Similar literature
20 similar records found.
1.
Digital Investigation 2014, 11(1):30-42
The pervasive availability of cheap cloud computing services for data storage, either as a persistence layer for applications or as a mere object store for end users, is remarkably increasing the chance that cloud platforms host evidence of criminal activity. Once presented with a proper court order, cloud providers would be in the best position to extract relevant data from their platforms in the most reliable and complete way. However, such services are not widespread to date, and therefore the need for a structured and forensically sound approach calls for innovative tooling which leverages the data-harvesting capabilities offered by the low-level program interfaces exposed by providers. This paper describes the concepts and internals of the Cloud Data Imager Library, a mediation layer that offers read-only access to files and metadata of selected remote folders and currently supports Dropbox, Google Drive and Microsoft SkyDrive storage. A demo application has been built on top of the library which allows directory browsing, file content viewing and imaging of folder trees with export to widespread forensic formats.

2.
Digital forensic investigators often find peer-to-peer, or file sharing, software present on the computers, or the images of the disks, that they examine. Investigators must first determine what P2P software is present and where the associated information is stored, retrieve the information from the appropriate directories, and then analyze the results. File Marshal is a tool that will automatically detect and analyze peer-to-peer client use on a disk. The tool automates what is currently a manual and labor-intensive process. It will determine what clients currently are or have been installed on a machine, and then extracts per-user usage information, specifically a list of peer servers contacted, and files that were shared and downloaded. The tool was designed to perform its actions in a forensically sound way, including maintaining a detailed audit trail of all actions performed. File Marshal is extensible, using a configuration file to specify details about specific peer-to-peer clients (e.g., location of log files and registry keys indicating installation). This paper describes the general design and features of File Marshal, its current status, and the plans for continued development and release. When complete, File Marshal, a National Institute of Justice funded effort, will be disseminated to law enforcement at no cost.

3.
Digital Investigation 2014, 11(3):160-174
Immature IT security, increasing network connectivity and unwavering media attention are causing an increase in the number of control system cyber security incidents. For forensic examinations in these environments, knowledge and skills are needed in the fields of hardware, networks and data analysis. For forensic examiners, this paper is meant to be a crash course on control systems and their forensic opportunities, focusing on the differences compared to regular IT systems. Assistance from experienced field engineers during forensic acquisition of control systems seems inevitable in order to guarantee process safety, business continuity and examination efficiency. For people working in the control system community, this paper may be helpful to get an idea about specific forensic issues about which they would normally not bother, but which may be crucial as soon as their systems are under attack or become part of a law enforcement investigation. For analysis of acquired data, existing tools for network security monitoring have useful functionality for forensic applications but are designed for real-time acquisition and are often not directly usable for post-mortem analysis of acquired data in a forensically sound way. The constant and predictable way in which control systems normally behave makes forensic application of anomaly-based threat detection an interesting topic for further research.

4.
Digital Investigation 2007, 4(3-4):119-128
Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery. Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files. At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image. This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Workshop's (DFRWS) 2007 carving challenge.

5.
Wearable devices give users the ability to leave mobile phones behind while remaining connected to the digital world; however, this creates challenges in the examination, acquisition, identification, and analysis of probative data. This preliminary research aims to provide an enhanced understanding of where sensitive user data and forensic artifacts are stored on smartwatch wearable devices, both when used as a connected device and as a standalone device. It also provides a methodology for the forensically sound acquisition of data from a standalone smartwatch wearable device. The results identify significant amounts of data on the Samsung Gear S3 Frontier, greater than that stored on the companion mobile phone. An Apple Watch® Series 3 manual examination method which produces native screenshots was identified; however, the companion mobile phone was found to store the greatest amount of data. As a result of this research, a data extraction tool for the Samsung Gear S3 Frontier was created.

6.
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.

8.
The NIBRS data program currently being implemented by the FBI and local law enforcement agencies has by now produced sufficient data for archiving and distribution. Although not representative of crime in the United States, existing NIBRS data can be used to investigate the nature of crimes known to the police compared to the traditional UCR data. The Bureau of Justice Statistics has requested the National Archive of Criminal Justice Data to store and make NIBRS data available to interested users. The data from 1996 will shortly be available from the NACJD web site. The 1996 data contain almost 6.5 million records and the FBI's full file includes about 361 Mbytes of data. The data have been disaggregated from the FBI's complex single file into 11 segment levels or record types. This makes the individual record types easier and faster to analyze than using the full file, which more closely resembles a relational database than a hierarchical file. However, splitting apart the record types requires that special procedures be used to merge files of different record types, which would be necessary if a user were interested in analyzing variables appearing in more than one record type (e.g., comparing offender and victim ages). These procedures are described, and a test comparing the time to run a simple frequency count using the full file against the merged files shows that using the merged files is considerably more efficient. Also discussed are some future developments to facilitate the analysis of NIBRS data.

9.
This paper investigates the evidential potential of the IconCache database file when tracking activity from USB-connectable devices on Windows systems. It focuses on the artifacts which are created and retained on a Windows host when executable files are either present on or run from a USB-connectable device. Artifacts left in the IconCache database as a result of running executables from a DVD drive or the host itself are also examined. It is shown that the IconCache.db stores numerous artifacts of investigative interest. These are created on system boot and added to, both when using host-based executables and when installing or using executables from other media. Executables present on USB devices, whether invoked or not, will create artifacts in the IconCache.db file. Findings should therefore be interpreted carefully and corroborated against other evidence.
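The finding above (an executable path lands in IconCache.db merely because the file was present on a removable volume) is exactly why the artifact needs corroboration rather than being read as proof of execution. The script below is an added example written for this page, not the paper's own tooling: it carves UTF-16LE path strings ending in .exe from a binary blob and groups them by drive letter so they can be matched against the host's known volumes. It assumes that paths survive in the file as UTF-16LE strings (the encoding Windows uses for paths), that the examiner supplies which drive letters were fixed disks (here only C:), and it runs on a constructed sample blob, not on a real IconCache.db.

```python
import re
from collections import defaultdict

# Assumption for this example (not stated in the paper): the paths of interest survive in the
# binary IconCache.db as UTF-16LE strings, so we carve path-shaped strings rather than parse
# the undocumented container. A match is "X:\..." or "\\server\share\..." ending in ".exe",
# followed by something that cannot be part of a path (normally the NUL terminator) or the end.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:\\|\\\\)[^\x00-\x1f<>:"|?*]+?\.exe(?![^\x00-\x1f<>:"|?*])',
    re.IGNORECASE,
)


def extract_exe_paths(blob):
    """Distinct executable paths carved from blob, sorted for stable reporting.

    A UTF-16LE string may start at an even or an odd byte offset, so the blob is decoded
    from offset 0 and from offset 1; misaligned bytes decode to junk code points that never
    satisfy PATH_RE.
    """
    found = set()
    for start in (0, 1):
        text = blob[start:].decode("utf-16-le", errors="ignore")
        found.update(m.group(0) for m in PATH_RE.finditer(text))
    return sorted(found)


def group_by_location(paths):
    """Group paths by drive letter ('UNC' for \\\\server paths) so they can be correlated
    with the volumes the host had mounted (MountedDevices, USB device history, etc.)."""
    groups = defaultdict(list)
    for p in paths:
        key = p[:2].upper() if p[1] == ":" else "UNC"
        groups[key].append(p)
    return dict(groups)


def flag_non_fixed_volumes(paths, fixed_drives):
    """Paths that do not sit on a drive the examiner established was a fixed disk.
    fixed_drives comes from the examiner's own volume analysis (assumed here)."""
    fixed = {d.upper() for d in fixed_drives}
    return [p for p in paths if not (p[1] == ":" and p[:2].upper() in fixed)]


def _u16(s):
    """UTF-16LE with a NUL terminator, the way Windows stores wide strings."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample, not a real IconCache.db: wide path strings between filler bytes, with
# some strings deliberately starting at odd byte offsets and one non-executable path.
SAMPLE_BLOB = (
    b"\x01\x00\x00\x00" + b"junk" * 3
    + _u16(r"C:\Windows\explorer.exe")
    + b"\x7f\x80\x81"                              # three filler bytes: next string is odd-aligned
    + _u16(r"D:\setup\Installer.EXE")
    + b"\x00" * 6
    + _u16(r"E:\portable\notes.exe")
    + b"ZZ"
    + _u16(r"\\fileserver\tools\runme.exe")
    + _u16(r"C:\Users\alice\Pictures\photo.jpg")  # not an executable, must not be reported
)

if __name__ == "__main__":
    paths = extract_exe_paths(SAMPLE_BLOB)
    for drive, entries in sorted(group_by_location(paths).items()):
        print(drive, entries)
    print("needs corroboration:", flag_non_fixed_volumes(paths, ["C:"]))
```

The paths flagged by `flag_non_fixed_volumes` are candidates only: the abstract's point is that presence on a USB volume is enough to create the entry, so each one still has to be tied to a device and, if execution matters, to a separate execution artifact.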

10.
Science & Justice 2023, 63(3):369-375
The strong integration of consumer electronics in everyday life offers many new investigative opportunities. In particular, digital traces from smartphones, smartwatches and activity trackers can now increasingly be used to infer information about actions performed by their users in the physical world that might not be obtainable from any other type of forensic evidence. While potentially very valuable from an investigative perspective, making forensically justifiable statements about such traces can sometimes be more difficult than expected. Requirements for this have not yet received much attention in the digital forensic literature. To help fill this gap, we describe the principles we use in determining the evidential value of such traces, which emphasize the need for experimental verification. For such research, aimed at determining the evidential value of these traces, we coin the term data2activity. In this paper, we devote attention to the potential and limitations of data2activity traces, focusing on challenges and giving two examples to illustrate potential pitfalls in interpreting data. Finally, future research directions into data2activity traces are indicated that, in our opinion, should be given attention. These include development of future-proof data acquisition and storage methodology, enabling division of effort and sharing of information, as well as development of labeling methodology for free-living experiments.

11.
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem_cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable.

12.
Drawing forensic conclusions from an image or a video is known as "photographic content analysis." It involves the analysis of an image, as well as of objects, actions, and events depicted in images or video. In recent years, photographic depictions of objects suspected to be illegal firearms have substantially increased, appearing in CCTV surveillance footage, captured by mobile phones and shared on social media. However, the law in Israel states that a person can be charged with illegally possessing a firearm only if it can be proven that the object is capable of shooting with lethal bullet energy. This becomes more challenging in cases where the firearm was not physically seized, and the evidence consists exclusively of images and video. In this study, photographic content analysis was applied to images and video in which objects suspected to be commercial or improvised firearms had been depicted. Image and event-sequence-reconstruction video databases of both firearms and replicas were created in order to better define firearm-specific functional morphological features. We demonstrate that it is possible to classify an object as a firearm by analyzing the functional, and not only the esthetic, morphology in images and video. It is also shown that event sequence reconstruction in video may be used to infer that an object suspected to be a firearm has the capacity to shoot by confirming the occurrence of a shooting act or shooting process. Thus, photographic content analysis may be used to forensically establish that an object depicted in an image or a video is a firearm by ruling out other known scenarios, and without physically seizing it.

13.
The increased use of social networking applications on smartphones makes these devices a goldmine for forensic investigators. Potential evidence can be held on these devices and recovered with the right tools and examination methods. This paper focuses on conducting forensic analyses of three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphone platforms: BlackBerry, iPhone, and Android. The tests consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing manual forensic analysis on each acquired logical image. The forensic analyses were aimed at determining whether activities conducted through these applications were stored in the device's internal memory. If so, the extent, significance, and location of the data that could be found and retrieved from the logical image of each device were determined. The results show that no traces could be recovered from BlackBerry devices. However, iPhones and Android phones store a significant amount of valuable data that could be recovered and used by forensic investigators.

14.
To satisfy the Criminal Code of Canada's definition of a firearm, a barreled weapon must be capable of causing serious bodily injury or death to a person. Canadian courts have accepted the forensically established criterion of "penetration or rupture of an eye" as serious bodily injury. The minimal velocity of nonconventional ammunition required to penetrate the eye, including airsoft projectiles, has yet to be established. To establish minimal threshold requirements for eye penetration, empirical tests were conducted using a variety of airsoft projectiles. Using the data obtained from these tests, and previous research using "air gun" projectiles, an "energy density" parameter was calculated for the minimum penetration threshold of an eye. Airsoft guns capable of achieving velocities in excess of 99 m/s (325 ft/s) using conventional 6-mm airsoft ammunition will satisfy the forensically established criterion of "serious bodily injury." The energy density parameter for typical 6-mm plastic airsoft projectiles is 4.3 to 4.8 J/cm2. This calculation also encompasses 4.5-mm steel BBs.
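Worked relation between the velocity threshold and the energy density figure above (added here; the abstract gives no pellet mass, so the 0.25 g used below is an assumption matching common 6-mm airsoft pellets, not a value from the paper):

$$E_d = \frac{\tfrac{1}{2}\, m v^2}{\pi \left(\tfrac{d}{2}\right)^2}, \qquad
m = 2.5\times10^{-4}\,\text{kg},\; v = 99\,\text{m/s},\; d = 0.6\,\text{cm}$$

$$\tfrac{1}{2} m v^2 = 0.5 \times 2.5\times10^{-4} \times 99^2 \approx 1.23\,\text{J}, \qquad
\pi (0.3\,\text{cm})^2 \approx 0.283\,\text{cm}^2, \qquad
E_d \approx \frac{1.23}{0.283} \approx 4.3\,\text{J/cm}^2$$

The lower end of the reported 4.3 to 4.8 J/cm² band is thus reproduced at the 99 m/s threshold for a 0.25 g pellet; heavier pellets at the same velocity give the upper end. Because $E_d$ scales with $m v^2 / d^2$, a smaller-diameter, denser projectile such as a 4.5-mm steel BB reaches the same energy density at a lower velocity, which is what the last sentence of the abstract refers to.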

15.
When digital forensics started in the mid-1980s most of the software used for analysis came from writing and debugging software. Amongst these tools was the UNIX utility 'dd' which was used to create an image of an entire storage device. In the next decade the practice of creating and using 'an image' became established as a fundamental base of what we call 'sound forensic practice'. By virtue of its structure, every file within the media was an integrated part of the image and so we were assured that it was a complete representation of the digital crime scene. In an age of terabyte media 'the image' is becoming increasingly cumbersome to process, simply because of its size. One solution to this lies in the use of distributed systems. However, the data assurance inherent in a single media image file is lost when data is stored in separate files distributed across a system. In this paper we assess current assurance practices and provide some solutions to the need to have assurance within a distributed system.
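One way to keep the assurance of a single image once it is split across a distributed store is to bind every chunk to its position with a manifest and record the manifest's hash outside the store. The code below is an added example for this page, not the paper's proposed solution: it assumes SHA-256, a fixed chunk size of 4096 bytes (chosen for the example), and that the manifest hash is kept somewhere the chunk store cannot alter (for instance the chain-of-custody record). The whole-image hash in the manifest is computed over the chunks in order, so it still equals the hash of the monolithic 'dd' image and can be compared with one.

```python
import hashlib

CHUNK_SIZE = 4096  # assumed for the example; real segment sizes are much larger


def split_image(image, chunk_size=CHUNK_SIZE):
    """Split a monolithic image into the ordered chunks that will be stored separately."""
    return [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]


def manifest_digest(manifest):
    """Hash over the ordered chunk records and the whole-image hash. Recording this single
    value outside the chunk store binds every chunk to its content and its position."""
    h = hashlib.sha256()
    for e in manifest["chunks"]:
        h.update(f"{e['index']}:{e['length']}:{e['sha256']}\n".encode())
    h.update(manifest["image_sha256"].encode())
    return h.hexdigest()


def build_manifest(chunks):
    """Per-chunk SHA-256 plus the SHA-256 of all chunks in order, which equals the hash of
    the original monolithic image."""
    whole = hashlib.sha256()
    entries = []
    for idx, chunk in enumerate(chunks):
        whole.update(chunk)
        entries.append({"index": idx, "length": len(chunk),
                        "sha256": hashlib.sha256(chunk).hexdigest()})
    manifest = {"chunk_count": len(chunks), "chunks": entries, "image_sha256": whole.hexdigest()}
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify_chunks(chunks, manifest, recorded_manifest_sha256):
    """Return a list of problems; an empty list means the distributed chunks are exactly the
    image that was acquired. The manifest itself is checked first, then every chunk."""
    if manifest_digest(manifest) != recorded_manifest_sha256:
        return ["manifest does not match the recorded manifest hash"]
    problems = []
    if len(chunks) != manifest["chunk_count"]:
        problems.append(f"expected {manifest['chunk_count']} chunks, found {len(chunks)}")
    whole = hashlib.sha256()
    for idx, (chunk, entry) in enumerate(zip(chunks, manifest["chunks"])):
        whole.update(chunk)
        if len(chunk) != entry["length"] or hashlib.sha256(chunk).hexdigest() != entry["sha256"]:
            problems.append(f"chunk {idx} differs from its manifest entry")
    if not problems and whole.hexdigest() != manifest["image_sha256"]:
        problems.append("reassembled image hash does not match")
    return problems


def demo():
    """Constructed image (not a real acquisition) exercising each failure mode; returns the outcomes."""
    image = bytes((i * 7 + (i >> 8)) % 256 for i in range(3 * CHUNK_SIZE + 100))
    chunks = split_image(image)
    manifest = build_manifest(chunks)
    recorded = manifest["manifest_sha256"]          # what the custody record would hold
    assert manifest["image_sha256"] == hashlib.sha256(image).hexdigest()

    tampered = list(chunks)
    tampered[1] = bytes([tampered[1][0] ^ 0xFF]) + tampered[1][1:]   # one byte changed
    swapped = [chunks[2], chunks[1], chunks[0], chunks[3]]            # same bytes, wrong order
    missing = chunks[:-1]                                             # last segment lost
    forged = build_manifest(tampered)   # attacker rewrites the manifest to fit the tampered chunk
    return {
        "intact": verify_chunks(chunks, manifest, recorded),
        "tampered": verify_chunks(tampered, manifest, recorded),
        "swapped": verify_chunks(swapped, manifest, recorded),
        "missing": verify_chunks(missing, manifest, recorded),
        "forged_manifest": verify_chunks(tampered, forged, recorded),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

Per-chunk hashes alone would not catch the reordering or the rewritten manifest; the position in the manifest record and the externally recorded manifest hash are what restore the assurance a single image file gave for free.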

16.
Insects have an important role in minimum postmortem interval (PMImin) estimation. An accurate PMImin estimation relies on a comprehensive study of the development and succession of local carrion insects. No published research on carrion insect succession exists for tropical north Queensland. To address this, we aimed to obtain preliminary observational data concerning the rate of decomposition and insect succession on pig carcasses in Townsville and compare these with other regions of Australia and overseas. Adult insects were collected daily from three pig carcasses for 30 d during summer and identified to family level. Observations of decomposition rate were made each day and progression through the stages of decomposition were recorded. Adult insects were identified to family and their presence/absence used as a proxy for arrival at/departure from the remains, respectively. These preliminary data highlight several interesting trends that may be informative for forensic PMImin estimation. Decomposition was rapid: all carcasses were at the dry/remains stage by Day 5, which was substantially quicker than all other regions in the comparison. Differences were also observed in the presence/absence of insect families and their arrival and departure times. Given the rapid progression through early decomposition, we argue that later-arriving coleopteran taxa may be more forensically informative in tropical Australia, in contrast with temperate regions where Diptera appear most useful. This research contributes preliminary observational data to understanding insect succession patterns in tropical Australia and demonstrates the critical need for comprehensive local succession data for each climatic region of Australia to enable accurate PMImin estimation. These data will inform future research targeted at gaining a more comprehensive understanding of insect succession in the Australian tropics.

Key points:

  • We obtained preliminary observational data concerning the rate of decomposition and insect succession on pig carcasses in tropical Australia.
  • Decomposition was rapid: all carcasses were at the dry/remains stage by Day 5.
  • Coleopteran taxa may be more forensically informative in tropical Australia than dipterans.

18.
"File carving" reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings ("objects") from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high speed validators can be used to reassemble fragmented files.
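The structure-based carving of entry 4 and the validate-or-discard approach of this entry meet in the ZIP format: the end-of-central-directory (EOCD) record states the central directory's size and its offset from the start of the archive, so a single EOCD pins down the whole archive's extent, and the member CRCs then act as the validator. The script below is an added example written for this page, neither the DFRWS 2007 carver of entry 4 nor the validator suite described here; it relies only on the published ZIP layout (PKWARE APPNOTE) and Python's standard `zipfile`, and runs against a constructed blob, not the challenge image. Contiguous archives only; a fragmented archive fails validation and is left for the reassembly stage.

```python
import io
import struct
import zipfile

# ZIP internal structure (PKWARE APPNOTE) used to carve by structure instead of guessing extents.
LFH_SIG = b"PK\x03\x04"    # local file header
CD_SIG = b"PK\x01\x02"     # central directory file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
EOCD_FIXED = 22            # EOCD size before the optional trailing comment


def find_eocd_records(blob):
    """Yield (eocd_offset, entries, cd_size, cd_offset, comment_len) for every EOCD signature."""
    pos = blob.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED <= len(blob):
            (_disk, _cd_disk, _entries_here, entries, cd_size, cd_offset,
             comment_len) = struct.unpack_from("<HHHHIIH", blob, pos + 4)
            yield pos, entries, cd_size, cd_offset, comment_len
        pos = blob.find(EOCD_SIG, pos + 1)


def validate_zip(candidate):
    """Validator: member names if candidate parses as a ZIP and every member's CRC checks, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
            if zf.testzip() is not None:      # name of the first member whose CRC fails
                return None
            return zf.namelist()
    except (zipfile.BadZipFile, EOFError, ValueError, RuntimeError):
        return None


def carve_zips(blob):
    """Carve ZIP archives from an unstructured blob. Returns [(start, end, member_names)].

    From each EOCD the central directory start is eocd - cd_size and the archive start is
    that minus cd_offset. The signatures must sit exactly where the EOCD says, and the CRCs
    must check, or the candidate is discarded.
    """
    carved = []
    for eocd_pos, entries, cd_size, cd_offset, comment_len in find_eocd_records(blob):
        cd_start = eocd_pos - cd_size
        start = cd_start - cd_offset
        end = eocd_pos + EOCD_FIXED + comment_len
        if entries == 0 or start < 0 or end > len(blob):
            continue
        if blob[cd_start:cd_start + 4] != CD_SIG or blob[start:start + 4] != LFH_SIG:
            continue
        names = validate_zip(blob[start:end])
        if names is not None:
            carved.append((start, end, names))
    return carved


FILLER = bytes(range(256)) * 4   # deterministic non-ZIP bytes standing in for unallocated space


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_image():
    """Constructed test image (not DFRWS data): filler, an intact archive, a bare EOCD
    signature with no archive behind it, and an archive whose stored member data was
    damaged after writing so its CRC no longer matches."""
    good = _make_zip([("a.txt", b"hello carving"), ("b.txt", b"second member")])
    damaged = good.replace(b"hello carving", b"hellX carving")
    decoy = EOCD_SIG + b"\x00" * (EOCD_FIXED - 4)
    return FILLER + good + FILLER + decoy + FILLER + damaged + FILLER


if __name__ == "__main__":
    for start, end, names in carve_zips(build_sample_image()):
        print(f"ZIP at {start}-{end}: {names}")
```

Only the intact archive is reported: the decoy EOCD has no central directory or local header where it claims, and the damaged archive is structurally perfect but fails the CRC validator, which is the "discard" branch of the multi-tier decision described above. PDF carving in entry 4 follows the same idea with the trailer's startxref offset in place of the EOCD.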

19.
The media allow crime to infiltrate the public's consciousness in every conceivable way, thereby playing a major role in shaping the public's opinion and attitude toward crime and crime issues (Barak, 1995; Fields & Jerin, 1996; Kappeler & Potter, 2005). Reporters constantly talk about crime, and crime-related stories dominate the headlines of local and national newspaper outlets (Dowler, 2003; Pizarro et al., 2007). Some of the most highly rated television programs are based on crime plots, and people across social, political, and racial demographics are constantly engaged in crime dialogue generated from local or national news stories. When the focus of these media is on youth they become even more profound and contentious. The images portrayed conjure up stereotypes that lead to fear and inflammatory remarks that become entrenched in the national lexicon. The current study uses data from the National Opinion Survey of Crime and Justice to test the relationship between crime-related media viewership and fear of victimization within a nationally representative adult sample. Approximately 42.67% of respondents reported regularly watching crime shows and about the same proportion (42.83%) believed their local media paid too much attention to violent crime. In addition to regular crime-show viewership, confidence in the police, gender, and recent contact with the police were associated with fear of victimization. This article adds to an existing body of research through a largely unexplored area in the administration of justice. It does so within the context of the U.S. juvenile justice system.

20.
The article uses conceptual metaphor theory to analyse how the concept of "copy" in copyright law is expanding in a digital society to cover more phenomena than originally intended. For this purpose, the legally accepted model for valuing media files in the case against The Pirate Bay (TPB) is used in the analysis. When four men behind TPB were convicted in the District Court of Stockholm, Sweden, on 17 April 2009, to many it marked a victory over online piracy for the American and Swedish media corporations. The convicted men were jointly liable for damages of roughly EUR 3.5 million. But how do you calculate the damages of file sharing? For example, what is the value of a copy? The article uses the model for valuing files in monetary terms, suggested by the American plaintiffs and sanctioned by the District Court in the case against the BitTorrent site TPB, in order to calculate the total value of an entire other BitTorrent site, which is kept anonymous here. The calculated hypothetical figures are huge, EUR 53 billion, and grow click by click, which on its face questions some of the key assumptions in the copy-by-copy valuation that spring from analogue conceptions of reality transferred into a digital context. This signals a (legal) conceptual expansion of the meaning of "copy" in copyright that does not seem to fit with how the phenomenon is conceptualised by the younger generation of media consumers.

Copyright © Beijing Qinyun Technology Development Co., Ltd. (北京勤云科技发展有限公司), 京ICP备09084417号