Reconstruction of falsified computer logs for digital forensics investigations

Digital forensics investigations aim to find evidence that helps confirm or disprove a hypothesis about an alleged computer-based crime. However, the ease with which computer-literate criminals can falsify computer event logs makes the prosecutor's job highly challenging. Given a log which is suspected to have been falsified or tampered with, a prosecutor is obliged to provide a convincing explanation for how the log may have been created. Here we focus on showing how a suspect computer event log can be transformed into a hypothesised actual sequence of events, consistent with independent, trusted sources of event orderings. We present two algorithms which allow the effort involved in falsifying logs to be quantified, as a function of the number of `moves' required to transform the suspect log into the hypothesised one, thus allowing a prosecutor to assess the likelihood of a particular falsification scenario. The first algorithm always produces an optimal solution but, for reasons of efficiency, is suitable for short event logs only. To deal with the massive amount of data typically found in computer event logs, we also present a second heuristic algorithm which is considerably more efficient but may not always generate an optimal outcome.

Digital forensics in law enforcement: the case of online victimisation of children

Online victimisation of children is concerned with sexual abuse caused with the help of online technologies. Digital forensics is a powerful methodology to discover, prevent and bring criminals to justice. Digital forensics is dependent on tools and access to information from a variety of sources in digital government. This paper reports from a knowledge enhancement project to gain new insights into offender investigations in law enforcement.

Teaching digital forensics to undergraduate students

Digital forensics isn't commonly a part of an undergraduate university degree, but Deakin University in Australia recently introduced the subject as part of an IT security course. As instructors, we've found that digital forensics complements our other security offerings because it affords insights into why and how security fails. A basic part of this course is an ethics agreement signed by students and submitted to the unit instructor. This agreement, approved by Deakin University's legal office and consistent with Barbara Endicott-Popovsky's approach, requires students to maintain a professional and ethical attitude to the subject matter and its applications. Assignments regularly cast students in the role of forensic professional. Our teaching team emphasizes throughout the course that professional conduct establishes credibility with employers and customers as well as colleagues, and is required to perform the job effectively. This article describes our experiences with this course.

The twofold role of Cloud Computing in Digital Forensics: target of investigations and helping hand to evidence analysis

This PhD thesis discusses the impact of Cloud Computing infrastructures on Digital Forensics in the twofold role of target of investigations and as a helping hand to investigators. The Cloud offers a cheap and almost limitless computing power and storage space for data which can be leveraged to commit either new or old crimes and host related traces. Conversely, the Cloud can help forensic examiners to find clues better and earlier than traditional analysis applications, thanks to its dramatically improved evidence processing capabilities. In both cases, a new arsenal of software tools needs to be made available. The development of this novel weaponry and its technical and legal implications from the point of view of repeatability of technical assessments is discussed throughout the following pages and constitutes the unprecedented contribution of this work

Towards Automation in Digital Investigations : Seeking Efficiency in Digital Forensics in Mobile and Cloud Environments

Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. These combined set of circumstances make digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, industry standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought after in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end requirements are outlined and an architecture designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning is developed and tested. Finally the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization particularly within the storage and processing functionality. This decentralization also improves machine to machine communication supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) in digital investigations by removing the need for proximity to the evidence. Experiments show that a single TCP connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication thereby enabling automation and reducing the need for manual human intervention.

From crime to court - an experience report of a digital forensics group project module.

This paper discusses the large-scale group project undertaken by BSc Hons Digital Forensics students at Abertay University in their penultimate year. The philosophy of the project is to expose students to the full digital crime "life cycle", from commission through investigation, preparation of formal court report and finally, to prosecution in court. In addition, the project is novel in two aspects; the "crimes" are committed by students, and the moot court proceedings, where students appear as expert witnesses for the prosecution, are led by law students acting as counsels for the prosecution and defence. To support students, assessments are staged across both semesters with staff feedback provided at critical points. Feedback from students is very positive, highlighting particularly the experience of engaging with the law students and culminating in the realistic moot court, including a challenging cross-examination. Students also commented on the usefulness of the final debrief, where the whole process and the student experience is discussed in an informal plenary meeting between DF students and staff, providing an opportunity for the perpetrators and investigators to discuss details of the "crimes", and enabling all groups to learn from all crimes and investigations. We conclude with a reflection on the challenges encountered and a discussion of planned changes.

