Forensic artefacts left by Windows Live Messenger 8.0

Windows Live Messenger – commonly referred by MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP.Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.     

Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224–233]

Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.     

DigLA – A Digsby log analysis tool to identify forensic artifacts

Since the inception of Web 2.0, instant messaging, e-mailing, and social networking have emerged as cheap and efficient means of communication over the Web. As a result, a number of communication platforms like Digsby have been developed by various research groups to facilitate access to multiple e-mail, instant messaging, and social networking sites using a single credential. Although such platforms are advantageous for end-users, they present new challenges to digital forensic examiners because of their illegitimate use by anti-social elements. To identify digital artifacts from Digsby log data, an examiner is assumed to have knowledge of the whereabouts of Digsby traces before starting an investigation process. This paper proposes a design for a user-friendly GUI-based forensic tool, DigLA, which provides a unified platform for analyzing Digsby log data at different levels of granularity. DigLA is also equipped with password decryption methods for both machine-specific and portable installation versions of Digsby. By considering Windows registry and Digsby log files as dynamic sources of evidence, specifically when Digsby has been used to commit a cyber crime, this paper presents a systematic approach to analyzing Digsby log data. It also presents an approach to analyzing RAM and swap files to collect relevant traces, specifically the login credentials of Digsby and IM users. An expected insider attack from a server security perspective is also studied and discussed in this paper.     

Forensic analysis of Telegram Messenger for Windows Phone

This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation.     

The Linux FAT32 allocator and file creation order reconstruction

The allocation algorithm of the Linux FAT32 file system driver positions files on disk in such a way that their relative positions reveal information on the order in which these files have been created. This provides an opportunity to enrich information from (carved) file fragments with time information, even when such file fragments lack the file system metadata in which time-related information is usually to be found.Through source code analysis and experiments the behaviour of the Linux FAT allocator is examined. How an understanding of this allocator can be applied in practice is demonstrated with a case study involving a TomTom GPS car navigation device. In this case, time information played a crucial role. Large amounts of location records could be carved from this device's flash storage, yielding insight into the locations the device has visited—yet the carved records themselves offered no information on when the device had been at the locations. Still, bounds on the records' time of creation could be inferred when making use of filesystem timestamps related to neighbouring on-disk positions.Finally, we perform experiments which contrast the Linux behaviour with that of Windows 7. We show that the latter differs subtly, breaking the strong relation between creation order and position.     

Carving contiguous and fragmented files with fast object validation

“File carving” reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings – “objects” – from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high speed validators can be used to reassemble fragmented files.     

Predicting the types of file fragments

A problem that arises in computer forensics is to determine the type of a file fragment. An extension to the file name indicating the type is stored in the disk directory, but when a file is deleted, the entry for the file in the directory may be overwritten. This problem is easily solved when the fragment includes the initial header, which contains explicit type-identifying information, but it is more difficult to determine the type of a fragment from the middle of a file.We investigate two algorithms for predicting the type of a fragment: one based on Fisher's linear discriminant and the other based on longest common subsequences of the fragment with various sets of test files. We test the ability of the algorithms to predict a variety of common file types. Algorithms of this kind may be useful in designing the next generation of file-carvers – programs that reconstruct files when directory information is lost or deleted. These methods may also be useful in designing virus scanners, firewalls and search engines to find files that are similar to a given file.     

Bin-Carver: Automatic recovery of binary executable files

File carving is the process of reassembling files from disk fragments based on the file content in the absence of file system metadata. By leveraging both file header and footer pairs, traditional file carving mainly focuses on document and image files such as PDF and JPEG. With the vast amount of malware code appearing in the wild daily, recovery of binary executable files becomes an important problem, especially for the case in which malware deletes itself after compromising a computer. However, unlike image files that usually have both a header and footer pair, executable files only have header information, which makes the carving much harder. In this paper, we present Bin-Carver, a first-of-its-kind system to automatically recover executable files with deleted or corrupted metadata. The key idea is to explore the road map information defined in executable file headers and the explicit control flow paths present in the binary code. Our experiment with thousands of binary code files has shown our Bin-Carver to be incredibly accurate, with an identification rate of 96.3% and recovery rate of 93.1% on average when handling file systems ranging from pristine to chaotic and highly fragmented.     

Treasure and tragedy in kmem_cache mining for live forensics investigation

This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem_cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable.     

Testing the National Software Reference Library

The National Software Reference Library (NSRL) is an essential data source for forensic investigators, providing in its Reference Data Set (RDS) a set of hash values of known software. However, the NSRL RDS has not previously been tested against a broad spectrum of real-world data. The current work did this using a corpus of 36 million files on 2337 drives from 21 countries. These experiments answered a number of important questions about the NSRL RDS, including what fraction of files it recognizes of different types. NSRL coverage by vendor/product was also tested, finding 51% of the vendor/product names in our corpus had no hash values at all in NSRL. It is shown that coverage or “recall” of the NSRL can be improved with additions from our corpus such as frequently-occurring files and files whose paths were found previously in NSRL with a different hash value. This provided 937,570 new hash values which should be uncontroversial additions to NSRL. Several additional tests investigated the accuracy of the NSRL data. Experiments testing the hash values saw no evidence of errors. Tests of file sizes showed them to be consistent except for a few cases. On the other hand, the product types assigned by NSRL can be disputed, and it failed to recognize any of a sample of virus-infected files. The file names provided by NSRL had numerous discrepancies with the file names found in the corpus, so the discrepancies were categorized; among other things, there were apparent spelling and punctuation errors. Some file names suggest that NSRL hash values were computed on deleted files, not a safe practice. The tests had the secondary benefit of helping identify occasional errors in the metadata obtained from drive imaging on deleted files in our corpus. This research has provided much data useful in improving NSRL and the forensic tools that depend upon it. It also provides a general methodology and software for testing hash sets against corpora.     

