Distributed filesystem forensics: XtreemFS as a case study

Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem forensics. In this paper, we aim to address this gap in knowledge. Using our previously published cloud forensic framework as the underlying basis, we conduct an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics. We discuss the technical and process issues regarding collection of evidential data from distributed filesystems, particularly when used in cloud computing environments. A number of digital forensic artefacts are also discussed. We then propose a process for the collection of evidential data from distributed filesystems.     

Digital evidence in fog computing systems

Fog Computing provides a myriad of potential societal benefits: personalised healthcare, smart cities, automated vehicles, Industry 4.0, to name just a few. The highly dynamic and complex nature of Fog Computing with its low latency communication networks connecting sensors, devices and actuators facilitates ambient computing at scales previously unimaginable. The combination of Machine Learning, Data Mining, and the Internet of Things, supports endless innovation in our data driven society. Fog computing incurs new threats to security and privacy since these become more difficult when there are an increased number of connected devices, and such devices (for example sensors) typically have limited capacity for in-built security. For law enforcement agencies, the existing models for digital forensic investigations are ill suited to the emerging fog paradigm. In this paper we examine the procedural, technical, legal, and geopolitical challenges associated with digital forensic investigations in Fog Computing. We highlight areas that require further development, and posit a framework to stimulate further consideration and discussion around the challenges associated with extracting digital evidence from Fog Computing systems.     

FriendlyRoboCopy: A GUI to RoboCopy for computer forensic investigators

One of the most pressing challenges in digital investigations today is the extraction and forensic preservation of a subset of data on computer clusters and other large storage systems. As the number and capacity of computer systems increases, it is no longer feasible to create forensic duplicates of every system in their entirety. Although forensic tools are being developed to cope with such situations, they do not support all file systems. Experienced digital investigators use tools such as RoboCopy to preserve a subset of data on target systems, and take steps to document their process and results. This paper explores the need for these tools in digital investigations, and demonstrates the strengths and weaknesses of using RoboCopy to acquire data on a network share. This paper then introduces FriendlyRoboCopy, which provides an effective, user-friendly interface to RoboCopy that addresses the requirements of forensic preservation.     

Cloud forecasting: Legal visibility issues in saturated environments

The advent of cloud computing has brought the computing power of corporate data processing and storage centers to lightweight devices. Software-as-a-service cloud subscribers enjoy the convenience of personal devices along with the power and capability of a service. Using logical as opposed to physical partitions across cloud servers, providers supply flexible and scalable resources. Furthermore, the possibility for multitenant accounts promises considerable freedom when establishing access controls for cloud content. For forensic analysts conducting data acquisition, cloud resources present unique challenges. Inherent properties such as dynamic content, multiple sources, and nonlocal content make it difficult for a standard to be developed for evidence gathering in satisfaction of United States federal evidentiary standards in criminal litigation. Development of such standards, while essential for reliable production of evidence at trial, may not be entirely possible given the guarantees to privacy granted by the Fourth Amendment and the Electronic Communications Privacy Act. Privacy of information on a cloud is complicated because the data is stored on resources owned by a third-party provider, accessible by users of an account group, and monitored according to a service level agreement. This research constructs a balancing test for competing considerations of a forensic investigator acquiring information from a cloud.     

BitTorrent Sync: First Impressions and Digital Forensic Implications

With professional and home Internet users becoming increasingly concerned with data protection and privacy, the privacy afforded by popular cloud file synchronisation services, such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A number of these services have recently been reported as sharing information with governmental security agencies without warrants. BitTorrent Sync is seen as an alternative by many and has gathered over two million users by December 2013 (doubling since the previous month). The service is completely decentralised, offers much of the same synchronisation functionality of cloud powered services and utilises encryption for data transmission (and optionally for remote storage). The importance of understanding BitTorrent Sync and its resulting digital investigative implications for law enforcement and forensic investigators will be paramount to future investigations. This paper outlines the client application, its detected network traffic and identifies artefacts that may be of value as evidence for future digital investigations.     

A case study on anonymised sharing platforms and digital traces left by their usage

Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.     

Data fragment forensics for embedded DVR systems

A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics.To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequential fragmentation and missing fragments overwritten by other data.This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on techniques described in this paper.     

Intrusion detection: issues and challenges in evidence acquisition

As the dangers of hacking and cyber‐warfare for network security become a reality, the need to be able to generate legally admissible evidence of criminal or other illegal online behaviours has become increasingly important. While technical systems providing intrusion detection and network monitoring are constantly being improved, the security they provide is never absolute. As a result, when assessing the value and nature of the data that these systems produce, it becomes critical to be aware of a number of factors: these systems themselves are susceptible to attack and/or evasion; these systems may collect only a partial data set; and, these data sets may themselves be flawed, erroneous or may already have been tampered with. Additionally, the issue of privacy and data protection is emerging as a central debate in forensic computing research. In this context, this paper examines intrusion detection systems (IDS) and provides the results of a case study on the use of the SNORT IDS on a university department World Wide Web (WWW) server. The case study is analysed and discussed using a forensic computing perspective. This perspective considers the nature of the intrusion detection and network monitoring security provided and evaluates the system in terms of its evidence acquisition (‘forensic’) capabilities and the legal admissibility of the digital evidence generated.     

