Similar literature
1.
Information stored in the logs of a computer system is of crucial importance for gathering forensic evidence of investigated actions or attacks. Analysis of this information should be rigorous and credible, hence it lends itself to formal methods. We propose a model checking approach to the formalization of the forensic analysis of logs. A set of logs is modeled as a tree whose labels are events extracted from the logs. In order to provide a structure to these events, we express each event as a term of an algebra. The signature of the algebra is carefully chosen to include all relevant information necessary to conduct the analysis. Properties of the model, attack scenarios, and event sequences are expressed as formulas of a logic having dynamic, linear, temporal, and modal characteristics. Moreover, we provide a tableau-based proof system for this logic upon which a model checking algorithm can be developed. We use our model in a case study to demonstrate how events leading to a SYN attack can be reconstructed from a number of system logs.
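The following is an added example, not code from the paper above. It shows the shape of the approach in miniature: a packet log is parsed into event terms, a few linear-time operators are defined over the resulting trace, the half-open-connection scenario behind a SYN attack is written as a formula, and the checker returns the positions and the event subsequence that witness it. The log lines, their format, the "S/SA/A" flag notation and the threshold are constructed for illustration; the paper's logic (dynamic, linear, temporal and modal, with a tableau proof system) is considerably richer than the finite-trace fragment used here.

```python
"""Added example (not from the paper): log lines as event terms, a tiny temporal
logic over the trace, and a SYN-attack scenario checked against the log."""
import re
from collections import defaultdict

# Constructed sample log: "timestamp src > dst flags" (S = SYN, SA = SYN/ACK, A = ACK).
SAMPLE_LOG = """\
10:00:01.000 10.0.0.5:41000 > 192.0.2.10:80 S
10:00:01.010 192.0.2.10:80 > 10.0.0.5:41000 SA
10:00:01.020 10.0.0.5:41000 > 192.0.2.10:80 A
10:00:02.000 198.51.100.1:1025 > 192.0.2.10:80 S
10:00:02.001 198.51.100.2:1025 > 192.0.2.10:80 S
10:00:02.002 198.51.100.3:1025 > 192.0.2.10:80 S
10:00:02.003 198.51.100.4:1025 > 192.0.2.10:80 S
10:00:02.010 192.0.2.10:80 > 198.51.100.1:1025 SA
10:00:02.011 192.0.2.10:80 > 198.51.100.2:1025 SA
10:00:02.012 192.0.2.10:80 > 198.51.100.3:1025 SA
10:00:02.013 192.0.2.10:80 > 198.51.100.4:1025 SA
10:00:03.000 10.0.0.6:41001 > 192.0.2.10:80 S
10:00:03.010 192.0.2.10:80 > 10.0.0.6:41001 SA
10:00:03.020 10.0.0.6:41001 > 192.0.2.10:80 A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+) (\S+)$")


def parse_log(text):
    """Each log line becomes an event term (ts, src, dst, flags); unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


# A formula is a function (trace, i) -> bool: "does it hold at position i of the trace?"
def atom(pred):
    return lambda tr, i: pred(tr[i])


def neg(f):
    return lambda tr, i: not f(tr, i)


def conj(f, g):
    return lambda tr, i: f(tr, i) and g(tr, i)


def eventually(f):
    """F f: f holds at i or at some later position of the trace."""
    return lambda tr, i: any(f(tr, j) for j in range(i, len(tr)))


def always(f):
    """G f: f holds at i and at every later position of the trace."""
    return lambda tr, i: all(f(tr, j) for j in range(i, len(tr)))


def models(tr, f):
    """Model checking over a finite trace: the positions at which f holds."""
    return [i for i in range(len(tr)) if f(tr, i)]


def half_open(tr, i):
    """Scenario formula: a SYN from client c to server s at i that is never followed
    by an ACK from c to s, i.e. SYN(c,s) and not F ACK(c,s)."""
    _, src, dst, flags = tr[i]
    if flags != "S":
        return False
    completes = atom(lambda e: e[1] == src and e[2] == dst and e[3] == "A")
    return neg(eventually(completes))(tr, i)


def syn_attack_targets(tr, threshold):
    """Servers with at least `threshold` distinct client hosts whose handshakes never complete."""
    clients_by_server = defaultdict(set)
    for i in models(tr, half_open):
        _, src, dst, _ = tr[i]
        clients_by_server[dst].add(src.rsplit(":", 1)[0])
    return {srv: sorted(cs) for srv, cs in clients_by_server.items() if len(cs) >= threshold}


def reconstruct(tr, server):
    """The event subsequence that witnesses the scenario against one server."""
    return [tr[i] for i in models(tr, half_open) if tr[i][2] == server]


if __name__ == "__main__":
    trace = parse_log(SAMPLE_LOG)
    for server, clients in syn_attack_targets(trace, threshold=3).items():
        print(server, "half-open handshakes from", clients)
        for event in reconstruct(trace, server):
            print("  ", event)
```

Because a formula is evaluated at every position, the same machinery answers both questions an examiner asks of a log: whether a scenario occurred at all (`models` is non-empty) and which concrete events make it true (`reconstruct`). Adding a fourth event source means adding a parser that emits the same term shape, not changing the formulas.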

2.
The ever-increasing size of digital media presents a continuous challenge to digital investigators who must rapidly assess computer media to find and identify evidence. To meet this challenge, methods must continuously be sought to expedite the examination process. This paper investigates using the file ownership property as an analytical tool focusing on activity by individuals associated with the computer. Research centered on the New Technology File System (NTFS), which is the default file system in the Microsoft Windows operating system (OS). This was done because Microsoft's worldwide market penetration makes Windows and NTFS the most likely OS and file system to be encountered in digital forensic examinations. Significantly, digital forensic software now allows examination of NTFS file attributes and properties including the ownership property. The paper outlines potential limitations regarding interpreting ownership findings, and suggests areas for further research. Overall, file ownership is seen as a potentially viable new digital forensic tool.
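Added example, not from the paper above: the ownership property on NTFS is the owner SID inside the file's security descriptor (stored in $Secure, or in a $SECURITY_DESCRIPTOR attribute on older volumes), and this is how that SID is read out of the self-relative descriptor format. The descriptor bytes are constructed for illustration and the well-known-SID table is a small assumed subset; the comment in `describe_owner` carries the interpretation caveat the abstract alludes to.

```python
"""Added example (not from the paper): extract and interpret the owner SID of an
NTFS security descriptor."""
import struct

SE_SELF_RELATIVE = 0x8000
# Assumed small subset of well-known SIDs; any S-1-5-21-... SID is an account SID.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_sid(buf, off):
    """Decode a binary SID: revision, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = buf[off], buf[off + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of parse_sid; used here only to construct the sample descriptor."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def owner_sid(sd):
    """Owner SID of a self-relative SECURITY_DESCRIPTOR (20-byte header: revision,
    sbz1, control, then offsets of owner, group, SACL, DACL), or None if absent."""
    revision, _sbz1, control, off_owner, _off_group, _off_sacl, _off_dacl = \
        struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if off_owner == 0:
        return None
    return parse_sid(sd, off_owner)


def describe_owner(sd):
    """(SID string, display name).  Ownership is a property of the descriptor, not a
    record of who used the file: depending on the default-owner policy a file created
    by an Administrators member may be owned by BUILTIN\\Administrators rather than
    the individual account, and takeown/icacls can reassign an owner at any time."""
    sid = owner_sid(sd)
    if sid is None:
        return None, "(no owner)"
    return sid, WELL_KNOWN_SIDS.get(sid, "(account SID; resolve against the SAM or the domain)")


def build_descriptor(owner, group):
    """Constructed sample: header, owner SID, group SID, no SACL/DACL."""
    header_len = 20
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE,
                         header_len, header_len + len(owner_b), 0, 0)
    return header + owner_b + group_b


if __name__ == "__main__":
    user = "S-1-5-21-3623811015-3361044348-30300820-1013"
    for sd in (build_descriptor(user, "S-1-5-32-545"),
               build_descriptor("S-1-5-32-544", "S-1-5-32-544")):
        print(describe_owner(sd))
```

In casework the SID still has to be resolved to an account through the SAM hive or the domain, and an owner of BUILTIN\Administrators identifies a group, not a person, which is one of the interpretation limits the abstract refers to.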

3.
Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats, complicating decoding and presentation. A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent to which the results produced by different tools are consistent. This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device, and that in some cases the information recovered is conflicting.

4.
Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender's activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.

5.
Several operating systems provide a central logging service which collects event messages from the kernel and applications, filters them and writes them into log files. Such a system service has existed in Microsoft Windows NT for more than a decade. Its file format is well understood and supported by forensic software. Microsoft Vista introduces an entirely redesigned event logging service. This confronts forensic examiners and software authors with unfamiliar system behavior and a new, widely undocumented file format. This article describes the history of Windows system loggers, what has been changed over time and for what reason. It compares Vista log files in their native binary form and in a textual form. Based on the results, this paper for the first time publicly describes the key elements of the new log file format and the proprietary binary encoding of XML. It discusses the problems that may arise during daily work. Finally it proposes a procedure for recovering information from log fragments. During a criminal investigation this procedure was successfully applied to recover information from a corrupted event log.
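Added example, not from the article above and not its recovery procedure: a carver for Vista-style (EVTX) event records in an arbitrary byte fragment, which is the kind of building block recovery from a corrupted log needs. It relies only on record framing that is public knowledge: a record begins with the magic bytes 2A 2A 00 00, then a 32-bit size, a 64-bit record number and a 64-bit FILETIME, and the same 32-bit size is repeated as the record's last four bytes, so a record whose tail was overwritten fails validation instead of yielding a bogus event. Decoding the binary XML payload is out of scope; the fragment is constructed, with ASCII stand-ins in place of BinXML.

```python
"""Added example (not from the article): carve EVTX records from a byte fragment,
validating the leading and trailing size fields so truncated records are rejected."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
HEADER_LEN = 24                 # magic(4) + size(4) + record id(8) + FILETIME(8)
MIN_RECORD = HEADER_LEN + 4     # header plus trailing size copy
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def carve_records(buf):
    """Every record whose framing is intact: size in range, record fits in the
    buffer, trailing size equals leading size.  Anything else (a record truncated
    by an overwritten chunk, a magic inside unrelated data) is stepped over one
    byte at a time rather than trusted."""
    records, pos = [], 0
    while True:
        pos = buf.find(RECORD_MAGIC, pos)
        if pos < 0:
            return records
        if pos + HEADER_LEN <= len(buf):
            size, record_id, ft = struct.unpack_from("<IQQ", buf, pos + 4)
            end = pos + size
            if MIN_RECORD <= size and end <= len(buf) \
                    and struct.unpack_from("<I", buf, end - 4)[0] == size:
                records.append({
                    "offset": pos,
                    "record_id": record_id,
                    "written": filetime_to_datetime(ft),
                    "payload": buf[pos + HEADER_LEN:end - 4],
                })
                pos = end
                continue
        pos += 1


def chunk_offsets(buf):
    """Offsets of chunk headers in the fragment; in an intact file each chunk
    spans 64 KiB and carries its own record table and checksums."""
    out, pos = [], 0
    while True:
        pos = buf.find(CHUNK_MAGIC, pos)
        if pos < 0:
            return out
        out.append(pos)
        pos += 1


def build_record(record_id, written, payload):
    """Constructed record with the framing described above (payload is a stand-in)."""
    size = HEADER_LEN + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, datetime_to_filetime(written))
            + payload + struct.pack("<I", size))


def sample_fragment():
    """Constructed fragment: two intact records, garbage, a truncated record, an intact record."""
    t0 = datetime(2007, 1, 1, tzinfo=timezone.utc)
    good1 = build_record(1, t0, b"<rec>logon</rec>")
    good2 = build_record(2, t0 + timedelta(seconds=5), b"<rec>logoff</rec>")
    truncated = build_record(3, t0 + timedelta(seconds=9), b"<rec>lost tail</rec>")[:-10]
    good3 = build_record(4, t0 + timedelta(minutes=1), b"<rec>service start</rec>")
    return b"\x00" * 7 + good1 + b"\xff" * 13 + good2 + truncated + good3 + b"\x00" * 5


if __name__ == "__main__":
    for rec in carve_records(sample_fragment()):
        print(rec["offset"], rec["record_id"], rec["written"].isoformat(), rec["payload"])
```

Record numbers are monotonic within a log, so gaps in the carved sequence (here record 3) tell the examiner how much was lost, which is worth reporting alongside what was recovered.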

6.
Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file-wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we focused on comprehensively analyzing the traces left in 13 Windows artifacts by the operation of 10 file-wiping tools in the Windows operating system. For our experiments, we installed each file-wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on the other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on these three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, and it can assist in decision-making for evidence collection and forensic triage.

7.
File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.

Another concept not seen in Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB.

Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.
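Added example, not code from the paper above: a minimal reader for the ReFS volume boot record and a sector-granular scan for ReFS metadata page signatures, the first step of the partition-recovery and checkpoint-search approach the abstract describes. The layout is assumed from the public ReFS reverse-engineering literature rather than taken from this paper: the VBR carries "ReFS" at offset 3 and "FSRS" at offset 16, followed by the sector count (u64 at 24), bytes per sector (u32 at 32), sectors per cluster (u32 at 36) and the major/minor version (u8 at 40 and 41); metadata pages begin with a four-byte signature, SUPB for the superblock (primary copy at cluster 0x1E, backups near the end of the volume) and CHKP for a checkpoint. The image is constructed and deliberately tiny.

```python
"""Added example (not from the paper): parse the ReFS VBR, locate metadata page
signatures by scanning, and show that the superblock copies survive a reformat
that only rewrites the first sector.  Offsets and signatures are assumptions."""
import struct

SECTOR = 512
PAGE_SIGNATURES = {b"SUPB": "superblock", b"CHKP": "checkpoint"}


def parse_vbr(img):
    """Parse the ReFS VBR at offset 0; None when the sector is not a ReFS VBR
    (for example after the partition was reformatted with another file system)."""
    if len(img) < 48 or img[3:11] != b"ReFS\x00\x00\x00\x00" or img[16:20] != b"FSRS":
        return None
    sectors, bps, spc, major, minor = struct.unpack_from("<QIIBB", img, 24)
    return {"sectors": sectors, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "cluster_size": bps * spc, "version": "%d.%d" % (major, minor)}


def scan_pages(img, step=SECTOR):
    """(offset, kind) for every metadata page signature found on a `step` boundary.
    Scanning at sector rather than cluster granularity is deliberate: after a
    reformat the cluster size recorded in the VBR is no longer available."""
    hits = []
    for off in range(0, len(img) - 3, step):
        kind = PAGE_SIGNATURES.get(img[off:off + 4])
        if kind:
            hits.append((off, kind))
    return hits


def superblock_offsets(img):
    """Offsets of every page carrying the superblock signature.  After a reformat
    the primary copy may be gone, but the backup copies near the end of the volume
    usually survive and can anchor partition recovery."""
    return [off for off, kind in scan_pages(img) if kind == "superblock"]


def build_sample_image(cluster=4096, clusters=64):
    """Constructed toy volume: VBR, primary superblock at cluster 0x1E, backups in
    the third- and second-to-last clusters, one checkpoint page at cluster 0x20."""
    img = bytearray(cluster * clusters)
    img[3:11] = b"ReFS\x00\x00\x00\x00"
    img[16:20] = b"FSRS"
    struct.pack_into("<QIIBB", img, 24, cluster * clusters // SECTOR, SECTOR,
                     cluster // SECTOR, 3, 2)
    for c in (0x1E, clusters - 3, clusters - 2):
        img[c * cluster:c * cluster + 4] = b"SUPB"
    img[0x20 * cluster:0x20 * cluster + 4] = b"CHKP"
    return bytes(img)


def simulate_reformat(img):
    """Overwrite only the first sector, as a quick format to another file system
    might; the rest of the volume is left untouched."""
    return b"\x00" * SECTOR + img[SECTOR:]


if __name__ == "__main__":
    image = build_sample_image()
    print(parse_vbr(image))
    print(scan_pages(image))
    wiped = simulate_reformat(image)
    print(parse_vbr(wiped), superblock_offsets(wiped))
```

On a real volume a signature hit is only a candidate: the page header also carries the page's own logical address and a checksum, and a copy of a superblock found by scanning should be validated against those before it is used to locate checkpoints and, from them, the metadata and content the abstract mentions.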

8.
Recovery of hard disk data that has been deliberately deleted, altered or destroyed
With the rapid development of the information industry, the use of computers has become increasingly widespread, and traditional paper-based storage of information has been replaced by computer storage. Since information technology is itself a very new field, the security of computer-stored data is hard to guarantee, and cases in which evidence is destroyed by deliberately altering, deleting or damaging data occur again and again. This poses new challenges for public security work. Data that has been altered or destroyed is referred to collectively as damaged data. At present, damage to data storage media falls mainly into two types: logical (soft) damage and physical (hard) damage. This paper discusses both types in depth in terms of data storage principles, recovery principles and recovery methods.

9.
Acid scavengers are frequently used as stabilizer compounds in a variety of applications. When used to stabilize volatile compounds such as nerve agents, the lower volatility and higher stability of acid scavengers make them more persistent in a post-event forensic setting. Compound-specific isotope analysis of carbon, nitrogen, and hydrogen in three acid-scavenging compounds (N,N-diethylaniline, tributylamine, and triethylamine) was used as a tool for distinguishing between different samples. Combined analysis of multiple isotopes improved sample resolution; for instance, differentiation between triethylamine samples improved from 80% based on carbon alone to 96% when combined with additional isotope data. The compound-specific methods developed here can be applied to instances where these compounds are not pure, such as when mixed with an agent or when found as a residue. Effective sample matching can be crucial for linking compounds at multiple event sites or linking a supply inventory to an event.

10.
Accurate and reliable analytical measurements are essential when data are to be used to assist the Court in deciding whether or not a drug offence has been committed and therefore about either the innocence or guilt of the accused. The Italian law on drugs demands that compliance with specification limits be assessed on the basis of the actual content of controlled substance contained in seized materials. As a consequence, the role of measurement uncertainty, significant figures and rounding errors becomes critical. In order to assist analysts of forensic toxicology laboratories with illicit drug-related cases, a software tool named Drugs WorkBook (DWB) has been developed. The tool is useful for the quantification of illicit drugs in seized materials along with their measurement uncertainties, the assessment of compliance with specification limits, the printing of comprehensive laboratory reports and the organization of case archives. Other quality control topics, such as control charts, are included. The tool's databases can be edited by the user and kept up to date. The tool is made freely available to the scientific community.

11.
12.
The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.

13.
Gait is now widely used in the UK as a contributor to identification, and increasing interest is being shown in its use in both Europe and the US. One of the long-standing criticisms of the use of gait as evidence has been the lack of a validated standard methodology. With the publication of the 'Code of practice for forensic gait analysis', and the adoption of the code as part of the 'Codes of Practice and Conduct for forensic science providers and practitioners in the Criminal Justice System' by the Forensic Science Regulator, forensic gait analysts are now required to provide evidence of the testing of the methods used. The Sheffield Features of Gait Tool is specifically designed to assist observational gait analysis in the forensic context, and was developed by forensic gait analysis practitioners based on their casework and trial experience. Birch et al. 2019 reported the findings of a study undertaken to assess the repeatability and reproducibility of the tool. This paper reports the findings of a study undertaken to assess the accuracy with which analysts identified features of gait when using the tool. Fourteen participants, with experience in observational gait analysis, viewed footage of computer-generated avatars walking, and completed the features of gait tool on multiple occasions. The results showed a mean accuracy score of 134.92 out of a possible 180 (74.96%), a standard deviation of 9.49 (5.27%) and a coefficient of variation of 7.03%, demonstrating a good degree of consistency between the scores (Cronbach's alpha <0.90; ANOVA p-value <0.05). The findings of this study, coupled with those of the Birch et al. 2019 study which showed there to be good levels of both repeatability and reproducibility of observations of features of gait made by the participants, suggest that the Sheffield Features of Gait Tool is a valid and fit-for-purpose method of observing and recording features of gait in the forensic context. The use of the tool provides the basis of a standardised methodology for observational gait analysis in the forensic context.

14.
Science & Justice 2020, 60(3):206-215
Trace evidence such as touch (also known as contact) DNA has probative value as a vital forensic investigative tool that can lead to the identification and apprehension of a criminal. While the volume of touch DNA evidence items submitted to forensic laboratories has significantly increased, recovery and amplification of DNA from these items, especially from metal surfaces, remains challenging. Currently little is understood with regard to the underlying mechanisms of metal-DNA interactions in the context of forensic science and how this may impact DNA recovery. An increased understanding of these mechanisms would allow optimisation of methods to improve outcomes when sampling these materials. This paper reviews the basis of DNA binding to metal substrates, the merits and limitations of current methods and future perspectives for improving recovery and amplification of touch DNA from metal surfaces of forensic interest.

15.
Since the inception of Web 2.0, instant messaging, e-mailing, and social networking have emerged as cheap and efficient means of communication over the Web. As a result, a number of communication platforms like Digsby have been developed by various research groups to facilitate access to multiple e-mail, instant messaging, and social networking sites using a single credential. Although such platforms are advantageous for end-users, they present new challenges to digital forensic examiners because of their illegitimate use by anti-social elements. To identify digital artifacts from Digsby log data, an examiner is assumed to have knowledge of the whereabouts of Digsby traces before starting an investigation process. This paper proposes a design for a user-friendly GUI-based forensic tool, DigLA, which provides a unified platform for analyzing Digsby log data at different levels of granularity. DigLA is also equipped with password decryption methods for both machine-specific and portable installation versions of Digsby. By considering the Windows registry and Digsby log files as dynamic sources of evidence, specifically when Digsby has been used to commit a cyber crime, this paper presents a systematic approach to analyzing Digsby log data. It also presents an approach to analyzing RAM and swap files to collect relevant traces, specifically the login credentials of Digsby and IM users. An expected insider attack from a server security perspective is also studied and discussed in this paper.

16.
The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce the human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM), an unsupervised neural network model, can aid investigators in determining anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted in conducting the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.

17.
The physical comparison of known (K) and questioned (Q) evidence samples is an accepted tool in numerous forensic identification disciplines (1). A subset of this process is the use of antemortem and postmortem dental radiographs to identify unidentified human remains. This method has been generally accepted for decades (2). The outcome is achieved with a considerable degree of accuracy, due in part to a finite pool of possible candidates for identification derived via the NCIC database, passenger lists, and law enforcement Missing Persons reports. This paper describes a dental identification comparison protocol that incorporated digital imaging technology in this process. The computer was used to create digital exemplars of the K and Q evidence that were spatially and quantitatively compared (3). The digital mode allowed direct metric and morphologic comparison through the aid of a digital camera, desktop computer, monitor, and printer. The well-known computer program Adobe Photoshop 5.0 (4) was used to process the digital information in two forensic cases described in this paper. It is a commercially available digital image editing program that runs on laptop and desktop computers possessing sufficient chip speed and RAM (Pentium II or equivalent and at least 76 MB RAM) to open the large files generated by high-resolution digital capture devices. This program accepts raster-based image formats (e.g. .JPG, .BMP). Photoshop is noted for its diverse imaging functions, which allow the computer monitor to be used as a comparison microscope when Q and K sample images are tiled side-by-side and/or superimposed. Two- and three-dimensional Q and K evidence samples can be individually digitized and then independently resized to allow two-dimensional comparison. The investigator also has the ability to create magnified images (200% to 300%) when the original digital image has been captured at near photo-quality resolution (300 dpi). The visual comparison of physical features on the computer monitor permits a large field of view and robust digital control over image quality. The photographic measurement and enhancement features of Adobe Photoshop mimic, and in some circumstances surpass, the historic use of conventional photographic manipulation in forensic casework. This paper presents two cases processed via routine forensic odontology identification protocols. These protocols had minimal results due to limitations described in the case histories. The additional application of digital methods proved useful in the ultimate identification of these human remains.

18.
Statistics plays an important role in evaluating the evidential weight of forensic DNA. In this paper, general statistical principles for forensic DNA analysis are presented. We introduce the theory and methods for the statistical assessment in kinship determination and DNA mixture evaluation. In particular, analytical formulas for testing for a biological relationship among three individuals and for assessing DNA mixture evidence in the case of multiple subdivided ethnic groups are developed. Two user-friendly computer programs are demonstrated to exhibit their wide applicability in tackling complex kinship/paternity and mixture problems. The EasyDNA program can solve a complicated paternity case in 1 min.

19.
Digital Investigation 2007, 4(3-4):129-137
In this paper we discuss how operating system design and implementation influence the methodology for computer forensics investigations, with the focus on forensic acquisition of memory. In theory the operating system could support such investigations both in terms of tools for analysis of data and by making the system data readily accessible for analysis. Conventional operating systems such as Windows and UNIX derivatives offer some memory-related tools that are geared towards the analysis of system crashes, rather than forensic investigations. In this paper we demonstrate how techniques developed for persistent operating systems, where the lifetime of data is independent of the method of its creation and storage, could support computer forensics investigations delivering higher efficiency and accuracy. It is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. We further propose a new technique for forensically sound acquisition of memory based on the persistence paradigm.

20.
Two hundred prosecuting attorneys completed a survey concerning priorities in taking on animal cruelty cases and the factors that help or hinder prosecuting such cases. Respondents commented on the priority given such cases. Questions also addressed specific kinds of evidence that had been used to decide whether to take on a cruelty case and were used in court. Results showed that prosecutors most frequently relied upon "traditional" sources of evidence, including detailed medical and crime scene reports and good quality photographic evidence. Other sources of forensic evidence such as DNA, computer forensics, forensic accounting, blood, and trace evidence were rarely employed. Veterinary forensic evidence, including forensic necropsies and detailed medical reports, was viewed as an important factor by a majority of prosecutors in deciding whether to accept a case for prosecution and in achieving a successful outcome, but a need for additional training for investigators was indicated.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号