Similar literature
20 similar documents found.
1.
One of the most pressing challenges in digital investigations today is the extraction and forensic preservation of a subset of data on computer clusters and other large storage systems. As the number and capacity of computer systems increases, it is no longer feasible to create forensic duplicates of every system in their entirety. Although forensic tools are being developed to cope with such situations, they do not support all file systems. Experienced digital investigators use tools such as RoboCopy to preserve a subset of data on target systems, and take steps to document their process and results. This paper explores the need for these tools in digital investigations, and demonstrates the strengths and weaknesses of using RoboCopy to acquire data on a network share. This paper then introduces FriendlyRoboCopy, which provides an effective, user-friendly interface to RoboCopy that addresses the requirements of forensic preservation.
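The forensic-preservation requirements this abstract alludes to (copy only a defined subset, keep the original timestamps, hash everything, and leave a record of what was done) can be shown concretely. The following is an added example written for this page; it is not FriendlyRoboCopy or any code from the paper, and the sample file tree it builds in a temporary directory is constructed for the demonstration. It records the source timestamps before hashing, because reading a file to hash it can itself update the source's access time.

```python
"""Added example: preserve a subset of files with timestamps, hashes and a manifest."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_subset(source: Path, dest: Path, patterns):
    """Copy files under `source` matching any glob in `patterns` into `dest`.

    Returns the manifest: one record per file with its relative path, size,
    source mtime, source hash, copy hash and whether the copy verified.
    """
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    seen = set()
    for pattern in patterns:
        for src in sorted(source.rglob(pattern)):
            if not src.is_file() or src in seen:
                continue
            seen.add(src)
            rel = src.relative_to(source)
            st = src.stat()                 # capture metadata BEFORE reading the file
            before = sha256_file(src)       # this read may bump the source atime
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)       # data + metadata (uses the post-read atime)
            # Re-assert the timestamps captured before hashing.
            os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
            after = sha256_file(target)
            manifest.append({
                "path": rel.as_posix(),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256_source": before,
                "sha256_copy": after,
                "verified": before == after and target.stat().st_size == st.st_size,
            })
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Constructed sample share: two documents to preserve and one file to skip."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.docx").write_bytes(b"PK\x03\x04constructed docx")
        (src / "docs" / "notes.txt").write_bytes(b"constructed notes\n")
        (src / "bin.dat").write_bytes(b"\x00" * 4096)
        fixed = 1_600_000_000_000_000_000            # constructed timestamp (ns)
        os.utime(src / "docs" / "notes.txt", ns=(fixed, fixed))
        return preserve_subset(src, Path(tmp) / "evidence", ["*.docx", "*.txt"])


if __name__ == "__main__":
    for rec in demo():
        print(rec["path"], rec["verified"], rec["sha256_copy"][:16])
```

The manifest is the documentation step the abstract mentions: it can be attached to the case notes so a later examiner can re-hash the preserved copies and confirm nothing changed after acquisition.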

2.
Digital Investigation 2007, 4(3-4):146-157
Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial-neural-network-based approach for post-event timeline reconstruction using file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

3.
The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.

4.
There is an urgent need to reduce the growing backlog of forensic examinations in Digital Forensics Laboratories (DFLs). Currently, DFLs routinely create forensic duplicates and perform in-depth forensic examinations of all submitted media. This approach is rapidly becoming untenable as more cases involve increasing quantities of digital evidence. A more efficient and effective three-tiered strategy for performing forensic examinations will enable DFLs to produce useful results in a timely manner at different phases of an investigation, and will reduce unnecessary expenditure of resources on less serious matters. The three levels of forensic examination are described along with practical examples and suitable tools. Realizing that this is not simply a technical problem, we address the need to update training and establish thresholds in DFLs. Threshold considerations include the likelihood of missing exculpatory evidence and the seriousness of the offense. We conclude with the implications of scaling forensic examinations to the investigation.

5.
6.
The continuing decline in the cost-per-megabyte of hard disk storage has inevitably led to a ballooning volume of data that needs to be reviewed in digital investigations. The result: case backlogs that commonly stretch for months at forensic labs, and per-case processing that occupies days or weeks of analytical effort. Yet speed is critical in situations where delay may render the evidence useless or endanger personal safety, such as when a suspect may flee, a victim is at risk, or criminal tactics or control infrastructure may change. In these and other cases, investigators need tools to enable quick triage of computer evidence in order to answer urgent questions, maintain the pace of an investigation and assess the likelihood of acquiring pertinent information from the device. This paper details the design and application of a tool, OpenLV, that not only meets the needs for speedy initial triage, but also can facilitate the review of digital evidence at later stages of investigation. With OpenLV, an investigator can quickly and safely interact with collected evidence, much as if they had sat down at the computer at the time the evidence was collected. Since OpenLV works without modifying the evidence, its use in triage does not preclude subsequent, in-depth forensic analysis. Unlike many popular forensic tools, OpenLV requires little training and facilitates an unprecedented level of interaction with the evidence.

7.
Current digital forensic text string search tools use match and/or indexing algorithms to search digital evidence at the physical level to locate specific text strings. They are designed to achieve 100% query recall (i.e. find all instances of the text strings). Given the nature of the data set, this leads to an extremely high incidence of hits that are not relevant to investigative objectives. Although Internet search engines suffer similarly, they employ ranking algorithms to present the search results in a more effective and efficient manner from the user's perspective. Current digital forensic text string search tools fail to group and/or order search hits in a manner that appreciably improves the investigator's ability to get to the relevant hits first (or at least more quickly). This research proposes and empirically tests the feasibility and utility of post-retrieval clustering of digital forensic text string search results, specifically by using Kohonen Self-Organizing Maps, a self-organizing neural network approach. This paper is presented as a work-in-progress. A working tool has been developed and experimentation has begun. Findings regarding the feasibility and utility of the proposed approach will be presented at DFRWS 2007, as well as suggestions for follow-on research.

8.
Previous research indicates law enforcement investigators and digital forensic examiners working child exploitation cases are at an increased risk for experiencing psychological distress; however, the roles of digital forensic examiners and investigators often overlap substantially when working child pornography cases. Thus, the current study was the first to compare the psychological well-being, job satisfaction, coping mechanisms, and attitudes toward mental health services for individuals working as either digital forensic examiners and/or investigators of child pornography cases. Law enforcement officers were solicited from the Internet Crimes Against Children task force listserv, and based on their current self-reported duties, 20 were classified as digital forensic examiners-only, 71 as investigators-only, and 38 as both digital forensic examiners and investigators of cases involving Internet child pornography. Results showed significant differences between groups; individuals performing both duties scored significantly higher on secondary traumatic stress, higher on feelings of worthlessness, and lower on concentration compared to digital forensic examiners-only. Individuals performing both duties also reported significantly lower scores on job satisfaction compared to investigators-only. Finally, individuals working both duties were significantly more likely to know someone who sought counseling as a result of work-related stress. The study's mental health implications and future research suggestions are discussed.

9.
This paper describes the Registration Data Access Protocol (RDAP) with a focus on relevance to digital forensic investigators. RDAP was developed as the successor to the aging WHOIS system and is intended to eventually replace WHOIS as the authoritative source for registration information on IP addresses, Domain Names, Autonomous Systems, and more. RDAP uses a RESTful interface over HTTP and introduces a number of new features related to security, internationalization, and standardized query/response definitions. It is important for digital forensic investigators to become familiar with RDAP as it will play an increasingly important role in Internet investigations requiring the search and collection of registration data as evidence.
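Two of the mechanics behind the abstract's "standardized query/response definitions" are worth seeing in code: how a client finds the authoritative RDAP server for an address (the IANA bootstrap registry of RFC 7484, a JSON list of prefix-to-URL mappings searched by longest prefix), and how the JSON object returned for a domain (RFC 9083) is reduced to the fields an investigator actually records. The following is an added example written for this page, not code from the paper. Both the bootstrap excerpt and the domain response are constructed inline so it runs offline; the server hostnames and registrar names in them are placeholders, not real registries.

```python
"""Added example: RDAP bootstrap lookup and domain-response summarisation."""
import ipaddress
import json

# Constructed excerpt in the IANA bootstrap format (RFC 7484): each service is
# [ [prefixes...], [base URLs...] ]. The real file lives at
# https://data.iana.org/rdap/ipv4.json; the URLs below are placeholders.
IPV4_BOOTSTRAP = json.loads("""{
  "version": "1.0",
  "services": [
    [["192.0.0.0/8"],  ["https://rdap.example-rir-a.test/"]],
    [["192.0.2.0/24"], ["https://rdap.example-rir-b.test/"]]
  ]
}""")

# Constructed RDAP domain object (RFC 9083 shape). Values are placeholders.
DOMAIN_RESPONSE = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "active"],
  "events": [
    {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2026-08-13T04:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2024-08-14T07:01:34Z"}
  ],
  "entities": [
    {"objectClassName": "entity", "handle": "376", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]},
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns2.example.net"},
    {"objectClassName": "nameserver", "ldhName": "ns1.example.net"}
  ]
}""")


def rdap_base_url(bootstrap: dict, ip: str):
    """Longest-prefix match over the bootstrap services.

    Returns the full query URL (path per RFC 9082: /ip/<address>), or None
    when no service covers the address.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, urls)
    if best is None:
        return None
    return best[1][0].rstrip("/") + "/ip/" + ip


def _formatted_name(entity: dict):
    """Pull the vCard 'fn' property out of a jCard array, if present."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def summarize_domain(resp: dict) -> dict:
    """Reduce an RDAP domain object to the fields typically logged as evidence."""
    if resp.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    roles = {}
    for ent in resp.get("entities", []):
        for role in ent.get("roles", []):
            roles[role] = _formatted_name(ent)
    events = {e["eventAction"]: e["eventDate"] for e in resp.get("events", [])}
    return {
        "domain": resp["ldhName"],
        "status": list(resp.get("status", [])),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "last_changed": events.get("last changed"),
        "registrar": roles.get("registrar"),
        "registrant": roles.get("registrant"),
        "nameservers": sorted(ns["ldhName"] for ns in resp.get("nameservers", [])),
    }


if __name__ == "__main__":
    print(rdap_base_url(IPV4_BOOTSTRAP, "192.0.2.44"))
    print(json.dumps(summarize_domain(DOMAIN_RESPONSE), indent=2))
```

Two practical points the example makes visible: the more specific /24 wins over the /8, which is exactly the delegation a WHOIS referral chain used to express by hand, and the registrant name may legitimately come back redacted, so the registrar handle and the event timestamps are often the evidentially useful fields.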

10.
In this paper we examine the legal aspects of the forensic investigation of peer-to-peer networks. Organisations may encounter instances where employees have used peer-to-peer software for a variety of types of computer misuse including the dissemination of copyrighted materials or indecent images, or instances where peer-to-peer software has been involved in the transmission of malware for malicious or criminal purposes. In this paper we examine the process of the forensic investigation of peer-to-peer networks, and the issues relating to obtaining digital evidence from such peer-to-peer networks.

11.
Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms like Microsoft Teams increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application, particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, the forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.

12.
Nordic police cooperation concerning cybercrimes has been developed during the last few years, e.g. through the Nordic Computer Forensics Investigators (NCFI) and Nordplus training programmes. More empirical research is needed in order to enhance cybercrime investigation and address the training needs of police officers. There is a knowledge gap concerning organizational models for the police's cybercrime investigation: how the function is organized, what the professional characteristics of the staff are, and how to combine computer forensics with crime investigation. The purpose of this paper was to study the organization of cybercrime investigation in Finland. Data were collected by a questionnaire from all 11 local police districts and the National Bureau of Investigation in July–August 2014. In addition, six thematic interviews of cybercrime investigators were conducted in 2014. Three investigation models of computer integrity crimes were found: (1) computer forensic investigators conduct the entire pre-trial examination, (2) computer forensic investigators conduct only the computer forensics, and tactical investigation is done by an occasional investigator, (3) computer forensic investigators conduct only the computer forensics and tactical investigation is centralized to designated investigators. The recognition of various organizational models and educational backgrounds of investigators will help to develop cybercrime investigation training.

13.
Digital Investigation 2014, 11(2):90-101
This paper defines a model of a special type of digital forensics tool, known as data acquisition tools, using the formal refinement language Event-B. The complexity and criticality of many types of computer and cybercrime nowadays, combined with improper or incorrect use of digital forensic tools, calls for more robust and reliable specifications of the functionality of digital forensics applications. As a minimum, the evidence produced by such tools must meet the admissibility standards the legal system requires, in general implying that it must be generated from reliable and robust tools. Despite the fact that some research and effort has been spent on the validation of digital forensics tools by means of testing, the verification of such tools and the formal specification of their expected behaviour remains largely under-researched. The goal of this work is to provide a formal specification against which implementations of data acquisition procedures can be analysed.
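The abstract gives no detail of the Event-B model itself, but the kind of property such a specification pins down can be illustrated at the implementation level: an acquisition routine paired with explicit, checkable invariants about the image it produces. The following is an added example written for this page, not the paper's Event-B model or any tool it analysed. The block device is a constructed in-memory stand-in with a configurable set of unreadable sectors, and the invariants (size preserved, readable sectors copied verbatim, unreadable sectors zero-filled and logged exactly once) are assumptions about what a specification of a forensic imager would require, in the spirit of how imagers such as dd_rescue and dcfldd treat read errors.

```python
"""Added example: sector-level acquisition with explicitly checked invariants."""
import hashlib

SECTOR = 512


class UnreadableSector(IOError):
    """Raised by the constructed device for sectors that fail to read."""


class FakeDevice:
    """Constructed read-only block device; `bad` lists sector numbers that fail."""

    def __init__(self, data: bytes, bad=frozenset()):
        self.data = data
        self.bad = set(bad)
        self.reads = 0

    def size(self) -> int:
        return len(self.data)

    def read_sector(self, n: int) -> bytes:
        self.reads += 1
        if n in self.bad:
            raise UnreadableSector(n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev):
    """Image every sector of `dev`.

    Unreadable sectors are replaced with zeros of the same length and their
    numbers are logged, so the image stays the same size as the source and the
    error log documents exactly what was not recovered.
    Returns (image_bytes, bad_sector_list, sha256_hex_of_image).
    """
    n_sectors = -(-dev.size() // SECTOR)          # ceiling division
    image = bytearray()
    bad = []
    for n in range(n_sectors):
        try:
            chunk = dev.read_sector(n)
        except UnreadableSector:
            chunk = b"\x00" * min(SECTOR, dev.size() - n * SECTOR)
            bad.append(n)
        image += chunk
    return bytes(image), bad, hashlib.sha256(image).hexdigest()


def check_invariants(dev, image: bytes, bad) -> bool:
    """Properties a formal specification of the acquisition would state.

    I1: the image has exactly the source's length (nothing added or dropped).
    I2: every readable sector appears verbatim at the same offset.
    I3: every unreadable sector is zero-filled and logged exactly once, and
        nothing else is logged.
    """
    if len(image) != dev.size():                                  # I1
        return False
    if len(bad) != len(set(bad)) or set(bad) != dev.bad:          # I3 (log)
        return False
    n_sectors = -(-dev.size() // SECTOR)
    for n in range(n_sectors):
        lo, hi = n * SECTOR, min((n + 1) * SECTOR, dev.size())
        if n in dev.bad:
            if image[lo:hi] != b"\x00" * (hi - lo):               # I3 (fill)
                return False
        elif image[lo:hi] != dev.data[lo:hi]:                     # I2
            return False
    return True


if __name__ == "__main__":
    # Constructed source: 4 full sectors plus a 100-byte partial one, sector 2 bad.
    dev = FakeDevice(bytes(range(256)) * 8 + b"\x07" * 100, bad={2})
    img, bad_list, digest = acquire(dev)
    print(len(img), bad_list, digest[:16], check_invariants(dev, img, bad_list))
```

The point of separating `check_invariants` from `acquire` is the one the abstract makes: the properties are stated independently of any implementation, so a different imaging routine can be tested against the same specification, and a deviation (a dropped partial last sector, an unlogged read error) is a concrete, reproducible failure rather than an opinion about the tool.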

14.
File-sharing apps with Wi-Fi hotspot or Wi-Fi Direct functions are becoming more popular. They can work on multiple platforms and allow users to transfer files in a concealed manner. However, when criminals use these apps in illegal activities, it becomes an important issue for investigators to find digital evidence on multiple platforms. At present, there are few studies on this topic, and most of them are limited to the single-platform problem. In this paper, we propose a forensic examination method for four popular cross-platform file-sharing apps with Wi-Fi hotspot and Wi-Fi Direct functions: Zapya, SHAREit, Xender, and Feem. We use 22 static and live forensic tools for 11 platforms to acquire, analyze, and classify the forensic artifacts. In our experiments, we find many useful forensic artifacts and classify them into six categories. The experimental results can support law enforcement investigations of digital evidence and provide information for future studies on other cross-platform file-sharing apps.

15.
Digital Investigation 2014, 11(4):314-322
This research comparatively evaluates four competing clustering algorithms for thematically clustering digital forensic text string search output. It does so in a more realistic context, respecting data size and heterogeneity, than has been researched in the past. In this study, we used physical-level text string search output, consisting of over two million search hits found in nearly 50,000 allocated files and unallocated blocks. Holding the data set constant, we comparatively evaluated k-means, Kohonen SOM, Latent Dirichlet Allocation (LDA) followed by k-means, and LDA followed by SOM. This enables true cross-algorithm evaluation, whereas past studies evaluated singular algorithms using unique, non-reproducible datasets. Our research shows that LDA + k-means using a linear, centroid-based user navigation procedure produces optimal results. The winning approach increased information retrieval effectiveness from the baseline random-walk absolute precision rate of 0.04 to an average precision rate of 0.67. We also explored a variety of algorithms for user navigation of search hit results, finding that the performance of k-means clustering can be greatly improved with a non-linear, non-centroid-based cluster and document navigation procedure, which has potential implications for digital forensic tools and use thereof, particularly given the popularity and speed of k-means clustering.

16.
This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attacks and the points to attend to when setting up an Internet phone. The importance of digital evidence and digital forensics is emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.

17.
Due to the democratisation of new technologies, computer forensics investigators have to deal with volumes of data which are becoming increasingly large and heterogeneous. Indeed, on a single machine, hundreds of events occur per minute, produced and logged by the operating system and various software. Therefore, the identification of evidence, and more generally the reconstruction of past events, is a tedious and time-consuming task for the investigators. Our work aims at automatically reconstructing and analysing the events related to a digital incident, while respecting legal requirements. To tackle those three main problems (volume, heterogeneity and legal requirements), we identify seven necessary criteria that an efficient reconstruction tool must meet. This paper introduces an approach based on a three-layered ontology, called ORD2I, to represent any digital event. ORD2I is associated with a set of operators to analyse the resulting timeline and to ensure the reproducibility of the investigation.

18.
Cloud storage services allow users to store their data online, so that they can remotely access, maintain, manage, and back up data from anywhere via the Internet. Although helpful, this storage creates a challenge for digital forensic investigators and practitioners in collecting, identifying, acquiring, and preserving evidential data. This study proposes an investigation scheme for analyzing data remnants and determining probative artifacts in a cloud environment. Using pCloud as a case study, this research collected the data remnants available on end-user device storage following the storing, uploading, and accessing of data in the cloud storage. Data remnants are collected from several sources, including client software files, directory listings, prefetch, registry, network PCAP, browser, memory and link files. Results demonstrate that the collected remnant data are beneficial in determining a sufficient number of artifacts about the investigated cybercrime.

19.
Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file-wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we comprehensively analyzed the traces that the operation of 10 file-wiping tools leaves in 13 Windows artifacts. For our experiments, we installed each file-wiping tool on a separate virtual machine and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces in the artifacts other than JumpList, Open&SavePidlMRU, and lnk, and in some cases traces remained in those three artifacts as well. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, which can assist in decision-making for evidence collection and forensic triage.

20.
In the United States, medicolegal death investigation practices and policies pertaining to sudden unexpected deaths are mandated by state government. Practices vary across states, which contributes to inconsistency in job prerequisites and training. In preparation for a study focused on occupational safety and health of medicolegal death investigators in their on-scene and follow-up activities, a scoping review was conducted to document known occupational safety risks and health-related conditions associated with death investigation. Searches used Boolean and subject heading operators both broad and narrow in scope, and search terms included scene responder, hazard, investigator, forensic pathology, injury, and safety. Twenty-five articles met inclusion criteria, which included seventeen survey-mixed method designs, two systematic reviews, five quasi-experimental designs, and one case study. Twelve articles addressed mental health and eleven focused on risks associated with infectious disease. One article addressed the risk of chemical exposure from cyanide among autopsy personnel (including forensic pathologists) and nine included a wide range of employees within the setting of medical examiner or coroner offices. One article, addressing burnout, included employees in a forensic science laboratory setting as well as medicolegal death investigators, and two articles included forensic pathologists and medicolegal death investigators. Only one article addressed medicolegal death investigators specifically. Articles addressing occupational and environmental hazards of medicolegal death investigators associated with musculoskeletal, respiratory, cardiovascular, radiological, nuclear, electrical, or explosive threats were not identified. There is little published about safety risks inherent in conducting death investigations. Research is needed to adequately inform health promotion and injury prevention strategies.

Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号