Digital Investigation Research Articles

NLP-based digital forensic investigation platform for online communications

Digital (forensic) investigations will be increasingly important in both criminal investigations and civil litigations (e.g., corporate espionage, and intellectual property theft) as more of our communications take place over cyberspace (e.g., e-mail and social media platforms). In this paper, we present our proposed Natural Language Processing (NLP)-based digital investigation platform. The platform comprises the data collection and representation phase, the vectorization phase, the feature selection phase, and the classifier generation and evaluation phase. We then demonstrate the potential of our proposed approach using a real-world dataset, whose findings indicate that it outperforms two other competing approaches, namely: LogAnalysis (published in Expert Systems with Applications, 2014) and SIIMCO (published in IEEE Transactions on Information Forensics and Security, 2016). Specifically, our proposed approach achieves 0.65 in F1-score and 0.83 in precision, whilst LogAnalysis and SIIMCO respectively achieve 0.51 and 0.59 in F1-score and 0.49 and 0.58 in precision.

An efficient digital forensic model for cybercrimes investigation in cloud computing

In recent times, cloud computing adopted numerous organizations and enterprises for offering services with securely certifying that cloud providers against illegitimate activities. However, cost-effective forensics design and implementation for support the cloud-based cybercrimes investigation. To build cloud architecture support forensics is a significant and complex issue such as voluminous intricate legal, organizational, and technical defies due to the virtualization, distributing, and dynamic nature of cloud systems. Therefore, this paper presents an efficient Cloud Forensics Investigation Model (CFIM) to investigate cloud crimes in a forensically sound and timely fashion. Besides, the proposed system supports the concept of Forensic as a Service (FaaS) that provide innumerable benefits of conducting digital forensics through using Forensic Server on the cloud side. The investigational results proved that the proposed system can assist the digital investigators in their mission of investigation of cybercrimes in the cloud in a proficient manner.

A Blockchain-based Forensic Model for Financial Crime Investigation: The Embezzlement Scenario

The financial crime landscape is evolving along with the digitization in financial services. In this context, laws and regulations cannot efficiently cope with a fast-moving industry such as finance, which translates in late adoption of measures and legal voids, providing a fruitful landscape for malicious actors. In parallel, blockchain technology and its promising features such as immutability, verifiability, and authentication, enhance the opportunities of financial forensics. In this paper, we focus on an embezzlement scheme and we provide a forensic-by-design methodology for its investigation. In addition, the feasibility and adaptability of our approach can be extended and embrace digital investigations on other types of schemes. We provide a functional implementation based on smart contracts and we integrate standardized forensic flows and chain of custody preservation mechanisms. Finally, we discuss the benefits and challenges of the symbiotic relationship between blockchain and financial investigations, along with future research directions.

Electromagnetic Side-Channel Analysis for IoT Forensics: Challenges, Framework, and Datasets

Electromagnetic (EM) side-channel radiation from Internet of Things (IoT) devices are shown to be effective at acquiring forensic insights during digital investigations. These EM radiation patterns can be analysed with the help of machine learning algorithms to detect internal behaviours of IoT devices, which can be relevant to an investigation. However, the real-world application of EM side-channel analysis for digital forensic purposes is obstructed by the lack of suitable tools and the technical expertise among law-enforcement communities. Although certain frameworks, such as EMvidence, exist to cater this requirement, the sheer diversity of the IoT ecosystem makes it difficult to support a sufficiently large collection of devices that are commonly encountered in forensic investigations. The work presented in this paper makes multiple contributions towards addressing this problem. Initially, a detailed discussion on the challenges of applying EM side-channel analysis in practical digital forensic purposes is provided, where the practical difficulties are illustrated. Then, it was shown that the existing EM side-channel analysis frameworks, such as EMvidence, can be used to overcome the diversity of IoT devices in forensics by equipping them with extensible plug-ins targeting the internal system-on-chips (SoC) of each device type. These plug-ins are expected to incorporate trained machine learning models, which are capable of recognising patterns of specific IoT device SoCs. However, the development of such plug-ins requires sufficiently diverse EM datasets from IoT devices. Facilitating this requirement, this work presents a comprehensive EM side-channel dataset representing a diverse collection of popular IoT devices and smartphones. The presented dataset is used to demonstrate the potential usage of machine learning models to recognise device behaviour.

