Similar literature
20 similar records found.
1.
Jump lists show the file opening activity of a computer user. When a computer user wants to know the most recent file they opened, a jump list can provide that information. Windows 7 displays jump lists for recently used files, but more importantly for investigators, it also records hidden jump list artifacts. These hidden jump list artifacts reveal the complete trail a fraudster follows in creating fraudulent documents or performing other illegal activities when using their computers. Such jump list artifacts can remain on the computer's drives for years. The paper describes a method that can be used to identify artifacts and their potential for use as forensic evidence in a financial fraud case.

2.
Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.

3.
This work introduces novel methods for conducting forensic analysis of file allocation traces, collectively called digital stratigraphy. These in-depth forensic analysis methods can provide insight into the origin, composition, distribution, and time frame of strata within storage media. Using case examples and empirical studies, this paper illuminates the successes, challenges, and limitations of digital stratigraphy. This study also shows how understanding file allocation methods can provide insight into concealment activities and how real-world computer usage can complicate digital stratigraphy. Furthermore, this work explains how forensic analysts have misinterpreted traces of normal file system behavior as indications of concealment activities. This work raises awareness of the value of taking the overall context into account when analyzing file system traces. This work calls for further research in this area and for forensic tools to provide necessary information for such contextual analysis, such as highlighting mass deletion, mass copying, and potential backdating.

4.
File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.

Another concept not seen in other Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB.

Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x.

It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.

5.
As the closed-circuit television (CCTV) security industry transitioned from analog media to digital video recorders (DVRs) with digital storage, the law enforcement community struggled with the means with which to collect the recordings. New guidelines needed to be established to determine the collection method which would be efficient as well as provide the best quality evidence from live DVRs. A test design was developed to measure, quantify, and rank the quality of acquisition methods used on live systems from DVRs typically used in digital CCTV systems. The purpose was to determine guidelines for acquiring the best quality video for investigative purposes. A test pattern which provided multiple quantifiable metrics for comparison between the methods of acquisition was used. The methods of acquisition included direct data download of the proprietary file and open file format as well as recording the video playback from the DVR via the available display monitor connections including the composite video, Video Graphics Array (VGA), and high-definition multimedia interface (HDMI). While some acquisition methods may provide the best quality evidence, other methods of acquisition are not to be discounted depending on the situation and need for efficiency. For an investigator who needs to retrieve video evidence from live digital CCTV systems, the proprietary file format, overall, provides the best quality evidence. However, depending on the circumstance and as recording technology continues to evolve, options other than the proprietary file format may provide quality that is equal to or greater than the proprietary file format.

6.
Digital Investigation, 2007, 4(3-4): 116-118
The NTFS file system underlying modern Windows versions provides the user with a number of novel ways in which to configure data storage and data paths within the NTFS environment. This article seeks to explain two of these, Volume Mount Points and Directory Junctions, such that when they are encountered the forensic examiner will have some information as to their use and structure.

7.
The temperature-based algorithm known as the Nomogram Method for the determination of a 95.45% death-time interval can be combined with non-temperature-based (NTB) findings in the so-called Compound Method (CM). The impact of such integration on the probability yielded by the resulting interval has however neither been described nor exploited. In fact the interval after integration of NTB findings rarely yields 95.45% probability. We present a method, based on the conditional probability distribution that can be calculated if the NTB findings are taken into account, which ensures the probability inside the interval to be 95.45%. The method was successfully applied to a set of 53 cases published by Henssge et al. and led to a reduction of the interval width of up to more than 15% compared to the CM interval, whereas in other cases the interval width increased due to the probability content of the CM intervals being below 95.45%. A spreadsheet file in which the method proposed in this paper is implemented can be obtained upon email request from the authors.

8.
Digital Investigation, 2007, 4(3-4): 138-145
Pidgin, formerly known as Gaim, is a multi-protocol instant messaging (IM) client that supports communication on most of the popular IM networks. Pidgin is chiefly popular under Linux, and is available for Windows, BSD and other UNIX versions. This article presents a number of traces that are left behind after the use of Pidgin on Linux, enabling digital investigators to search for and interpret instant messaging activities, including online conversations and file transfers. Specifically, the contents and structures of user settings, log files, contact files and the swap partition are discussed. In addition to looking for such information in active files on a computer, forensic examiners can recover deleted items by searching a hard drive for file signatures and known file structures detailed in this article.

