Similar literature
 Found 20 similar documents; search took 328 ms
1.
Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to screen and analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations. Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages and evaluation methodology is still evolving. Broadly, prior approaches have used either a human in the loop to manually evaluate the goodness of similarity matches on real world data, or controlled (pseudo-random) data to perform automated evaluation. This work's contribution is to introduce automated approximate matching evaluation on real data by relating approximate matching results to the longest common substring (LCS). Specifically, we introduce a computationally efficient LCS approximation and use it to obtain ground truth on the t5 set. Using the results, we evaluate three existing approximate matching schemes relative to LCS and analyze their performance.

2.
Automated input identification is a very challenging, but also important task. Within computer forensics this reduces the amount of data an investigator has to look at by hand. Besides identifying exact duplicates, which is mostly solved using cryptographic hash functions, it is necessary to cope with similar inputs (e.g., different versions of a file), embedded objects (e.g., a JPG within a Word document), and fragments (e.g., network packets), too. Over the recent years a couple of different similarity hashing algorithms were published. However, due to the absence of a definition and a test framework, it is hardly possible to evaluate and compare these approaches to establish them in the community. The paper at hand aims at providing an assessment methodology and a sample implementation called FRASH: a framework to test algorithms of similarity hashing. First, we describe common use cases of a similarity hashing algorithm to motivate our two test classes efficiency and sensitivity & robustness. Next, our open and freely available framework is briefly described. Finally, we apply FRASH to the well-known similarity hashing approaches ssdeep and sdhash to show their strengths and weaknesses.

3.
Investigating seized devices within digital forensics gets more and more difficult due to the increasing amount of data. Hence, a common procedure uses automated file identification which reduces the amount of data an investigator has to look at by hand. Besides identifying exact duplicates, which is mostly solved using cryptographic hash functions, it is also helpful to detect similar data by applying approximate matching. Let x denote the number of digests in a database, then the lookup for a single similarity digest has the complexity of O(x). In other words, the digest has to be compared against all digests in the database. In contrast, cryptographic hash values are stored within binary trees or hash tables and hence the lookup complexity of a single digest is O(log2(x)) or O(1), respectively. In this paper we present and evaluate a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(x) to O(1). Therefore, instead of using multiple small Bloom filters (which is the common procedure), we demonstrate that a single, huge Bloom filter has a far better performance. Our evaluation demonstrates that current approximate matching algorithms are too slow (e.g., over 21 min to compare 4457 digests of a common file corpus against each other) while the improved version solves this challenge within seconds. Studying the precision and recall rates shows that our approach works as reliably as the original implementations. We obtain this benefit by accuracy–the comparison is now a file-against-set comparison and thus it is not possible to see which file in the database is matched.

4.
Large-scale digital forensic investigations present at least two fundamental challenges. The first one is accommodating the computational needs of a large amount of data to be processed. The second one is extracting useful information from the raw data in an automated fashion. Both of these problems could result in long processing times that can seriously hamper an investigation. In this paper, we discuss a new approach to one of the basic operations that is invariably applied to raw data – hashing. The essential idea is to produce an efficient and scalable hashing scheme that can be used to supplement the traditional cryptographic hashing during the initial pass over the raw evidence. The goal is to retain enough information to allow binary data to be queried for similarity at various levels of granularity without any further pre-processing/indexing. The specific solution we propose, called a multi-resolution similarity hash (or MRS hash), is a generalization of recent work in the area. Its main advantages are robust performance – raw speed comparable to a high-grade block-level crypto hash, scalability – ability to compare targets that vary in size by orders of magnitude, and space efficiency – typically below 0.5% of the size of the target.

5.
The fast growth of the average size of digital forensic targets demands new automated means to quickly, accurately and reliably correlate digital artifacts. Such tools need to offer more flexibility than the routine known-file filtering based on crypto hashes. Currently, there are two tools for which NIST has produced reference hash sets–ssdeep and sdhash. The former provides a fixed-sized fuzzy hash based on random polynomials, whereas the latter produces a variable-length similarity digest based on statistically-identified features packed into Bloom filters. This study provides a baseline evaluation of the capabilities of these tools both in a controlled environment and on real-world data. The results show that the similarity digest approach significantly outperforms in terms of recall and precision in all tested scenarios and demonstrates robust and scalable behavior.

