In‐Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes

The comparison studies on random access memory (RAM) acquisition tools are either limited in metrics or the selected tools were designed to be executed in older operating systems. Therefore, this study evaluates widely used seven shareware or freeware/open source RAM acquisition forensic tools that are compatible to work with the latest 64‐bit Windows operating systems. These tools' user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs, modified registry keys, and invoked files during processing were compared. We observed that Windows Memory Reader and Belkasoft's Live Ram Capturer leaves the least fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poor in memory usage, processing time, DLL usage, and not‐wanted artifacts introduced to the system. While Belkasoft's Live Ram Capturer is the fastest to obtain an image of the memory, Pro Discover takes the longest time to do the same job.     

A study of user data integrity during acquisition of Android devices

At the time of this writing, Android devices are widely used, and many studies considering methods of forensic acquisition of data from Android devices have been conducted. Similarly, a diverse collection of smartphone forensic tools has also been introduced. However, studies conducted thus far do not normally guarantee data integrity required for digital forensic investigations. Therefore, this work uses a previously proposed method of Android device acquisition utilizing ‘Recovery Mode’. This work evaluates Android Recovery Mode variables that potentially compromise data integrity at the time of data acquisition. Based on the conducted analysis, an Android data acquisition tool that ensures the integrity of acquired data is developed, which is demonstrated in a case study to test tool's ability to preserve data integrity.     

Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.     

Cloud forensics–Tool development studies & future outlook

In this work, we describe our experiences in developing cloud forensics tools and use them to support three main points:First, we make the argument that cloud forensics is a qualitatively different problem. In the context of SaaS, it is incompatible with long-established acquisition and analysis techniques, and requires a new approach and forensic toolset. We show that client-side techniques, which are an extension of methods used over the last three decades, have inherent limitations that can only be overcome by working directly with the interfaces provided by cloud service providers.Second, we present our results in building forensic tools in the form of three case studies: kumodd–a tool for cloud drive acquisition, kumodocs–a tool for Google Docs acquisition and analysis, and kumofs–a tool for remote preview and screening of cloud drive data. We show that these tools, which work with the public and private APIs of the respective services, provide new capabilities that cannot be achieved by examining client-side artifacts.Finally, we use current IT trends, and our lessons learned, to outline the emerging new forensic landscape, and the most likely course of tool development over the next five years.     

An evaluation platform for forensic memory acquisition software

Memory forensics has gradually moved into the focus of researchers and practitioners alike in recent years. With an increasing effort to extract valuable information from a snapshot of a computer's RAM, the necessity to properly assess the respective solutions rises as well. In this paper, we present an evaluation platform for forensic memory acquisition software. The platform is capable of measuring distinct factors that determine the quality of a generated memory image, specifically its correctness, atomicity, and integrity. Tests are performed for three popular open source applications, win32dd, WinPMEM, and mdd, as well as for different memory sizes.     

Forensic Inspection of Sensitive User Data and Artifacts from Smartwatch Wearable Devices

Wearable devices allow users the ability to leave mobile phones behind while remaining connected to the digital world; however, this creates challenges in the examination, acquisition, identification, and analysis of probative data. This preliminary research aims to provide an enhanced understanding of where sensitive user data and forensic artifacts are stored on smartwatch wearable devices, both through utilization as a connected and standalone device. It also provides a methodology for the forensically sound acquisition of data from a standalone smartwatch wearable device. The results identify significant amounts of data on the Samsung^? Gear S3 Frontier, greater than that stored on the companion mobile phone. An Apple Watch^® Series 3 manual examination method which produces native screenshots was identified; however, the companion mobile phone was found to store the greatest amount of data. As a result of this research, a data extraction tool for the Samsung^? Gear S3 Frontier was created.     

