A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence

This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.     

Blind Detection of Region Duplication Forgery Using Fractal Coding and Feature Matching

Digital image forgery detection is important because of its wide use in applications such as medical diagnosis, legal investigations, and entertainment. Copy–move forgery is one of the famous techniques, which is used in region duplication. Many of the existing copy–move detection algorithms cannot effectively blind detect duplicated regions that are made by powerful image manipulation software like Photoshop. In this study, a new method is proposed for blind detecting manipulations in digital images based on modified fractal coding and feature vector matching. The proposed method not only detects typical copy–move forgery, but also finds multiple copied forgery regions for images that are subjected to rotation, scaling, reflection, and a mixture of these postprocessing operations. The proposed method is robust against tampered images undergoing attacks such as Gaussian blurring, contrast scaling, and brightness adjustment. The experimental results demonstrated the validity and efficiency of the method.     

Passive forensics in image and video using noise features: A review

Due to present of enormous free image and video editing software on the Internet, tampering of digital images and videos have become very easy. Validating the integrity of images or videos and detecting any attempt of forgery without use of active forensic technique such as Digital Signature or Digital Watermark is a big challenge to researchers. Passive forensic techniques, unlike active techniques, do not need any preembeded information about the image or video. The proposed paper presents a comprehensive review of the recent developments in the field of digital image and video forensic using noise features. The previously existing methods of image and video forensics proved the importance of noises and encourage us for the study and perform extensive research in this field. Moreover, in this paper, forensic task cover mainly source identification and forgery detection in the image and video using noise features. Thus, various source identification and forgery detection methods using noise features are reviewed and compared in this paper for image and video. The overall objective of this paper is to give researchers a broad perspective on various aspects of image and video forensics using noise features. Conclusion part of this paper discusses about the importance of noise features and the challenges encountered by different image and video forensic method using noise features.     

A survey of image processing techniques and statistics for ballistic specimens in forensic science

This paper provides a review of recent investigations on the image processing techniques used to match spent bullets and cartridge cases. It is also, to a lesser extent, a review of the statistical methods that are used to judge the uniqueness of fired bullets and spent cartridge cases. We review 2D and 3D imaging techniques as well as many of the algorithms used to match these images. We also provide a discussion of the strengths and weaknesses of these methods for both image matching and statistical uniqueness. The goal of this paper is to be a reference for investigators and scientists working in this field.     

Forensic investigation of OOXML format documents

MS Office documents could be illegally copied by offenders, and forensic investigators still face great difficulty in investigating and tracking the source of these illegal copies. This paper mainly proposes a forensic method based on the unique value of the revision identifier (RI) to determine the source of suspicious electronic documents. This method applies to electronic documents which use Office Open XML (OOXML) format, such as MS Office 2007, Mac Office 2008 and MS Office 2010. According to the uniqueness of the RI extracted from documents, forensic investigators can determine whether the suspicious document and another document are from the same source. Experiments demonstrate that, for a copy of an electronic document, even if all the original characters are deleted or formatted by attackers, forensic examiners can determine that the copy and the original document are from the same source through detecting the RI values. Additionally, the same holds true if attackers just copy some characters from the original document to a newly created document. As long as there is one character left whose original format has not been cleared, forensic examiners can determine that the two documents are from the same source using the same method. This paper also presents methods for OOXML format files to detect the time information and creator information, which can be used to determine who the real copyright holder is when a copyright dispute occurs.     

Advanced carving techniques

Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery.Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files.At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image.This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Work-Shop's (DFRWS) 2007 carving challenge.     

The use of self-organising maps for anomalous behaviour detection in a digital investigation

The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM)--an unsupervised neural network model--can aid investigators to determine anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted to conduct the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.     

Can computer forensic tools be trusted in digital investigations?

This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while as most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.     

A New Anti‐forensic Scheme—Hiding the Single JPEG Compression Trace for Digital Image

To prevent image forgeries, a number of forensic techniques for digital image have been developed that can detect an image's origin, trace its processing history, and can also locate the position of tampering. Especially, the statistical footprint left by JPEG compression operation can be a valuable source of information for the forensic analyst, and some image forensic algorithm have been raised based on the image statistics in the DCT domain. Recently, it has been shown that footprints can be removed by adding a suitable anti‐forensic dithering signal to the image in the DCT domain, this results in invalid for some image forensic algorithms. In this paper, a novel anti‐forensic algorithm is proposed, which is capable of concealing the quantization artifacts that left in the single JPEG compressed image. In the scheme, a chaos‐based dither is added to an image's DCT coefficients to remove such artifacts. Effectiveness of both the scheme and the loss of image quality are evaluated through the experiments. The simulation results show that the proposed anti‐forensic scheme can verify the reliability of the JPEG forensic tools.     

