Similar literature
 Found 20 similar documents; search took 15 ms
1.
2.
3.
《Digital Investigation》2014,11(4):295-313
Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem forensics. In this paper, we aim to address this gap in knowledge. Using our previously published cloud forensic framework as the underlying basis, we conduct an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics. We discuss the technical and process issues regarding collection of evidential data from distributed filesystems, particularly when used in cloud computing environments. A number of digital forensic artefacts are also discussed. We then propose a process for the collection of evidential data from distributed filesystems.

4.
Campus-based critical incidents received renewed focus in the aftermath of the Virginia Tech and Northern Illinois University shootings. Legislative bodies, task forces, and professional associations sought to provide campus public safety departments with a range of recommended strategies to prevent and mitigate accidental and intentional critical events. Using data from a national sample of colleges and universities, this study examined the status of critical incident preparedness and response in the spring of 2008. Results indicated a solid base of prevention and response capacity; at the same time, respondents highlighted areas lagging behind recommended practices and barriers limiting achieved changes.

5.
The Asian tsunami of 26 December 2004, which devastated coastal parts of more than 10 countries in and around the Indian Ocean, caused over 200,000 casualties. People from more than 58 nationalities were amongst the victims and subsequently an international effort for disaster victim identification (DVI) was set up, coordinated by Interpol. DVI teams from more than 20 countries took part in the identification process which, because of the complexity of the situation, had to be conducted in an internationally agreed upon procedure. Standard operating protocols of post-mortem (PM) procedures were established for fingerprinting, forensic pathology, forensic odontology and DNA profiling and were crucial in the quality of the entire DVI process of the quickly decomposing bodies. A very important and underestimated part of the DVI process is the gathering of the ante-mortem (AM) data of the persons reported missing in their home countries. In the wake of this tsunami event it appeared to be even more problematic as entire families had died and information was difficult to obtain. As dentistry proved to be the most valuable identification means (up to 85% of the cases), the AM dental records proved to be crucial elements for DVI. Standard operating protocols (SOP) were again established as to who, where, when and what information had to be collected by the dentists by the AM teams abroad. Transcribing the AM dental information by experienced forensic odontologists was another crucial element in the whole identification procedure as the information had to be loaded into the DVI System International (Plass Data, Holbaek, Denmark) for comparison with incoming PM data. The Interpol DVI Standing Committee thus recommends that forward planning, adequate funding, international cooperation and standardisation are essential to guarantee an effective response to any major mass disaster of this kind in the future.

6.
Summary Critical Incident Management provides a coordinated response in which all of the players have both an understanding of their role and its coordination with the overall plan. Continuing operations of the hospital must continue but care and concern needs to be directed to the family which is suffering. The goal of our response is the safe return of the newborn. The Clark Center

7.
Abstract

Various terms have been used to describe the intersection between computing technology and violations of the law, including computer crime, electronic crime, and cybercrime. While there remains little agreement on terminology, most experts agree that the use of electronic devices to commit crime has increased dramatically and is now commonplace. It is the role of the digital investigator to bring cybercriminals to justice. Cybercrime however differs from traditional crime and presents a variety of unique challenges including the variety of electronic devices available, amount of data produced by these devices, the absence of standard practices and guidelines for analyzing that data, the lack of qualified personnel to perform investigations and the lack of resources to provide on-going training. This paper examines these challenges

8.
9.
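Research progress on microhaplotype genetic markers in forensic science   Total citations: 1, self-citations: 1, citations by others: 0
As a new type of forensic genetic marker, microhaplotypes have attracted increasing attention in the international forensic community. A microhaplotype is a sequence within a short segment (for example, 200 bp) that contains two or more SNPs and exhibits haplotype polymorphism. Compared with STRs, microhaplotypes have a low mutation rate and offer certain advantages in the identification of mixed stains; compared with SNPs, microhaplotypes are more polymorphic. Selecting microhaplotypes that carry ancestry-informative features has application value in population analysis and identification. This article reviews microhaplotypes in terms of their evolution, typing methods, nomenclature and population characteristics.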

10.
Security incidents detected by organizations are escalating in both scale and complexity. As a result, security incident response has become a critical mechanism for organizations in an effort to minimize the damage from security incidents. The final phase within many security incident response approaches is the feedback/follow-up phase. It is within this phase that an organization is expected to use information collected during an investigation in order to learn from an incident, improve its security incident response process and positively impact the wider security environment. However, recent research and security incident reports argue that organizations find it difficult to learn from incidents. A contributing factor to this learning deficiency is that industry focused security incident response approaches, typically, provide very little practical information about tools or techniques that can be used to extract lessons learned from an investigation. As a result, organizations focus on improving technical security controls and not examining or reassessing the effectiveness or efficiency of internal policies and procedures. An additional hindrance, to encouraging improvement assessments, is the absence of tools and/or techniques that organizations can implement to evaluate the impact of implemented enhancements in the wider organization. Hence, this research investigates the integration of lightweight agile retrospectives and meta-retrospectives, in a security incident response process, to enhance feedback and/or follow-up efforts. The research contribution of this paper is twofold. First, it presents an approach based on lightweight retrospectives as a means of enhancing security incident response follow-up efforts. Second, it presents an empirical evaluation of this lightweight approach in a Fortune 500 Financial organization's security incident response team.

11.
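This paper first classifies the various emergencies that occur in large residential districts, and then summarizes and analyzes the characteristics and causes of each class. On this basis, it analyzes in some detail the organizational responsibilities in emergency response, residents' psychology and behavior when an emergency occurs, and the time sequence of emergency response; it discusses in depth the establishment and operation of an early-warning and emergency-response mechanism for emergencies in large residential districts, and presents, in charts, the specific handling modes and process designs for emergencies at different warning levels.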

12.
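Forensic examination of mobile phones as physical evidence and its application in criminal investigation   Total citations: 4, self-citations: 2, citations by others: 2
With the rapid development and wide application of mobile communication technology, the information held inside mobile phones has become an important source of leads and evidence in criminal investigation. By examining a phone's SIM card memory, mainboard memory and flash memory card using dedicated technical methods that meet the principles and requirements of physical evidence examination, a large amount of information can be obtained, including the user's personal information, communication content, communication event records, information written to storage by the user, and phone settings. The information produced by mobile phone examination has very high investigative and evidentiary value, and the mobile phone has therefore become a new object of examination in the field of physical evidence identification.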

13.
14.
A new technology has emerged, allowing applications to be stored and run on portable devices, such as flash drives and iPods. Sandisk's U3™ smart technology appears to be becoming the standard in this new realm of portability. With the advent of this technology, questions are arising as to the effects it will have on computer forensic investigations. Probably hundreds of thousands of people have purchased devices with U3 or similar technologies already. The fear is that these people will be able to plug their devices into computers, do their misdeeds and then simply unplug those devices, removing any trace. This article will illustrate that this is not the case and will discuss different artifacts that a device such as this will leave behind. For the purposes of this illustration we have investigated the use of some of the most common applications used on U3 drives. This information will serve as a guide to investigating computer crimes perpetrated via U3 or similar technologies. Investigators must keep in mind during their investigations the possibility that their suspects have used such technology, particularly when their investigations seem to lead to a dead end.

15.
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem_cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable.

16.
Understanding and coping with cognitive bias in forensic science requires multiple studies, utilizing both laboratory-based experiments and data from casework. Neither type of studies has ever been conducted to examine bias in mixture DNA interpretations. A study that includes both types of data has recently been published in Science and Justice. The data and statistical analysis clearly — at the very least — suggest that bias may potentially influence DNA mixture interpretation. This is due, in part, to the subjective elements in interpretation of mixture DNA. The issue of bias and other cognitive influences is of a sensitive nature and presents complex experimental challenges. Our study takes a step in examining these issues and calls for more research.

17.
DNA forensics and the poaching of wildlife in Italy: a case study   Total citations: 2, self-citations: 0, citations by others: 2
DNA molecular techniques were used in a forensic investigation involving the poaching of wildlife in a national park of Italy. A poacher, after having snared a wild boar (Sus scrofa) sow, knifed it to death. The animal was retrieved by conservation officers at the scene before the poacher could remove the carcass. Subsequently, the suspect denied the charges. During a search of his home, a bloodstained knife was confiscated. A method to identify the species from the DNA extracted from the stains revealed the blood to be that of the non-domestic form of Sus scrofa. Further DNA typing for individual identity using species-specific single tandem repeats or microsatellites (STRs) showed that the DNA on the knife matched that of the poached boar. Based upon the forensic evidence obtained, the suspect was convicted of poaching and of cruelty to animals.

18.
The CYber DEfenSe Trainer (CYDEST) is a virtualized training platform for network defense and computer forensics. It uses virtual machines to provide tactical level exercises for personnel such as network administrators, first responders, and digital forensics investigators. CYDEST incorporates a number of features to reduce instructor workload and to improve training realism, including: (1) automated assessment of trainee performance, (2) automated attacks that respond dynamically to the student's actions, (3) a full fidelity training environment, (4) an unrestricted user interface incorporating real tools, and (5) continuous, remote accessibility via the Web.

19.
Recently, digital forensics has become increasingly important as it is used by investigation agencies, corporate, and private sector. To supplement the limitations of evidence capacity and be recognized in court, it is essential to establish an environment that ensures the integrity of the entire process ranging from collecting and analyzing to submitting digital evidence to court. In this study, common elements were extracted by comparing and analyzing ISO/IEC 17025, 27001 standards and Interpol and Council of Europe (CoE) guidelines to derive the necessary components for building a digital forensic laboratory. Subsequently, based on 21 digital forensic experts in the field, Delphi survey and verifications were conducted in three rounds. As a result, 40 components from seven areas were derived. The research results are based on the establishment, operation, management, and authentication of a digital forensics laboratory suitable for the domestic environment, with added credibility through collection of the opinions of 21 experts in the field of digital forensics in Korea. This study can be referred to in establishing digital forensic laboratories in national, public, and private digital forensic organizations as well as for employing as competency measurement criteria in courts to evaluate the reliability of the analysis results.

20.
Recently, “Speed” is one of the hot issues in digital forensics. Thanks to a recent advanced technology, today we can get bigger hard drive disks at a lower price than previously. But unfortunately, it means for forensic investigators that they need tremendous time and effort in the sequence of process of creating forensic images, searching into them and analyzing them. In order to solve this problem, some methods have been proposed to improve performance of forensic tools. One of them getting attention is a hardware-based approach. However, such a way is limited in the field of evidence cloning or password cracking while it is rarely used in searching and analysis of the digital evidence. In this paper, we design and implement a high-speed search engine using a Tarari content processor. Furthermore, we show feasibility of our approach by comparing its performance and features to those of a popular forensic tool currently on the market.
