
    A Case-Based Reasoning Method for Locating Evidence During Digital Forensic Device Triage

    The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing information from past digital forensic investigations in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application.

    Digital forensics formats: seeking a digital preservation storage format for web archiving

    In this paper we discuss archival storage formats from the point of view of digital curation and preservation. Taking established approaches to data management as our jumping-off point, we selected seven format attributes which are core to the long-term accessibility of digital materials. These we have labeled core preservation attributes. These attributes are then used as evaluation criteria to compare file formats belonging to five common categories: formats for archiving selected content (e.g. tar, WARC), disk image formats that capture data for recovery or installation (partimage, dd raw image), these two types combined with a selected compression algorithm (e.g. tar+gzip), formats that combine packing and compression (e.g. 7-zip), and forensic file formats for data analysis in criminal investigations (e.g. aff, Advanced Forensic File format). We present a general discussion of the file format landscape in terms of the attributes we discuss, and make a direct comparison between the three most promising archival formats: tar, WARC, and aff. We conclude by suggesting the next steps to take the research forward and to validate the observations we have made.

    Chip-off Success Rate Analysis Comparing Temperature and Chip Type

    Throughout the digital forensic community, chip-off analysis provides examiners with a technique to obtain a physical acquisition from a locked or damaged digital device. Thermal-based chip-off analysis relies upon the application of heat to remove the flash memory chip from the circuit board. Occasionally, a flash memory chip fails to read successfully despite following the same protocols as other flash memory chips. Previous research found that the application of high temperatures increased the number of bit errors present in the flash memory chip. The purpose of this study is to analyze data collected from chip-off analyses to determine whether a statistical difference exists between the removal temperatures of flash memory chips successfully and unsuccessfully read, using a t-test, an F-test and an analysis of variance (ANOVA). The results from the statistical evaluation showed no statistical difference between the groups of memory chips successfully and unsuccessfully read, nor between older and newer types of Ball Grid Array (BGA) memory chips.

    The effect of image pixelation on unfamiliar face matching

    Low-resolution, pixelated images from CCTV can be used to compare the perpetrators of crime with high-resolution photographs of potential suspects. The current study investigated the accuracy of person identification under these conditions by comparing high-resolution and pixelated photographs of unfamiliar faces in a series of matching tasks. Performance decreased gradually with increasing levels of pixelation and was close to chance with a horizontal image resolution of only 8 pixel bands per face (Experiment 1). Matching accuracy could be improved by reducing the size of pixelated faces (Experiment 2) or by varying the size of the high-resolution face image they are compared with (Experiment 3). In addition, pixelation produced effects that appear to be separable from other factors that might affect matching performance, such as changes in face view (Experiment 4). These findings reaffirm that criminal identifications from CCTV must be treated with caution and provide some basic estimates of identification accuracy at different pixelation levels. This study also highlights potential methods for improving performance in this task.

    Forensic Examination of Electronic Documents

    [Purpose] The purpose of the study is to reveal the concept and essence of forensic prevention of crimes involving the forgery of electronic documents, and to identify problems in the use of information to establish a system for countering crime and managing documents. [Methodology] The following approaches were used in the work: system-structural, dialectical, empirical. Forgery of electronic documents and their use is investigated not only within the framework of a single criminal case but also as a set of crimes committed depending on the mechanism that is the main one in the structure of criminal technologies. [Findings] Lack of skills and knowledge about the latest forms of documents, the methods of their forgery and their use in forensic investigations determine the reasons for the development of this condition. The analysis of investigative and judicial practice shows that cases of forgery of electronic documents are moved to separate proceedings due to the inability to identify the person who committed the crime. In some cases, court proceedings are returned for additional investigation, since investigators cannot establish the mechanisms and tools of falsification and bring appropriate charges. [Practical Implications] The practical significance lies in the formation of proposals for improving or amending the legislation, thereby improving the effectiveness of law enforcement agencies involved in countering or combating the forgery of documents.

    Container and VM Visualization for Rapid Forensic Analysis

    Cloud-hosted software such as virtual machines and containers is notoriously difficult to access, observe, and inspect during ongoing security events. This research describes a new, out-of-band forensic tool for rapidly analyzing cloud-based software. The proposed tool renders two-dimensional visualizations of container contents and virtual machine disk images. The visualizations can be used to identify container/VM contents, pinpoint instances of embedded malware, and find modified code. The proposed forensic tool is compared against other forensic tools in a double-blind experiment. The results confirm the utility of the proposed tool. Implications and future research directions are also described.