Similar Literature
20 similar documents found
1.
Digital Investigation, 2014, 11(3): 160-174
Immature IT security, increasing network connectivity and unwavering media attention is causing an increase in the number of control system cyber security incidents. For forensic examinations in these environments, knowledge and skills are needed in the field of hardware, networks and data analysis. For forensic examiners, this paper is meant to be a crash course on control systems and their forensic opportunities, focussing on the differences compared to regular IT systems. Assistance from experienced field engineers during forensic acquisition of control systems seems inevitable in order to guarantee process safety, business continuity and examination efficiency. For people working in the control system community, this paper may be helpful to get an idea about specific forensic issues about which they would normally not bother, but may be crucial as soon as their systems are under attack or become part of a law enforcement investigation. For analysis of acquired data, existing tools for network security monitoring have useful functionality for forensic applications but are designed for real-time acquisition and often not directly usable for post-mortem analysis of acquired data in a forensically sound way. The constant and predictable way in which control systems normally behave makes forensic application of anomaly-based threat detection an interesting topic for further research.

2.
Fog Computing provides a myriad of potential societal benefits: personalised healthcare, smart cities, automated vehicles, Industry 4.0, to name just a few. The highly dynamic and complex nature of Fog Computing with its low latency communication networks connecting sensors, devices and actuators facilitates ambient computing at scales previously unimaginable. The combination of Machine Learning, Data Mining, and the Internet of Things supports endless innovation in our data driven society. Fog computing incurs new threats to security and privacy, since these become more difficult to ensure when there is an increased number of connected devices, and such devices (for example sensors) typically have limited capacity for in-built security. For law enforcement agencies, the existing models for digital forensic investigations are ill suited to the emerging fog paradigm. In this paper we examine the procedural, technical, legal, and geopolitical challenges associated with digital forensic investigations in Fog Computing. We highlight areas that require further development, and posit a framework to stimulate further consideration and discussion around the challenges associated with extracting digital evidence from Fog Computing systems.

3.
Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems.

4.
Digital Investigation, 2007, 4(3-4): 146-157
Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

5.
The anthropocentric nature of forensic sciences has been changing continuously over the years and this process is continuing today. Due to its universality and multilateral implementation, and the fragmented nature of forensic epistemology, the information provided by forensic genetics can play a pivotal role in forensic science. At the same time, the link between forensic genetics and non-human forensic biological evidence has become unquestionable. It may highlight the modern requirements of forensic science, and this connection is also able to provide useful and sufficient examples for developmental processes in wildlife forensics. Obviously, the local formations, organizations, and operations of wildlife forensics can be different worldwide, but the detection and punishment of wildlife-related criminal behavior, as well as the prevention of further crimes, play a relevant role in these processes everywhere.

6.
Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security (one of the three pillars of the EU cyber security policy), the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems, thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security, and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.

7.
Increasingly, Android smartphones are becoming more pervasive within the government and industry, despite the limited ways to detect malicious applications installed to these phones' operating systems. Although enterprise security mechanisms are being developed for use on Android devices, these methods cannot detect previously unknown malicious applications. As more sensitive enterprise information becomes available and accessible on these smartphones, the risk of data loss inherently increases. A malicious application's actions could potentially leave sensitive data exposed with little recourse. Without an effective corporate monitoring solution in place for these mobile devices, organizations will continue to lack the ability to determine when a compromise has occurred. This paper presents research that applies traditional digital forensic techniques to remotely monitor and audit Android smartphones. The smartphone sends changed file system data to a remote server, allowing for expensive forensic processing and the offline application of traditional tools and techniques rarely applied to the mobile environment. The research aims at ascertaining new ways of identifying malicious Android applications and ultimately attempts to improve the state of enterprise smartphone monitoring. An on-phone client, server, database, and analysis framework was developed and tested using real mobile malware. The results are promising: the developed detection techniques identify changes to important system partitions; recognize file system changes, including file deletions; and find persistence and triggering mechanisms in newly installed applications. It is believed that these detection techniques should be performed by enterprises to identify malicious applications affecting their phone infrastructure.

