Toward a General Ontology for Digital Forensic Disciplines

Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology‐related research activities and applications in different disciplines, the development of ontologies and ontology research activities is still wanting in digital forensics. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorization of the digital forensic disciplines, as well as assist in the development of methodologies and specifications that can offer direction in different areas of digital forensics. This includes such areas as professional specialization, certifications, development of digital forensic tools, curricula, and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organize the digital forensic domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach toward organizing the digital forensic domain knowledge and constitutes the main contribution of this paper.     

Quantitative evaluation of the results of digital forensic investigations: a review of progress

Unlike conventional forensics, digital forensics does not at present generally quantify the results of its investigations. It is suggested that digital forensics should aim to catch up with other forensic disciplines by using Bayesian and other numerical methodologies to quantify its investigations’ results. Assessing the plausibility of alternative hypotheses (or propositions, or claims) which explain how recovered digital evidence came to exist on a device could assist both the prosecution and the defence sides in criminal proceedings: helping the prosecution to decide whether to proceed to trial and helping defence lawyers to advise a defendant how to plead. This paper reviews some numerical approaches to the goal of quantifying the relative weights of individual items of digital evidence and the plausibility of hypotheses based on that evidence. The potential advantages enabling the construction of cost-effective digital forensic triage schemas are also outlined.

Key points

• The absence of quantified results from digital forensic investigations, unlike those of conventional forensics, is highlighted.
• A number of approaches towards quantitative evaluation of the results of digital forensic investigations are reviewed.
• The significant potential benefits accruing from such approaches are discussed.

     

Taxonomy of Challenges for Digital Forensics

Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.     

OpenLV: Empowering investigators and first-responders in the digital forensics process

The continuing decline in the cost-per-megabyte of hard disk storage has inevitably led to a ballooning volume of data that needs to be reviewed in digital investigations. The result: case backlogs that commonly stretch for months at forensic labs, and per-case processing that occupies days or weeks of analytical effort. Yet speed is critical in situations where delay may render the evidence useless or endanger personal safety, such as when a suspect may flee, a victim is at risk, criminal tactics or control infrastructure may change, etc. In these and other cases, investigators need tools to enable quick triage of computer evidence in order to answer urgent questions, maintain the pace of an investigation and assess the likelihood of acquiring pertinent information from the device.This paper details the design and application of a tool, OpenLV, that not only meets the needs for speedy initial triage, but also can facilitate the review of digital evidence at later stages of investigation. With OpenLV, an investigator can quickly and safely interact with collected evidence, much as if they had sat down at the computer at the time the evidence was collected. Since OpenLV works without modifying the evidence, its use in triage does not preclude subsequent, in-depth forensic analysis. Unlike many popular forensics tools, OpenLV requires little training and facilitates a unprecedented level of interaction with the evidence.     

Specifying digital forensics: A forensics policy approach

In this paper we present an approach to digital forensics specification based on forensic policy definition. Our methodology borrows from computer security policy specification, which has accumulated a significant body of research over the past 30 years. We first define the process of specifying forensics properties through a forensics policy and then present an example application of the process. This approach lends itself to formal policy specification and verification, which would allow for more clarity and less ambiguity in the specification process.     

Study on the standard components of digital forensics laboratory

Recently, digital forensics has become increasingly important as it is used by investigation agencies, corporate, and private sector. To supplement the limitations of evidence capacity and be recognized in court, it is essential to establish an environment that ensures the integrity of the entire process ranging from collecting and analyzing to submitting digital evidence to court. In this study, common elements were extracted by comparing and analyzing ISO/IEC 17025, 27001 standards and Interpol and Council of Europe (CoE) guidelines to derive the necessary components for building a digital forensic laboratory. Subsequently, based on 21 digital forensic experts in the field, Delphi survey and verifications were conducted in three rounds. As a result, 40 components from seven areas were derived. The research results are based on the establishment, operation, management, and authentication of a digital forensics laboratory suitable for the domestic environment, with added credibility through collection of the opinions of 21 experts in the field of digital forensics in Korea. This study can be referred to in establishing digital forensic laboratories in national, public, and private digital forensic organizations as well as for employing as competency measurement criteria in courts to evaluate the reliability of the analysis results.     

