Robust performance testing for digital forensic tools

In previous work, the authors presented a theoretical lower bound on the required number of testing runs for performance testing of digital forensic tools. However, experimental errors are inevitable in laboratory settings, occurring as measurement errors or as random errors and can result in practical situations where the number of testing runs is far from the theoretical bound. This paper adapts our former work to tolerate such errors in the testing results. The contribution of our new methodology enables the tester to achieve performance testing results of high quality from a manageable number of observations and in a dynamic but controllable way. This is of particular interest to forensic testers who do not have access to sophisticated equipment and who can allocate only a small amount of time to testing.

A lower bound on effective performance testing for digital forensic tools

The increasing complexity and number of digital forensic tasks required in criminal investigations demand the development of an effective and efficient testing methodology, enabling tools of similar functionalities to be compared based on their performance. Assuming that the tool tester is familiar with the underlying testing platform and has the ability to use the tools correctly, we provide a numerical solution for the lower bound on the number of testing cases needed to determine comparative capabilities of any set of digital forensic tools. We also present a case study on the performance testing of password cracking tools, which allows us to confirm that the lower bound on the number of testing runs needed is closely related to the row size of certain orthogonal arrays. We show how to reduce the number of test runs by using knowledge of the underlying system

A performance testing framework for digital forensic tools

This thesis surveys the latest development of digital forensic tools designed for anti-cybercrime purposes. It discusses the necessity of testing the digital forensics tools, and presents a novel testing framework. This new testing framework takes the viewpoint of software vendors rather than traditional software engineering approaches.

Robust correctness testing for digital forensic tools

In previous work, the authors presented a theoretical lower bound on the required number of testing runs for performance testing of digital forensic tools. We also demonstrated a practical method of testing showing how to tolerate both measurement and random errors in order to achieve results close to this bound. In this paper, we extend the previous work to the situation of correctness testing. The contribution of this methodology enables the tester to achieve correctness testing results of high quality from a manageable number of observations and in a dynamic but controllable way. This is of particular interest to forensic testers who do not have access to sophisticated equipment and who can allocate only a small amount of time to testing.

Hypothesis generation and testing in event profiling for digital forensic investigations

The need for an automated approach to forensic digital investigation has been recognized for some years, and several authors have developed frameworks in this direction. The aim of this paper is to assist the forensic investigator with the generation and testing of hypotheses in the analysis phase. In doing so, the authors present a new architecture which facilitates the move to automation of the investigative process; this new architecture draws together several important components of the literature on question and answer methodologies including the concept of ‘pivot’ word and sentence ranking. Their architecture is supported by a detailed case study demonstrating its practicality.

Assisting digital forensic analysis via exploratory information visualisation

Background: Digital forensics is a rapidly expanding field, due to the continuing advances in computer technology and increases in data stage capabilities of devices. However, the tools supporting digital forensics investigations have not kept pace with this evolution, often leaving the investigator to analyse large volumes of textual data and rely heavily on their own intuition and experience. Aim: This research proposes that given the ability of information visualisation to provide an end user with an intuitive way to rapidly analyse large volumes of complex data, such approached could be applied to digital forensics datasets. Such methods will be investigated; supported by a review of literature regarding the use of such techniques in other fields. The hypothesis of this research body is that by utilising exploratory information visualisation techniques in the form of a tool to support digital forensic investigations, gains in investigative effectiveness can be realised. Method:To test the hypothesis, this research examines three different case studies which look at different forms of information visualisation and their implementation with a digital forensic dataset. Two of these case studies take the form of prototype tools developed by the researcher, and one case study utilises a tool created by a third party research group. A pilot study by the researcher is conducted on these cases, with the strengths and weaknesses of each being drawn into the next case study. The culmination of these case studies is a prototype tool which was developed to resemble a timeline visualisation of the user behaviour on a device. This tool was subjected to an experiment involving a class of university digital forensics students who were given a number of questions about a synthetic digital forensic dataset. Approximately half were given the prototype tool, named Insight, to use, and the others given a common open-source tool. The assessed metrics included: how long the participants took to complete all tasks, how accurate their answers to the tasks were, and how easy the participants found the tasks to complete. They were also asked for their feedback at multiple points throughout the task. Results:The results showed that there was a statistically significant increase in accuracy for one of the six tasks for the participants using the Insight prototype tool. Participants also found completing two of the six tasks significantly easier when using the prototype tool. There were no statistically significant different difference between the completion times of both participant groups. There were no statistically significant differences in the accuracy of participant answers for five of the six tasks. Conclusions: The results from this body of research show that there is evidence to suggest that there is the potential for gains in investigative effectiveness when information visualisation techniques are applied to a digital forensic dataset. Specifically, in some scenarios, the investigator can draw conclusions which are more accurate than those drawn when using primarily textual tools. There is also evidence so suggest that the investigators found these conclusions to be reached significantly more easily when using a tool with a visual format. None of the scenarios led to the investigators being at a significant disadvantage in terms of accuracy or usability when using the prototype visual tool over the textual tool. It is noted that this research did not show that the use of information visualisation techniques leads to any statistically significant difference in the time taken to complete a digital forensics investigation.

