IT Forensics Research Articles

Methods to acquisition digital evidence for computer forensics

Computer forensics is a key science and competency in meeting the growing risks of cybercrime, as well as for criminal investigation generally. In order to provide irrefutable evidence of a potential crime, a specialist in the incident response team (e.g. an IT forensics specialist) must secure the digital evidence in accordance with the correct procedure. There are no strict guidelines on how to do this. It is known that the authenticity and fidelity of data must be preserved. This article will collect good practices developed by specialists in the field of computer forensics. The process of securing the evidence material from a digital data sources for later analysis will be presented.

Bring2lite: A Structural Concept and Tool for Forensic Data Analysis and Recovery of Deleted SQLite Records

As of today mobile applications such as WhatsApp or Skype make use of the SQLite database format to store its data. From an IT forensics point of view it is therefore essential to extract all information related to an SQLite database. In this paper we focus on digital traces in the scope of SQLite that belong to deleted database data. We suggest to make use of a structural approach: we analyse the deletion behaviour of SQLite depending on different database parameters, which affect the erasure of database data. As SQLite pragmas are an important parameter during deletion, we examine the erasure behaviour dependent on the pragmas in use. Based on the results of our analysis, we develop a concept to parse and process deleted records. Our concept is implemented within our tool bring2lite, which is evaluated with respect to a common dataset of SQLite files. The overall result is that bring2lite achieves the highest recovery rate of approximately 53% compared to eight competing programmes.

Identity theft in the virtual world

The authors provide an overview of IT forensics practices in Hungary.

Identity theft in the virtual world: Analysis of a copyright crime in second life from the perspective of criminal law and IT forensics

In Hungary, there is an active practice for inspecting crimes committed in information technology environments as well as crimes affecting intellectual property as the two areas often overlap. Recently a criminal infringement of copyright occurred in a very special environment — the virtual world of Second Life. In this paper, the questions raised by the above-mentioned case from a legal and IT forensic perspective will be present along with the recommended answers from the authors. The first half of the paper will present the specialties of virtual world environments and how the criminal investigation was started. General criminal procedure norms governing IT forensics will be discussed. The question of how copyright law protects avatars or virtual items in Second Life and how the financial value of a virtual item can be determined will be answered. The remainder of the paper will present, in detail, the IT forensic examination of the concrete criminal case where illegal copies of avatars appeared in Sec...

Using Geolocation for the Strategic Preincident Preparation of an IT Forensics Analysis

Attack traceability and attribution are two of the main tasks of IT forensics. To support this, IT forensics is not limited to investigate data after the attack has taken place. Already before the attack, an optimal environment for a subsequent investigation has to be created. While this is primarily focused on ordinary logging, we propose to set both degree and characteristics of logging, based on geolocation. Thus, for conspicuous locations, more knowledge is gathered and stored in advance (georeputation). Next to this, due to the fact that the distribution of IP addresses is not static, additional information is stored to, e.g., determine the Internet service provider, which was responsible for the IP at the time the crime was committed. This additional data also contains geoinformation that can be used later to reconstruct attack routes and to identify and analyze distributed attacks. For these purposes, however, the IP localization mechanisms, i.e., the underlying method for geolocation, must be very accurate. Therefore, next to highlighting, the benefits of including geobased information and providing our architecture in order to do so, this publication also investigates accuracy and reliability of geoinformation and provides its own geolocation architecture and a corresponding prototype, including an evaluation.

From IT forensics to forensic computing

With the proliferation of digital computers and information systems into all fields of our society the amount of crime involving such systems (cybercrime) is steadily increasing. This involves both more traditional crimes in which digital systems are merely used as tools (e. g., different types of fraud, blackmailing, hidden communication) as well as new forms of crime in which digital systems are the target (e. g., computer abuses, malicious software, malicious remote control networks like botnets). For many years now, computer professionals have attempted to help in fighting cybercrime not only by devising preventive techniques to detect or prevent cyberattacks, but also by supporting the juridical system to investigate cybercrime and (in the long run) to identify, arrest and prosecute cybercriminals. In this feat, computer professionals play various roles: Not only do they support in identifying, preserving and analyzing evidence connected with digital systems, they also have to adapt investigative techniques and tools to the elusive behavior of cybercriminals. This broad field has become known as the field of digital forensics, computer forensics or IT forensics. The emergence of this field was mainly driven by practitioners trying to satisfy immediateneedswithin concretedigital investigations andRogers and Seigfried [3] identified “a disproportional focus on the applied aspects of computer forensics, at the expense of the development of fundamental theories”. Despite the scientific immaturity of the field, many universities (especially in the UK and the US) have started to establish academic degree programs and research labs in this area because of the need of scientific credibility in a court of law, but also partly driven by the enormous popularity of television series like “CSI”. After performing research in this area for almost 10 years, it appears to me as if the field is in many cases pretending to be scientific while it actually is executing best practices. Garfinkel [2] observed a “crisis” of digital forensics, and Casey [1, p. 1],

Forensic analysis of magnetic stripe skimmer devices

At SKL, the number of skimmer cases has increased since 2009. Hence it is important to have a good workflow for the forensic analysis. A successful multidisciplinary collaboration has been developed between DNA, fingerprints and IT forensics. Members of staff from these disciplines perform an initial examination deciding about which parts of the skimmers that are to be analysed for DNA or fingerprints. The combined experience from the different disciplines increases the chances of receiving successful results. For DNA analysis the success rate per case is 69%, which is a relatively high success rate.