Data fragment forensics for embedded DVR systems

A recent increase in the prevalence of embedded systems has led them to become a primary target of digital forensic investigations. Embedded systems with DVR (Digital Video Recorder) capabilities are able to generate multimedia (video/audio) data, and can act as vital pieces of evidence in the field of digital forensics.To counter anti-forensics, it is necessary to derive systematic forensic techniques that can be used on data fragments in unused (unallocated) areas of files or images. Specifically, the techniques should extract meaningful information from various types of data fragments, such as non-sequential fragmentation and missing fragments overwritten by other data.This paper proposes a new digital forensic system for use on video data fragments related to DVRs. We demonstrate in detail special techniques for the classification, reassembly, and extraction of video data fragments, and introduce an integrated framework for data fragment forensics based on techniques described in this paper.     

BrowStExPlus: A Tool to Aggregate IndexedDB Artifacts for Forensic Analysis

As the Internet and World Wide Web have rapidly evolved and revolutionized the applications in everyday life, it is a demanding challenge for investigators to keep up with the emerging technologies for forensic analyses. Investigating web browser usages for criminal activities, also known as web browser forensics, is a significant part of digital forensics as crucial browsing information of the suspect can be discovered. Particularly, in this study, an emerging web storage technology, called IndexedDB, is examined. Characteristics of IndexedDB technology in five major web browsers under three major operating systems are scrutinized. Also, top 15 US websites ranked by Alexa are investigated for their data storage in IndexedDB. User screen names, ids, and records of conversations, permissions, and image locations are some of the data found in IndexedDB. Furthermore, BrowStEx, a proof‐of‐concept tool previously developed, is extended and cultivated into BrowStExPlus, with which aggregating IndexedDB artifacts is demonstrated.     

The Kodak Syndrome: Risks and Opportunities Created by Decentralization of Forensic Capabilities

Forensic science laboratories are being challenged by the expanding decentralization of forensic capabilities, particularly for digital traces. This study recommends laboratories undertake digital transformations to capitalize on the decentralization movement, develop a more comprehensive understanding of crime and security‐relevant problems, and play a more central role in problem‐solving collaboratively with law enforcement organizations and other stakeholders. A framework for the bilateral transfer of information and knowledge is proposed to magnify the impact of forensic science laboratories on abating crime, strengthening security, and reinforcing the criminal justice system. To accomplish digital transformations, laboratories require personnel with different expertise, including investigative reasoning, knowledge codification, data analytics, and forensic intelligence. Ultimately, this study encourages managers, educators, researchers, and policymakers to look beyond the usefulness of forensic results for solving individual investigations, and to realize the value of combined forensic knowledge and intelligence for developing broader strategies to deal with crime in digitalized society.     

微生物物证检验

面对21世纪生物犯罪或生物恐怖活动的新挑战,物证鉴定的新专业--微生物物证检验将成为执法部门侦查和起诉生物犯罪必不可少的手段。微生物物证检验以用作犯罪武器的各种微生物为检验对象,获得微生物种类和能够提供来源信息的菌毒株细致分型结果,达到提供犯罪侦查线索和法庭证据的目的。本文综述了微生物物证检验的定义、特征、技术应用以及美国近年来在微生物物证检验的实践和值得借鉴的成功经验。并建议我国物证鉴定实验室应积极开展研究,建立能够满足生物犯罪侦查需求的微生物物证检验能力。     

Distributed filesystem forensics: XtreemFS as a case study

Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem forensics. In this paper, we aim to address this gap in knowledge. Using our previously published cloud forensic framework as the underlying basis, we conduct an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics. We discuss the technical and process issues regarding collection of evidential data from distributed filesystems, particularly when used in cloud computing environments. A number of digital forensic artefacts are also discussed. We then propose a process for the collection of evidential data from distributed filesystems.     