Teachers’ Perspectives on Moving Image as a digital literacy tool in Creative Classrooms

Eight Creative Classroom (CCR) elements are used as a framework for analysing teachers’ current attitudes towards the use of moving images as a tool for teaching digital literacy to pupils aged 11-18 years in the context of ‘Creative Classrooms’. This paper reports on the challenges being faced by innovative teachers willing to adopt moving image (as a new ICT) into their teaching, and highlights the gaps currently present in the systemic support structures in schools which need to be addressed for innovative pedagogical practices to occur in these Creative Classrooms. By ensuring educators learn from their experiences of poor ICT uptake in the past and utilise these lessons for future innovations in classrooms, it is hoped that the transition to moving image, and its associated digital literacy skills, will be smooth and beneficial to the learners.

Using relationship-building in event profiling for digital forensic investigations

In a forensic investigation, computer profiling is used to capture evidence and to examine events surrounding a crime. A rapid increase in the last few years in the volume of data needing examination has led to an urgent need for automation of profiling. In this paper, we present an efficient, automated event profiling approach to a forensic investigation for a computer system and its activity over a fixed time period. While research in this area has adopted a number of methods, we extend and adapt work of Marrington et al. based on a simple relational model. Our work differs from theirs in a number of ways: our object set (files, applications etc.) can be enlarged or diminished repeatedly during the analysis; the transitive relation between objects is used sparingly in our work as it tends to increase the set of objects requiring investigative attention; our objective is to reduce the volume of data to be analyzed rather than extending it. We present a substantial case study to illuminate the theory presented here. The case study also illustrates how a simple visual representation of the analysis could be used to assist a forensic team.

Using relationship-building in event profiling for digital forensic investigations

In a forensic investigation, computer profiling is used to capture evidence and to examine events surrounding a crime. A rapid increase in the last few years in the volume of data needing examination has led to an urgent need for automation of profiling. In this paper, we present an efficient, automated event profiling approach to a forensic investigation for a computer system and its activity over a fixed time period. While research in this area has adopted a number of methods, we extend and adapt work of Marrington et al. based on a simple relational model. Our work differs from theirs in a number of ways: our object set (files, applications etc.) can be enlarged or diminished repeatedly during the analysis; the transitive relation between objects is used sparingly in our work as it tends to increase the set of objects requiring investigative attention; our objective is to reduce the volume of data to be analyzed rather than extending it. We present a substantial case study to illuminate the theory presented here. The case study also illustrates how a simple visual representation of the analysis could be used to assist a forensic team.

Towards a sustainable assessment strategy for digital forensic education and training

In this paper, we show the development and application of a sustainable assessment strategy as an implementation of effective learning for a computer crime and digital forensics unit. The unit is undertaken by undergraduate students as part of an Information Technology Security course at Deakin University. Over a five year period the teaching team has made continuous improvements to the delivery of material and content taking informal student feedback and Faculty review into careful consideration. In addition formal student evaluation of the unit has been extremely positive. As part of reflective teaching practice the teaching team derived a map of the relationship between learning objectives, learning activities, the assessment and the unit outcomes to verify what has led to the favorable student experience and its impact on learning process in order to repeat this strategy for other tertiary courses.

