USB Storage Device Forensics for Windows 10

Significantly increased use of USB devices due to their user‐friendliness and large storage capacities poses various threats for many users/companies in terms of data theft that becomes easier due to their efficient mobility. Investigations for such data theft activities would require gathering critical digital information capable of recovering digital forensics artifacts like date, time, and device information. This research gathers three sets of registry and logs data: first, before insertion; second, during insertion; and the third, after removal of a USB device. These sets are analyzed to gather evidentiary information from Registry and Windows Event log that helps in tracking a USB device. This research furthers the prior research on earlier versions of Microsoft Windows and compares it with latest Windows 10 system. Comparison of Windows 8 and Windows 10 does not show much difference except for new subkey under USB Key in registry. However, comparison of Windows 7 with latest version indicates significant variances.     

NTFS volume mounts,directory junctions and $Reparse

The NTFS file system underlying modern Windows Versions provides the user with a number of novel ways in which to configure data storage and data paths within the NTFS environment. This article seeks to explain two of these, Volume Mount Points and Directory Junctions, such than when they are encountered the forensic examiner will have some information as to their use and structure.     

A Forensic Exploration of the Microsoft Windows 10 Timeline

The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db .     

Reverse engineering of ReFS

File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, while users have the option to create ReFS file systems, digital forensic investigators need to investigate the file systems identified on a seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.Another concept not seen for Windows file systems, is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB.Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x.It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.     

National Practitioner Data Bank for Adverse Information on Physicians and Other Health Care Practitioners--PHS. Final regulations

This final rule amends the existing regulations governing the National Practitioner Data Bank for Adverse Information on Physicians and Other Health Care Practitioners (the Data Bank), codified at 45 CFR part 60, authorizing the reporting and release of information concerning: (1) Payments made for the benefit of physicians, dentists, and other health care practitioners as a result of medical malpractice actions or claims; and (2) certain adverse actions taken regarding the licenses and clinical privileges of physicians and dentists. This final rule revises section 60.12 to change the process for collecting user fees from eligible individuals and entities requesting disclosure of information from the Data Bank.     

Recovering deleted data from the Windows registry

The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.     

Recovering deleted data from the Windows registry

The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.     

Windows系统存储区DPAPI的解密技术研究

目的 在电子数据取证过程中,数据的加解密经常是取证人员关注的重点.数据保护接口(DPAPI)作为Windows系统提供的数据保护接口被广泛使用,目前主要用于保护加密的数据.其特性主要表现在加密和解密必须在同一台计算机上操作,密钥的生成、使用和管理由Windows系统内部完成,如果更换计算机则无法解开DPAPI加密数据....     

Medicare program; removal of the requirements for the cardiac pacemaker registry. Health Care Financing Administration, HHS. Final rule

This final rule eliminates all requirements and references regarding the Cardiac Pacemaker Registry (the Registry) in our regulations. It conforms to the Food and Drug Adminstration's (FDA) recent final rule that required any physician and any provider of services who requests or receives Medicare payment for the implantation, removal, or replacement of permanent cardiac pacemaker devices and pacemaker leads to submit certain information to the Registry. We used the information to administer Medicare payment for these devices. This rule implements an Act to Repeal An Unnecessary Medical Device Reporting Requirement passed by Congress to eliminate duplicative and unnecessary reporting.     

针对进程用户空间的电子数据取证方法研究

进程用户空间中的信息往往与特定用户的特定操作行为直接关联,对于证据链的建立意义重大.从数目繁多的用户空间数据结构中筛选出最重要的三种：进程环境块、线程环境块与虚拟地址描述符,说明其定位方法,并重点讨论其结构格式的电子数据取证特性,为内存空间电子数据取证提供了新的思路与方法.实例分析部分,则以目前广泛使用的Windows 7操作系统为应用背景,说明了所述方法的具体应用.     

