Analyzing multiple logs for forensic evidence

Information stored in logs of a computer system is of crucial importance to gather forensic evidence of investigated actions or attacks. Analysis of this information should be rigorous and credible, hence it lends itself to formal methods. We propose a model checking approach to the formalization of the forensic analysis of logs. A set of logs is modeled as a tree whose labels are events extracted from the logs. In order to provide a structure to these events, we express each event as a term of algebra. The signature of the algebra is carefully chosen to include all relevant information necessary to conduct the analysis. Properties of the model, attack scenarios, and event sequences are expressed as formulas of a logic having dynamic, linear, temporal, and modal characteristics. Moreover, we provide a tableau-based proof system for this logic upon which a model checking algorithm can be developed. We use our model in a case study to demonstrate how events leading to an SYN attack can be reconstructed from a number of system logs.     

Modelling and refinement of forensic data acquisition specifications

This paper defines a model of a special type of digital forensics tools, known as data acquisition tools, using the formal refinement language Event-B. The complexity and criticality of many types of computer and Cyber crime nowadays combined with improper or incorrect use of digital forensic tools calls for more robust and reliable specifications of the functionality of digital forensics applications. As a minimum, the evidence produced by such tools must meet the minimum admissibility standards the legal system requires, in general implying that it must be generated from reliable and robust tools. Despite the fact that some research and effort has been spent on the validation of digital forensics tools by means of testing, the verification of such tools and the formal specification of their expected behaviour remains largely under-researched. The goal of this work is to provide a formal specification against which implementations of data acquisition procedures can be analysed.     

The stages of cybercrime investigations: Bridging the gap between technology examination and law enforcement investigation

Cybercrime investigation can be argued as still in its infancy. The technical investigation practices and procedures of global law enforcement are also still evolving in response to the growing threat of the cybercriminal. This has led to considerable debate surrounding the adequacy of current technical investigation models, examination tools and the subsequent capability of law enforcement to tackle cybercrime. To bridge the gap between low-level technology recovery and digital forensic examination, and to overcome the many technical challenges now faced by law enforcement; this paper presents an extended cybercrime investigation model capable of guiding the investigative practices of the broader law enforcement community. The Stages of Cybercrime Investigations discussed throughout this paper, demonstrate the logical steps and primary considerations vital to investigating cyber related crime and criminality. The model is intended to provide both technical and non-technical investigative resources, covering mainstream law enforcement, partner agencies and specialist technical services, with a formal and common structure when investigating the complex technical nature of cybercrime. Finally, the model is further aimed at providing cybercrime investigators with a means to consolidate understanding, share knowledge and communicate the resulting outcomes as an investigation moves through each relevant stage.     

Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study

The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS.In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is, a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying real servers storing evidences in a distributed environment and transaction reconstruction method, using log analysis and recovering deleted data from the MongoDB data file structure.     

应对数字艺术公共安全隐患的立法策略研究

当下数字艺术的产生和迅速崛起从根本上改变了原子艺术长期以来建构起来的艺术生态和艺术秩序,引发了某些引起人们重大关切的公共安全问题,其中突出的有网瘾问题、网络文化低俗化问题、数字谣言问题以及数字艺术知识产权保护问题等。这些问题不同于原子艺术公共安全隐患发生学上的外生性、随机性和个别性,而是呈现为内生性、公共性、流行性和危害性特征。一条比较可行的防控策略是在对数字艺术实施事前立法规范的同时,对数字艺术公共安全机制同步实施事后追溯监管。此外,加强数字艺术公共安全性及其应对机制的科研攻关和科普宣传,尽快提高全社会对数字艺术特殊规律及其公共安全性的认识和了解也是当务之急。     

The use of self-organising maps for anomalous behaviour detection in a digital investigation

The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM)--an unsupervised neural network model--can aid investigators to determine anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted to conduct the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.     