6.
Identity-based cryptography has attracted attention in the cryptographic research community in recent years. Despite the importance of cryptographic schemes for applications in business and law, the legal implications of identity-based cryptography have not yet been discussed. We investigate how identity-based signatures fit into the legal framework. We focus on the European Signature Directive, but also take the UNCITRAL Model Law on Electronic Signatures into account. In contrast to previous assumptions, identity-based signature schemes can, in principle, be used even for qualified electronic signatures, which can replace handwritten signatures in the member states of the European Union. We derive requirements to be taken into account in the development of future identity-based signature schemes.

7.
8.
Current digital forensic text string search tools use match and/or indexing algorithms to search digital evidence at the physical level to locate specific text strings. They are designed to achieve 100% query recall (i.e. find all instances of the text strings). Given the nature of the data set, this leads to an extremely high incidence of hits that are not relevant to investigative objectives. Although Internet search engines suffer similarly, they employ ranking algorithms to present the search results in a more effective and efficient manner from the user's perspective. Current digital forensic text string search tools fail to group and/or order search hits in a manner that appreciably improves the investigator's ability to get to the relevant hits first (or at least more quickly). This research proposes and empirically tests the feasibility and utility of post-retrieval clustering of digital forensic text string search results – specifically by using Kohonen Self-Organizing Maps, a self-organizing neural network approach. This paper is presented as a work-in-progress. A working tool has been developed and experimentation has begun. Findings regarding the feasibility and utility of the proposed approach will be presented at DFRWS 2007, as well as suggestions for follow-on research.

9.
The increasing popularity of cryptography poses a great challenge in the field of digital forensics. Digital evidence protected by strong encryption may be impossible to decrypt without the correct key. We propose novel methods for cryptographic key identification and present a new proof of concept tool named Interrogate that searches through volatile memory and recovers cryptographic keys used by the ciphers AES, Serpent and Twofish. By using the tool in a virtual digital crime scene, we simulate and examine the different states of systems where well known and popular cryptosystems are installed. Our experiments show that the chances of uncovering cryptographic keys are high when the digital crime scene is in certain well-defined states. Finally, we argue that the consequence of this and other recent results regarding memory acquisition require that the current practices of digital forensics should be guided towards a more forensically sound way of handling live analysis in a digital crime scene.

10.
It has been argued that the use of the concept of ākāra—a mental “form,” “appearance” or “aspect”—in Buddhist epistemological analysis or pramāṇa exhibits continuities with earlier Buddhist thinking about mental processes, in particular in Abhidharma. A detailed inquiry into uses of the term ākāra in pertinent contexts in Vasubandhu’s Abhidharmakośabhāṣya brings to light different semantic nuances and functions of this term. The characteristic use of ākāra in Buddhist epistemological discourse turns out to be continuous with only some of the nuances it has in Abhidharma. Moreover, ākāra becomes associated with novel explanatory functions in Buddhist pramāṇa. These discoveries underscore the need to pay closer attention to the reuse of terms and concepts, ideas and arguments in Buddhist philosophy, and to the often subtle adaptations and transformations that formed an integral part of its history.

11.
The National Software Reference Library (NSRL) is an essential data source for forensic investigators, providing in its Reference Data Set (RDS) a set of hash values of known software. However, the NSRL RDS has not previously been tested against a broad spectrum of real-world data. The current work did this using a corpus of 36 million files on 2337 drives from 21 countries. These experiments answered a number of important questions about the NSRL RDS, including what fraction of files it recognizes of different types. NSRL coverage by vendor/product was also tested, finding 51% of the vendor/product names in our corpus had no hash values at all in NSRL. It is shown that coverage or “recall” of the NSRL can be improved with additions from our corpus such as frequently-occurring files and files whose paths were found previously in NSRL with a different hash value. This provided 937,570 new hash values which should be uncontroversial additions to NSRL. Several additional tests investigated the accuracy of the NSRL data. Experiments testing the hash values saw no evidence of errors. Tests of file sizes showed them to be consistent except for a few cases. On the other hand, the product types assigned by NSRL can be disputed, and it failed to recognize any of a sample of virus-infected files. The file names provided by NSRL had numerous discrepancies with the file names found in the corpus, so the discrepancies were categorized; among other things, there were apparent spelling and punctuation errors. Some file names suggest that NSRL hash values were computed on deleted files, not a safe practice. The tests had the secondary benefit of helping identify occasional errors in the metadata obtained from drive imaging on deleted files in our corpus. This research has provided much data useful in improving NSRL and the forensic tools that depend upon it. It also provides a general methodology and software for testing hash sets against corpora.