Digital Forensics Subdomains: The State of the Art and Future Directions

For reliable digital evidence to be admitted in a court of law, it is important to apply scientifically proven digital forensic investigation techniques to corroborate a suspected security incident. Mainly, traditional digital forensics techniques focus on computer desktops and servers. However, recent advances in digital media and platforms have seen an increased need for the application of digital forensic investigation techniques to other subdomains. This includes mobile devices, databases, networks, cloud-based platforms, and the Internet of Things (IoT) at large. To assist forensic investigators to conduct investigations within these subdomains, academic researchers have attempted to develop several investigative processes. However, many of these processes are domain-specific or describe domain-specific investigative tools. Hence, in this paper, we hypothesize that the literature is saturated with ambiguities. To further synthesize this hypothesis, a digital forensic model-orientated Systematic Literature Review (SLR) within the digital forensic subdomains has been undertaken. The purpose of this SLR is to identify the different and heterogeneous practices that have emerged within the specific digital forensics subdomains. A key finding from this review is that there are process redundancies and a high degree of ambiguity among investigative processes in the various subdomains. As a way forward, this study proposes a high-level abstract metamodel, which combines the common investigation processes, activities, techniques, and tasks for digital forensics subdomains. Using the proposed solution, an investigator can effectively organize the knowledge process for digital investigation.

A context-centered methodology for IoT forensic investigations

The weakness of the security measures implemented on Internet of Things (IoT) devices, added to the sensitivity of the data that they handle, has created an attractive environment for cybercriminals to carry out attacks. This has caused a substantial increase in the number of cyberincidents, requiring the opening of digital investigations in order to shed light on what has occurred. However, the characteristics of this new environment, such as its variety of contexts, make it impossible to use the methodology followed until now in conventional analysis. Therefore, a new common procedure is needed to ensure that IoT examinations are carried out in a complete and efficient manner. In this article, after reviewing the methodological requirements of IoT forensics, and studying the suggestions made by the research community, a methodology to perform investigations in a certain context of the IoT environment is proposed. In addition, its practicality is evaluated in three different security incident scenarios, proving its effectiveness and appropriateness to be used in future cases.

Can computer forensic tools be trusted in digital investigations?

This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while as most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.

Baofeng Energy awards contracts to KBR for Chinese methanol-to- olefins project

This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while as most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.

Karpinski Score under Digital Investigation: A Fully Automated Segmentation Algorithm to Identify Vascular and Stromal Injury of Donors’ Kidneys

In kidney transplantations, the evaluation of the vascular structures and stromal areas is crucial for determining kidney acceptance, which is currently based on the pathologist’s visual evaluation. In this context, an accurate assessment of the vascular and stromal injury is fundamental to assessing the nephron status. In the present paper, the authors present a fully automated algorithm, called RENFAST (Rapid EvaluatioN of Fibrosis And vesselS Thickness), for the segmentation of kidney blood vessels and fibrosis in histopathological images. The proposed method employs a novel strategy based on deep learning to accurately segment blood vessels, while interstitial fibrosis is assessed using an adaptive stain separation method. The RENFAST algorithm is developed and tested on 350 periodic acid–Schiff (PAS) images for blood vessel segmentation and on 300 Massone’s trichrome (TRIC) stained images for the detection of renal fibrosis. In the TEST set, the algorithm exhibits excellent segmentation performance in both blood vessels (accuracy: 0.8936) and fibrosis (accuracy: 0.9227) and outperforms all the compared methods. To the best of our knowledge, the RENFAST algorithm is the first fully automated method capable of detecting both blood vessels and fibrosis in digital histological images. Being very fast (average computational time 2.91 s), this algorithm paves the way for automated, quantitative, and real-time kidney graft assessments.

Relevance analysis using revision identifier in MS word.

Electronic documents often contain personal or confidential information, which can be used as valuable evidence in criminal investigations. In the digital investigation, special techniques are required for grouping and screening electronic documents, because it is challenging to analyze relationships between numerous documents in storage devices manually. To this end, although techniques such as keyword search, similarity search, topic modeling, metadata analysis, and document clustering are continually being studied, there are still limitations for revealing the relevance of documents. Specifically, metadata used in previous research are not always values present in the documents, and clustering methods with specific keywords may be incomplete because text-based contents (including metadata) can be easily modified or deleted by users. In this work, we propose a novel method to efficiently group Microsoft Office Word 2007+ (MS Word) files by using revision identifier (RSID). Through a thorough understanding of the RSID, examiners can predict organizations to which a specific user belongs, and further, it is likely to discover unexpected interpersonal relationships. An experiment with a public dataset (GovDocs) provides that it is possible to categorize documents more effectively by combining our proposal with previously studied methods. Furthermore, we introduce a new document tracking method to understand the editing history and movement of a file, and then demonstrate its usefulness through an experiment with documents from a real case.

