Similar literature (20 records)
1.
Digital Investigation, 2014, 11(3): 187-200
A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics. To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequentially fragmented data and missing fragments that have been overwritten by other data. This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on the techniques described in this paper.
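
As an added illustration of the classification and reassembly step (this is not the paper's system), the Python below assumes the DVR stored video as an MPEG transport stream (188-byte packets with sync byte 0x47 and a video PES stream id of 0xE0). It carves clusters that parse cleanly as TS packets out of an unallocated region, orders the fragments by the PES presentation timestamp they carry, and flags continuity-counter gaps where a fragment has been overwritten. The region, the cluster size, the PID and the 0xFF stuffing are all constructed for the example; real DVRs frequently use proprietary containers, so the header test is what would need to change.

```python
"""Classify MPEG-TS video fragments carved from an unallocated region and
reassemble them by PES timestamp, flagging where fragments are missing.

Added example, not the paper's system. Assumes MPEG-TS (188-byte packets,
sync 0x47, video PES stream id 0xE0). The region below is constructed, and
padding with 0xFF is a simplification of real adaptation-field stuffing."""
import random

TS_PACKET = 188
SYNC = 0x47
CLUSTER = 8 * TS_PACKET        # hypothetical allocation unit: 8 packets per cluster
VIDEO_PID = 0x100              # hypothetical PID of the video elementary stream


def encode_pts(pts):
    """5-byte PTS field as laid out in a PES header (marker bits set)."""
    return bytes([0x20 | (((pts >> 30) & 7) << 1) | 1, (pts >> 22) & 0xFF,
                  (((pts >> 15) & 0x7F) << 1) | 1, (pts >> 7) & 0xFF,
                  ((pts & 0x7F) << 1) | 1])


def decode_pts(b):
    return ((((b[0] >> 1) & 7) << 30) | (b[1] << 22) | (((b[2] >> 1) & 0x7F) << 15)
            | (b[3] << 7) | ((b[4] >> 1) & 0x7F))


def build_ts_packet(pid, cc, payload, pts=None):
    """One TS packet; a PTS means the packet starts a PES packet (PUSI set)."""
    if pts is not None:
        payload = b"\x00\x00\x01\xE0\x00\x00\x80\x80\x05" + encode_pts(pts) + payload
    hdr = bytes([SYNC, (0x40 if pts is not None else 0) | (pid >> 8), pid & 0xFF, 0x10 | (cc & 0xF)])
    body = payload[:TS_PACKET - 4]
    return hdr + body + b"\xFF" * (TS_PACKET - 4 - len(body))


def parse_ts_packet(pkt):
    """Header fields of one packet plus the PTS if it carries a video PES header; None if not TS."""
    if len(pkt) != TS_PACKET or pkt[0] != SYNC:
        return None
    pusi = bool(pkt[1] & 0x40)
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    pts = None
    if pusi and pkt[4:8] == b"\x00\x00\x01\xE0" and pkt[11] & 0x80:
        pts = decode_pts(pkt[13:18])
    return {"pid": pid, "pusi": pusi, "cc": pkt[3] & 0xF, "pts": pts}


def classify_fragments(region):
    """Return (offset, packets) for every cluster whose slots all parse as TS packets of one PID."""
    found = []
    for off in range(0, len(region), CLUSTER):
        pkts = [parse_ts_packet(region[i:i + TS_PACKET]) for i in range(off, off + CLUSTER, TS_PACKET)]
        if all(pkts) and len({p["pid"] for p in pkts}) == 1:
            found.append((off, pkts))
    return found


def reassemble(fragments):
    """Order fragments by the first PTS they contain; report continuity-counter gaps between neighbours."""
    timed = [(next(p["pts"] for p in pkts if p["pts"] is not None), off, pkts)
             for off, pkts in fragments if any(p["pts"] is not None for p in pkts)]
    timed.sort()
    order, gaps = [], []
    for i, (pts, off, pkts) in enumerate(timed):
        order.append({"offset": off, "first_pts": pts})
        if i and pkts[0]["cc"] != (timed[i - 1][2][-1]["cc"] + 1) % 16:
            gaps.append((timed[i - 1][1], off))   # a cluster between these two was overwritten
    return order, gaps


def rand_bytes(rnd, n):
    return bytes(rnd.getrandbits(8) for _ in range(n))


def build_region(seed=7):
    """Constructed region: 10 frames of 4 packets, cluster 2 overwritten, the rest shuffled among noise."""
    rnd = random.Random(seed)
    packets = []
    for n in range(40):
        frame, idx = divmod(n, 4)
        pts = frame * 3600 if idx == 0 else None          # 25 fps on the 90 kHz PES clock
        packets.append(build_ts_packet(VIDEO_PID, n, rand_bytes(rnd, 160), pts))
    clusters = [b"".join(packets[8 * j:8 * j + 8]) for j in range(5)]
    noise = lambda: rand_bytes(rnd, CLUSTER)
    return b"".join([noise(), clusters[3], noise(), clusters[0], clusters[4], noise(), clusters[1]])


def demo():
    order, gaps = reassemble(classify_fragments(build_region()))
    return [o["first_pts"] for o in order], len(gaps)
```

Running `demo()` on the constructed region returns the surviving fragments in timestamp order (first PTS 0, 7200, 21600, 28800) and one gap, between the fragments that originally sat either side of the overwritten cluster. Ordering by PTS rather than by disk offset is what makes non-sequential fragmentation tractable; the continuity counter alone is not enough because it wraps every 16 packets.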

2.
畅斌 (Chang Bin). 中国司法鉴定 (Chinese Journal of Forensic Sciences), 2012, (4): 100-103, 106
With the rapid development and spread of information technology, the comprehensive and complex nature of forensic examination of electronic evidence has become increasingly prominent. Taking an economic dispute case as an example, this paper discusses the examination and appraisal of a company's commercial computer system. The main techniques involved include analysis of commercial management software, reconstruction of a hard disk (RAID) array, and database examination, which are representative of forensic examination work in this type of case.

3.
Non-local forms of file storage and transfer raise investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based 'anonymous' online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use, to support law enforcement investigations.

4.
Disk imaging involves copying all of the data from a source disk drive to a target. Typically, the target for the copy is another disk drive. Forensic processes developed years ago do not appear to be adequate for current storage technology. For example, with disk drive capacities now exceeding 1 Terabyte, a typical disk imaging can take over 8 hours at typical rates. With disk drive capacities increasing, forensic copying is expected to take even longer. Along with the increase in disk capacity, the industry has also seen an increase in data transfer rates. In many cases, forensic imaging is taking longer than necessary. To identify the bottlenecks, an examination of different methods used to transfer data from a source disk was performed. Factors considered were differing disk access technologies. One finding is that USB disk access technology (version 2.0 and earlier) is a significant bottleneck for data transfer rates, especially when the USB device is a write-blocker. Other factors that contribute to the efficiency of a forensic copy are the file system used to write a forensic image and the data transfer size used when reading from a disk drive. Optimal parameters for performing a forensic acquisition from a disk drive are identified.

5.
Recently, speed has become one of the hot issues in digital forensics. Thanks to recent advances in technology, today we can get bigger hard disk drives at a lower price than before. Unfortunately, for forensic investigators this means tremendous time and effort in the sequence of creating forensic images, searching them and analyzing them. In order to solve this problem, some methods have been proposed to improve the performance of forensic tools. One of them getting attention is a hardware-based approach. However, such an approach has been limited to the fields of evidence cloning or password cracking, while it is rarely used in searching and analysis of the digital evidence. In this paper, we design and implement a high-speed search engine using a Tarari content processor. Furthermore, we show the feasibility of our approach by comparing its performance and features to those of a popular forensic tool currently on the market.

7.
Digital Investigation, 2014, 11(4): 273-294
A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often of many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on the real world applicability of a method or methods to address the digital forensic data volume challenge.

8.
File-sharing apps with Wi-Fi hotspot or Wi-Fi Direct functions are becoming more popular. They can work on multiple platforms and allow users to transfer files in a concealed manner. However, when criminals use these apps in illegal activities, it becomes an important issue for investigators to find digital evidence on multiple platforms. At present, there are few studies on this topic, and most of them are limited to the single platform problem. In this paper, we propose a forensic examination method for four popular cross-platform file-sharing apps with Wi-Fi hotspot and Wi-Fi Direct functions: Zapya, SHAREit, Xender, and Feem. We use 22 static and live forensic tools on 11 platforms to acquire, analyze, and classify the forensic artifacts. In our experiments, we find many useful forensic artifacts and classify them into six categories. The experimental results can support law enforcement investigations of digital evidence and provide information for future studies on other cross-platform file-sharing apps.

10.
One of the most pressing challenges in digital investigations today is the extraction and forensic preservation of a subset of data on computer clusters and other large storage systems. As the number and capacity of computer systems increase, it is no longer feasible to create forensic duplicates of every system in its entirety. Although forensic tools are being developed to cope with such situations, they do not support all file systems. Experienced digital investigators use tools such as RoboCopy to preserve a subset of data on target systems, and take steps to document their process and results. This paper explores the need for these tools in digital investigations, and demonstrates the strengths and weaknesses of using RoboCopy to acquire data on a network share. This paper then introduces FriendlyRoboCopy, which provides an effective, user-friendly interface to RoboCopy that addresses the requirements of forensic preservation.

11.
Video file format standards define only a limited number of mandatory features and leave room for interpretation. Design decisions of device manufacturers and software vendors are thus a fruitful resource for forensic video authentication. This paper explores AVI and MP4-like video streams of mobile phones and digital cameras in detail. We use customized parsers to extract all file format structures of videos from 19 digital camera models, 14 mobile phone models, and 6 video editing toolboxes in total. We report considerable differences in the choice of container formats, audio and video compression algorithms, acquisition parameters, and internal file structure. In combination, such characteristics can help to authenticate digital video files in forensic settings by distinguishing between original and post-processed videos, verifying the purported source of a file, or identifying the true acquisition device model or the processing software used for video processing.
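
The kind of customized parser the abstract refers to, as an added example rather than the authors' code: it walks the ISO base media file format box ("atom") tree of an MP4-like file, handling the 64-bit `largesize` and size-0 "to end of file" cases, and reduces the file to the structural features that differ between writers (declared brands, top-level box order, nesting). The sample file is constructed inline; the set of container boxes descended into is a reasonable default, and boxes such as `stsd` sample entries or `uuid` would need type-specific handling that is omitted here.

```python
"""Walk the box (atom) tree of an MP4-family file and produce a structural
fingerprint (brands, box order, nesting) of the kind used to tell writers apart.

Added example, not the authors' parser. The sample file is constructed inline."""
import struct

# Boxes treated as containers (their payload is a sequence of child boxes).
CONTAINERS = {"moov", "trak", "mdia", "minf", "stbl", "udta", "edts", "dinf"}


def iter_boxes(data, start=0, end=None):
    """Yield (type, header_size, offset, size) for each box in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        hdr = 8
        if size == 1:                                   # 64-bit largesize follows the type
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:                                 # box extends to the end of the file
            size = end - pos
        if size < hdr or pos + size > end:
            raise ValueError(f"malformed box {btype!r} at offset {pos}")
        yield btype.decode("latin-1"), hdr, pos, size
        pos += size


def box_tree(data, start=0, end=None, depth=0):
    """Flatten the tree into (depth, type, size) triples, descending into known containers."""
    out = []
    for btype, hdr, pos, size in iter_boxes(data, start, end):
        out.append((depth, btype, size))
        if btype in CONTAINERS:
            out.extend(box_tree(data, pos + hdr, pos + size, depth + 1))
    return out


def fingerprint(data):
    """Brands from ftyp plus top-level box order and the full tree."""
    tree = box_tree(data)
    brands = None
    for btype, hdr, pos, size in iter_boxes(data):
        if btype == "ftyp":
            major = data[pos + hdr:pos + hdr + 4].decode("latin-1")
            compat = [data[i:i + 4].decode("latin-1") for i in range(pos + hdr + 8, pos + size, 4)]
            brands = (major, compat)
    return {"brands": brands, "top_level": [t for d, t, s in tree if d == 0], "tree": tree}


def box(btype, payload=b"", large=False):
    """Serialise one box (helper for the constructed sample only)."""
    if large:
        return struct.pack(">I4sQ", 1, btype, 16 + len(payload)) + payload
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def sample_file():
    """Constructed minimal MP4-like file: ftyp, moov{mvhd, trak{tkhd}}, free, mdat with largesize."""
    ftyp = box(b"ftyp", b"mp42" + struct.pack(">I", 0) + b"mp42isom")
    moov = box(b"moov", box(b"mvhd", b"\x00" * 100) + box(b"trak", box(b"tkhd", b"\x00" * 84)))
    return ftyp + moov + box(b"free", b"\x00" * 16) + box(b"mdat", b"\xAB" * 32, large=True)
```

Comparing `fingerprint()` output across files from a known device and a questioned file is the basic move: a camera that always writes `ftyp, moov, mdat` with major brand `mp42`, versus an editor that emits `ftyp, mdat, moov` with an extra `free` box, is distinguishable even when the video payload itself is untouched.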

13.
In this article, the authors discuss the problem of forensic authentication of digital audio recordings. Although forensic audio has been addressed in several articles, the existing approaches are focused on analog magnetic recordings, which are less prevalent because of the large number of digital recorders available on the market (optical, solid state, hard disks, etc.). An approach based on digital signal processing that consists of spread spectrum techniques for speech watermarking is presented. This approach has the advantage that the authentication is based on the signal itself rather than the recording format. Thus, it is valid for the usual recording devices in police-controlled telephone intercepts. In addition, our proposal allows for the introduction of relevant information such as the recording date and time and all the relevant data (this is not always possible with classical systems). Our experimental results reveal that the speech watermarking procedure does not interfere in a significant way with subsequent forensic speaker identification.
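
An added example of the technique named in the abstract, not the authors' scheme (whose parameters the abstract does not give): direct-sequence spread spectrum watermarking of a PCM signal. Each payload bit (here a 32-bit recording timestamp) modulates a keyed pseudo-random chip sequence that is added at low amplitude; the detector correlates the received signal with the same sequence, so recovery depends on the key and the samples, not on the container format. The host signal, spreading factor, amplitude and key are constructed for the example, and the amplitude is a flat constant rather than the psychoacoustically shaped one a production system would use.

```python
"""Direct-sequence spread spectrum watermark: embed a timestamp in audio samples
and recover it by correlation with the keyed chip sequence.

Added example, not the paper's scheme; signal, key and parameters are constructed."""
import math
import random

CHIPS_PER_BIT = 2048    # spreading factor: longer means more robust, lower payload rate
ALPHA = 0.02            # watermark amplitude relative to full scale


def pn_sequence(key, length):
    """Deterministic +/-1 chip sequence derived from the key."""
    rnd = random.Random(key)
    return [rnd.choice((-1.0, 1.0)) for _ in range(length)]


def embed(signal, bits, key):
    """Add ALPHA * (+1/-1) * chip to each sample of the block carrying that bit."""
    pn = pn_sequence(key, CHIPS_PER_BIT)
    out = list(signal)
    for i, bit in enumerate(bits):
        sign = 1.0 if bit else -1.0
        base = i * CHIPS_PER_BIT
        for j in range(CHIPS_PER_BIT):
            out[base + j] += ALPHA * sign * pn[j]
    return out


def extract(signal, nbits, key):
    """Correlate each block with the chip sequence; the sign of the sum is the bit."""
    pn = pn_sequence(key, CHIPS_PER_BIT)
    bits = []
    for i in range(nbits):
        base = i * CHIPS_PER_BIT
        corr = sum(signal[base + j] * pn[j] for j in range(CHIPS_PER_BIT))
        bits.append(1 if corr > 0 else 0)
    return bits


def int_to_bits(value, nbits=32):
    return [(value >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def host_signal(n, rate=8000, seed=1):
    """Constructed stand-in for speech: two harmonics plus a little noise at 8 kHz."""
    rnd = random.Random(seed)
    return [0.15 * math.sin(2 * math.pi * 220 * t / rate) + 0.08 * math.sin(2 * math.pi * 440 * t / rate)
            + 0.005 * rnd.gauss(0, 1) for t in range(n)]


def snr_db(host, marked):
    """Host-to-watermark power ratio, a crude proxy for how audible the mark is."""
    sig = sum(x * x for x in host)
    dist = sum((a - b) ** 2 for a, b in zip(host, marked))
    return 10 * math.log10(sig / dist)


def demo(key=0xC0FFEE):
    """Embed a hypothetical recording time, then recover it with the right and a wrong key."""
    ts = 1333238400                                   # 2012-04-01T00:00:00Z, Unix seconds
    host = host_signal(32 * CHIPS_PER_BIT)
    marked = embed(host, int_to_bits(ts), key)
    good = bits_to_int(extract(marked, 32, key))
    wrong = bits_to_int(extract(marked, 32, key + 1))
    return good, wrong, snr_db(host, marked)
```

With a spreading factor of 2048 the correlation peak per bit is `ALPHA * 2048 = 41`, while the host signal contributes only a zero-mean term with a standard deviation of a few units, which is why the bits come back cleanly; `extract` with the wrong key sees no peak and returns essentially random bits. The robustness of the scheme to re-encoding or resampling, which the abstract's use case needs, depends on this margin, so the spreading factor and amplitude have to be tuned against the distortions actually expected.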

14.
With professional and home Internet users becoming increasingly concerned with data protection and privacy, the privacy afforded by popular cloud file synchronisation services, such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A number of these services have recently been reported as sharing information with governmental security agencies without warrants. BitTorrent Sync is seen as an alternative by many and had gathered over two million users by December 2013 (doubling since the previous month). The service is completely decentralised, offers much of the same synchronisation functionality as cloud powered services and utilises encryption for data transmission (and optionally for remote storage). Understanding BitTorrent Sync and its digital investigative implications will be paramount for law enforcement and forensic investigators in future investigations. This paper outlines the client application and its detected network traffic, and identifies artefacts that may be of value as evidence for future digital investigations.

15.
Science & Justice, 2022, 62(5): 594-601
The need for digital forensic science (DFS) services has grown due to widespread and consistent engagement with technology by members of society. Whilst digital evidence often plays an important role in many inquiries, available investigative resources have failed to keep pace with such demand. As a result, the use of case prioritisation models for backlog/workload management is of increasing importance to ensure the effective deployment of laboratory resources. This work focuses on the concept of case prioritisation in a digital forensic laboratory setting following the submission of exhibits for examination, and describes this workflow. The challenges of case management and prioritisation in laboratories are discussed, with both 'case acceptance' and 'case prioritisation' procedures explained. Finally, the 'Hierarchy of Case Priority' (HiCaP), a transparent, risk-based approach for the prioritisation of cases for examination, is proposed and described using examples.

16.
We describe the design, implementation, and evaluation of FROST, three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.
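
The integrity mechanism the abstract describes, a hash tree over acquired log data with per-entry cryptographic evidence, as an added example (not FROST's code; its exact tree layout is not given, so the RFC 6962-style leaf/node domain separation and promotion of odd nodes used here are assumptions). An examiner who holds only the 32-byte root, obtained at acquisition time, can later verify that a returned log line is unmodified and was part of the original set, and a single changed byte in an entry fails the check. The API log lines are constructed for the example.

```python
"""Merkle (hash) tree over acquired log entries with inclusion proofs, so a
returned entry can be checked against a root recorded at acquisition time.

Added example, not FROST's code. Leaf/node prefixes follow RFC 6962 by assumption."""
import hashlib

LEAF, NODE = b"\x00", b"\x01"     # domain separation: a leaf can never be confused with an inner node


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def build_tree(entries):
    """Return the list of levels, level[0] being the leaf hashes; an unpaired node is promoted as-is."""
    level = [h(LEAF, e) for e in entries]
    levels = [level]
    while len(level) > 1:
        level = [h(NODE, level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(levels):
    return levels[-1][0]


def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append(("R" if sib > index else "L", level[sib]))
        index //= 2
    return proof


def verify_inclusion(entry, proof, expected_root):
    """Recompute the path to the root from the entry and the proof; compare with the recorded root."""
    acc = h(LEAF, entry)
    for side, sib in proof:
        acc = h(NODE, acc, sib) if side == "R" else h(NODE, sib, acc)
    return acc == expected_root


# Constructed API log lines standing in for what the acquisition would collect.
API_LOG = [
    b"2014-03-02T10:11:02Z api instance.start tenant=t1 instance=i-01",
    b"2014-03-02T10:12:45Z api instance.attach_volume tenant=t1 instance=i-01 vol=v-9",
    b"2014-03-02T10:15:10Z api instance.snapshot tenant=t1 instance=i-01",
    b"2014-03-02T10:20:00Z api instance.stop tenant=t1 instance=i-01",
    b"2014-03-02T10:21:30Z api instance.delete tenant=t1 instance=i-01",
]


def demo():
    """Root recorded at acquisition; later, one entry is returned with its proof and checked."""
    levels = build_tree(API_LOG)
    r = root(levels)
    proof = inclusion_proof(levels, 2)
    ok = verify_inclusion(API_LOG[2], proof, r)
    tampered = verify_inclusion(API_LOG[2].replace(b"snapshot", b"rebuild"), proof, r)
    return r.hex(), ok, tampered
```

The point of the tree rather than a flat hash list is that the examiner need only retain and sign the root; any subset of entries can be served later with proofs of logarithmic size, and the provider cannot substitute or drop an entry without changing the root. Note that this protects integrity after the root is fixed; it still relies on the management plane having recorded the log honestly in the first place, which is the trust in the provider the abstract assumes.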

17.
Reconstruction of ripped-up documents can be a very time-consuming task for forensic experts. Currently, this task is often carried out using various homespun or loosely defined procedures. Under the main assumption that a (partially) ordered set of fragments can be recovered, we propose and discuss a more formal analysis methodology for this type of reconstruction problem. We discuss several complications that can occur in real-life problems and illustrate the efficiency of the proposed methods. Although several avenues for further research remain, we show that the proposed approach offers both a better understanding of the problem and important strategies for devising very fast manual and semi-automatic fragment reassembly procedures.

18.
Researchers envisioned Storage as a Service (StaaS) as an effective solution to the distributed management of digital data. Cooperative storage cloud forensics is relatively new and is an under-explored area of research. Using Symform as a case study, we seek to determine the data remnants from the use of cooperative cloud storage services. In particular, we consider both mobile devices and personal computers running various popular operating systems, namely Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4. Potential artefacts recovered during the research include data relating to the installation and uninstallation of the cloud applications, log-in to and log-out from a Symform account using the client application, and file synchronization, together with their timestamp information. This research contributes to an in-depth understanding of the types of terrestrial artefacts that are likely to remain on client devices after the use of a cooperative storage cloud.

19.
The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily and dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increasing use of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMSs. In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all NoSQL DBMSs, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we apply it to MongoDB, a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggest many substantial technical investigation methods for MongoDB, including identifying the real servers storing evidence in a distributed environment, a transaction reconstruction method using log analysis, and recovering deleted data from the MongoDB data file structure.
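
One concrete form the last technique takes, as an added example rather than the authors' procedure: MongoDB stores documents as BSON, and BSON is self-framing (a little-endian int32 total length, a sequence of typed elements, a terminating zero byte), so deleted documents can be carved from raw storage by validating that framing at every offset instead of asking the DBMS. The region below is constructed and includes a document whose tail has been overwritten, which the carver must reject rather than return a truncated record. Caveat: this applies to uncompressed storage such as the pre-3.0 MMAPv1 data files (where deletion rewrites the record header but leaves the BSON body in place until the space is reused) or memory dumps; WiredTiger compresses collection files by default, so pages would have to be decompressed first.

```python
"""Carve BSON documents out of a raw byte region by validating BSON framing.

Added example, not the authors' procedure. Sample region is constructed inline.
Assumes uncompressed storage (MMAPv1 data files or memory); WiredTiger pages
must be decompressed before this is useful."""
import struct

# Fixed-width element types returned as raw bytes: double, UTC datetime, ObjectId.
_FIXED = {0x01: 8, 0x09: 8, 0x07: 12}


def encode_doc(fields):
    """Serialise a dict of bool/int/str/dict values as BSON (helper for the constructed sample)."""
    body = b""
    for k, v in fields.items():
        name = k.encode() + b"\x00"
        if isinstance(v, bool):
            body += b"\x08" + name + (b"\x01" if v else b"\x00")
        elif isinstance(v, int):
            body += b"\x10" + name + struct.pack("<i", v)
        elif isinstance(v, str):
            s = v.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(v, dict):
            body += b"\x03" + name + encode_doc(v)
        else:
            raise TypeError(type(v))
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def parse_doc(buf, pos=0):
    """Parse one BSON document at buf[pos]; return (dict, end_offset) or raise ValueError."""
    if pos + 5 > len(buf):
        raise ValueError("short")
    size = struct.unpack_from("<i", buf, pos)[0]
    end = pos + size
    if size < 5 or end > len(buf) or buf[end - 1] != 0:
        raise ValueError("bad framing")
    out, p = {}, pos + 4
    while p < end - 1:
        t = buf[p]
        nul = buf.index(b"\x00", p + 1, end)           # element name is a C string
        key = buf[p + 1:nul].decode("utf-8")
        p = nul + 1
        if t == 0x02:                                   # UTF-8 string: int32 length incl. NUL
            n = struct.unpack_from("<i", buf, p)[0]
            if n < 1 or buf[p + 4 + n - 1] != 0:
                raise ValueError("bad string")
            out[key] = buf[p + 4:p + 4 + n - 1].decode("utf-8")
            p += 4 + n
        elif t == 0x10:
            out[key] = struct.unpack_from("<i", buf, p)[0]; p += 4
        elif t == 0x12:
            out[key] = struct.unpack_from("<q", buf, p)[0]; p += 8
        elif t == 0x08:
            out[key] = buf[p] == 1; p += 1
        elif t == 0x03:                                 # embedded document
            out[key], p = parse_doc(buf, p)
        elif t in _FIXED:
            out[key] = buf[p:p + _FIXED[t]]; p += _FIXED[t]
        else:
            raise ValueError(f"unsupported element type {t:#x}")
    if p != end - 1:
        raise ValueError("element overrun")
    return out, end


def carve(region, max_size=16 * 1024 * 1024):
    """Scan every byte offset; keep documents that parse cleanly and skip past them."""
    found, pos = [], 0
    while pos + 5 <= len(region):
        size = struct.unpack_from("<i", region, pos)[0]
        if 5 <= size <= max_size:
            try:
                doc, end = parse_doc(region, pos)
                if doc:                                  # empty {} is too easy to hit by accident
                    found.append((pos, doc)); pos = end; continue
            except (ValueError, UnicodeDecodeError, IndexError):
                pass
        pos += 1
    return found


def sample_region():
    """Constructed slack: two live documents, one deleted but intact, one partially overwritten."""
    F = lambda n: b"\xFF" * n                            # filler standing in for unrelated bytes
    live1 = encode_doc({"_id": 1, "user": "alice", "role": "admin", "active": True})
    deleted = encode_doc({"_id": 2, "user": "mallory", "note": "transfer 5000 to acct 77"})
    partial = encode_doc({"_id": 3, "user": "carol"})[:-6]   # tail lost to a later write
    live2 = encode_doc({"_id": 4, "user": "bob", "meta": {"ip": "10.0.0.5", "logins": 4}})
    return F(13) + live1 + F(7) + deleted + F(3) + partial + F(9) + live2 + F(16)
```

`carve(sample_region())` returns the two live records and the deleted `mallory` record with their offsets, and nothing for the truncated one, because its declared length points past data that no longer ends in a zero byte. On a real data file the offsets are what tie a recovered document back to its extent and, through the journal or oplog, to the transaction that removed it.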

20.
The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce the human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM), an unsupervised neural network model, can aid investigators in determining anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted in conducting the analysis more efficiently. The paper demonstrates how the easy visualisation of the SOM enhances the ability of investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.
