Similar literature
1.
Writing digital forensics (DF) tools is difficult because of the diversity of data types that needs to be processed, the need for high performance, the skill set of most users, and the requirement that the software run without crashing. Developing this software is dramatically easier when one possesses a few hundred disks of other people's data for testing purposes. This paper presents some of the lessons learned by the author over the past 14 years developing DF tools and maintaining several research corpora that currently total roughly 30TB.

2.
Current digital forensics methods capture, preserve, and analyze digital evidence in general-purpose electronic containers (typically, plain files) with no dedicated support to help establish that the evidence has been properly handled. Auditing of a digital investigation, from identification and seizure of evidence through duplication and investigation is, essentially, ad hoc, recorded in separate log files or in an investigator's case notebook. Auditing performed in this fashion is bound to be incomplete, because different tools provide widely disparate amounts of auditing information – including none at all – and there is ample room for human error. The latter is a particularly pressing concern given the fast growth of the size of forensic targets. Recently, there has been a serious community effort to develop an open standard for specialized digital evidence containers (DECs). A DEC differs from a general purpose container in that, in addition to the actual evidence, it bundles arbitrary metadata associated with it, such as logs and notes, and provides the basic means to detect evidence-tampering through digital signatures. Current approaches consist of defining a container format and providing a specialized library that can be used to manipulate it. While a big step in the right direction, this approach has some non-trivial shortcomings – it requires the retooling of existing forensic software and, thereby, limits the number of tools available to the investigator. More importantly, however, it does not provide a complete solution since it only records snapshots of the state of the DEC without being able to provide a trusted log of all data operations actually performed on the evidence.
Without a trusted log the question of whether a tool worked exactly as advertised cannot be answered with certainty, which opens the door to challenges (both legitimate and frivolous) of the results. In this paper, we propose a complementary mechanism, called the Forensic Discovery Auditing Module (FDAM), aimed at closing this loophole in the discovery process. FDAM can be thought of as a ‘clean-room’ environment for the manipulation of digital evidence, where evidence from containers is placed for controlled manipulation. It functions as an operating system component, which monitors and logs all access to the evidence and enforces policy restrictions. This allows the immediate, safe, and verifiable use of any tool deemed necessary by the examiner. In addition, the module can provide transparent support for multiple DEC formats, thereby greatly simplifying the adoption of open standards.

3.
Abstract

Various terms have been used to describe the intersection between computing technology and violations of the law, including computer crime, electronic crime, and cybercrime. While there remains little agreement on terminology, most experts agree that the use of electronic devices to commit crime has increased dramatically and is now commonplace. It is the role of the digital investigator to bring cybercriminals to justice. Cybercrime however differs from traditional crime and presents a variety of unique challenges including the variety of electronic devices available, amount of data produced by these devices, the absence of standard practices and guidelines for analyzing that data, the lack of qualified personnel to perform investigations and the lack of resources to provide on-going training. This paper examines these challenges

4.
Existing work on digital forensics timeline generation focuses on extracting times from a disk image into a timeline. Such an approach can produce several million ‘low-level’ events (e.g. a file modification or a Registry key update) for a single disk. This paper proposes a technique that can automatically reconstruct high-level events (e.g. connection of a USB stick) from this set of low-level events. The paper describes a framework that extracts low-level events to a SQLite backing store which is automatically analysed for patterns. The provenance of any high-level events is also preserved, meaning that from a high-level event it is possible to determine the low-level events that caused its inference, and from those, the raw data that caused the low-level event to be initially created can also be viewed. The paper also shows how such high-level events can be visualised using existing tools.

5.
《Digital Investigation》2014,11(4):314-322
This research comparatively evaluates four competing clustering algorithms for thematically clustering digital forensic text string search output. It does so in a more realistic context, respecting data size and heterogeneity, than has been researched in the past. In this study, we used physical-level text string search output, consisting of over two million search hits found in nearly 50,000 allocated files and unallocated blocks. Holding the data set constant, we comparatively evaluated k-Means, Kohonen SOM, Latent Dirichlet Allocation (LDA) followed by k-Means, and LDA followed by SOM. This enables true cross-algorithm evaluation, whereas past studies evaluated singular algorithms using unique, non-reproducible datasets. Our research shows an LDA + k-Means using a linear, centroid-based user navigation procedure produces optimal results. The winning approach increased information retrieval effectiveness, from the baseline random walk absolute precision rate of 0.04, to an average precision rate of 0.67. We also explored a variety of algorithms for user navigation of search hit results, finding that the performance of k-means clustering can be greatly improved with a non-linear, non-centroid-based cluster and document navigation procedure, which has potential implications for digital forensic tools and use thereof, particularly given the popularity and speed of k-means clustering.

6.
7.
ABSTRACT

This paper examines how new technologies are employed by the Brazilian Chamber of Deputies to stimulate experiences of digital engagement. It also evaluates how new technologies are put in practice by the institution, considering its potentialities and limitations in mediating the relationship between the parliament and the citizens. This analysis is anchored in concepts put forth by Polsby about arena parliaments and transformative parliaments, in order to evaluate which of these models of engagement tools have greater potential. The study concludes that the use of digital technologies by the Brazilian Parliament is very diverse, with a variety of tools that allow for the interaction and engagement of citizens, although these tools have the greatest potential for the arena parliament model.

8.
9.
This article addresses the shift in the paradigm of fundamental rights protection on the Internet. More and more the enforcement of such rights is being delegated to private Internet operators, and the urgent question is how the task of balancing conflicting rights affects the status of Internet Service Providers (ISPs). The article examines the increasing privatisation of fundamental rights enforcement on the Internet, highlighting the impact of this trend. Following the analysis of recent developments, it argues that the pillars governing ISP liability should not be altered. In particular, the early determination that ISPs should not be presumptively saddled with content monitoring tasks should not be called into question. Therefore, the regulatory pressure on ISPs should be lowered, as the spectre of liability, combined with ISPs' increasing role in deciding the proper balance between conflicting rights, unduly burdens the activity of ISPs and generates incentives to delete even lawful content.

10.
The use of digital technologies, functioning thanks to data processing, has been conquering many sectors of the world economy and it is possible that, in the near future, only a few markets will still be excluded from this industrial revolution. Therefore, even if one chose unreasonably to disregard the many innovations that the digital economy has brought about, its development seems quite inexorable, although it is true that this new stage in human progress raises some concerns. In particular, many worry about the millions of passive and powerless digital consumers who, facing a few huge and influential companies without any education or awareness, could succumb and find themselves poorer, victimized, and manipulated. The paper proposes to react to this state of affairs without further fueling the fear of the digital revolution and without the thought that regulation can be used only as a shield to protect fragile digital consumers. Rather, by taking inspiration from some regulatory actions undertaken by the European Union, the paper bears in mind that regulation can be used as a sword in the hands of consumers to finally assign them a lead role in digital markets. New rules to empower consumers and to make them take autonomous and independent decisions as to the management of their personal data as well as to the merits of digital firms can be envisaged. After all, one of the cultural roots of Western societies is that every individual should be enabled to be faber ipsius fortunae.

11.
This contribution takes a closer look at innovation in ICT sectors and the failing ability of young innovative firms in Europe to grow into leading world innovators in these sectors. The analysis suggests that Europe might be missing strong digital regional clusters with a symbiotic relationship between young ICT innovators and incumbent ICT leading companies.

12.
《Science & justice》2021,61(5):477-492
Software invisibly permeates our everyday lives: operating devices in our physical world (traffic lights and cars), effecting our business transactions and powering the vast World Wide Web. We have come to rely on such software to work correctly and efficiently. The generally accepted narrative is that any software errors that do occur can be traced back to a human operator’s mistakes. Software engineers know that this is merely a comforting illusion. Software sometimes has bugs, which might lead to erratic performance: intermittently generating errors. The software, hardware and communication infrastructure can all introduce errors, which are often challenging to isolate and correct. Anomalies that manifest are certainly not always due to an operator’s actions. When the general public and the courts believe the opposite, that errors are usually attributable to some human operator’s actions, it is entirely possible for some hapless innocent individual to be blamed for anomalies and discrepancies whose actual source is a software malfunction. This is what occurred in the Post Office Horizon IT case, where unquestioning belief in the veracity of software-generated evidence led to a decade of wrongful convictions. We will use this case as a vehicle to demonstrate the way biases can influence investigations, and to inform the development of a framework to guide and inform objective digital forensics investigations. This framework, if used, could go some way towards neutralising biases and preventing similar miscarriages of justice in the future.

13.
Event reconstruction plays a critical role in solving physical crimes by explaining why a piece of physical evidence has certain characteristics. With digital crimes, the current focus has been on the recognition and identification of digital evidence using an object's characteristics, but not on the identification of the events that caused the characteristics. This paper examines digital event reconstruction and proposes a process model and procedure that can be used for a digital crime scene. The model has been designed so that it can apply to physical crime scenes, can support the unique aspects of a digital crime scene, and can be implemented in software to automate part of the process. We also examine the differences between physical event reconstruction and digital event reconstruction.

14.
《Science & justice》2020,60(5):399-402
Whilst the field of digital forensics is now well established, its research community can be considered relatively emerging in comparison to the associated areas of traditional forensic and computer sciences. As a result, this comment article takes a quick look at the demographics of digital forensics research over the last 20 years, with metadata from 6589 articles being extracted and analysed from Scopus in order to provide a brief insight into this field’s research activity.

15.
《Science & justice》2021,61(5):627-634
The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via written report, yet despite this there is arguably limited best practice guidance available which is specific for this field in regards to report construction. Poor reporting practices in DF are likely to undermine the reliability of evidence provided across this field, where there is a need for formalised guidance regarding the requirements for effective DF report construction; this should not be a task left solely to each individual practitioner to determine without instruction. For this, the field of DF should look to the wider forensic community and the existing work in this area for support. In line with many other ‘traditional’ forensic science types, a DF practitioner can be commissioned to report in one of three ways - ‘technical’, ‘investigative’ or ‘evaluative’, where each reporting type maintains a specific purpose and interpretative-context, determined by the examination workflow undertaken by a practitioner following client instruction. This work draws upon guidance set out in fundamental forensic science reporting literature in order to describe each reporting type in turn, outlining their scope, content and construction requirements in an attempt to provide support for the DF field.

16.
Abstract: The reflection of visible light from α‐phase brass subject to surface oxidation in air at elevated temperatures is investigated. X‐ray photoelectron and Auger electron spectroscopy confirm that covered areas of brass (not exposed to air) display dezincification but an absence of significant surface oxidation, confirming a differential oxidation mechanism. Visualization of differential oxidation is shown to be enhanced by selective digital mapping of colors reflected from the surface of the brass using Adobe® Photoshop®. Enhancement is optimal when the brass is heated to ~250°C with areas of oxidation having a mirror‐like appearance. The use of this enhancement method to produce a faithful image of fingerprint ridge characteristics is demonstrated on brass shell casings where fingerprints were deposited prefiring.

17.
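In the United States, the use of electronic evidence has become very common in court. In a jury trial, a prosecutor seeking to use electronic evidence must overcome several obstacles to have the trial judge admit it. Some evidentiary standards are designed to limit the jury's fact-finding process. The prosecutor may ask the court to hold a pretrial hearing to decide whether the electronic evidence is admissible. Establishing a chain of custody for electronic evidence, together with established institutional procedures dedicated to handling it, is a key part of the prosecution's work, as this ensures the jury's trust during the court's examination. It is very important to select as jurors people who recognize the importance of electronic evidence, while avoiding those who would seek to dominate the jury's deliberations on the basis of their own professional expertise.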

18.
《Science & justice》2023,63(1):116-126
Given the size and complexity of many digital forensic science device examinations, there is a need for practitioners to formally and strategically determine a course of conduct which allows them to undertake the most robust and efficient examination possible. This work outlines both the need for practitioners to have a digital evidence strategy (DES) when tackling any given examination scenario, how to construct one and the concerns which exist when no formal DES is in place. Approaches to DES development are examined and the context to which they should be deployed are analysed, with focus being on the use of DESs at the examination/processing stage of the investigative workflow. Finally, a ‘DES skeleton’ is offered to guide practitioners as they seek to create their own DES.

19.
‘A book may be good for nothing; or there may be only one thing in it worth knowing; are we to read it all through?’ (Samuel Johnson) This section is dedicated to the review of ideas, articles, books, films and other media. It will include replies (and rejoinders) to articles, the evaluation of new ideas or proposals, and reviews of books and articles both directly and indirectly related to intellectual property law.
Domain Name Law and

20.
《Digital Investigation》2008,5(1-2):34-48
Several of the new features of Windows Vista may create challenges for digital investigators. However, some also provide opportunities and create interesting new evidential artefacts which can be recovered and analysed. This paper examines several of these new features and describes methods for recovering shadow copies of files from Restore Points, identifying BitLocker on a system, the importance of recovery keys in dealing with BitLocker encrypted volumes and also the problems that User Account Control could cause for live investigations.
