Similar literature
1.
CCTV surveillance systems are ubiquitous IoT appliances. Their forensic examination has proven critical for investigating crimes. DAHUA Technology is a well-known manufacturer of such products. Despite its global market share, research regarding digital forensics of DAHUA Technology CCTV systems is scarce and currently limited to extracting their video footage, overlooking the potential presence of valuable artifacts within their log records. These pieces of evidence remain unexploited by major commercial forensic software, yet they can hide vital information for an investigation. For instance, these log records document user actions, such as formatting the CCTV system's hard drive or disabling camera recording. This information can assist in attributing nefarious actions to specific users and hence can be invaluable for understanding the sequence of events related to incidents. Therefore, in this paper, several DAHUA Technology CCTV systems are thoroughly analyzed for these unexplored pieces of evidence, and their forensic value is presented.

2.
《Digital Investigation》2014,11(3):187-200
A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics. To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequential fragmentation and missing fragments overwritten by other data. This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on the techniques described in this paper.

3.
The ability to reconstruct the data stored in a database at an earlier time is an important aspect of database forensics. Past research shows that the log file in a database can be useful for reconstruction. However, in many database systems there are various options that control which information is included in the logs. This paper introduces the notion of the ideal log setting necessary for an effective reconstruction process in database forensics. The paper provides a survey of the default logging preferences in some of the popular database management systems and identifies the information that a database log should contain in order to be useful for reconstruction. The challenges that may be encountered in storing the information as well as ways of overcoming the challenges are discussed. Possible logging preferences that may be considered as the ideal log setting for the popular database systems are also proposed. In addition, the paper relates the identified requirements to the three dimensions of reconstruction in database forensics and points out the additional requirements and/or techniques that may be required in the different dimensions.

4.
Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs are first preprocessed and then clustered using an improved MajorClust algorithm to obtain better clusters. This technique provides parameter-free clustering so that it can automatically produce an analysis report for the forensic investigators. The clustering results are checked for anomalies based on a score that considers factors such as the total number of members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved an accuracy of 83.14% on the authentication log dataset.

5.
This paper first analyzes the basic concepts of network forensics, then introduces the analysis process of a network forensics system, and finally proposes and designs an implementation model for a distributed real-time network forensics system.

6.
Objective: To analyze the influence of different factors on file time attributes in Windows systems and to summarize the patterns by which file time attributes change. Methods: In the FAT32 and NTFS file systems, various operations were performed on files and folders, the changes in their time attributes were recorded, the patterns were summarized, and the influence of each factor was analyzed. Results: The updating of file time attributes is related to factors such as the system environment, the operation method, and the file type, and file time attributes are updated with a specific period. Conclusion: Changes to file time attributes in Windows systems follow specific patterns but are also affected by other factors, which should be taken into account during examination.

7.
Using file-carving techniques from digital forensics, and taking AVI files as the example, this paper describes a file-carving method that detects AVI file fragments and orders and reassembles the fragments into a complete file. The file-carving method in the example is based on the structural characteristics of the AVI file format and draws on file-carving ideas such as file-structure keyword matching and bifragment gap carving to complete the experiment. This method can carve AVI files even when the file system metadata has been lost. Experimental results show that the method improves the success rate of carving fragmented AVI files.

8.
As the closed-circuit television (CCTV) security industry transitioned from analog media to digital video recorders (DVRs) with digital storage, the law enforcement community struggled with the means with which to collect the recordings. New guidelines needed to be established to determine the collection method which would be efficient as well as provide the best quality evidence from live DVRs. A test design was developed to measure, quantify, and rank the quality of acquisition methods used on live systems from DVRs typically used in digital CCTV systems. The purpose was to determine guidelines for acquiring the best quality video for investigative purposes. A test pattern which provided multiple quantifiable metrics for comparison between the methods of acquisition was used. The methods of acquisition included direct data download of the proprietary file and open file format as well as recording the video playback from the DVR via the available display monitor connections including the composite video, Video Graphics Array (VGA), and high-definition multimedia interface (HDMI). While some acquisition methods may provide the best quality evidence, other methods of acquisition are not to be discounted depending on the situation and need for efficiency. For an investigator who needs to retrieve video evidence from live digital CCTV systems, the proprietary file format, overall, provides the best quality evidence. However, depending on the circumstance and as recording technology continues to evolve, options other than the proprietary file format may provide quality that is equal to or greater than the proprietary file format.

9.
Significantly increased use of USB devices due to their user-friendliness and large storage capacities poses various threats for many users/companies in terms of data theft, which becomes easier due to their efficient mobility. Investigations of such data theft activities would require gathering critical digital information capable of recovering digital forensics artifacts like date, time, and device information. This research gathers three sets of registry and log data: first, before insertion; second, during insertion; and third, after removal of a USB device. These sets are analyzed to gather evidentiary information from the Registry and the Windows Event log that helps in tracking a USB device. This research furthers the prior research on earlier versions of Microsoft Windows and compares it with the latest Windows 10 system. Comparison of Windows 8 and Windows 10 does not show much difference except for a new subkey under the USB key in the registry. However, comparison of Windows 7 with the latest version indicates significant variances.

10.
This work introduces novel methods for conducting forensic analysis of file allocation traces, collectively called digital stratigraphy. These in-depth forensic analysis methods can provide insight into the origin, composition, distribution, and time frame of strata within storage media. Using case examples and empirical studies, this paper illuminates the successes, challenges, and limitations of digital stratigraphy. This study also shows how understanding file allocation methods can provide insight into concealment activities and how real-world computer usage can complicate digital stratigraphy. Furthermore, this work explains how forensic analysts have misinterpreted traces of normal file system behavior as indications of concealment activities. This work raises awareness of the value of taking the overall context into account when analyzing file system traces. This work calls for further research in this area and for forensic tools to provide necessary information for such contextual analysis, such as highlighting mass deletion, mass copying, and potential backdating.