8.
This paper analyses the assumptions underpinning a range of emerging EU and UK smart home cybersecurity standards. We use internet of things (IoT) case studies (such as the Mirai Botnet affair) and the criminological concept of ‘routine activity theory’ to situate our critique. Our study shows that current cybersecurity standards mainly assume smart home environments are (and will continue to be) underpinned by cloud architectures. This is a shortcoming in the longevity of standards. This paper argues that edge computing approaches, such as personal information management systems, are emerging for the IoT and challenge the cloud focused assumptions of these standards. In edge computing, data can be stored in a decentralised manner, locally, and analysed on the client using federated learning. This can have advantages for security, privacy and legal compliance over centralised cloud-based approaches, particularly around cross border data flows and edge based security analytics. As a consequence, standards should start to reflect the increased interest in this trend to make them more aspirational and responsive for the long term; as ultimately, current IoT architectures are a choice, as opposed to inherent. Our paper unpacks the importance of the adoption of edge computing models which could enable better management of external cyber-criminality threats in smart homes. We also briefly discuss challenges of building smart homes that can accommodate the complex nature of everyday life in the home. In addition to technical aspects, the social and interactional complexities of the home mean internal threats can also emerge. As these human factors remain unresolved in current approaches to smart home cybersecurity, a user's security can be impacted by such technical design choices.

9.
The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscalable, and alternate methods to reduce the time trained analysts spend on each job are necessary. This work leverages standardised knowledge representation techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work. A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator. Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.

10.
One of the most pressing challenges in digital investigations today is the extraction and forensic preservation of a subset of data on computer clusters and other large storage systems. As the number and capacity of computer systems increases, it is no longer feasible to create forensic duplicates of every system in their entirety. Although forensic tools are being developed to cope with such situations, they do not support all file systems. Experienced digital investigators use tools such as RoboCopy to preserve a subset of data on target systems, and take steps to document their process and results. This paper explores the need for these tools in digital investigations, and demonstrates the strengths and weaknesses of using RoboCopy to acquire data on a network share. This paper then introduces FriendlyRoboCopy, which provides an effective, user-friendly interface to RoboCopy that addresses the requirements of forensic preservation.

11.
Global Crime, 2013, 14(2-3): 175-196
This paper focuses on criminals who could easily be labelled as entrepreneurs and who deal in compromised computer systems. Known as botmasters, these individuals use their technical skills to take over and control personal, business and governmental computers. These networks of hijacked computers are known as botnets in the security industry. With this massive computing power, these criminals can send large amounts of spam, attack web servers or steal financial data, all for a fee. As entrepreneurs, the botmasters' main goal is to achieve the highest level of success possible. In their case, this achievement can be measured in the illegitimate revenues they earn from the leasing of their botnet. Based on the evidence gathered in literature on legitimate and illegitimate markets, this paper sets out to understand how reputation could relate to criminal achievement, as well as what factors impact a heightened level of reputation in a criminal market.

12.
13.
14.
The dramatic increase in crime relating to the Internet and computers has caused a growing need for digital forensics. Digital forensic tools have been developed to assist investigators in conducting a proper investigation into digital crimes. In general, the bulk of the digital forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art digital forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and monetary costs involved in gathering evidence. The focus of this paper is to demonstrate how, in a digital investigation, digital forensic tools and the self-organising map (SOM), an unsupervised neural network model, can aid investigators to determine anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted to conduct the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by digital forensic tools so as to determine anomalous behaviours.

15.
As electronic documents become more important and valuable in the modern era, attempts are invariably made to take undue advantage by tampering with them. Tampering with the modification, access and creation date and time stamps (MAC DTS) of digital documents poses a great threat and proves to be a major handicap in digital forensic investigation. Authentic date and time stamps (ADTS) can provide crucial evidence in linking crime to criminal in cases of Computer Fraud and Cyber Crimes (CFCC) through reliable time lining of digital evidence. But the ease with which the MAC DTS of stored digital documents can be changed raises some serious questions about the integrity and admissibility of digital evidence, potentially leading to rejection of acquired digital evidence in a court of law. MAC DTS procedures of popular operating systems are inherently flawed and were created only for the sake of convenience, not necessarily keeping in mind the security and digital forensic aspects. This paper explores these issues in the context of the Ext2 file system and also proposes one solution to tackle such issues for the scenario where systems have preinstalled plug-ins in the form of Loadable Kernel Modules, which provide the capability to preserve ADTS.