9.
Video data received for analysis often come in a variety of file formats and compression schemes. These data are often transcoded to a consistent file format for forensic examination and/or ingestion into a video analytic system. The file format often requested is the MP4 file format. The MP4 file format is a very common and universally accepted file format. The practical application of this transcoding process, across the analytical community, has generated differences in video quality. This study sought to explore possible origins of the differences and assist the practitioner by defining minimum recommendations to ensure that the quality of the video data is maintained through the transcoding process. This study sought to generate real world data by asking participants to transcode provided video files to an MP4 file format using programs they would typically utilize to perform this task. The transcoded results were evaluated based on measurable metrics of quality. As the results were analyzed, determining why these differences might have occurred became less about a particular software application and more about the settings employed by the practitioner or the capabilities of the program. This study supports the need for any video examiner who is transcoding video data to be cognizant of the settings utilized by the programs employed for transcoding video data, as loss of video quality can affect analytics as well as further analysis.

10.
Digital Investigation, 2014, 11(2): 102-110
Anti-forensics has developed to prevent digital forensic investigations; thus forensic investigations to counter anti-forensic behaviors have been studied in various areas. In the area of user activity analysis, "IconCache.db" files contain icon cache information related to applications, which can yield meaningful information for digital forensic investigations such as the traces of deleted files. A previous study investigated the general artifacts found in the IconCache.db file. In the present study, further features and structures of the IconCache.db file are described. We also propose methods for analyzing anti-forensic behaviors (e.g., time information related to the deletion of files). Finally, we introduce an analytical tool that was developed based on the file structure of IconCache.db. The tool parses out strings from the IconCache.db to assist an analyst. Therefore, an analyst can more easily analyze the IconCache.db file using the tool.

11.
Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based 'anonymous' online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.

12.
"Business development" is a corporate entrepreneurial capability (or competence) that has emerged in the Information Technology industry to support that industry's practice of co-creation of value with customers and complementors. As a set of practices that link the firm's value creating processes with its external environment, business development capabilities are a key factor in the success of IT SMEs. This article examines business development functions and business developer attributes in SMEs in the Information Technology Industry in Eastern Canada. The principal business development functions are finding profitable opportunities in business networks, developing and maintaining partnerships, providing support for new product development, and recognizing and responding to customer needs. The regional market and export markets require different business development capabilities.

13.
In this paper we present a methodology for the forensic analysis of the artifacts generated on Android smartphones by Telegram Messenger, the official client for the Telegram instant messaging platform, which provides various forms of secure individual and group communication, by means of which both textual and non-textual messages can be exchanged among users, as well as voice calls.

Our methodology is based on the design of a set of experiments suitable to elicit the generation of artifacts and their retention on the device storage, and on the use of virtualized smartphones to ensure the generality of the results and the full repeatability of the experiments, so that our findings can be reproduced and validated by a third party.

In this paper we show that, by using the proposed methodology, we are able (a) to identify all the artifacts generated by Telegram Messenger, (b) to decode and interpret each one of them, and (c) to correlate them in order to infer various types of information that cannot be obtained by considering each one of them in isolation.

As a result, in this paper we show how to reconstruct the list of contacts, the chronology and contents of the messages that have been exchanged by users, as well as the contents of files that have been sent or received. Furthermore, we show how to determine significant properties of the various chats, groups, and channels in which the user has been involved (e.g., the identifier of the creator, the date of creation, the date of joining, etc.). Finally, we show how to reconstruct the log of the voice calls made or received by the user.

Although in this paper we focus on Telegram Messenger, our methodology can be applied to the forensic analysis of any application running on the Android platform.