Graph clustering and anomaly detection of access control log for forensic purposes

Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs will be first preprocessed and then clustered using an improved MajorClust algorithm to get a better cluster. This technique provides parameter-free clustering so that it automatically can produce an analysis report for the forensic investigators. The clustering results will be checked for anomalies based on a score that considers some factors such as the total members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved the accuracy of 83.14% in the authentication log dataset.     

Forensic acquisition and analysis of palm webOS on mobile devices

The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.     

Toward a General Ontology for Digital Forensic Disciplines

Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.     

Digital traces and physical activities: opportunities,challenges and pitfalls

The strong integration of consumer electronics in everyday life offers many new investigative opportunities. In particular, digital traces from smartphones, smartwatches and activity trackers can now increasingly be used to infer information about actions performed by their users in the physical world that might not be obtainable from any other types of forensic evidence.While potentially very valuable from an investigative perspective, making forensically justifiable statements about such traces can sometimes be more difficult than expected. Requirements for this have not yet received much attention in the digital forensic literature. To help filling this gap, we describe the principles we use in determining the evidential value of such traces, which emphasize the need for experimental verification. For such research, aimed at determining the evidential value of these traces, we coin the term data2activity.In this paper, we devote attention to the potential and limitations of data2activity traces, focusing on challenges and giving two examples to illustrate potential pitfalls in interpreting data. Finally, future research directions into data2activity traces are indicated that, in our opinion, should be given attention. These include development of future-proof data acquisition and storage methodology, enabling division-of-effort and sharing of information, as well as development of labeling methodology for free-living experiments.     

Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study

The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS.In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is, a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying real servers storing evidences in a distributed environment and transaction reconstruction method, using log analysis and recovering deleted data from the MongoDB data file structure.     

Private browsing: A window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.     

Automated identification of installed malicious Android applications

Increasingly, Android smartphones are becoming more pervasive within the government and industry, despite the limited ways to detect malicious applications installed to these phones' operating systems. Although enterprise security mechanisms are being developed for use on Android devices, these methods cannot detect previously unknown malicious applications. As more sensitive enterprise information becomes available and accessible on these smartphones, the risk of data loss inherently increases. A malicious application's actions could potentially leave sensitive data exposed with little recourse. Without an effective corporate monitoring solution in place for these mobile devices, organizations will continue to lack the ability to determine when a compromise has occurred. This paper presents research that applies traditional digital forensic techniques to remotely monitor and audit Android smartphones. The smartphone sends changed file system data to a remote server, allowing for expensive forensic processing and the offline application of traditional tools and techniques rarely applied to the mobile environment. The research aims at ascertaining new ways of identifying malicious Android applications and ultimately attempts to improve the state of enterprise smartphone monitoring. An on-phone client, server, database, and analysis framework was developed and tested using real mobile malware. The results are promising that the developed detection techniques identify changes to important system partitions; recognize file system changes, including file deletions; and find persistence and triggering mechanisms in newly installed applications. It is believed that these detection techniques should be performed by enterprises to identify malicious applications affecting their phone infrastructure.     

BrowStEx: A tool to aggregate browser storage artifacts for forensic analysis

Web storage or browser storage, a new client-side data storage feature, was recommended as a part of the HTML5 specifications and now widely adopted by major web browser vendors. Web storage with native browser support has changed the paradigm of web application development unprecedentedly because persistent data storage with increased data size can be realized on the client. Web storage is poised to quickly become an area of particular interest for forensic investigators due to the potential to discover critical information from web browser artifacts at client side. However, the literature work on web browser forensics has traditionally focused on browsing history, browser cache, and cookie files (Oh et al., 2011). Therefore, we first discuss the prevalence of web storage implementation in widely used websites. Then, we compare and contrast the web storage technology currently implemented in the five major web browsers, Google Chrome, Internet Explorer, Mozilla Firefox, Opera, and Apple's Safari. Moreover, in order to provide more insights into web storage and enable unified forensic analysis, a proof-of-concept tool, named as BrowStEx (Browser Storage Extractor), is described with implementation details. The commonalities, differences, and the proof-of-concept tool discussed in this paper can be useful in developing advanced forensic tools that can extract browser storage artifacts.     

