A RAM triage methodology for Hadoop HDFS forensics

This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.     

File fragment encoding classification—An empirical approach

Over the past decade, a substantial effort has been put into developing methods to classify file fragments. Throughout, it has been an article of faith that data fragments, such as disk blocks, can be attributed to different file types. This work is an attempt to critically examine the underlying assumptions and compare them to empirically collected data. Specifically, we focus most of our effort on surveying several common compressed data formats, and show that the simplistic conceptual framework of prior work is at odds with the realities of actual data. We introduce a new tool, zsniff, which allows us to analyze deflate-encoded data, and we use it to perform an empirical survey of deflate-coded text, images, and executables. The results offer a conceptually new type of classification capabilities that cannot be achieved by other means.     

论数字时代的版权补偿金制度及其导入

版权补偿金制度是为了缓解模拟复制技术条件下版权人与使用人之间紧张关系而作的一项制度安排,并且在不同的国家、不同的历史时期其具体内容和作用也不尽相同。在数字复制时代,尽管这一制度面临着前所未有的危机,但它仍具有不可替代的制度价值。从我国版权立法和司法的实际来看,导入版权补偿金制度不仅具有必要性,而且也有可行性,应该得到进一步的研究和关注。     

The Digital Economy Act 2010: subscriber monitoring and the right to privacy under Article 8 of the ECHR

This paper critically assesses the compatibility of s3 Digital Economy Act 2010 (DEA) with Article 8 of the European Convention on Human Rights (1950) (ECHR). The analysis draws on Ofcom’s Initial Obligations and two UK cases, namely: British Telecommunications Plc & Anor, R (on the application of) v The Secretary of State for Business, Innovation and Skills,¹1 British Telecommunications Plc & Anor, R (on the application of) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin).View all notes and R (British Telecommunications plc and TalkTalk Telecom Group plc) v Secretary of State for Culture, Olympics, Media and Sport and others.²2 R (British Telecommunications plc and TalkTalk Telecom Group plc) v Secretary of State for Culture, Olympics, Media and Sport and others [2012] EWCA Civ 232.View all notes It argues that the implementation of this obligation allows directed surveillance of subscribers’ activities without legal authorisation under the Regulation of Investigatory Powers Act 2000 (RIPA). It also analyses compliance with the Strasbourg Court’s three-part, non-cumulative test, to determine whether s3 of the DEA is, firstly, ‘in accordance with the law’; secondly, pursues one or more legitimate aims contained within Article 8(2) of the Convention; and thirdly, is ‘necessary’ and ‘proportionate’. It concludes that unless the implementation of s3 of the DEA required the involvement of State authorities and was specifically targeted at serious, commercial scale online copyright infringement cases it could infringe part one and part three of the ECtHR’s test, thereby violating subscribers’ Article 8 ECHR rights.     

The different types of reports produced in digital forensic investigations

The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via written report, yet despite this there is arguably limited best practice guidance available which is specific for this field in regards to report construction. Poor reporting practices in DF are likely to undermine the reliability of evidence provided across this field, where there is a need for formalised guidance regarding the requirements for effective DF report construction; this should not be a task left solely to each individual practitioner to determine without instruction. For this, the field of DF should look to the wider forensic community and the existing work in this area for support. In line with many other ‘traditional’ forensic science types, a DF practitioner can be commissioned to report in one of three ways - ‘technical’, ‘investigative’ or ‘evaluative’, where each reporting type maintains a specific purpose and interpretative-context, determined by the examination workflow undertaken by a practitioner following client instruction. This work draws upon guidance set out in fundamental forensic science reporting literature in order to describe each reporting type in turn, outlining their scope, content and construction requirements in an attempt to provide support for the DF field.     

I shop online – recreationally! Internet anonymity and Silk Road enabling drug use in Australia

Internet technologies are beginning to influence the sale and supply of illicit drugs in Australia. One such technology, an online marketplace known as Silk Road, had dramatically increased in popularity since its worldwide launch in February 2011. This research and paper were completed prior to the Silk Road's founder, Ross Ulbricht being arrested on 2 October 2013 and Silk Road being taken off line. This research paper will consider such factors; as the increasing use of internet by Australians, the popularity of shopping online and the variance in the quality and price of products available on Silk Road to those available in other drug markets. The case study will provide an in-depth look at Silk Road from an Australian perspective and in light of the continuing popularity of illicit drug use in Australia. Though Silk Road is currently off line, ‘Bitcoin’ has survived and it will only be a matter of time before a substitute for Silk Road emerges.     

Impacts of increasing volume of digital forensic data: A survey and future research challenges

A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.     

Private browsing: A window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.