Digital forensics as a service: Game on

The big data era has a high impact on forensic data analysis. Work is done in speeding up the processing of large amounts of data and enriching this processing with new techniques. Doing forensics calls for specific design considerations, since the processed data is incredibly sensitive. In this paper we explore the impact of forensic drivers and major design principles like security, privacy and transparency on the design and implementation of a centralized digital forensics service.     

A RAM triage methodology for Hadoop HDFS forensics

This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.     

Information assurance in a distributed forensic cluster

When digital forensics started in the mid-1980s most of the software used for analysis came from writing and debugging software. Amongst these tools was the UNIX utility ‘dd’ which was used to create an image of an entire storage device. In the next decade the practice of creating and using ‘an image’ became established as a fundamental base of what we call ‘sound forensic practice’. By virtue of its structure, every file within the media was an integrated part of the image and so we were assured that it was wholesome representation of the digital crime scene. In an age of terabyte media ‘the image’ is becoming increasingly cumbersome to process, simply because of its size. One solution to this lies in the use of distributed systems. However, the data assurance inherent in a single media image file is lost when data is stored in separate files distributed across a system. In this paper we assess current assurance practices and provide some solutions to the need to have assurance within a distributed system.     

Cloud forensics–Tool development studies & future outlook

In this work, we describe our experiences in developing cloud forensics tools and use them to support three main points:First, we make the argument that cloud forensics is a qualitatively different problem. In the context of SaaS, it is incompatible with long-established acquisition and analysis techniques, and requires a new approach and forensic toolset. We show that client-side techniques, which are an extension of methods used over the last three decades, have inherent limitations that can only be overcome by working directly with the interfaces provided by cloud service providers.Second, we present our results in building forensic tools in the form of three case studies: kumodd–a tool for cloud drive acquisition, kumodocs–a tool for Google Docs acquisition and analysis, and kumofs–a tool for remote preview and screening of cloud drive data. We show that these tools, which work with the public and private APIs of the respective services, provide new capabilities that cannot be achieved by examining client-side artifacts.Finally, we use current IT trends, and our lessons learned, to outline the emerging new forensic landscape, and the most likely course of tool development over the next five years.     

Advanced carving techniques

Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery.Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files.At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image.This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Work-Shop's (DFRWS) 2007 carving challenge.     

Digital evidence in cloud computing systems

Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems.     

Data fragment forensics for embedded DVR systems

A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics.To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequential fragmentation and missing fragments overwritten by other data.This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on techniques described in this paper.     

Toward a General Ontology for Digital Forensic Disciplines

Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.     

“I couldn't find it your honour,it mustn't be there!” – Tool errors,tool limitations and user error in digital forensics

The field of digital forensics maintains significant reliance on the software it uses to acquire and investigate forms of digital evidence. Without these tools, analysis of digital devices would often not be possible. Despite such levels of reliance, techniques for validating digital forensic software are sparse and research is limited in both volume and depth. As practitioners pursue the goal of producing robust evidence, they face the onerous task of both ensuring the accuracy of their tools and, their effective use. Whilst tool errors provide one issue, establishing a tool's limitations also provides an investigatory challenge leading the potential for practitioner user-error and ultimately a grey area of accountability. This article debates the problems surrounding digital forensic tool usage, evidential reliability and validation.     

Forensic Investigation of Cooperative Storage Cloud Service: Symform as a Case Study

Researchers envisioned Storage as a Service (StaaS) as an effective solution to the distributed management of digital data. Cooperative storage cloud forensic is relatively new and is an under‐explored area of research. Using Symform as a case study, we seek to determine the data remnants from the use of cooperative cloud storage services. In particular, we consider both mobile devices and personal computers running various popular operating systems, namely Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4. Potential artefacts recovered during the research include data relating to the installation and uninstallation of the cloud applications, log‐in to and log‐out from Symform account using the client application, file synchronization as well as their time stamp information. This research contributes to an in‐depth understanding of the types of terrestrial artifacts that are likely to remain after the use of cooperative storage cloud on client devices.     

Impacts of increasing volume of digital forensic data: A survey and future research challenges

A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.     

A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence

This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.     

Digital traces and physical activities: opportunities,challenges and pitfalls

The strong integration of consumer electronics in everyday life offers many new investigative opportunities. In particular, digital traces from smartphones, smartwatches and activity trackers can now increasingly be used to infer information about actions performed by their users in the physical world that might not be obtainable from any other types of forensic evidence.While potentially very valuable from an investigative perspective, making forensically justifiable statements about such traces can sometimes be more difficult than expected. Requirements for this have not yet received much attention in the digital forensic literature. To help filling this gap, we describe the principles we use in determining the evidential value of such traces, which emphasize the need for experimental verification. For such research, aimed at determining the evidential value of these traces, we coin the term data2activity.In this paper, we devote attention to the potential and limitations of data2activity traces, focusing on challenges and giving two examples to illustrate potential pitfalls in interpreting data. Finally, future research directions into data2activity traces are indicated that, in our opinion, should be given attention. These include development of future-proof data acquisition and storage methodology, enabling division-of-effort and sharing of information, as well as development of labeling methodology for free-living experiments.     