Registration Data Access Protocol (RDAP) for digital forensic investigators

This paper describes the Registration Data Access Protocol (RDAP) with a focus on relevance to digital forensic investigators. RDAP was developed as the successor to the aging WHOIS system and is intended to eventually replace WHOIS as the authoritative source for registration information on IP addresses, Domain Names, Autonomous Systems, and more. RDAP uses a RESTful interface over HTTP and introduces a number of new features related to security, internationalization, and standardized query/response definitions. It is important for digital forensic investigators to become familiar with RDAP as it will play an increasingly important role in Internet investigations requiring the search and collection of registration data as evidence.     

Digital Forensics as a Service: A game changer

How is it that digital investigators are always busy and still never have enough time to actually dig deep into digital evidence? In this paper we will explore the current implementation of the digital forensic process and analyze factors that impact the efficiency of this process. Next we explain how in the Netherlands a Digital Forensics as a Service implementation reduced case backlogs and freed up digital investigators to help detectives better understand the digital material.     

Digital camera identification using PRNU: A feature based approach

Source camera identification is one of the emerging field in digital image forensics, which aims at identifying the source camera used for capturing the given image. The technique uses photo response non-uniformity (PRNU) noise as a camera fingerprint, as it is found to be one of the unique characteristic which is capable of distinguishing the images even if they are captured from similar cameras. Most of the existing PRNU based approaches are very sensitive to the random noise components existing in the estimated PRNU, and also they are not robust when some simple manipulations are performed on the images. Hence a new feature based approach of PRNU is proposed for the source camera identification by choosing the features which are robust for image manipulations. The PRNU noise is extracted from the images using wavelet based denoising method and is represented by higher order wavelet statistics (HOWS), which are invariant features for image manipulations and geometric variations. The features are fed to support vector machine classifiers to identify the originating source camera for the given image and the results have been verified by performing ten-fold cross validation technique. The experiments have been carried out using the images captured from various cell phone cameras and it demonstrated that the proposed algorithm is capable of identifying the source camera of the given image with good accuracy. The developed technique can be used for differentiating the images, even if they are captured from similar cameras, which belongs to same make and model. The analysis have also showed that the proposed technique remains robust even if the images are subjected to simple manipulations or geometric variations.     

Data attack of the cybercriminal: Investigating the digital currency of cybercrime

It is increasingly argued that the primary motive of the cybercriminal and the major reason for the continued growth in cyber attacks is financial gain. In addition to the direct financial impact of cybercrime, it can also be argued that the digital data and the information it represents that can be communicated through the Internet, can have additional intrinsic value to the cybercriminal. In response to the perceived value and subsequent demand for illicit data, a sophisticated and self-sufficient underground digital economy has emerged. The aim of this paper is to extend the author’s earlier research that first introduced the concept of the Cybercrime Execution Stack by examining in detail the underlying data objectives of the cybercriminal. Both technical and non-technical law enforcement investigators need the ability to contextualise and structure the illicit activities of the cybercriminal, in order to communicate this understanding amongst the wider law enforcement community. By identifying the potential value of electronic data to the cybercriminal, and discussing this data in the context of data collection, data supply and distribution, and data use, demonstrates the relevance and advantages of utilising an objective data perspective when investigating cybercrime.     

Forensic investigation of peer-to-peer file sharing networks

The investigation of peer-to-peer (p2p) file sharing networks is now of critical interest to law enforcement. P2P networks are extensively used for sharing and distribution of contraband. We detail the functionality of two p2p protocols, Gnutella and BitTorrent, and describe the legal issues pertaining to investigating such networks. We present an analysis of the protocols focused on the items of particular interest to investigators, such as the value of evidence given its provenance on the network. We also report our development of RoundUp, a tool for Gnutella investigations that follows the principles and techniques we detail for networking investigations. RoundUp has experienced rapid acceptance and deployment: it is currently used by 52 Internet Crimes Against Children (ICAC) Task Forces, who each share data from investigations in a central database. Using RoundUp, since October 2009, over 300,000 unique installations of Gnutella have been observed by law enforcement sharing known contraband in the the U.S. Using leads and evidence from RoundUp, a total of 558 search warrants have been issued and executed during that time.     

Advanced Framework for Digital Forensic Technologies and Procedures*

Abstract: Recent trends in global networks are leading toward service‐oriented architectures and sensor networks. On one hand of the spectrum, this means deployment of services from numerous providers to form new service composites, and on the other hand this means emergence of Internet of things. Both these kinds belong to a plethora of realms and can be deployed in many ways, which will pose serious problems in cases of abuse. Consequently, both trends increase the need for new approaches to digital forensics that would furnish admissible evidence for litigation. Because technology alone is clearly not sufficient, it has to be adequately supported by appropriate investigative procedures, which have yet become a subject of an international consensus. This paper therefore provides appropriate a holistic framework to foster an internationally agreed upon approach in digital forensics along with necessary improvements. It is based on a top‐down approach, starting with legal, continuing with organizational, and ending with technical issues. More precisely, the paper presents a new architectural technological solution that addresses the core forensic principles at its roots. It deploys so‐called leveled message authentication codes and digital signatures to provide data integrity in a way that significantly eases forensic investigations into attacked systems in their operational state. Further, using a top‐down approach a conceptual framework for forensics readiness is given, which provides levels of abstraction and procedural guides embellished with a process model that allow investigators perform routine investigations, without becoming overwhelmed by low‐level details. As low‐level details should not be left out, the framework is further evaluated to include these details to allow organizations to configure their systems for proactive collection and preservation of potential digital evidence in a structured manner. The main reason behind this approach is to stimulate efforts on an internationally agreed “template legislation,” similarly to model law in the area of electronic commerce, which would enable harmonized national implementations in the area of digital forensics.     