FIA : an open foresic integration architecture for composing digital evidence

The analysis and value of digital evidence in an investigation has been the domain of discourse in the digital forensic community for several years. While many works have considered different approaches to model digital evidence, a comprehensive understanding of the process of merging different evidence items recovered during a forensic analysis is still a distant dream. With the advent of modern technologies, pro-active measures are integral to keeping abreast of all forms of cyber crimes and attacks. This paper motivates the need to formalize the process of analyzing digital evidence from multiple sources simultaneously. In this paper, we present the forensic integration architecture (FIA) which provides a framework for abstracting the evidence source and storage format information from digital evidence and explores the concept of integrating evidence information from multiple sources. The FIA architecture identifies evidence information from multiple sources that enables an investigator to build theories to reconstruct the past. FIA is hierarchically composed of multiple layers and adopts a technology independent approach. FIA is also open and extensible making it simple to adapt to technological changes. We present a case study using a hypothetical car theft case to demonstrate the concepts and illustrate the value it brings into the field.

A framework for identifying associations in digital evidence using metadata

Digital forensics concerns the analysis of electronic artifacts to reconstruct events such as cyber crimes. This research produced a framework to support forensic analyses by identifying associations in digital evidence using metadata. It showed that metadata based associations can help uncover the inherent relationships between heterogeneous digital artifacts thereby aiding reconstruction of past events by identifying artifact dependencies and time sequencing. It also showed that metadata association based analysis is amenable to automation by virtue of the ubiquitous nature of metadata across forensic disk images, files, system and application logs and network packet captures. The results prove that metadata based associations can be used to extract meaningful relationships between digital artifacts, thus potentially benefiting real-life forensics investigations.

Reproducibility of digital evidence in forensic investigations

We present a three-component model of a digital investigation which comprises: determination of input-output layers, assignment of read and write operations associated with use of forensic tools, and time-stamping of read and write operations. This builds on work of several authors, culminating in the new model presented here which is generic, scalable and compatible with all functions in the system, and which is guaranteed to produce a high quality of reproducibility.

A performance testing framework for digital forensic tools

This thesis surveys the latest development of digital forensic tools designed for anti-cybercrime purposes. It discusses the necessity of testing the digital forensics tools, and presents a novel testing framework. This new testing framework takes the viewpoint of software vendors rather than traditional software engineering approaches.

Robust correctness testing for digital forensic tools

In previous work, the authors presented a theoretical lower bound on the required number of testing runs for performance testing of digital forensic tools. We also demonstrated a practical method of testing showing how to tolerate both measurement and random errors in order to achieve results close to this bound. In this paper, we extend the previous work to the situation of correctness testing. The contribution of this methodology enables the tester to achieve correctness testing results of high quality from a manageable number of observations and in a dynamic but controllable way. This is of particular interest to forensic testers who do not have access to sophisticated equipment and who can allocate only a small amount of time to testing.

Using relationship-building in event profiling for digital forensic investigations

In a forensic investigation, computer profiling is used to capture evidence and to examine events surrounding a crime. A rapid increase in the last few years in the volume of data needing examination has led to an urgent need for automation of profiling. In this paper, we present an efficient, automated event profiling approach to a forensic investigation for a computer system and its activity over a fixed time period. While research in this area has adopted a number of methods, we extend and adapt work of Marrington et al. based on a simple relational model. Our work differs from theirs in a number of ways: our object set (files, applications etc.) can be enlarged or diminished repeatedly during the analysis; the transitive relation between objects is used sparingly in our work as it tends to increase the set of objects requiring investigative attention; our objective is to reduce the volume of data to be analyzed rather than extending it. We present a substantial case study to illuminate the theory presented here. The case study also illustrates how a simple visual representation of the analysis could be used to assist a forensic team.