Windows系统中文件时间属性的变化及影响因素

目的分析Windows系统中不同因素对文件时间属性的影响,总结文件时间属性的变化规律。方法在FAT32和NTFS两种文件系统中,对文件和文件夹进行各种操作,记录其时间属性的变化情况,总结其规律并分析各种因素的影响。结果文件时间属性的更新与系统环境、操作方法、文件类型等因素有关,而且文件时间属性更新有特定的周期。结论Windows系统中文件时间属性的变化既有特定的规律,又受其它因素影响,在检验中应加以注意。     

Automated Windows event log forensics

This paper proposes methods to automate recovery and analysis of Windows NT5 (XP and 2003) event logs for computer forensics. Requirements are formulated and methods are evaluated with respect to motivation and process models. A new, freely available tool is presented that, based on these requirements, automates the repair of a common type of corruption often observed in data carved NT5 event logs. This tool automates repair of multiple event logs in a single step without user intervention. The tool was initially developed to meet immediate needs of computer forensic engagements.Automating recovery, repair, and correlation of multiple logs make these methods more feasible for consideration in both a wider range of cases and earlier phases of cases, and hopefully, in turn, standard procedures. The tool was developed to fill a gap between capabilities of certain other freely available tools that may recover and correlate large volumes of log events, and consequently permit correlation with various other kinds of Windows artifacts. The methods are examined in the context of an example digital forensic service request intended to illustrate the kinds of civil cases that motivated this work.     

Forensic analysis of Telegram Messenger for Windows Phone

This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation.     

Public Law and Popular Justice

Group litigation is becoming commonplace. Rules of standing have been relaxed to allow groups to bring representative actions on behalf of their members or to act 'in the public interest'. Groups increasingly intervene in actions between third parties, presenting amicus briefs. This article traces the origins of group action in courts and speculates on the possible effects of changes which blur traditional distinctions between legal and political process, concluding that the legal process must be kept broadly within traditional boundaries, if the qualities of independence, rationality and finality for which it is valued are to be maintained.     

Surveying the user space through user allocations

Previous research into memory forensics has focused on understanding the structure and contents of the kernel space portions of physical memory, and mostly ignored the contents of the user space. This paper describes the results of a survey of user space virtual address allocations in the Windows XP and Windows 7 operating systems, comprehensively identifying the kernel and user space metadata required to identify such allocations. New techniques for determining the role and content of those allocations are identified, significantly increasing the proportion of allocations for which the role and function is understood. The validity of this approach is evaluated and a detailed analysis of the data structures involved provided. An implementation of this approach is presented which is capable of identifying all user space allocations, and for those allocations identifying for a high percentage, the role of those allocations, even for complex applications.     

Forensic artefacts left by Windows Live Messenger 8.0

Windows Live Messenger – commonly referred by MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP.Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.     

IoT forensics: Exploiting log records from the DAHUA technology CCTV systems

CCTV surveillance systems are ubiquitous IoT appliances. Their forensic examination has proven critical for investigating crimes. DAHUA Technology is a well-known manufacturer of such products. Despite its global market share, research regarding digital forensics of DAHUA Technology CCTV systems is scarce and currently limited to extracting their video footage, overlooking the potential presence of valuable artifacts within their log records. These pieces of evidence remain unexploited by major commercial forensic software, yet they can hide vital information for an investigation. For instance, these log records document user actions, such as formatting the CCTV system's hard drive or disabling camera recording. This information can assist in attributing nefarious actions to specific users and hence can be invaluable for understanding the sequence of events related to incidents. Therefore, in this paper, several DAHUA Technology CCTV systems are thoroughly analyzed for these unexplored pieces of evidence, and their forensic value is presented.     

Extracting Windows command line details from physical memory

Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.     

信息产权理论与知识产权制度之正当性

知识产权的客体知识产品可以被看成是一种无形的信息。这种信息的生产对社会具有极为重要的意义。从信息产权的理论看,建立知识产权制度的合理性应当解决新信息的足够生产、信息的消费者(用户)对信息的足够而合理的分享,以及信息专有与信息自由和分享矛盾的调适等问题。知识产权制度通过一系列制度设计和安排特别是其中的利益平衡机制,妥善地解决了信息产权理论上信息垄断与信息分享之间的悖论,从而使其存在和运行具有充分的正当性。