16.
Science & Justice, 2014, 54(6): 494-501
Research and Development (‘R&D’) in forensic science currently focuses on innovative technologies improving the efficiency of existing forensic processes, from the detection of marks and traces at the scene, to their presentation in Court. R&D approached from this perspective provides no response to doubts raised by recent criminological studies, which question the effective contribution of forensic science to crime reduction, and to policing in general. Traces (i.e. forensic case data), as remnants of criminal activity, are collected and used in various forms of crime monitoring and investigation. The aforementioned doubts therefore need to be addressed by expressing how information is conveyed by traces in these processes. Modelling from this standpoint expands the scope of forensic science and provides new R&D opportunities. Twelve propositions for R&D are stated in order to pave the way.

17.
Current digital forensic text string search tools use match and/or indexing algorithms to search digital evidence at the physical level to locate specific text strings. They are designed to achieve 100% query recall (i.e. find all instances of the text strings). Given the nature of the data set, this leads to an extremely high incidence of hits that are not relevant to investigative objectives. Although Internet search engines suffer similarly, they employ ranking algorithms to present the search results in a more effective and efficient manner from the user's perspective. Current digital forensic text string search tools fail to group and/or order search hits in a manner that appreciably improves the investigator's ability to get to the relevant hits first (or at least more quickly). This research proposes and empirically tests the feasibility and utility of post-retrieval clustering of digital forensic text string search results, specifically by using Kohonen Self-Organizing Maps, a self-organizing neural network approach. This paper is presented as a work-in-progress. A working tool has been developed and experimentation has begun. Findings regarding the feasibility and utility of the proposed approach will be presented at DFRWS 2007, as well as suggestions for follow-on research.

18.
Digital Investigation, 2014, 11(3): 175-178
A number of new entertainment systems have appeared on the market that have embedded computing capabilities. Smart Televisions have the ability to connect to networks, browse the web, purchase applications and play games. Early versions were based on proprietary operating systems; newer versions released from 2012 are based on existing operating systems such as Linux and Android. The question arises as to what sort of challenges and opportunities they present to the forensics examiner. Are these new platforms or simply new varieties of existing forms of devices? What data do they retain and how easy is it to access this data? This paper explores this as a future forensic need and asks if we are missing potential sources of forensic data and to what degree we are ready to process these systems as part of an investigation.

19.
Application Prospects of DNA Methylation in Forensic Science and Recent Advances in Its Detection Methods (cited by 2: 0 self-citations, 2 by others)
DNA methylation is an important epigenetic marker. Recent studies suggest that DNA methylation may have application prospects in cases such as duo (two-person) paternity testing and forensic individual identification of monozygotic twins, and could serve as a useful supplement to classical genetic markers such as STRs and SNPs. A series of DNA methylation detection methods has been established based on principles such as methylation-sensitive restriction endonucleases, bisulfite conversion, and methyl-CpG binding proteins. Locus-specific DNA methylation detection methods, including methylation-sensitive single nucleotide primer extension, real-time fluorescence PCR, methylation-specific PCR, methylation-specific multiplex ligation-dependent probe amplification, and fibre-optic bead arrays, can all be used to detect the methylation status of known CpG sites and may have application prospects in forensic laboratories; genome-wide DNA methylation scanning methods such as AIMS, HELP and COMPARE-MS can discover DNA methylation sites with potential forensic value.

20.
Li Dan, 《犯罪研究》 (Crime Research), 2009, (3): 20-26
With the development of computer technology and modern communication technology, information networks have extended into every corner of social life, and crime, as a by-product of society, has accordingly evolved many new forms, posing challenges to traditional investigative work in evidence acquisition and case-solving models. Given this, investigative work in the information age can seek breakthroughs in investigative models, working methods, investigative concepts and the improvement of investigative capability, so as to meet the demands of the times and better fulfil its duties.

Copyright © Beijing Qinyun Technology Development Co., Ltd. (北京勤云科技发展有限公司)  京ICP备09084417号