Advanced Framework for Digital Forensic Technologies and Procedures*

Abstract: Recent trends in global networks are leading toward service‐oriented architectures and sensor networks. On one hand of the spectrum, this means deployment of services from numerous providers to form new service composites, and on the other hand this means emergence of Internet of things. Both these kinds belong to a plethora of realms and can be deployed in many ways, which will pose serious problems in cases of abuse. Consequently, both trends increase the need for new approaches to digital forensics that would furnish admissible evidence for litigation. Because technology alone is clearly not sufficient, it has to be adequately supported by appropriate investigative procedures, which have yet become a subject of an international consensus. This paper therefore provides appropriate a holistic framework to foster an internationally agreed upon approach in digital forensics along with necessary improvements. It is based on a top‐down approach, starting with legal, continuing with organizational, and ending with technical issues. More precisely, the paper presents a new architectural technological solution that addresses the core forensic principles at its roots. It deploys so‐called leveled message authentication codes and digital signatures to provide data integrity in a way that significantly eases forensic investigations into attacked systems in their operational state. Further, using a top‐down approach a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators perform routine investigations, without becoming overwhelmed by low‐level details. As low‐level details should not be left out, the framework is further evaluated to include these details to allow organizations to configure their systems for proactive collection and preservation of potential digital evidence in a structured manner. The main reason behind this approach is to stimulate efforts on an internationally agreed “template legislation,” similarly to model law in the area of electronic commerce, which would enable harmonized national implementations in the area of digital forensics.     

Passive forensics in image and video using noise features: A review

Due to present of enormous free image and video editing software on the Internet, tampering of digital images and videos have become very easy. Validating the integrity of images or videos and detecting any attempt of forgery without use of active forensic technique such as Digital Signature or Digital Watermark is a big challenge to researchers. Passive forensic techniques, unlike active techniques, do not need any preembeded information about the image or video. The proposed paper presents a comprehensive review of the recent developments in the field of digital image and video forensic using noise features. The previously existing methods of image and video forensics proved the importance of noises and encourage us for the study and perform extensive research in this field. Moreover, in this paper, forensic task cover mainly source identification and forgery detection in the image and video using noise features. Thus, various source identification and forgery detection methods using noise features are reviewed and compared in this paper for image and video. The overall objective of this paper is to give researchers a broad perspective on various aspects of image and video forensics using noise features. Conclusion part of this paper discusses about the importance of noise features and the challenges encountered by different image and video forensic method using noise features.     

Trust in digital records: An increasingly cloudy legal area

Trust has been defined in many ways, but at its core it involves acting without the knowledge needed to act. Trust in records depends on four types of knowledge about the creator or custodian of the records: reputation, past performance, competence, and the assurance of confidence in future performance. For over half a century society has been developing and adopting new computer technologies for business and communications in both the public and private realm. Frameworks for establishing trust have developed as technology has progressed. Today, individuals and organizations are increasingly saving and accessing records in cloud computing infrastructures, where we cannot assess our trust in records solely on the four types of knowledge used in the past. Drawing on research conducted at the University of British Columbia into the nature of digital records and their trustworthiness, this article presents the conceptual archival and digital forensic frameworks of trust in records and data, and explores the common law legal framework within which questions of trust in documentary evidence are being tested. Issues and challenges specific to cloud computing are introduced.     

Taxonomy of Challenges for Digital Forensics

Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.     

Modelling and refinement of forensic data acquisition specifications

This paper defines a model of a special type of digital forensics tools, known as data acquisition tools, using the formal refinement language Event-B. The complexity and criticality of many types of computer and Cyber crime nowadays combined with improper or incorrect use of digital forensic tools calls for more robust and reliable specifications of the functionality of digital forensics applications. As a minimum, the evidence produced by such tools must meet the minimum admissibility standards the legal system requires, in general implying that it must be generated from reliable and robust tools. Despite the fact that some research and effort has been spent on the validation of digital forensics tools by means of testing, the verification of such tools and the formal specification of their expected behaviour remains largely under-researched. The goal of this work is to provide a formal specification against which implementations of data acquisition procedures can be analysed.     

Detecting data theft using stochastic forensics

We present a method to examine a filesystem and determine if and when files were copied from it. We develop this method by stochastically modeling filesystem behavior under both routine activity and copying, and identifying emergent patterns in MAC timestamps unique to copying. These patterns are detectable even months afterwards. We have successfully used this method to investigate data exfiltration in the field. Our method presents a new approach to forensics: by looking for stochastically emergent patterns, we can detect silent activities that lack artifacts.