A framework for post-event timeline reconstruction using neural networks

Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.     

Data fragment forensics for embedded DVR systems

A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics.To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequential fragmentation and missing fragments overwritten by other data.This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on techniques described in this paper.     

Defining event reconstruction of digital crime scenes

Event reconstruction plays a critical role in solving physical crimes by explaining why a piece of physical evidence has certain characteristics. With digital crimes, the current focus has been on the recognition and identification of digital evidence using an object's characteristics, but not on the identification of the events that caused the characteristics. This paper examines digital event reconstruction and proposes a process model and procedure that can be used for a digital crime scene. The model has been designed so that it can apply to physical crime scenes, can support the unique aspects of a digital crime scene, and can be implemented in software to automate part of the process. We also examine the differences between physical event reconstruction and digital event reconstruction.     

Tests of one Brazilian facial reconstruction method using three soft tissue depth sets and familiar assessors

Facial reconstruction is a method that seeks to recreate a person's facial appearance from his/her skull. This technique can be the last resource used in a forensic investigation, when identification techniques such as DNA analysis, dental records, fingerprints and radiographic comparison cannot be used to identify a body or skeletal remains. To perform facial reconstruction, the data of facial soft tissue thickness are necessary. Scientific literature has described differences in the thickness of facial soft tissue between ethnic groups. There are different databases of soft tissue thickness published in the scientific literature. There are no literature records of facial reconstruction works carried out with data of soft tissues obtained from samples of Brazilian subjects. There are also no reports of digital forensic facial reconstruction performed in Brazil. There are two databases of soft tissue thickness published for the Brazilian population: one obtained from measurements performed in fresh cadavers (fresh cadavers' pattern), and another from measurements using magnetic resonance imaging (Magnetic Resonance pattern). This study aims to perform three different characterized digital forensic facial reconstructions (with hair, eyelashes and eyebrows) of a Brazilian subject (based on an international pattern and two Brazilian patterns for soft facial tissue thickness), and evaluate the digital forensic facial reconstructions comparing them to photos of the individual and other nine subjects. The DICOM data of the Computed Tomography (CT) donated by a volunteer were converted into stereolitography (STL) files and used for the creation of the digital facial reconstructions. Once the three reconstructions were performed, they were compared to photographs of the subject who had the face reconstructed and nine other subjects. Thirty examiners participated in this recognition process. The target subject was recognized by 26.67% of the examiners in the reconstruction performed with the Brazilian Magnetic Resonance Pattern, 23.33% in the reconstruction performed with the Brazilian Fresh Cadavers Pattern and 20.00% in the reconstruction performed with the International Pattern, in which the target-subject was the most recognized subject in the first two patterns. The rate of correct recognitions of the target subject indicate that the digital forensic facial reconstruction, conducted with parameters used in this study, may be a useful tool.     

Forensic Significance of Gunshot Impact Marks on Inanimate Objects: The Need for Translational Research

Wherever an impact mark is found, either on the surface or on the recovered projectile, it is important for forensic investigators to extract useful information in solving shooting-related cases. This article reviews a collection of works on examination of impact marks upon striking of projectiles on inanimate objects, emphasizing on the retrievable information from a shooting scene and their forensic significance in shooting event reconstruction. Literature suggested that impact marks on target surfaces and the degree of deformation on striking projectiles vary according to different combinations of ammunition and surface materials. It was noted that conditions in real-case scenarios further differed unpredictably in comparison with controlled studies, where forensic investigation should be treated as case-specific basis. Furthermore, the way forensic science is researched and applied operationally has to be reconsidered to reduce the gap via translational approach for more effective use of forensic evidence.     

Automated event and social network extraction from digital evidence sources with ontological mapping

The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscaleable and alternate methods to reduce the time trained analysts spend on each job are necessary.This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work.A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator.Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.     

