The case for validating ADDIE model as a digital forensic model for peer to peer network investigation
Rapid technological advancement can substantially affect the processes of digital forensic investigation and presents a myriad of challenges to the investigator. Given these challenges, a standard digital forensic framework is needed as the foundation of any digital investigation. State-of-the-art digital forensic models assume that it is safe to move from one investigation stage to the next, and they guide the investigator through the required steps and procedures. This motivates validating a non-specific framework that can be used in most digital investigation procedures. This paper considers a new technique for detecting active peers that participate in a peer-to-peer (P2P) network. As part of our study, we crawled the μTorrent P2P client over ten days in several instances while logging all participating peers. We then employed digital forensic techniques to analyse the most active users and generate evidence about them with high accuracy. We evaluated our approach against the standard Analysis, Design, Development, Implementation, and Evaluation (ADDIE) model for digital investigation to obtain the credible digital evidence presented in this paper. Finally, we present a validation case for the ADDIE model using the United States Daubert Test and the United Kingdom's Forensic Science Regulator Guidance 218 (FSR-G-218) and Forensic Science Regulator Guidance 201 (FSR-G-201) to formulate it as a standard digital forensic model
Can current packet analysis software detect BitTorrent activity or extract files from BTP and μTP traffic streams?
BitTorrent is a peer to peer file sharing protocol used to exchange files over the internet, and is used for both legal and illegal activity. Newer BitTorrent client programs use proprietary UDP based protocols as well as TCP to transmit traffic, and also have the option of encrypting the traffic. This network forensic research examined a number of packet analysis programs to determine whether they could detect such traffic in packet captures of a complete file transmitted using one of four protocol options. The four states examined were: TCP without encryption, TCP with encryption, μTP without encryption and μTP with encryption, and the six programs investigated were: Network Miner, Tcpxtract, Honeysnap, OpenDPI, Netwitness Investigator and SPID. None of the six programs was able to fully reconstruct a file, and most could not even detect that the traffic related to BitTorrent usage. The Netwitness Investigator program was able to extract the announce and scrape files. The signature based SPID was able to partly match TCP based torrent traffic, but could not identify μTP traffic. The conclusion is that until new tools are developed, forensic investigators must continue to rely on artifacts created by the BitTorrent clients themselves in order to locate evidence in the event that a crime has been alleged
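The four protocol states above come down to what a signature-based tool can actually see on the wire. The following Python example is added here and is not code from the paper or from any of the six tools it evaluates. It implements the two structural checks such a tool can make: the plaintext BEP 3 handshake on TCP, and the BEP 29 μTP header on UDP. It shows why the second is only a weak indicator (the μTP header carries no magic value, only a version nibble and a small type range) and why an MSE-encrypted TCP stream matches neither. All sample payloads are constructed inline, not taken from the study's captures.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

BT_PSTR = b"BitTorrent protocol"                 # BEP 3 protocol string, 19 bytes
UTP_VERSION = 1                                  # BEP 29 version nibble
UTP_TYPES = {0: "ST_DATA", 1: "ST_FIN", 2: "ST_STATE", 3: "ST_RESET", 4: "ST_SYN"}


@dataclass
class Verdict:
    label: str      # "bittorrent-tcp", "utp-candidate" or "unknown"
    detail: str


def detect_bt_handshake(payload: bytes) -> Optional[Verdict]:
    """Match the plaintext BEP 3 handshake:
    <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != BT_PSTR:
        return None
    info_hash = payload[28:48].hex()
    peer_id = payload[48:68]
    return Verdict("bittorrent-tcp", f"info_hash={info_hash} peer_id={peer_id[:8]!r}")


def parse_utp_header(payload: bytes) -> Optional[dict]:
    """Parse the 20-byte BEP 29 header. There is no magic value: only the version
    nibble and the type range can be checked, so any datagram whose first byte is
    0x01, 0x11, 0x21, 0x31 or 0x41 passes this test."""
    if len(payload) < 20:
        return None
    pkt_type, version = payload[0] >> 4, payload[0] & 0x0F
    if version != UTP_VERSION or pkt_type not in UTP_TYPES:
        return None
    ext, conn_id, ts, ts_diff, wnd, seq, ack = struct.unpack("!BHIIIHH", payload[1:20])
    return {"type": UTP_TYPES[pkt_type], "ext": ext, "conn_id": conn_id,
            "wnd_size": wnd, "seq_nr": seq, "ack_nr": ack}


def classify(payload: bytes, transport: str) -> Verdict:
    """Signature-style verdict for one payload; transport is "tcp" or "udp"."""
    if transport == "tcp":
        hs = detect_bt_handshake(payload)
        if hs:
            return hs
        return Verdict("unknown", "no plaintext handshake; MSE/RC4 obfuscation leaves nothing to match")
    hdr = parse_utp_header(payload)
    if hdr:
        return Verdict("utp-candidate", f"{hdr['type']} conn_id={hdr['conn_id']:#06x} (structural match only)")
    return Verdict("unknown", "")


# Constructed sample payloads (not captures from the study).
SAMPLE_HANDSHAKE = (bytes([19]) + BT_PSTR + b"\x00" * 8
                    + bytes(range(20))                     # fake info_hash 00 01 .. 13
                    + b"-UT3500-" + b"A" * 12)             # Azureus-style peer_id
SAMPLE_UTP_SYN = struct.pack("!BBHIIIHH", (4 << 4) | UTP_VERSION, 0, 0x1234,
                             1_000_000, 0, 1 << 20, 1, 0)
SAMPLE_LOOKALIKE = b"\x21" + b"\x00" * 19                   # unrelated UDP payload that still reads as "ST_STATE v1"
SAMPLE_ENCRYPTED = hashlib.sha256(b"constructed MSE stream").digest() * 3   # stands in for an obfuscated stream

if __name__ == "__main__":
    for name, payload, transport in [("handshake", SAMPLE_HANDSHAKE, "tcp"),
                                     ("utp syn", SAMPLE_UTP_SYN, "udp"),
                                     ("lookalike", SAMPLE_LOOKALIKE, "udp"),
                                     ("encrypted", SAMPLE_ENCRYPTED, "tcp")]:
        v = classify(payload, transport)
        print(f"{name:10s} {v.label:15s} {v.detail}")
```

The lookalike datagram is the point: a header-only μTP check classifies it exactly like the real SYN, so a per-packet signature cannot separate μTP from any other UDP protocol whose first byte happens to fit. A usable detector has to track the connection state (SYN, then STATE/DATA with consistent conn_id and sequence numbers) across several datagrams, which is more than a payload signature engine does.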
CuFA: A More Formal Definition for Digital Forensic Artifacts
The term “artifact” currently does not have a formal definition within the domain of cyber/digital forensics, resulting in a lack of standardized reporting, linguistic understanding between professionals, and efficiency. In this paper we propose a new definition based on a survey we conducted, literature usage, prior definitions of the word itself, and similarities with archival science. This definition includes required fields that all artifacts must have and encompasses the notion of curation. Thus, we propose using a new term, curated forensic artifact (CuFA), to address items which have been cleared for entry into a CuFA database (one implementation, the Artifact Genome Project, abbreviated as AGP, is under development and briefly outlined). An ontological model encapsulates these required fields while utilizing a lower-level taxonomic schema. We use the Cyber Observable eXpression (CybOX) project due to its rising popularity and rigorous classifications of forensic objects. Additionally, we suggest some improvements on its integration into our model and identify higher-level location categories to illustrate tracing an object from creation through investigative leads. Finally, a step-wise procedure for researching and logging CuFAs is devised to accompany the model
Resistance commons : file-sharing litigation and the social system of commoning
This dissertation is an investigation into the practice of peer-to-peer file-sharing and the litigation campaign targeting individual file-sharers carried out by the Recording Industry Association of America (RIAA) from 2003 to 2008. The competing conceptualizations of social relations which motivate the conflict over peer-to-peer file-sharing are explored using a combination of Autonomist Marxist theory and structuration theory. Peer-to-peer file-sharing is framed as part of the social system of commoning stemming from the recent ascendancy of immaterial labor within that sector of the economy dedicated to the production and distribution of informational and cultural goods. The RIAA litigation campaign is framed as a reaction to the emergence of new forms of social relations which are seen by the content-producing industries as subversive of revenue streams premised on commodity exchange in informational and cultural goods. The history of the RIAA litigation campaign is presented in detail with careful attention given to those instances in which defendants and other interested parties fought back against RIAA legal actions. The acts of resistance within the legal arena affected the ultimate potential of the litigation campaign to control the spread of file-sharing activities. Subsequent legal campaigns which have been based on the RIAA litigation model are also examined. These later file-sharing cases have been met with similar forms of resistance which have likewise mitigated the impact of legal efforts to combat file-sharing. In addition, a survey of file-sharers is included in this research as part of an attempt to understand the relationship between legal actions targeting peer-to-peer systems and individual file-sharers and the technological and social development of peer-to-peer systems.
This research argues that file-sharing litigation has proven ineffective in turning back the flood of file-sharing and may have increased the technological sophistication and community ties among file-sharers. In the end, the conflict over peer-to-peer file-sharing is cast as a manifestation of a larger dynamic of capitalist crisis as content-producing industries attempt to come to terms with the contradictory tendencies of immaterial labor and the production of common pools of digital resources.
The Piratical Ethos: Textual Activity and Intellectual Property in Digital Environments
The Piratical Ethos: Textual Activity and Intellectual Property in Digital Environments examines the definition, function, and application of intellectual property in contexts of electronically mediated social production. With a focus on immaterial production, or the forms of coordinated social activity employed to produce knowledge and information in the networked information economy, this project ultimately aims to demonstrate how current intellectual property paradigms must be rearticulated for an age of digital (re)production. By considering the themes of Piracy, Intellectual Property, and Distributed Social Production, this dissertation provides an overview of the current state of peer production and intellectual property in the Humanities and Writing Studies. Next, this project develops and implements a communicational-mediational research methodology to theorize how both discursive and material data lend themselves to a more nuanced understanding of the ways that technologies of communication and coordination affect attitudes toward intellectual property. After establishing both a methodology and an interdisciplinary grounding for the themes of the work, this dissertation presents a grounded theoretic analysis of piratical discourse to reveal what I call the piratical ethos, or the guiding attitudes of individuals actively contesting intellectual property in piratical acts of distributed social production. Congruently, this work also investigates the material dynamics of piratical activity by analyzing the cultural-historical activity systems wherein piratical subjectivity emerges, emphasizing the agenic capacity of interfacial technologies at the scales of user and system.
Exploring the attitudes of piratical subjects and the technological genres that mediate piratical activity, I contend that the conclusions drawn from The Piratical Ethos can assist Writing Studies researchers with developing novel methodologies to study the intersections of intellectual property and distributed social production in digital worlds
Inference-Based Forensics for Extracting Information from Diverse Sources
Digital forensics is tasked with the examination and extraction of evidence from a diverse set of devices and information sources. While digital forensics has long been synonymous with file recovery, this label no longer adequately describes the science’s role in modern investigations. Spurred by evolving technologies and online crime, law enforcement is shifting the focus of digital forensics from its traditional role in the final stages of an investigation to assisting investigators in the earliest phases — often before a suspect has been identified and a warrant served. Investigators need new forensic techniques to investigate online crimes, such as child pornography trafficking on peer-to-peer networks (p2p), and to extract evidence from new information sources, such as mobile phones. The traditional approach of developing tools tailored specifically to each source is no longer tenable given the diversity, volume of storage, and introduction rate of new devices and network applications. Instead, we propose the adoption of flexible, inference-based techniques to extract evidence from any format. Such techniques can be readily applied to a wide variety of different evidence sources without requiring significant manual work on the investigator’s part. The primary contribution of my dissertation is a set of novel forensic techniques for extracting information from diverse data sources. We frame the evaluation using two different, but increasingly important, forensic scenarios: mobile phone triage and network-based investigations.
Via probabilistic descriptions of typical data structures, and using a classic dynamic programming algorithm, our phone triage techniques are able to identify user information in phones across varied models and manufacturers. We also show how to incorporate feedback from the investigator to improve the usability of extracted information.
For network-based investigations, we quantify and characterize the extent of contraband trafficking on peer-to-peer networks. We suggest various techniques for prioritizing law enforcement’s limited resources. We finally investigate techniques that use system logs to generate and then analyze a finite state model of a protocol’s implementation. The objective is to infer behavior that an investigator can leverage to further law enforcement objectives.
We evaluate all of our techniques using the real-world legal constraints and restrictions of investigators
Frameup: An Incriminatory Attack on Storj: A Peer to Peer Blockchain Enabled Distributed Storage System
In this work we present a primary account of frameup, an incriminatory attack made possible because of existing implementations in distributed peer to peer storage. The frameup attack shows that an adversary has the ability to store unencrypted data on the hard drives of people renting out their hard drive space. This is important to forensic examiners as it opens the door for possibly framing an innocent victim. Our work employs Storj as an example technology, due to its popularity and market size. Storj is a blockchain enabled system that allows people to rent out their hard drive space to other users around the world by employing a cryptocurrency token that is used to pay for the services rendered. It uses blockchain features like a transaction ledger, public/private key encryption, and cryptographic hash functions – but this work is not centered around blockchain. Our work discusses two frameup attacks, a preliminary and an optimized attack, both of which take advantage of Storj's implementation. Results illustrate that Storj allows a potential adversary to store incriminating unencrypted files, or parts of files that are viewable on people's systems when renting out their unused hard drive space. We offer potential solutions to mitigate our discovered attacks, a developed tool to review if a person has been a victim of a frameup attack, and a mechanism for showing that the files were stored on a hard drive without the renter's knowledge. Our hope is that this work will inspire future security and forensics research directions in the exploration of distributed peer to peer storage systems that embrace blockchain and cryptocurrency tokens
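The abstract's core finding is that shards a renter hosts may be plaintext, or fragments of plaintext, rather than client-side ciphertext. A renter can test for that condition with two generic checks that do not depend on Storj internals: a search for known file-header magic anywhere in the shard (the attack may store only parts of files, so the header need not sit at offset 0) and a byte-entropy measurement, since properly client-side encrypted shards are indistinguishable from uniform random bytes. The Python below is an added illustration of those checks, not the paper's victim-review tool; the shards are constructed inline, and the 7.0 bits/byte threshold and the 4 KiB window are assumptions.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

# File-type signatures that should never appear in the clear inside a hosted shard.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\x1f\x8b\x08": "gzip",
}
ENTROPY_THRESHOLD = 7.0   # assumption: below this many bits/byte the data is unlikely to be ciphertext
WINDOW = 4096             # assumption: inspect the first 4 KiB of each shard


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; uniform random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_magic(data: bytes) -> Optional[tuple[str, int]]:
    """Return (file type, offset) of the earliest known header in the window, if any."""
    best = None
    for sig, name in MAGIC.items():
        off = data.find(sig)
        if off != -1 and (best is None or off < best[1]):
            best = (name, off)
    return best


def inspect_shard(data: bytes) -> dict:
    """Flag a shard as likely plaintext on a header hit or on low entropy."""
    head = data[:WINDOW]
    hit = find_magic(head)
    ent = shannon_entropy(head)
    if hit:
        reason = f"{hit[0]} header at offset {hit[1]}"
    elif ent < ENTROPY_THRESHOLD:
        reason = f"low entropy ({ent:.2f} bits/byte)"
    else:
        reason = f"high entropy ({ent:.2f} bits/byte), consistent with ciphertext"
    return {"kind": hit[0] if hit else None,
            "offset": hit[1] if hit else None,
            "entropy": round(ent, 2),
            "likely_plaintext": bool(hit) or ent < ENTROPY_THRESHOLD,
            "reason": reason}


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for an encrypted shard (SHA-256 chain, no real key involved)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed shards, not data from the study.
SHARD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 500
SHARD_PARTIAL_PDF = b"\x00" * 700 + b"%PDF-1.7\n1 0 obj\n" + b"<< /Type /Catalog >>\n" * 40
SHARD_TEXT = b"the quick brown fox jumps over the lazy dog\n" * 90
SHARD_ENCRYPTED = pseudo_ciphertext(b"constructed", 4096)

if __name__ == "__main__":
    for name, shard in [("jpeg", SHARD_JPEG), ("partial pdf", SHARD_PARTIAL_PDF),
                        ("text", SHARD_TEXT), ("encrypted", SHARD_ENCRYPTED)]:
        r = inspect_shard(shard)
        print(f"{name:12s} plaintext={r['likely_plaintext']!s:5s} {r['reason']}")
```

A header hit is the stronger signal and is what makes the "parts of files" case detectable; the entropy check catches plaintext with no recognizable header (text, logs, configuration) but will also flag compressed-but-unencrypted data as ciphertext, so a high-entropy shard is "not obviously plaintext" rather than "proven encrypted".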