12.
Despite the apparent widespread use of psychological tests in evaluations performed by psychologists to assist legal decision makers, there has been little critical but balanced examination of the appropriate parameters for the forensic use of such tests. The following discussion examines the nature of legal decision making, and concludes that the primary legal criterion for the admissibility of psychological testing is relevance to the immediate legal issue or to some underlying psychological construct. Assuming that accuracy is a more consistent concern for psychologists performing such evaluations, the criticisms of various commentators are discussed. Some criticisms appear appropriate and are incorporated into a set of proposed guidelines for the use of psychological tests in forensic contexts. Other criticisms appear misplaced, however, and the call for a wholesale ban on psychological testing in the forensic context is rejected.

13.
This article examines how the Kashmiri non-dualistic Śaiva philosophers Utpaladeva (tenth century) and Abhinavagupta (10th–11th centuries) present and criticize a theory expounded by certain Buddhist philosophers, identified by the two Śaiva authors as Sautrāntikas. According to this theory, no entity external to consciousness can ever be perceived since perceived objects are nothing but internal aspects (ākāra) of consciousness. Nonetheless we must infer the existence of external entities so as to account for the fact that consciousness is aware of a variety of objects: just as a mirror takes on a variegated appearance only by reflecting a multiplicity of objects that remain external to it, in the same way, phenomenal variety can be explained only by assuming the existence of various objects external to consciousness. In Īśvarapratyabhijñākārikās I, 5, 8–9 and their commentaries, Utpaladeva and Abhinavagupta endeavour to criticize this theory, which challenges their own idealistic principles: according to them, the Sautrāntikas’ inference is neither legitimate nor even possible. The passage is particularly telling as regards the strategy developed by Pratyabhijñā philosophers with respect to their Buddhist opponents: they make use of certain arguments propounded by Dharmakīrti in defense of Vijñānavāda in order to criticize the Sautrāntikas’ inference, but they also exploit this discussion to underline the superiority of their idealism over that of the Vijñānavādins.

14.
The authors have analyzed 80 skeletons (40 males and 40 females) from the collection at the Institute of Legal Medicine of the University of Bari belonging to a known contemporary Southern Italian population; time of death was around 1970 and ages ranged from 25 to 80 years. Seven measurements taken on 80 intact, undeformed right patellae (max height, max width, thickness, height and width of the external facies articularis, height and width of the internal facies articularis) were used to determine sex by multivariate discriminant analysis. One function associating two parameters (max width and thickness) obtained the highest value of correct sex determination with a rate of 83.8%; other functions showed a higher percentage of misclassification (up to 17.5%). This study tests the success rate of correct sex prediction based exclusively on patellar dimensions. The discriminant functions carried out by statistical analysis may aid the forensic anthropologist when no other human skeletal remains suitable for sex determination are available.

15.
Accurate age estimates of immature necrophagous insects associated with a human or animal body can provide evidence of how long the body has been dead. These estimates are based on species-specific details of the insects’ aging processes, and therefore require accurate species identification and developmental stage estimation. Many professionals who produce or use identified organisms as forensic evidence have little training in taxonomy or metrology, and appreciate the availability of formalized principles and standards for biological identification. Taxonomic identifications are usually most readily and economically made using categorical and qualitative morphological characters, but it may be necessary to use less convenient and potentially more ambiguous characters that are continuous and quantitative if two candidate species are closely related, or if identifying developmental stages within a species. Characters should be selected by criteria such as taxonomic specificity and metrological repeatability and relative error. We propose such a hierarchical framework, critique various measurements of immature insects, and suggest some standard approaches to determine the reliability of organismal identifications and measurements in estimating postmortem intervals. Relevant criteria for good characters include high repeatability (including low scope for ambiguity or parallax effects), pronounced discreteness, and small relative error in measurements. These same principles apply to individuation of unique objects in general.

Key points

  • Metrological rigour can increase in forensic entomology by selecting measurements based on their metrological qualities.
  • Selection of high-quality features for morphological identification of organisms should consider these criteria: (1) pronounced discreteness of features (minimising group overlap or maximizing interval); (2) high repeatability of assessment (such as symmetrical width rather than asymmetrical length); (3) small relative error in measurement (selecting the physically largest continuous rigid feature for measurement).
  • These metrological principles also apply to individuation of unique objects in general.

