation and collection of evidence in electronic support when it comes to combating this type of crime, as it reinforced the Substantive Criminal Law and Procedural Nature. Nevertheless, the constant debates about the New Technologies of Information and Communication have not neglected the positive role of these tools for the user. However, they express a particular concern for their counterproductive effects; a special caution prevails on the part of the judge in assessing the digital evidence, especially circumstantial evidence, due to its fragility. Indisputably, the practice of crimes through the computer universe, given its inexorable technical complexity, entails many difficulties for the forensic investigation, since the proofs hold temporary, changeable, volatile, and dispersed features. In this pillar, after the consummation of iter criminis, the Fundamental Rights of the suspects may be debated in the course of the investigation and the construction of iter probatorium. 
The intent of this Thesis is to contribute in a reflective way on the issues presented in order to achieve a bigger technical and legal awareness regarding the collection of digital proof, looking for a much lighter approach to its suitability in terms of evidentiary value.
Abstract:
The popularity of information and communication technologies is leading to an increase in evidence found in digital form during police investigations. Police organizations must innovate in order to analyse, manage and take advantage of this digital evidence. In response, they have set up units specialized in technological crime and computer forensic analysis. This study uses innovation theories to determine how the evolution of technologies and of trends in technological crime influences investigations and police organizations. This research aims to increase knowledge about these specialized units by quantifying and qualifying their daily work. With the collaboration of a Canadian police unit specialized in computer forensic analysis, a detailed analysis of the requests for expertise addressed to their service was carried out. The results indicate an increase in digital evidence, with the prevalence of certain forms of crime and certain electronic devices. The factors influencing processing time are highlighted, as are the strategies put forward to manage the growth in service requests effectively. Finally, interviews were conducted with some members of the team to shed light on the challenges and issues relating to the establishment and operation of such a unit. The main issues raised concern the technological and legal environments, staff training, resource management and organizational priorities.
Abstract:
The increasing use of social media, applications or platforms that allow users to interact online, ensures that this environment will provide a useful source of evidence for the forensics examiner. Current tools for the examination of digital evidence find this data problematic as they are not designed for the collection and analysis of online data. Therefore, this paper presents a framework for the forensic analysis of user interaction with social media. In particular, it presents an inter-disciplinary approach for the quantitative analysis of user engagement to identify relational and temporal dimensions of evidence relevant to an investigation. This framework enables the analysis of large data sets from which a (much smaller) group of individuals of interest can be identified. In this way, it may be used to support the identification of individuals who might be ‘instigators’ of a criminal event orchestrated via social media, or a means of potentially identifying those who might be involved in the ‘peaks’ of activity. In order to demonstrate the applicability of the framework, this paper applies it to a case study of actors posting to a social media Web site.
Abstract:
The Internet has become an integral part of our nation’s critical socio-economic infrastructure. With its heightened use and growing complexity however, organizations are at greater risk of cyber crimes. To aid in the investigation of crimes committed on or via the Internet, a network forensics analysis tool pulls together needed digital evidence. It provides a platform for performing deep network analysis by capturing, recording and analyzing network events to find out the source of a security attack or other information security incidents. Existing network forensics work has been mostly focused on the Internet and fixed networks. But the exponential growth and use of wireless technologies, coupled with their unprecedented characteristics, necessitates the development of new network forensic analysis tools. This dissertation fostered the emergence of a new research field in cellular and ad-hoc network forensics. It was one of the first works to identify this problem and offer fundamental techniques and tools that laid the groundwork for future research. In particular, it introduced novel methods to record network incidents and report logged incidents. For recording incidents, location is considered essential to documenting network incidents. However, in network topology spaces, location cannot be measured due to absence of a ‘distance metric’. Therefore, a novel solution was proposed to label locations of nodes within network topology spaces, and then to authenticate the identity of nodes in ad hoc environments. For reporting logged incidents, a novel technique based on Distributed Hash Tables (DHT) was adopted. Although the direct use of DHTs for reporting logged incidents would result in an uncontrollably recursive traffic, a new mechanism was introduced that overcame this recursive process. These logging and reporting techniques aided forensics over cellular and ad-hoc networks, which in turn increased their ability to track and trace attacks to their source. 
These techniques were a starting point for further research and development that would result in equipping future ad hoc networks with forensic components to complement existing security mechanisms.
Abstract:
Nowadays there is almost no crime committed without a trace of digital evidence, and since the advanced functionality of mobile devices today can be exploited to assist in crime, the need for mobile forensics is imperative. Many of the mobile applications available today, including internet browsers, will request the user’s permission to access their current location when in use. This geolocation data is subsequently stored and managed by that application's underlying database files. If recovered from a device during a forensic investigation, such GPS evidence and track points could hold major evidentiary value for a case. The aim of this paper is to examine and compare to what extent geolocation data is available from the iOS and Android operating systems. We focus particularly on geolocation data recovered from internet browsing applications, comparing the native Safari and Browser apps with Google Chrome, downloaded on to both platforms. All browsers were used over a period of several days at various locations to generate comparable test data for analysis. Results show considerable differences not only in the storage locations and formats, but also in the amount of geolocation data stored by different browsers and on different operating systems.