Forensic analysis of video file formats

Video file format standards define only a limited number of mandatory features and leave room for interpretation. Design decisions of device manufacturers and software vendors are thus a fruitful resource for forensic video authentication. This paper explores AVI and MP4-like video streams of mobile phones and digital cameras in detail. We use customized parsers to extract all file format structures of videos from overall 19 digital camera models, 14 mobile phone models, and 6 video editing toolboxes. We report considerable differences in the choice of container formats, audio and video compression algorithms, acquisition parameters, and internal file structure. In combination, such characteristics can help to authenticate digital video files in forensic settings by distinguishing between original and post-processed videos, verifying the purported source of a file, or identifying the true acquisition device model or the processing software used for video processing.     

Web Content Management Systems: An Analysis of Forensic Investigatory Challenges

With an increase in the creation and maintenance of personal websites, web content management systems are now frequently utilized. Such systems offer a low cost and simple solution for those seeking to develop an online presence, and subsequently, a platform from which reported defamatory content, abuse, and copyright infringement has been witnessed. This article provides an introductory forensic analysis of the three current most popular web content management systems available, WordPress, Drupal, and Joomla! Test platforms have been created, and their site structures have been examined to provide guidance for forensic practitioners facing investigations of this type. Result's document available metadata for establishing site ownership, user interactions, and stored content following analysis of artifacts including Wordpress's wp_users, and wp_comments tables, Drupal's “watchdog” records, and Joomla!'s _users, and _content tables. Finally, investigatory limitations documenting the difficulties of investigating WCMS usage are noted, and analysis recommendations are offered.     

Automated evaluation of approximate matching algorithms on real data

Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to screen and analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations.Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages and evaluation methodology is still evolving. Broadly, prior approaches have used either a human in the loop to manually evaluate the goodness of similarity matches on real world data, or controlled (pseudo-random) data to perform automated evaluation.This work's contribution is to introduce automated approximate matching evaluation on real data by relating approximate matching results to the longest common substring (LCS). Specifically, we introduce a computationally efficient LCS approximation and use it to obtain ground truth on the t5 set. Using the results, we evaluate three existing approximate matching schemes relative to LCS and analyze their performance.     

A Forensic Examination of Online Search Facility URL Record Structures

The use of search engines and associated search functions to locate content online is now common practice. As a result, a forensic examination of a suspect's online search activity can be a critical aspect in establishing whether an offense has been committed in many investigations. This article offers an analysis of online search URL structures to support law enforcement and associated digital forensics practitioners interpret acts of online searching during an investigation. Google, Bing, Yahoo!, and DuckDuckGo searching functions are examined, and key URL attribute structures and metadata have been documented. In addition, an overview of social media searching covering Twitter, Facebook, Instagram, and YouTube is offered. Results show the ability to extract embedded metadata from search engine URLs which can establish online searching behaviors and the timing of searches.     

Reverse engineering of ReFS

File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, while users have the option to create ReFS file systems, digital forensic investigators need to investigate the file systems identified on a seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.Another concept not seen for Windows file systems, is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB.Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x.It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.     

Modelling and refinement of forensic data acquisition specifications

This paper defines a model of a special type of digital forensics tools, known as data acquisition tools, using the formal refinement language Event-B. The complexity and criticality of many types of computer and Cyber crime nowadays combined with improper or incorrect use of digital forensic tools calls for more robust and reliable specifications of the functionality of digital forensics applications. As a minimum, the evidence produced by such tools must meet the minimum admissibility standards the legal system requires, in general implying that it must be generated from reliable and robust tools. Despite the fact that some research and effort has been spent on the validation of digital forensics tools by means of testing, the verification of such tools and the formal specification of their expected behaviour remains largely under-researched. The goal of this work is to provide a formal specification against which implementations of data acquisition procedures can be analysed.