Automated computer forensics training in a virtualized environment

The CYber DEfenSe Trainer (CYDEST) is a virtualized training platform for network defense and computer forensics. It uses virtual machines to provide tactical level exercises for personnel such as network administrators, first responders, and digital forensics investigators. CYDEST incorporates a number of features to reduce instructor workload and to improve training realism, including: (1) automated assessment of trainee performance, (2) automated attacks that respond dynamically to the student's actions, (3) a full fidelity training environment, (4) an unrestricted user interface incorporating real tools, and (5) continuous, remote accessibility via the Web.     

Cardiac Implantable Medical Devices forensics: Postmortem analysis of lethal attacks scenarios

Cardiac Implantable Medical devices (IMD) are increasingly being used by patients to benefit from their therapeutic and life-saving functions. These medical devices are surgically implanted into patient's bodies and wirelessly configured by prescribing physicians and healthcare professionals using external programmers. However, these devices are threatened by a set of lethal attacks, due to the use of vulnerable wireless communication and security protocols, and the lack of security protection mechanisms deployed on IMDs.In this paper, we propose a digital investigation system for the postmortem analysis of lethal attack scenarios on cardiac IMDs. After developing a set of techniques allowing the secure storage of digital evidence logs which track the executed sensitive events, we implement an in-depth security solution allowing the protection of cardiac IMDs. An inference system integrating a library of medical rules is proposed to automatically infer potential medical scenarios that caused the patient's death, or that created heart-related emergency situations (through the occurrence of ventricular tachycardia for example). A Model Checking based formal technique to reconstruct potential technical attack scenarios on a cardiac IMD, starting from the collected evidence, is also proposed. The results obtained by the two proposed reasoning techniques (i.e., the inference system and the Model Checking based algorithm) are correlated to prove whether a potential attack scenario is responsible of the occurrence of heart-related emergency situations or the death of a patient. Based on the proposed techniques, we design a decision-support system that reconciles in the same framework the medical and technical investigation aspects.     

An unusual case of cranial image recognition

We encountered an unusual practical case of craniofacial identification recently. The peculiarity of the case was that the skull itself was not available for examination unlike other such common cases. The supplied material exhibits were, a nearly front view photograph of a skeletonized face and a front view face photograph of the suspected victim. Further, the condition of the skull during taking its photograph was such that its lower and the upper jaws were not in a normal closed condition. The procedure involved in dealing with such a complicated craniofacial identification problem would be quite interesting from a forensic investigator's point of view, since standard methods of skull identification like photo/video superimposition techniques were not at all applicable here. As such, the present case report provides the details of the multiphase procedure adapted by us in dealing with this abnormal case. A solution to this unprecedented craniofacial identification problem was worked out by appropriate exploration of a newly introduced digital image processing technique that is based on craniofacial symmetry perception. The procedure leads to the reconstruction of a superimposable cranial image with upper and lower teeth in normal closed condition for establishment of its identity in usual way.     

Alternative light source (polilight) illumination with digital image analysis does not assist in determining the age of bruises

The age of a bruise may be of interest to forensic investigators. Previous research has demonstrated that an alternative light source may assist in the visualisation of faint or non-visible bruises. This project aimed to determine if an alternative light source could be utilised to assist investigators estimate the age of a bruise. Forty braises, sustained from blunt force trauma, were examined from 30 healthy subjects. The age of the bruises ranged from 2 to 231 h (mean = 74.6, median = 69.0). Alternative light source (polilight) illumination at 415 and 450 nm was used. The black and white photographs obtained were assessed using densitometry. A statistical analysis indicated that there was no correlation between time and the mean densitometry values. The alternative light source used in this study was unable to assist in determining the age of a bruise.     

Detection of copy-move forgery using a method based on blur moment invariants

In our society digital images are a powerful and widely used communication medium. They have an important impact on our life. In recent years, due to the advent of high-performance commodity hardware and improved human-computer interfaces, it has become relatively easy to create fake images. Modern, easy to use image processing software enables forgeries that are undetectable by the naked eye. In this work we propose a method to automatically detect and localize duplicated regions in digital images. The presence of duplicated regions in an image may signify a common type of forgery called copy-move forgery. The method is based on blur moment invariants, which allows successful detection of copy-move forgery, even when blur degradation, additional noise, or arbitrary contrast changes are present in the duplicated regions. These modifications are commonly used techniques to conceal traces of copy-move forgery. Our method works equally well for lossy format such as JPEG. We demonstrate our method on several images affected by copy-move forgery.