手机物证检验及其在刑事侦查中的应用

随着移动通信技术的迅速发展和广泛应用,手机内部包含的信息已经成为犯罪侦查重要的线索和证据来源。采用专门的符合物证鉴定原理要求的技术方法检验手机的SIM卡存储器、主板存储器和闪存卡,可以获得大量的手机使用者个人信息、通信内容信息、通信发生信息、使用者写入存储信息和手机设置信息等大量信息资料。手机检验结果给出的这些信息具有非常高的侦查和证据价值的,手机也因此成为物证鉴定领域内一个新的检验对象。     

A case study on anonymised sharing platforms and digital traces left by their usage

Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.     

When finding nothing may be evidence of something: Anti-forensics and digital tool marks

There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, ‘digital tool marks’ (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.     

Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.     

I shop online – recreationally! Internet anonymity and Silk Road enabling drug use in Australia

Internet technologies are beginning to influence the sale and supply of illicit drugs in Australia. One such technology, an online marketplace known as Silk Road, had dramatically increased in popularity since its worldwide launch in February 2011. This research and paper were completed prior to the Silk Road's founder, Ross Ulbricht being arrested on 2 October 2013 and Silk Road being taken off line. This research paper will consider such factors; as the increasing use of internet by Australians, the popularity of shopping online and the variance in the quality and price of products available on Silk Road to those available in other drug markets. The case study will provide an in-depth look at Silk Road from an Australian perspective and in light of the continuing popularity of illicit drug use in Australia. Though Silk Road is currently off line, ‘Bitcoin’ has survived and it will only be a matter of time before a substitute for Silk Road emerges.     

File fragment encoding classification—An empirical approach

Over the past decade, a substantial effort has been put into developing methods to classify file fragments. Throughout, it has been an article of faith that data fragments, such as disk blocks, can be attributed to different file types. This work is an attempt to critically examine the underlying assumptions and compare them to empirically collected data. Specifically, we focus most of our effort on surveying several common compressed data formats, and show that the simplistic conceptual framework of prior work is at odds with the realities of actual data. We introduce a new tool, zsniff, which allows us to analyze deflate-encoded data, and we use it to perform an empirical survey of deflate-coded text, images, and executables. The results offer a conceptually new type of classification capabilities that cannot be achieved by other means.     

That tool is rubbish!…or is it?

Digital forensic practitioners often utilise a range of tools throughout their casework in order to access, identify and analyse relevant data, making them a vital part of conducting thorough, efficient and accurate digital examinations of device content and datasets. Whilst their importance cannot be understated, there is also no guarantee that their functionality is free from error, where similarly, no practitioner can 100% assure that their performance is flawless. Should an error occur during an investigation, assuming that it has been identified, then determining the cause of it is important for the purposes of ensuring quality control in both the immediate investigation and for longer-term practice improvements. Perhaps anecdotally, a starting position in any postmortem review of an error may be to suspect that any tools used may be at fault, where recent narratives and initiatives have enforced the need to evaluate all tools prior to them being used in any live investigation. Yet, in addition, an error may occur as a result of a practitioner’s investigative conduct. This work discusses the concept of ‘fault-attribution’, focusing on the roles of the forensic tool and practitioner, and proposes a series of principles for determining responsibility for an investigative error.     

Digital forensics as a service: Game on

The big data era has a high impact on forensic data analysis. Work is done in speeding up the processing of large amounts of data and enriching this processing with new techniques. Doing forensics calls for specific design considerations, since the processed data is incredibly sensitive. In this paper we explore the impact of forensic drivers and major design principles like security, privacy and transparency on the design and implementation of a centralized digital forensics service.