Similar literature
 Found 20 similar documents; search took 15 ms
1.
Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.

2.
The ever-increasing size of digital media presents a continuous challenge to digital investigators who must rapidly assess computer media to find and identify evidence. To meet this challenge, methods must continuously be sought to expedite the examination process. This paper investigates using the file ownership property as an analytical tool focusing on activity by individuals associated with the computer. Research centered on the New Technology File System (NTFS), which is the default file system in Microsoft Windows Operating System (OS). This was done because Microsoft's worldwide market penetration makes Windows and NTFS the most likely OS and file system to be encountered in digital forensic examinations. Significantly, digital forensic software now allows examination of NTFS file attributes and properties including the ownership property. The paper outlines potential limitations regarding interpreting ownership findings, and suggests areas for further research. Overall, file ownership is seen as a potentially viable new digital forensic tool.

3.
‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective, but rather from the perspective of ‘communication’ strategies.

4.
File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, while users have the option to create ReFS file systems, digital forensic investigators need to investigate the file systems identified on a seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content. Another concept not seen for Windows file systems, is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB. Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x. It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.

5.
Generally, traces of Internet communications established by a citizen's computer are routinely recorded on and dated by Internet servers in so‐called ‘log files’. As far as the correct dating of the electronic offence is crucial for the potential identification of the author, convincing traces need to be date‐ and time‐stamped by a Trusted Third Party (TTP). Such a time stamp does not give any assurance about the correctness of the data and dates collected, but only proves that the traffic data were in a given state at a given date and time. If the Internet Provider (IP) address appears to be one used by the company, it is foreseeable that the system administrator within the company will be able to identify the computer owning a particular IP address. In other cases, only law enforcement agencies, in the circumstances and the conditions required by the law, are entitled to identify, with the help of Internet Access Providers (IAPs), the communication line suspected to have been used beside a given IP address. Putting together the traces left at the IAP side and in the log files of the attacked server site may lead, in the best cases, to an identified communication terminal. Nevertheless, in many cases, this will not be a formal authentication of a wrongdoer.

6.
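As an important social security institution, Germany's social assistance system has played an important role in safeguarding human rights and upholding human dignity. Its historical development, reform background, constitutional basis and specific institutional provisions offer useful reference and inspiration for China in correctly understanding and positioning social assistance and in building a social assistance system suited to China's national conditions. Strengthening research on the legal system of social assistance helps broaden the scope and horizons of China's administrative law scholarship, and helps construct a "responsive" "new administrative law" against the background of innovation in social management.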

7.
《Digital Investigation》2007,4(3-4):146-157
Post-event timeline reconstruction plays a critical role in forensic investigation and serves as a means of identifying evidence of the digital crime. We present an artificial neural networks based approach for post-event timeline reconstruction using the file system activities. A variety of digital forensic tools have been developed during the past two decades to assist computer forensic investigators undertaking digital timeline analysis, but most of the tools cannot handle large volumes of data efficiently. This paper looks at the effectiveness of employing neural network methodology for computer forensic analysis by preparing a timeline of relevant events occurring on a computing machine by tracing the previous file system activities. Our approach consists of monitoring the file system manipulations, capturing file system snapshots at discrete intervals of time to characterise the use of different software applications, and then using this captured data to train a neural network to recognise execution patterns of the application programs. The trained version of the network may then be used to generate a post-event timeline of a seized hard disk to verify the execution of different applications at different time intervals to assist in the identification of available evidence.

8.
As the closed-circuit television (CCTV) security industry transitioned from analog media to digital video recorders (DVRs) with digital storage, the law enforcement community struggled with the means with which to collect the recordings. New guidelines needed to be established to determine the collection method which would be efficient as well as provide the best quality evidence from live DVRs. A test design was developed to measure, quantify, and rank the quality of acquisition methods used on live systems from DVRs typically used in digital CCTV systems. The purpose was to determine guidelines for acquiring the best quality video for investigative purposes. A test pattern which provided multiple quantifiable metrics for comparison between the methods of acquisition was used. The methods of acquisition included direct data download of the proprietary file and open file format as well as recording the video playback from the DVR via the available display monitor connections including the composite video, Video Graphics Array (VGA), and high-definition multimedia interface (HDMI). While some acquisition methods may provide the best quality evidence, other methods of acquisition are not to be discounted depending on the situation and need for efficiency. As an investigator that needs to retrieve video evidence from live digital CCTV systems, the proprietary file format, overall, provides the best quality evidence. However, depending on the circumstance and as recording technology continues to evolve, options other than the proprietary file format may provide quality that is equal to or greater than the proprietary file format.

9.
Restorative justice (RJ) encompasses a widely diverging set of practices whereby those most affected by crime are encouraged to meet, to discuss the effects of harms caused by one party to another, and to agree upon the best possible redress of harms when appropriate. In its inception in the late 1970s, RJ was conceptualized and developed as an alternative to formal criminal justice practices. Since this time, however, RJ has largely moved from being an alternative to criminal justice practices to an ‘alternative’ practice within criminal justice systems. This institutionalization has resulted in the significant growth of RJ practices, but has also resulted in RJ being used for criminal justice system goals that are at odds with the needs of victims or offenders. This paper examines the use of the Youth Justice Group Conferencing Program in Victoria, Australia. Drawing from interviews with conference conveners, our research highlights problems related to administrative ‘constraints’ and ‘co-options’ in conferencing in terms of referrals, preparation of conference participants, and victim participation. Following presentation of findings, we conclude with a discussion of implications for the use of RJ within a highly institutionalized setting.

10.
Aesthetics and communications theories are often applied to art, media and popular culture but not within legal empirical (audiovisual) material—despite the fact that a judicial and legal process comprises a palpable utilisation of the visual as evidence of an historical reality. Based on four distinct Swedish cases, this study analyses the court’s reasoning, interpretation and use of (audio)visual evidence. Inspired by an embodied film theory, Benjamin’s thoughts on the technical-dramaturgical components of the camera and the later Barthes’ notion of the ‘punctum’, the article discusses how (audio)visual evidence cannot be disconnected from affective and aesthetic significances that ultimately can be taken to affect the perception of truth and (the crime’s) reality. The gap between theory and practice is debated and argued as beginning to co-exist; instead of seeing (visual) theory and (judicial) practice as a dichotomy, an attempt should be made for a conversation between seemingly different but in practice related areas of knowledge. The author’s aim is to suggest that photographic and filmic evidence has a particular significance in itself, which means that the relation between (judicial) interpretation and outcome should be considered within an affective and aesthetic dimension, rather than being placed and/or theorized outside of it.

11.
In recent years, both an increase in and a process of differentiation of ‘new’, digital media devices, including rising numbers of citizens turning to them, have stimulated recurring speculation about a readjustment of the communicative relationship between political representatives and the people. The debate about ‘electronic democracy’ has so far focused predominantly on technical potentials on the one hand and citizens' exposure to interactive political communication channels on the other. By contrast, the ‘supply side’, that is, the internet activities of political actors and especially their motives, has been investigated relatively rarely. Against this backdrop, two representative surveys were conducted among German and Austrian members of parliament that investigated their attitudes towards the internet. The results demonstrate similarities and differences in internet-related competences and assessments which are explained by micro- and meso-level factors. Foremost, an age-related ‘digital divide’ was found crossing the parliamentarian rows in both countries.

12.
The Android platform has been deployed across a wide range of devices, predominately mobile phones, bringing unprecedented common software features to a diverse set of devices independent of carrier and manufacturer. Modern digital forensics processes differentiate collection and analysis, with collection ideally only occurring once and the subsequent analysis relying upon proper collection. After exploring special device boot modes and Android’s partitioning schema we detail the composition of an Android bootable image and discuss the creation of such an image designed for forensic collection. The major contribution of this paper is a general process for data collection of Android devices and related results of experiments carried out on several specific devices.

13.
This paper provides a novel and critical analysis of the necessary and important balance between ‘individual privacy’ and ‘collective transparency’. We suggest that the onset of the Information Revolution has created a dilemma for the National Health Service (NHS) in terms of how it addresses its obligation to use information to improve best practice in healthcare for society (‘collective transparency’) whilst also keeping sensitive personal information confidential (‘individual privacy’). There is clearly a need to consider both whether the NHS is balancing this critically important informational relationship and whether its approach is fit for purpose. We argue that the NHS's ‘proxy-individual’ information guardian role could inadvertently mask individuals' intended roles, effectively circumventing autonomy-based laws by limiting the power of individuals to be autonomous. In this article we have identified three issues – first the prevailing ‘Mindset’ (the ‘M’) of ‘privacy’, which is viewed as individualistic, resulting in an overpowering concept of confidentiality; second, the quality and control of Information (the first ‘I’); and third, the concept of innovation (the second ‘i’), which is being used as a ‘solution’ rather than a vehicle for transparency. Indeed, transparency is our target of ‘best practice,’ and we suggest that individual privacy and collective transparency are best embedded within a complementary privacy framework that offers a better fit than the current split of control between the roles of the NHS and the roles of the individual. It is suggested that when facilitated by transparency, ‘control’ and ‘privacy’ form a continuum, aligning through the desire for choice. Therefore, the choice of control could facilitate control and choice. Together, they could replace the concept of privacy by empowering ‘informed patients’ to support the NHS's ‘No decision about me, without me’ pledge.

14.
15.
This work introduces novel methods for conducting forensic analysis of file allocation traces, collectively called digital stratigraphy. These in‐depth forensic analysis methods can provide insight into the origin, composition, distribution, and time frame of strata within storage media. Using case examples and empirical studies, this paper illuminates the successes, challenges, and limitations of digital stratigraphy. This study also shows how understanding file allocation methods can provide insight into concealment activities and how real‐world computer usage can complicate digital stratigraphy. Furthermore, this work explains how forensic analysts have misinterpreted traces of normal file system behavior as indications of concealment activities. This work raises awareness of the value of taking the overall context into account when analyzing file system traces. This work calls for further research in this area and for forensic tools to provide necessary information for such contextual analysis, such as highlighting mass deletion, mass copying, and potential backdating.

16.
This paper examines narratives about the right of privacy in the UK. It argues that until relatively recently the dominant narrative was one that associated privacy with celebrity claimants and media defendants. Other narratives, such as those concerned with digital privacy and data protection, did not feature as prominently. But changing technological and social contexts mean that these narratives are now understood to be of immense importance too. This paper explores these narratives against the backdrop of the European Commission's proposals for a ‘right to be forgotten’ (now relabelled a ‘right to erasure’), the subject-matter of this special issue, as well as the 2014 Google Spain judgment. The paper emphasises the importance of forgetting as an aspect of the right to privacy and argues that while the UK legislator and courts have been slow to give effect to erasure remedies, they must now start exploring the bounds of legal possibility in order to meet the challenges of the digital age.

17.
《Digital Investigation》2007,4(3-4):119-128
Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery. Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files. At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image. This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Workshop's (DFRWS) 2007 carving challenge.

18.
19.
Existing work on digital forensics timeline generation focuses on extracting times from a disk image into a timeline. Such an approach can produce several million ‘low-level’ events (e.g. a file modification or a Registry key update) for a single disk. This paper proposes a technique that can automatically reconstruct high-level events (e.g. connection of a USB stick) from this set of low-level events. The paper describes a framework that extracts low-level events to a SQLite backing store which is automatically analysed for patterns. The provenance of any high-level events is also preserved, meaning that from a high-level event it is possible to determine the low-level events that caused its inference, and from those, the raw data that caused the low-level event to be initially created can also be viewed. The paper also shows how such high-level events can be visualised using existing tools.

20.
CCTV surveillance systems are IoT products that can be found almost everywhere. Their digital forensic analysis often plays a key role in solving crimes. However, it is common for these devices to use proprietary file systems, which frequently hinders a complete examination. HIKVISION is a well-known manufacturer of such devices that typically ships its products with its proprietary file system. The HIKVISION file system has been analyzed before but that research has focused on the recovery of video footage. In this paper, the HIKVISION file system is being revisited regarding the log records it stores. More specifically, these log records are thoroughly examined to uncover both their structure and meaning. These unexplored pieces of evidence remain unexploited by major commercial forensic software, yet they can contain critical information for an investigation. To further assist digital forensic examiners with their analysis, a Python utility, namely the Hikvision Log Analyzer, was developed as part of this study that can automate part of the process.
