We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.     

Study on the tracking revision history of MS Word files for forensic investigation

Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.     

Forensic investigation of OOXML format documents

MS Office documents could be illegally copied by offenders, and forensic investigators still face great difficulty in investigating and tracking the source of these illegal copies. This paper mainly proposes a forensic method based on the unique value of the revision identifier (RI) to determine the source of suspicious electronic documents. This method applies to electronic documents which use Office Open XML (OOXML) format, such as MS Office 2007, Mac Office 2008 and MS Office 2010. According to the uniqueness of the RI extracted from documents, forensic investigators can determine whether the suspicious document and another document are from the same source. Experiments demonstrate that, for a copy of an electronic document, even if all the original characters are deleted or formatted by attackers, forensic examiners can determine that the copy and the original document are from the same source through detecting the RI values. Additionally, the same holds true if attackers just copy some characters from the original document to a newly created document. As long as there is one character left whose original format has not been cleared, forensic examiners can determine that the two documents are from the same source using the same method. This paper also presents methods for OOXML format files to detect the time information and creator information, which can be used to determine who the real copyright holder is when a copyright dispute occurs.     

“滥用市场支配地位”的经济法思考——以微软黑屏事件为例

微软作为经营者,在滥用市场支配地位的主体上显然是符合的,由于我国对滥用市场支配地位的规定还很不完善,导致出现微软黑屏事件合法而不合理的事例。应通过立法程序规范此类问题,完善这方面的空白。     

从知识产权侵害案件看Microsoft PowerPoint演示文稿鉴定实践

Microsoft PowerPoint演示文稿是电子数据鉴定实践中比较常见的文件类型.从一起真实的知识产权侵害案件为背景,基于Microsoft复合文档结构和Microsoft PowerPoint记录格式的分析,说明追溯演示文稿残余编辑信息的步骤与方法.     

A survey of main memory acquisition and analysis techniques for the windows operating system

Traditional, persistent data-oriented approaches in computer forensics face some limitations regarding a number of technological developments, e.g., rapidly increasing storage capabilities of hard drives, memory-resident malicious software applications, or the growing use of encryption routines, that make an in-time investigation more and more difficult. In order to cope with these issues, security professionals have started to examine alternative data sources and emphasize the value of volatile system information in RAM more recently. In this paper, we give an overview of the prevailing techniques and methods to collect and analyze a computer's memory. We describe the characteristics, benefits, and drawbacks of the individual solutions and outline opportunities for future research in this evolving field of IT security.     

Artifacts of CD burning in the Microsoft Windows master file table

When theft of a physical item occurs it is detectable by the fact that the object is missing, however, when the theft of a digital item occurs it can go unnoticed as exact replicas can be created. The original file is left intact but valuable information has been absconded. One of the challenges facing digital forensic examiners is detecting when files have been copied off of a computer system in some fashion. While certain methods do leave residual evidence behind, CD Burning has long been held as a copying method that cannot be identified. Through testing of the burning process and close examination of the New Technology File System (NTFS), artifacts from the master file table in the various versions of Microsoft Windows, markers have been found that are associated with copying or "burning" files to CD or DVD. Potential evidence that was once overlooked may now be detectable.     

Private browsing: A window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.     

篡改Microsoft Office办公文件的实验研究

本文利用现有的篡改Microsoft Office办公文件的工具和方法,设计了若干套篡改Microsoft Office办公文件内容、属性的实验方案,使用工具软件对Microsoft Office办公文件的属性进行检验和分析,总结出检验Microsoft Office办公文件的方法。     

The Prevalence of Encoded Digital Trace Evidence in the Nonfile Space of Computer Media,,

Forensically significant digital trace evidence that is frequently present in sectors of digital media not associated with allocated or deleted files. Modern digital forensic tools generally do not decompress such data unless a specific file with a recognized file type is first identified, potentially resulting in missed evidence. Email addresses are encoded differently for different file formats. As a result, trace evidence can be categorized as Plain in File (PF), Encoded in File (EF), Plain Not in File (PNF), or Encoded Not in File (ENF). The tool bulk_extractor finds all of these formats, but other forensic tools do not. A study of 961 storage devices purchased on the secondary market and shows that 474 contained encoded email addresses that were not in files (ENF). Different encoding formats are the result of different application programs that processed different kinds of digital trace evidence. Specific encoding formats explored include BASE64, GZIP, PDF, HIBER, and ZIP.