FEMT: a computational approach for fog elimination using multiple thresholds

Refining visibility through haze removal from image becomes an inevitable chore and essential to recognize and track vehicles, traffic signal, and signs clearly under road safety. That can face a recurrent degradation under destitute climatic circumstances for instance fog, rain, cloud, and smog. To diminish this constraint, various methods were designed and implemented, but most were not capable of obtaining the improved quantitative outcomes. Therefore, a new algorithm Fog Elimination using Multiple Thresholds (FEMT) for single image haze eviction that meritoriously obtains the significant results on both gray and colored over real and synthetic images using multiple thresholds is proposed in this paper. The proposed method targets on the light regions by reducing the brightness and increasing the contrast of image at different levels. Finally, by grouping all the obtained resultant images leads to the generation of the resultant defogged image. The qualitative and quantitative analysis is carried out for an assessment of digitalized de-hazed images acquired from the proposed algorithm and compared to the prior techniques. Simulated fallouts entitle high resemblance to the corresponding ground truth, reduction in computation time consumption to 88% and error of 98%. The proposed approach can be applied in the field of robotics, human activity monitoring, smart systems, and digital investigation on the hazy images.

Digital investigators for solving digital dilemmas in the internet world.

Digital investigators for solving digital dilemmas in the internet world.

Digital Evidence Object Model for Situation Awareness and Decision Making in Digital Forensics Investigation

The aim of a forensic investigation is to provide situation awareness in terms of identification and preservation of digital evidence, extraction of information, and analysis of extracted information to facilitate time-critical decision making. Digital forensic investigation is a process of collecting, examining, and analyzing digital data from various places such as digital devices, networks, and big data in the cloud. Here we propose a novel digital evidence object (DEO) model for the reduction of forensics data in digital forensic investigation and describe its application. The proposed DEO model is based on the synergy of category theory and integration of 5Ws (Who, What, When, Where, and Why) of digital investigation analysis techniques for digital evidence acquisition. We present a real-life case study to demonstrate its suitability for assisting computer forensics experts in the digital evidence investigation. Our results demonstrate that the application of the DEO model can noticeably decrease the number of false positive evidence objects submitted to a forensics expert, thus reducing his/her workload and improving decision making performance in a time-critical setting.

Hunting Cyber Criminals: A Hacker's Guide to Online Intelligence Gathering Tools and Techniques

Vinny Troia. Published by Wiley. ISBN: 9781119540922. Price £30.99, paperback and ebook. There are many how-to hacking books that seem remote from the reality of digital investigation. Many are little more than a list of well-known tools and a superficial introduction in how to apply them. This one is a little different.

Establishing a criminal justice cyber lab to develop and enhance professional and educational opportunities

AbstractLaw enforcement agencies face increasing backlogs in their digital evidence processing. Most agencies utilize federal or private companies to process this evidence, however, recently, universities have begun to establish their own cyber forensics labs to aid law enforcement in reducing the time it takes for them to obtain digital evidence. Specifically, examiners in these labs use digital investigation and analysis techniques to determine what could be legally permissible evidence on devices ranging from computers to cell phones to cameras. This paper is the first to provide a general overview of one university's experience in building a cyber‐forensics lab from the ground up for the purpose of providing services to community partners as well as educational and training opportunities. We utilize data obtained from 59 Texas law enforcement agencies to explore the needs and abilities of law enforcement in processing digital evidence as a supporting argument for the development of a university cyber‐lab.

Structured decision making in investigations involving digital and multimedia evidence

Practitioners in all forensic disciplines are under growing pressure to meet the rising demand for interpretation of forensic observations based on strong scientific foundations. Following principles of scientific interpretation increases the reliability and defensibility of decisions throughout an investigation, not only in the final expert testimony phase. Such formalization of decision making is particularly valuable when dealing with digital and multimedia evidence, due to the potential for information overload, inaccuracy, error and bias. To confront these challenges consistently and to reduce the risk of mistakes, this paper extends a well-established logical framework for structured decision making to all phases of a digital investigation. Using examples derived from real world cases, this work demonstrates how the principles of scientific interpretation can strengthen all phases of the investigative process.