A Novel Application of a Cryosectioning Technique to Aid Scat Hair Microanalysis

Scat hair presents a diverse profile of hairs for morphological assessment that may find versatile applications in wildlife forensic investigations. Successful morphological assessment of scat hair microstructure, however, depends on a robust sectioning methodology. We assessed the feasibility and efficacy of a cryosectioning technique compared to that of a gold standard hand‐sectioning technique. Scat hairs were embedded in paraffin wax and hand‐sectioned, while cryopreserved scat hairs were sectioned with a cryostat. The results showed that cryosectioning preserved the pristine morphology of the scat hair and provided cross sections more amenable to high‐resolution imaging of hair internal microstructure than hand‐sectioning. The cryosectioning technique may find novel applications as a more reliable and robust technique to aid (i) scat hair internal microstructure analysis for cross‐referencing with species identification keys in wildlife forensic studies and (ii) downstream toxicological analysis in wildlife forensic studies as hair biochemistry is not altered during cryopreservation.     

Applying a forensic approach to incident response,network investigation and system administration using Digital Evidence Bags

This paper questions the current approach to forensic incident response and network investigations. Although claiming to be ‘forensic’ in nature it shows that the basic processes and mechanisms used in traditional computer forensics are rarely applied in the live incident investigation arena. This paper demonstrates how the newly proposed Digital Evidence Bag (DEB) storage format can be applied to a dynamic environment. A DEB is a universal container for digital evidence from any source. It allows the provenance to be recorded and continuity to be maintained throughout the life of the investigation. With a small amount of forethought a forensically rigorous approach can be applied to incident response, network investigations and system administration with minimal overhead.     

An Android Communication App Forensic Taxonomy

Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and chronology of messages, was recovered. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other dimension. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.     

Windows 7 Antiforensics: A Review and a Novel Approach

In this paper, we review literature on antiforensics published between 2010 and 2016 and reveal the surprising lack of up‐to‐date research on this topic. This research aims to contribute to this knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach which allows for removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and that a Trojan Horse infection may be a legitimate possibility, even if there is no evidence of an infection on a seized computer's hard drive. Up‐to‐date information regarding how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.     

Can computer forensic tools be trusted in digital investigations?

This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while as most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.     

Study on the tracking revision history of MS Word files for forensic investigation

Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.     

A comprehensive micro unmanned aerial vehicle (UAV/Drone) forensic framework

In the early 1990s, unmanned aerial vehicles (UAV) were used exclusively in military applications by various developed countries. Now with its ease of availability and affordability in the electronic device market, this aerial vehicular technology has augmented its familiarity in public and has expanded its usage to countries all over the world. However, expanded use of UAVs, colloquially known as drones, is raising understandable security concerns. With the increasing possibility of drones' misuse and their abilities to get close to critical targets, drones are prone to potentially committing crimes and, therefore, investigation of such activities is a much-needed facet. This motivated us to devise a comprehensive drone forensic framework that includes hardware/physical and digital forensics, proficient enough for the post-flight investigation of drone's activity. For hardware/physical forensics, we propose a model for investigating drone components at the crime scene. Additionally, we propose a robust digital drone forensic application with a primary focus on analyzing the essential log parameters of drones through a graphical user interface (GUI) developed using JavaFX 8.0. This application interface would allow users to extract and examine onboard flight information. It also includes a file converter created for easy and effective 3D flight trajectory visualization. We used two popular drones for conducting this research; namely, DJI Phantom 4 and Yuneec Typhoon H. The interface also provides a visual representation of the sensor recordings from which pieces of evidence could be acquired. Our research is intended to offer the forensic science community a powerful approach for investigating drone-related crimes effectively.