Fighting forensics

Since crime began, the bad guys have tried to cover their tracks. For every advance in forensics and criminal detection, there has been a countermeasure. When fingerprinting was invented, burglars started wearing gloves. When hackers gain root on a remote system, they take care to delete log files to mask what they've done. And as IT forensics methods have improved, so have the anti-forensics techniques designed to defeat them.

Suspect sciences? Evidentiary Problems with Emerging Technologies

This article examines the standards governing the admission of new types of expert evidence. Based on the rules of evidence and procedure in Australia, it explains how judges have been largely uninterested in the reliability of expert opinion evidence. Focused on the use of CCTV images and covert sound recordings for the purposes of identification, but relevant to other forensic sciences, the article explains the need for interest in the reliability of incriminating expert opinion evidence. It also explains why many of the traditional trial safeguards may not be particularly useful for identifying or explaining problems and complexities with scientific and technical evidence. In closing, the article argues that those developing new types of evidence and new techniques, whether identification-based or derived from IT, camera or computer forensics, need to be able to explain why it is that the court can have confidence in any opinions expressed.

Seeking student safety

Ex-police officer of 13 years, Andrea Bradley, now heads up an IT forensics team that works with police forces and in education. Here she explains the trends her team is noticing in student internet use

A Swedish IT forensics course – expert opinions

There is mounting pressure for institutes of higher education to fill society's need for qualified IT forensics practitioners. Despite that pressure, it is not clear how that need should be filled, for whom, and by whom. There are many published texts available on which one might base a course, though they are primarily written for English speaking countries. Given the differences in legal practices in different countries, and forensic's dependency on legal procedures, it is not clear how applicable such texts are to Swedish education in the subject. This paper summarises some of the ongoing work at the Department of Computer and Systems Sciences at Stockholm University where we seek to define what the primary elements of a Swedish IT forensics education should be. Interviews conducted with specialists in IT law and IT forensics indicate that there are discrepancies between how representatives from on the one hand the public legal system and on the other private enterprise view the need and the subject matter.

Leaving a trace

IT forensics is seen by many in the industry as something of a black art. But it's actually a highly professional discipline, with professional software to assist, Steve Gold discovers

Guest Editorial: Information Security South Africa (ISSA) 2013

This special issue of the SAIEE Africa Research Journal is devoted to selected papers from the Information Security South Africa (ISSA) 2013 Conference which was held in Johannesburg, South Africa from 14 to 16 August 2013. The aim of the annual ISSA conference is to provide information security practitioners and researchers, from all over the globe, an opportunity to share their knowledge and research results with their peers. The 2013 conference focused on a wide spectrum of aspects in the information security domain. The fact that issues covering the functional, business, managerial, human, theoretical and technological aspects were addressed emphasizes the wide multi-disciplinary nature of modern-day information security. With the assistance of the original reviewers, twelve conference papers that received good overall reviews were identified. At the conference, I attended the presentation of each of these twelve papers and based on the reviewer reports and the presentations I selected six of these papers for possible publication in this Special Edition. The authors of these six selected papers were asked to rework their papers by expanding and/or further formalizing the research conducted. Each of these papers was subsequently reviewed again by a minimum of four international subject specialists. In some cases, where conflicting reviews were received, further reviews were requested. In some cases five reviews were requested to enable objective and quality decisions to be made. In all cases the reviews were conducted by members of the Technical Committee (TC) 11 of the International Federation of Information Processing (IFIP) or some subject experts suggested by them. Thus, in all cases the reviews were conducted by reputable subject experts and enough reviews were received to make a confident decision as well as to improve the relevant papers. In the end three papers were selected to get published in this Special Edition after the reviewer comments were attended to satisfactorily. The three papers cover various aspects of information security. The one paper identifies some new ideas in the user authentication arena; one paper focuses on the very important area of IT forensics and the third paper on the ever-present cloud and associated issues. This Special Edition includes three very diverse papers in the discipline of information security, giving a true reflection of the multi-disciplinary nature field of study. Lastly, I would like to express my appreciation to IEEE Xplore, who originally published the ISSA conference papers, for granting permission that these reworked papers can be published in this Special Edition.