Introducing the Microsoft Vista event log file format

Several operating systems provide a central logging service which collects event messages from the kernel and applications, filters them and writes them into log files. Since more than a decade such a system service exists in Microsoft Windows NT. Its file format is well understood and supported by forensic software. Microsoft Vista introduces an event logging service which entirely got newly designed. This confronts forensic examiners and software authors with unfamiliar system behavior and a new, widely undocumented file format.This article describes the history of Windows system loggers, what has been changed over time and for what reason. It compares Vista log files in their native binary form and in a textual form. Based on the results, this paper for the first time publicly describes the key-elements of the new log file format and the proprietary binary encoding of XML. It discusses the problems that may arise during daily work. Finally it proposes a procedure for how to recover information from log fragments. During a criminal investigation this procedure was successfully applied to recover information from a corrupted event log.     

Automatic forensic face recognition from digital images.

Digital image evidence is now widely available from criminal investigations and surveillance operations, often captured by security and surveillance CCTV. This has resulted in a growing demand from law enforcement agencies for automatic person-recognition based on image data. In forensic science, a fundamental requirement for such automatic face recognition is to evaluate the weight that can justifiably be attached to this recognition evidence in a scientific framework. This paper describes a pilot study carried out by the Forensic Science Service (UK) which explores the use of digital facial images in forensic investigation. For the purpose of the experiment a specific software package was chosen (Image Metrics Optasia). The paper does not describe the techniques used by the software to reach its decision of probabilistic matches to facial images, but accepts the output of the software as though it were a 'black box'. In this way, the paper lays a foundation for how face recognition systems can be compared in a forensic framework. The aim of the paper is to explore how reliably and under what conditions digital facial images can be presented in evidence.     

Digital evidence in cloud computing systems

Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems.     

IoT forensics: Exploiting unexplored log records from the HIKVISION file system

CCTV surveillance systems are IoT products that can be found almost everywhere. Their digital forensic analysis often plays a key role in solving crimes. However, it is common for these devices to use proprietary file systems, which frequently hinders a complete examination. HIKVISION is a well-known manufacturer of such devices that typically ships its products with its proprietary file system. The HIKVISION file system has been analyzed before but that research has focused on the recovery of video footage. In this paper, the HIKVISION file system is being revisited regarding the log records it stores. More specifically, these log records are thoroughly examined to uncover both their structure and meaning. These unexplored pieces of evidence remain unexploited by major commercial forensic software, yet they can contain critical information for an investigation. To further assist digital forensic examiners with their analysis, a Python utility, namely the Hikvision Log Analyzer, was developed as part of this study that can automate part of the process.     

Media analyses based on Microsoft NTFS file ownership

The ever-increasing size of digital media presents a continuous challenge to digital investigators who must rapidly assess computer media to find and identify evidence. To meet this challenge, methods must continuously be sought to expedite the examination process. This paper investigates using the file ownership property as an analytical tool focusing on activity by individuals associated with the computer. Research centered on the New Technology File System (NTFS), which is the default file system in Microsoft Windows Operating System (OS). This was done because Microsoft's worldwide market penetration makes Windows and NTFS the most likely OS and file system to be encountered in digital forensic examinations. Significantly, digital forensic software now allows examination of NTFS file attributes and properties including the ownership property. The paper outlines potential limitations regarding interpreting ownership findings, and suggests areas for further research. Overall, file ownership is seen as a potentially viable new digital forensic tool.     

Forensic acquisition and analysis of palm webOS on mobile devices

The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.     

Digital provenance – interpretation,verification and corroboration

This paper defines the attributes that are required to provide ‘good’ provenance. The various sources that may be used to verify the provenance of digital information during the investigation of a Microsoft^® Windows^® based computer system are presented. This paper shows how provenance can be corroborated by artefacts which indicate how a computer system was connected to the outside world and the capabilities that it provided to a user. Finally consideration is given to a number of commonly used forensic tools and shows how they represent the provenance of information to an investigator.