Forensic analysis of newer TomTom devices

Today many investigations involve TomTom devices due to the wide-spread use of these navigation systems. The process of acquiring a memory dump from the first generation of TomTom devices was relatively easy by utilising the USB-connection and standard forensic tools. Newer devices, however, do not provide this or any other readily available data connection, making the task much more complex. In addition to existing and relatively complex chip-extraction procedures, an easier data acquisition method was developed without the need to de-solder flash memory chips. The presence of new files and the differences in data formats found in these devices meant that new methods of data analysis and decoding also needed to be developed.     

The use of self-organising maps for anomalous behaviour detection in a digital investigation

The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM)--an unsupervised neural network model--can aid investigators to determine anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted to conduct the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.     

A review of quality procedures in the UK forensic sciences: What can the field of digital forensics learn?

With a reliance on the various forms of forensic science evidence in complex criminal investigations, the measures for ensuring its quality are facing increasing scrutiny. Improvements to quality management systems, to ensure both the robust application of scientific principles and the accurate interpretation and reporting of results, have arisen as a consequence of high-profile rebuttals of forensic science evidence, combined with process improvements driven by evaluation of current practice. These improvements are crucial to ensure validity of results as well as providing assurance for all those involved in the Criminal Justice System. This work first examines the quality management systems utilised for the examination and analysis of fingerprint, body fluid and DNA evidence. It then proceeds to highlight an apparent lack of comparable quality assurance mechanisms within the field of digital forensics, one of the newest branches of forensic science. Proposals are provided for the improvement of quality assurance for the digital forensics arena, drawing on the experiences of, and more well-established practices within, other forensic disciplines.     

Impacts of increasing volume of digital forensic data: A survey and future research challenges

A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.     

Automated event and social network extraction from digital evidence sources with ontological mapping

The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscaleable and alternate methods to reduce the time trained analysts spend on each job are necessary.This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work.A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator.Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.     

The conversion of coroner systems to medical examiner systems in the United States: a lull in the action

Coroner and medical examiner systems in the United States conduct death investigations for most deaths that are sudden and unexplained, or which involve external causes such as injury and poisoning. They play a very important role in the criminal justice, public health, public safety, and medical communities, and they also contribute a substantial portion of autopsy-based mortality data to the state and federal mortality statistics systems. Death investigations often involve complex medical issues and necessarily require the involvement of appropriately trained physicians. Over the years, there has been a trend to replace the elected lay coroner systems with systems run by appointed, physician medical examiners. Presently, about 31% of counties in the United States are served by a medical examiners at the county, district, or state level. Between 1960 and 1989, there was considerable conversion to medical examiner systems, but this trend slowed in the 1990s. Since 2000, only 6 counties in the United States have converted to a medical examiner system, no states have converted since 1996, and 1 county has reverted to a sheriff-coroner system. Possible reasons for this decline are discussed, including legislative, political, geographical, financial, population-based, and physician manpower distribution factors. It is important to ensure that all death investigation systems have appropriate access to medically educated and trained physicians such as forensic pathologists.     

Trust in digital records: An increasingly cloudy legal area

Trust has been defined in many ways, but at its core it involves acting without the knowledge needed to act. Trust in records depends on four types of knowledge about the creator or custodian of the records: reputation, past performance, competence, and the assurance of confidence in future performance. For over half a century society has been developing and adopting new computer technologies for business and communications in both the public and private realm. Frameworks for establishing trust have developed as technology has progressed. Today, individuals and organizations are increasingly saving and accessing records in cloud computing infrastructures, where we cannot assess our trust in records solely on the four types of knowledge used in the past. Drawing on research conducted at the University of British Columbia into the nature of digital records and their trustworthiness, this article presents the conceptual archival and digital forensic frameworks of trust in records and data, and explores the common law legal framework within which questions of trust in documentary evidence are being tested. Issues and challenges specific to cloud computing are introduced.     

A Forensic Exploration of the Microsoft Windows 10 Timeline

The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db .     

Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools,trust, and techniques

We expose and explore technical and trust issues that arise in acquiring forensic evidence from infrastructure-as-a-service cloud computing and analyze some strategies for addressing these challenges. First, we create a model to show the layers of trust required in the cloud. Second, we present the overarching context for a cloud forensic exam and analyze choices available to an examiner. Third, we provide for the first time an evaluation of popular forensic acquisition tools including Guidance EnCase and AccesData Forensic Toolkit, and show that they can successfully return volatile and non-volatile data from the cloud. We explain, however, that with those techniques judge and jury must accept a great deal of trust in the authenticity and integrity of the data from many layers of the cloud model. In addition, we explore four other solutions for acquisition—Trusted Platform Modules, the management plane, forensics-as-a-service, and legal solutions, which assume less trust but require more cooperation from the cloud service provider. Our work lays a foundation for future development of new acquisition methods for the cloud that will be trustworthy and forensically sound. Our work also helps forensic examiners, law enforcement, and the court evaluate confidence in evidence from the cloud.     

We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.     

Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.