Is characterizing the digital forensic facial reconstruction with hair necessary? A familiar assessors' analysis

Background: In the international scientific literature, there are few studies that emphasize the presence or absence of hair in forensic facial reconstructions. There are neither Brazilian studies concerning digital facial reconstructions without hair, nor research comparing recognition tests between digital facial reconstructions with hair and without hair. The miscegenation of Brazilian people is considerable. Brazilian people, and, in particular, Brazilian women, even if considered as Caucasoid, may present the hair in very different ways: curly, wavy or straight, blonde, red, brown or black, long or short, etc. For this reason, it is difficult to find a correct type of hair for facial reconstruction (unless, in real cases, some hair is recovered with the skeletal remains). Aims and methods: This study focuses on the performance of three different digital forensic facial reconstructions, without hair, of a Brazilian female subject (based on one international database and two Brazilian databases for soft facial-tissue thickness) and evaluates the digital forensic facial reconstructions comparing them to photographs of the target individual and nine other subjects, employing the recognition method. A total of 22 assessors participated in the recognition process; all of them were familiar with the 10 individuals who composed the face pool. Results and conclusions: The target subject was correctly recognized by 41% of the 22 examiners in the International Pattern, by 32% in the Brazilian Magnetic Resonance Pattern and by 32% in the Brazilian Fresh Cadavers Pattern. The facial reconstructions without hair were correctly recognized using the three databases of facial soft-tissue thickness. The observed results were higher than the results obtained using facial reconstructions with hair, from the same skull, which can indicate that it is better to not use hair, at least when there is no information concerning its characteristics. © 2013 Elsevier B.V. All rights reserved.

Digital forensic osteology--possibilities in cooperation with the Virtopsy project

The present study was carried out to check whether classic osteometric parameters can be determined from the 3D reconstructions of MSCT (multislice computed tomography) scans acquired in the context of the Virtopsy project. To this end, four isolated and macerated skulls were examined by six examiners. First the skulls were conventionally (manually) measured using 32 internationally accepted linear measurements. Then the skulls were scanned by the use of MSCT with slice thicknesses of 1.25 mm and 0.63 mm, and the 33 measurements were virtually determined on the digital 3D reconstructions of the skulls. The results of the traditional and the digital measurements were compared for each examiner to figure out variations. Furthermore, several parameters were measured on the cranium and postcranium during an autopsy and compared to the values that had been measured on a 3D reconstruction from a previously acquired postmortem MSCT scan. The results indicate that equivalent osteometric values can be obtained from digital 3D reconstructions from MSCT scans using a slice thickness of 1.25 mm, and from conventional manual examinations. The measurements taken from a corpse during an autopsy could also be validated with the methods used for the digital 3D reconstructions in the context of the Virtopsy project. Future aims are the assessment and biostatistical evaluation in respect to sex, age and stature of all data sets stored in the Virtopsy project so far, as well as of future data sets. Furthermore, a definition of new parameters, only measurable with the aid of MSCT data would be conceivable.

A Study of the Molecular Basis of Microvariants at the FGA and D21S11 Loci Used in Forensic DNA Testing

Microvariant alleles, defined as alleles that contain an incomplete repeat unit, often complicate the process of DNA analysis. Understanding the molecular basis of microvariants would help to catalogue results and improve upon the analytical process involved in DNA testing. The first step is to determine the sequence/cause of a microvariant. This was done by sequencing samples that were determined to have a microvariant at the FGA or D21S11 loci. The results indicate that a .2 microvariant at the D21S11 locus is caused by a -TA- dinucleotide partial repeat before the last full TCTA repeat. The .2 microvariant at the FGA locus is caused by a -TT- dinucleotide partial repeat after the fifth full repeat and before the variable CTTT repeat motif. There are several possibilities for the reason the .2 microvariants are all the same at a locus, each of which carry implications on the forensic community. The first possibility is that the microvariants are identical by descent, which means that the microvariant is an old allele that has been passed down through the generations. The second possibility is that the microvariants are identical by state, which would mean that there is a mechanism selecting for these microvariants. Future research studying the flanking regions of these microvariants is proposed to determine which of these possibilities is the actual cause and to learn more about the molecular basis of microvariants.