14.
Almost 40 years ago, the Supreme Court, in the landmark case Goldberg v. Kelly (1970), provided welfare participants with a potentially potent tool for challenging the government welfare bureaucracy by requiring pre-termination hearings before welfare benefits were discontinued or reduced. In 1996, with the passage of the Personal Responsibility Work Opportunity Reconciliation Act (PRWORA), the rights talk of Kelly was officially replaced with the discourse of individual responsibility. Using observational data of administrative hearings and interviews with administrative law judges and appellants, this study explores how fair hearings have been affected by this official reconceptualization of rights. I find that hearings are not a panacea for challenging the more punitive aspects of welfare reform, but nor are they devoid of the possibility of justice. While hearings can replicate in style and substance the inequities, rigid adherence to rules, and moral judgments that characterize welfare relationships under the PRWORA, they can also be used as a mechanism for creating counternarratives to the dominant discourse about welfare. This study identifies two types of judges—moralist judges and reformer judges—and examines how their differing approaches determine which narrative emerges in the hearing room.

15.
Windows Live Messenger, commonly referred to as MSN Messenger, is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP. Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.

16.
The paper focuses on various legal-related aspects of the application of blockchain technologies in the copyright sphere. Specifically, it outlines the existing challenges for distribution of copyrighted works in the digital environment, how they can be solved with blockchain, and what associated issues need to be addressed in this regard. It is argued that blockchain can introduce long-awaited transparency in matters of the copyright ownership chain, and substantially mitigate risks of online piracy by enabling control over digital copies and creating a civilized market for "used" digital content. It also allows combining the simplicity of application of creative commons/open source type licenses with revenue streams, and thus facilitates fair compensation of authors by means of cryptocurrency payments and smart contracts. However, these benefits do not come without a price: many new issues will need to be resolved to enable the potential of blockchain technologies. Among them are: where to store copyrighted content (on blockchain or "off-chain") and the associated need to adjust the legal status of online intermediaries; how to find the right balance between the immutable nature of blockchain records and the necessity to adjust them due to the very nature of copyright law, which assigns ownership based on a set of informal facts not visible to the public. Blockchain as a kind of time stamping service cannot itself ensure the trustworthiness of facts which originate "off-chain". More work needs to be done on the legal side: special provisions aimed at facilitating users' trust in blockchain records and their good faith usage of copyrighted works based on them need to be introduced, and transactions with cryptocurrencies have to be legalized, as well as the status of smart contracts and their legal consequences. Finally, the economics of blockchain copyright management systems need to be carefully considered in order to ensure that they will have the necessary network effects. If those issues are resolved in a satisfactory way, blockchain has the potential to rewrite how the copyright industry functions and digital content is distributed.

17.
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.

19.
Power Dynamics in an Experimental Game
We introduce a new experimental method for studying power. Drawing from multiple theoretical perspectives, we conceptualize power as relational and structural, as well as comprised of different forms through which basic human needs can be met. Thus, the method we introduce examines how, when faced with a particular need, people use multiple forms of power concurrently and within a "field of influence," namely, the other players in a game. This enabled us to examine how one form of power is transformed into another and how power is transferred from one player to another through interaction, as well as to measure power as behavior, as the exercise of choice, as potential, and as outcomes. Two experiments using egalitarian start conditions and a survivable ecology demonstrated that participants used power to gain more power, creating inequality. Being the target of force made some players unable to "survive" in the local ecology. Theoretical and methodological issues in the study of power are discussed and the application of our game method to the study of power in other fields is considered.

20.
In the literature one often finds education and training given as possible prevention methods to cope with corruption, but with little evidence or information on how to deal with the problem of how to set up such a course. This article is about the course set up by the College for Criminal Investigation and Crime Control, the Netherlands, concerning corruption prevention training for police officers. The aim of this course is for participants to gain insight into their own decision process: that they decide, what they decide, and what the consequences of their decisions can be. Gaining insight is intended to make them less vulnerable to corruption. It is a three-day course in which corruption prevention is approached from an individual point of view. The article will start with a theoretical framework, after which the course is described. It offers a practical means of addressing an issue that attracts much attention but little guidance on its resolution. This revised version was published online in July 2006 with corrections to the Cover Date.

Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号