16.

Objectives

While many criminological theories posit causal hypotheses, many studies fail to use methods that adequately address the three criteria of causality. This is particularly important when assessing the impact of criminal justice involvement on later outcomes. Due to practical and ethical concerns, it is challenging to randomize criminal sanctions, so quasi-experimental methods such as propensity score matching are often used to approximate a randomized design. Based on longitudinal data from the Cambridge Study in Delinquent Development, the current study used propensity score matching to investigate the extent to which convictions and/or incarcerations in the first two decades of life were related to adverse mental health during middle adulthood.

Methods

Propensity scores were utilized to match those with and without criminal justice involvement on a wide range of risk factors for offending.

Results

The results indicated that there were no significant differences in mental health between those involved in the criminal justice system and those without such involvement.

Conclusions

The results did not detect a relationship between justice system involvement and later mental health suggesting that the consequences of criminal justice involvement may only be limited to certain domains.

17.

Objectives

Despite evidence that treatment is effective in reducing recidivism among inmates with substance use problems, scarce resources mean that few of those in need of treatment actually receive it. Computerized substance abuse interventions could be used to expand access to treatment in prisons without placing an undue burden on resources. The major aim of the study was to compare treatment conditions in terms of their service utilization, skills acquisition, and treatment satisfaction.

Methods

The study recruited men and women with substance use disorders from 10 prisons in 4 states. In an open label clinical trial, 494 subjects were randomly assigned either to the Experimental condition, a computerized drug treatment intervention, the Therapeutic Education System (TES; n = 249), or to the Control condition, Standard Care (n = 245). Chi-square tests compared groups on categorical variables and independent samples t tests were used for interval level continuous variables.

Results

Initial evidence demonstrated: (1) comparable group rates of session attendance and high rates of TES module completion for experimental subjects; (2) comparable group gains in the development of coping skills; and (3) a more favorable view of TES than of Standard Care.

Conclusions

Collectively, these results show that a computerized intervention, such as TES, can be implemented successfully in prison. Given the barriers to the delivery of substance abuse treatment typically encountered in correctional settings, computerized interventions have the potential to fill a significant treatment gap and are particularly well suited to inmates with mild to moderate substance use disorders who often are not treated.

18.
The transfer of DNA from hands to objects by holding or touching has been examined in the past. The main purpose of this study was to examine the variation in the amount of DNA transferred from hands to glass, fabric and wood. The study involved 300 volunteers (100 for glass, 100 for fabric and 100 for wood) 50% of which were male and 50% female. The volunteers held the material for 60 s. The DNA was recovered from the objects using a minitape lift, quantified using the Quantifiler kit assay, extracted using a ‘Qiagen® QIAamp DNA mini kit’ and amplified using the AmpFlSTR® SGM Plus™ Amplification Kit at 28 cycles. The results show that using ANOVA there was a significant difference (F = 8.2, p < 0.05) between the three object types in the amount of DNA recovered. In terms of DNA transfer and recovery, wood gave the best yield, followed by fabric and then glass. The likelihood of success of obtaining a profile indicative of the holder was approximately 9% for glass samples, 23% for fabric and 36% for wood. There was no significant difference between the amount of DNA transferred by male or female volunteers. In this study good shedder status, as defined by obtaining useful profiles of 6 or more alleles, is estimated at approximately 22% of the population. The phenomenon of secondary transfer was observed when mixed DNA profiles were obtained but the incidence was low at approximately 10% of the total number of samples. DNA profiles corresponding to more than one person were found on objects which had been touched by only one volunteer. Although secondary transfer is possible the profiles obtained from touched objects are more likely to be as a result of primary transfer rather than a secondary source.

19.
20.
Positive controls are necessary standards for inclusion in forensic tests. When working as expected they demonstrate that methods have been applied correctly, and therefore results can be interpreted with confidence. However, the requirement for positive controls can also introduce problems. For species identification in wildlife DNA forensic testing, it is possible that the DNA sequence of the case sample will be a 100% match to the positive control. Whilst clear results for negative controls will indicate that cross-contamination is unlikely, it would be preferable to have a positive control that will not appear in casework. In addition, for many endangered species, obtaining positive control DNA for species-specific testing can be problematic. Here we present a simple method to use artificially generated positive control DNA from the extinct Dodo, Raphus cucullatus, for four species-identification tests run routinely in UK wildlife forensic casework.