11.
File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen for Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.

12.
Trust has been defined in many ways, but at its core it involves acting without the knowledge needed to act. Trust in records depends on four types of knowledge about the creator or custodian of the records: reputation, past performance, competence, and the assurance of confidence in future performance. For over half a century society has been developing and adopting new computer technologies for business and communications in both the public and private realm. Frameworks for establishing trust have developed as technology has progressed. Today, individuals and organizations are increasingly saving and accessing records in cloud computing infrastructures, where we cannot assess our trust in records solely on the four types of knowledge used in the past. Drawing on research conducted at the University of British Columbia into the nature of digital records and their trustworthiness, this article presents the conceptual archival and digital forensic frameworks of trust in records and data, and explores the common law legal framework within which questions of trust in documentary evidence are being tested. Issues and challenges specific to cloud computing are introduced.

13.
Combining the requirements of digital evidence examination practice and the construction of laboratory management systems, and based on an analysis of the current state of digital evidence examination standardization at home and abroad, this paper proposes the overall framework and components of a standards system for digital evidence examination and analyzes the key technical issues in developing the standards.

14.
Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file, where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

15.
Objective: In the digital forensics process, the encryption and decryption of data is often a focus of forensic examiners. The Data Protection API (DPAPI), a data protection interface provided by the Windows system, is widely used and is currently mainly used to protect encrypted data. Its key characteristic is that encryption and decryption must be performed on the same computer; key generation, use, and management are completed internally by the Windows system, and if the computer is changed, DPAPI-encrypted data cannot be decrypted....

16.
This review discusses microbial forensics as an emerging science that finds application in protecting human health. It is important to distinguish naturally acquired infections from those caused by the intentional release of microorganisms to the environment. This information is crucial in formulating procedures against the spread of infectious diseases and prosecuting persons who may be involved in acts of biocrime, bioterrorism, or biowarfare. A comparison between epidemiological investigations and microbial forensic investigations is provided. In addition, a discussion on how microbial forensics strengthens health systems is included in this review. Microbial forensic investigations and epidemiologic examinations employ similar concepts and involve identifying and characterising the microbe of interest. Both fields require formulating an appropriate case definition, determining a pathogen's mode of transmission, and identifying the source(s) of infection. However, the two subdisciplines differ in their objectives. An epidemiological investigation aims to identify the pathogen's source to prevent the spread of the disease. Microbial forensics focuses on source-tracking to facilitate the prosecution of persons responsible for the spread of a pathogen. Both fields use molecular techniques in analysing and comparing DNA, gene products, and biomolecules to identify and characterise the microorganisms of interest. We included case studies to show methods used in microbial forensic investigations, a brief discussion of the public significance of microbial forensic systems, and a roadmap for establishing a system at a national level. This system is expected to strengthen a country's capacity to respond to public health emergencies. Several factors must be considered in establishing national microbial forensic systems. First is the inherent ubiquity, diversity, and adaptability of microorganisms that warrants the use of robust and accurate molecular typing systems. Second, the availability of facilities and scientists who have been trained in epidemiology, molecular biology, bioinformatics, and data analytics. Human resources and infrastructure are critical requirements because formulating strategies and allocating resources in times of infectious disease outbreaks must be data-driven. Establishing and maintaining a national microbial forensic system to strengthen capacities in conducting forensic and epidemiological investigations should be prioritised by all countries, accompanied by a national policy that sets the legislative framework and provides for the system's financial requirements.

17.
The PowerPlex 16 System from Promega Corporation allows single tube multiplex amplification of sixteen short tandem repeat (STR) loci including all 13 core combined DNA index system STRs. This report presents an updated validation of the PowerPlex 16 System on Applied Biosystems' 96 capillary 3730xl DNA Analyzer. The validation protocol developed in our laboratory allows for the analysis of 1536 loci (96 x 16) in c. 50 min. We have further optimized the assay by decreasing the reaction volume to one-quarter of that recommended by the manufacturer, thereby substantially reducing the total cost per sample without compromising reproducibility or specificity. This reduction in reaction volume has the ancillary benefit of dramatically increasing the sensitivity of the assay, allowing for accurate analysis of lower quantities of DNA. Due to its substantially increased throughput capability, this extended validation of the PowerPlex 16 System should be useful in reducing the backlog of unanalyzed DNA samples currently facing public DNA forensic laboratories.

18.
Security incidents such as targeted distributed denial of service (DDoS) attacks on power grids and hacking of factory industrial control systems (ICS) are on the increase. This paper unpacks where emerging security risks lie for the industrial internet of things, drawing on both technical and regulatory perspectives. Legal changes are being ushered in by the European Union (EU) Network and Information Security (NIS) Directive 2016 and the General Data Protection Regulation 2016 (GDPR) (both to be enforced from May 2018). We use the case study of the emergent smart energy supply chain to frame, scope out and consolidate the breadth of security concerns at play, and the regulatory responses. We argue the industrial IoT brings four security concerns to the fore, namely: appreciating the shift from offline to online infrastructure; managing temporal dimensions of security; addressing the implementation gap for best practice; and engaging with infrastructural complexity. Our goal is to surface risks and foster dialogue to avoid the emergence of an Internet of Insecure Industrial Things.