The need for Internet of Things digital forensic black‐boxes

AbstractIn our interconnected cyber‐physical world, the types and number of Internet of Things (IoT) will also increase. Such devices are also generally capable of capturing a broad range of information, including digital artifacts that can facilitate a digital investigation during a cyber security incident (e.g., data breach). In other words, IoT devices are potential evidence acquisition sources. We posit the importance of having a digital forensic black‐box, conceptually similar to the cockpit voice recorder (also known as a flight recorder) on aircrafts, to facilitate digital investigations. Using a smart home comprising many different IoT devices (e.g., smart home devices, smart vehicles, and smart wearables) as an example, we discuss where such a black‐box can reside and what sort of artifacts can be collected. This black‐box can also complement other existing digital forensic readiness strategies, such as those described in ISO/IEC 27043:2015. We also explore the associated design requirements such as data provenance. There are changes required to the organization's current computing architecture in order to deploy our proposed black‐box, as explained in this paper. In addition, we will explore the potential privacy implications and potential research opportunities (e.g., blockchain‐based digital forensic black‐box).This article is categorized under: Digital and Multimedia Science > Cloud Forensics Digital and Multimedia Science > IoT Forensics

Holistic digital forensic readiness framework for IoT-enabled organizations

Internet of Things (IoT) are becoming commonplace in homes, buildings, cities, and nations, and IoT networks are also getting more complex and interconnected. The complexity, interconnectivity, and heterogeneity of IoT systems, however, complicate digital (forensic) investigations. The challenge is compounded due to the lack of holistic and standardized approaches. Hence, building on the ISO/IEC 27043 international standard, we present a holistic digital forensic readiness (DFR) framework. We also qualitatively evaluate the utility of the proposed DFR framework.

Memory Analysis of macOS Page Queues

Memory forensics is the examination of volatile memory (RAM) for artifacts related to a digital investigation. Memory forensics has become mainstream in recent years because it allows recovery of a wide variety of artifacts that are never written to the file system and are therefore not available when performing traditional filesystem forensics. To analyze memory samples, an investigator can use one of several available memory analysis frameworks, which are responsible for parsing and presenting the raw data in a meaningful way. A core task of these frameworks is the discovery and reordering of non-contiguous physical pages in a memory sample into the ordered virtual address spaces used by the operating system and running processes to organize their code and data. Commonly referred to as address translation, this task requires a thorough understanding of the memory management mechanisms of the hardware architecture and operating system version of the device from which the memory sample was acquired. Given its critical role in memory analysis, there has been significant interest in studying the operating system mechanisms responsible for allocating and managing physical pages so that they can be accurately modeled by memory analysis frameworks. The more thoroughly the page handling mechanisms are modeled in memory forensics tools, the more pages can be scrutinized during memory analysis. This leads to more artifacts being reconstructed and made available to an investigator. In this paper, we present the results of our analysis of the macOS page queues subsystem. macOS tracks pages in a number of different states using a set of queues and as we will illustrate, the reconstruction of data from these queues allows a significant number of memory pages to be analyzed that are currently ignored by memory forensics tools. Through incorporation of these artifacts into analysis, memory analysis frameworks can present an even richer set of artifacts and data to investigators than ever before.

Facilitating Electromagnetic Side-Channel Analysis for IoT Investigation: Evaluating the EMvidence Framework

The Internet of Things (IoT) has opened up new opportunities for digital forensics by providing new sources of evidence. However, acquiring data from IoT is not a straightforward task for multiple reasons including the diversity of manufacturers, the lack of standard interfaces, the use of light-weight data encryption, e.g. elliptic curve cryptography (ECC), etc. Electromagnetic side-channel analysis (EM-SCA) has been proposed as a new approach to acquire forensically useful data from IoT devices. However, performing successful EM-SCA attacks on IoT devices requires domain knowledge and specialised equipment that are not available to most digital forensic investigators. This work presents the methodology behind and an evaluation of a framework, EMvidence, that enables forensic investigators to acquire evidence from IoT devices through EM-SCA. This framework helps to automate and perform electromagnetic side-channel evidence collection for forensic purposes. An evaluation of the framework is performed by applying it to multiple realistic digital investigation scenarios. In the case of attacking ECC cryptographic operations, the evaluation demonstrates that the volume of EM data that needs to be stored and processed can be significantly reduced using the framework's machine learning based approach.