Abstract:
This paper reports on: (a) new primary source evidence on; and (b) statistical and econometric analysis of high technology clusters in Scotland. It focuses on the following sectors: software, life sciences, microelectronics, optoelectronics, and digital media. Evidence on a postal and e-mailed questionnaire is presented and discussed under the headings of: performance, resources, collaboration & cooperation, embeddedness, and innovation. The sampled firms are characterised as being small (viz. micro-firms and SMEs), knowledge intensive (largely graduate staff), research intensive (mean spend on R&D GBP 842k), and internationalised (mainly selling to markets beyond Europe). Preliminary statistical evidence is presented on Gibrat’s Law (independence of growth and size) and the Schumpeterian Hypothesis (scale economies in R&D). Estimates suggest a short-run equilibrium size of just 100 employees, but a long-run equilibrium size of 1000 employees. Further, to achieve the Schumpeterian effect (of marked scale economies in R&D), estimates suggest that firms have to grow to very much larger sizes of beyond 3,000 employees. We argue that the principal way of achieving the latter scale may need to be by takeovers and mergers, rather than by internally driven growth.
Abstract:
The aim of this study is to understand the importance of b2b brands in different phases of the industrial buying process in the digital era. The research problem is approached by examining a b2b supplier brand in the context of gas supplier selection. The data was collected by interviewing individuals from ten different companies. The findings contribute to previous theory by showing that as industrial buying behaviour is eventually individual behaviour, brands can influence decision making. The relevance of a brand depends on individual’s personality and preferences. Digital media cannot be ignored in managing brand image as buyers are present in the online environment. The results reveal that traditional personal selling is, nevertheless, in a key role in brand image building and is a source of added value. The salesperson influences buyers’ perceived associations of a brand and gives the brand a face.
Abstract:
This PhD thesis discusses the impact of Cloud Computing infrastructures on Digital Forensics in the twofold role of target of investigations and as a helping hand to investigators. The Cloud offers a cheap and almost limitless computing power and storage space for data which can be leveraged to commit either new or old crimes and host related traces. Conversely, the Cloud can help forensic examiners to find clues better and earlier than traditional analysis applications, thanks to its dramatically improved evidence processing capabilities. In both cases, a new arsenal of software tools needs to be made available. The development of this novel weaponry and its technical and legal implications from the point of view of repeatability of technical assessments is discussed throughout the following pages and constitutes the unprecedented contribution of this work.
Abstract:
While MOOCs are recognized nowadays as a potential format for professional development and lifelong learning, little research has been conducted on the factors that influence MOOC participation of professionals and unemployed in MOOCs. Based on a framework developed earlier, we conducted a study, which focused on the influence of background variables such as digital competence, age, gender and educational level on MOOC participation. Occupational setting was considered as a moderator in the analysis of the impact of digital skills. Results of the study showed that MOOCs were an important tool for unemployed participants who were more likely to enroll in MOOCs than employed learners. MOOCs were also a way for workers who do not receive employer support for other training activities to get professional development training. Results of the regression analysis showed that a person’s level of digital competence was an important predictor for enrolment in MOOCs and that specifically interaction skills were more important than information skills for participating in the MOOC context.
Abstract:
Peer-to-peer information sharing has fundamentally changed customer decision-making process. Recent developments in information technologies have enabled digital sharing platforms to influence various granular aspects of the information sharing process. Despite the growing importance of digital information sharing, little research has examined the optimal design choices for a platform seeking to maximize returns from information sharing. My dissertation seeks to fill this gap. Specifically, I study novel interventions that can be implemented by the platform at different stages of the information sharing. In collaboration with a leading for-profit platform and a non-profit platform, I conduct three large-scale field experiments to causally identify the impact of these interventions on customers’ sharing behaviors as well as the sharing outcomes. The first essay examines whether and how a firm can enhance social contagion by simply varying the message shared by customers with their friends. Using a large randomized field experiment, I find that i) adding only information about the sender’s purchase status increases the likelihood of recipients’ purchase; ii) adding only information about referral reward increases recipients’ follow-up referrals; and iii) adding information about both the sender’s purchase as well as the referral rewards increases neither the likelihood of purchase nor follow-up referrals. I then discuss the underlying mechanisms. The second essay studies whether and how a firm can design unconditional incentive to engage customers who already reveal willingness to share. I conduct a field experiment to examine the impact of incentive design on sender’s purchase as well as further referral behavior. I find evidence that incentive structure has a significant, but interestingly opposing, impact on both outcomes. The results also provide insights about senders’ motives in sharing. 
The third essay examines whether and how a non-profit platform can use mobile messaging to leverage recipients’ social ties to encourage blood donation. I design a large field experiment to causally identify the impact of different types of information and incentives on donor’s self-donation and group donation behavior. My results show that non-profits can stimulate group effect and increase blood donation, but only with group reward. Such group reward works by motivating a different donor population. In summary, the findings from the three studies will offer valuable insights for platforms and social enterprises on how to engineer digital platforms to create social contagion. The rich data from randomized experiments and complementary sources (archive and survey) also allows me to test the underlying mechanism at work. In this way, my dissertation provides both managerial implication and theoretical contribution to the phenomenon of peer-to-peer information sharing.