An Android Communication App Forensic Taxonomy

Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and chronology of messages, was recovered. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other dimension. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.     

Detecting file fragmentation point using sequential hypothesis testing

File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.     

Detecting file fragmentation point using sequential hypothesis testing

File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.     

JPEG steganography detection with Benford's Law

In this paper we present a novel approach to the problem of steganography detection in JPEG images by applying a statistical attack. The method is based on the empirical Benford's Law and, more specifically, on its generalized form. We prove and extend the validity of the logarithmic rule in colour images and introduce a blind steganographic method which can flag a file as a suspicious stego-carrier. The proposed method achieves very high accuracy and speed and is based on the distributions of the first digits of the quantized Discrete Cosine Transform coefficients present in JPEGs. In order to validate and evaluate our algorithm, we developed steganographic tools which are able to analyse image files and we subsequently applied them on the popular Uncompressed Colour Image Database. Furthermore, we demonstrate that not only can our method detect steganography but, if certain criteria are met, it can also reveal which steganographic algorithm was used to embed data in a JPEG file.     

Using the HFS+ journal for deleted file recovery

This paper describes research and analysis that were performed to identify a robust and accurate method for identifying and extracting the residual contents of deleted files stored within an HFS+ file system. A survey performed during 2005 of existing tools and techniques for HFS+ deleted file recovery reinforced the need for newer, more accurate techniques.Our research and analysis were based on the premise that a transactional history of file I/O operations is maintained in a Journal on HFS+ file systems, and that this history could be used to reconstruct recent deletions of active files from the file system. Such an approach offered a distinct advantage over other current techniques, including recovery of free/unallocated blocks and “file carving” techniques. If the journal entries contained or referenced file attributes such as the extents that specify which file system blocks were occupied by each file, then a much more accurate identification and recovery of deleted file data would be possible.     

Using the HFS+ journal for deleted file recovery

This paper describes research and analysis that were performed to identify a robust and accurate method for identifying and extracting the residual contents of deleted files stored within an HFS+ file system. A survey performed during 2005 of existing tools and techniques for HFS+ deleted file recovery reinforced the need for newer, more accurate techniques.Our research and analysis were based on the premise that a transactional history of file I/O operations is maintained in a Journal on HFS+ file systems, and that this history could be used to reconstruct recent deletions of active files from the file system. Such an approach offered a distinct advantage over other current techniques, including recovery of free/unallocated blocks and “file carving” techniques. If the journal entries contained or referenced file attributes such as the extents that specify which file system blocks were occupied by each file, then a much more accurate identification and recovery of deleted file data would be possible.     

Introducing the Microsoft Vista event log file format

Several operating systems provide a central logging service which collects event messages from the kernel and applications, filters them and writes them into log files. Since more than a decade such a system service exists in Microsoft Windows NT. Its file format is well understood and supported by forensic software. Microsoft Vista introduces an event logging service which entirely got newly designed. This confronts forensic examiners and software authors with unfamiliar system behavior and a new, widely undocumented file format.This article describes the history of Windows system loggers, what has been changed over time and for what reason. It compares Vista log files in their native binary form and in a textual form. Based on the results, this paper for the first time publicly describes the key-elements of the new log file format and the proprietary binary encoding of XML. It discusses the problems that may arise during daily work. Finally it proposes a procedure for how to recover information from log fragments. During a criminal investigation this procedure was successfully applied to recover information from a corrupted event log.     

Windows系统中文件时间属性的变化及影响因素

目的分析Windows系统中不同因素对文件时间属性的影响,总结文件时间属性的变化规律。方法在FAT32和NTFS两种文件系统中,对文件和文件夹进行各种操作,记录其时间属性的变化情况,总结其规律并分析各种因素的影响。结果文件时间属性的更新与系统环境、操作方法、文件类型等因素有关,而且文件时间属性更新有特定的周期。结论Windows系统中文件时间属性的变化既有特定的规律,又受其它因素影响,在检验中应加以注意。     

Advanced carving techniques

Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery.Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files.At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image.This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Work-Shop's (DFRWS) 2007 carving challenge.     

A forensic examination of four popular cross‐platform file‐sharing apps with Wi‐Fi P2P

File‐sharing apps with Wi‐Fi hotspot or Wi‐Fi Direct functions become more popular. They can work on multiple platforms and allow users to transfer files in a concealed manner. However, when criminals use these apps in illegal activities, it becomes an important issue for investigators to find digital evidence on multiple platforms. At present, there are few studies on this topic, and most of them are limited to the single platform problem. In this paper, we propose a forensic examination method for four popular cross‐platform file‐sharing apps with Wi‐Fi hotspot and Wi‐Fi Direct functions: Zapya, SHAREit, Xender, and Feem. We use 22 static and live forensic tools for 11 platforms to acquire, analyze, and classify the forensic artifacts. In our experiments, we find many useful forensic artifacts and classify them into six categories. The experimental results can support law enforcement investigations of digital evidence and provide information for future studies on other cross‐platform file‐sharing apps.