209 research outputs found

    Detection and Recovery of Anti-Forensic (VAULT) Applications on Android Devices

    A significant number of mobile device users currently employ anti-forensics applications, also known as vault or locker applications, on their mobile devices in order to hide files such as photos. Because of this, investigators are required to spend a large portion of their time manually looking at the applications installed on the device. Currently, there is no automated method of detecting these anti-forensics applications on an Android device. This work presents the creation and testing of a vault application detection system to be used on Android devices. The main goal of this work is twofold: (i) detecting and reporting the presence of various vault applications installed on given Android devices, and (ii) recovering the files that are hidden by utilizing these vault applications. The testing of our system was performed on six different devices running different versions of Android and in various states of rootedness. The findings show that, with a fairly comprehensive list of known vault applications, it is possible to provide a list of the vault applications installed on the Android device and possibly provide extracted hidden files to the investigator, unless they are encrypted. Hence, our work greatly reduces the amount of time that investigators are required to spend examining the applications on the device.

    Digital Forensic Tools & Cloud-Based Machine Learning for Analyzing Crime Data

    Digital forensics is a branch of forensic science in which we can recreate past events using forensic tools for legal purposes. The increase in the availability of mobile devices has also led to their use in criminal activities. Moreover, the rate at which data is being generated has been increasing, which has led to big data problems. With cloud computing, data can now be stored, processed and analyzed as it is generated. This thesis document consists of three studies related to data analysis. The first study involves analyzing data from an Android smartphone while making a comparison between two forensic tools, Paraben E3:DS and Autopsy. At the end of the study, it was concluded that most of the activities performed on a rooted Android device can be found in its internal memory. In the second study, the Snapchat application was analyzed on a rooted Android device to see how well it handles privacy issues. The result of the study shows that some of the predefined activities performed on the Snapchat application, as well as user information, can be retrieved using the Paraben E3:DS forensic tool. In the third study, machine learning services on Microsoft Azure and IBM Watson were used to perform predictive analysis in order to compare their performance. At the end of the experiments, Azure Machine Learning Studio was found to be more user friendly and to build models faster than the SPSS Modeler in IBM Watson Studio. This research is important because data needs to be analyzed in order to generate insights that can aid organizations or police departments in making the best decisions when analyzing crime data.

    Live Forensics on GPS inactive Smartphone

    Google is known to still track a user's location even after GPS and Location History have been turned off in the smartphone settings. This requires special handling to prove the location of a smartphone with inactive GPS and to view the Location History previously recorded for the user. The research investigates whether Google is still recording its users' location data. Live forensics requires data from the running system, i.e. volatile data, which is usually found in Random Access Memory (RAM) or in transit on the network. Investigations are carried out using a Google account, with a live forensics method, to obtain results from the Location History. The smartphone was checked manually through a data backup made via an installed custom recovery. When checking the backup filesystem, it turned out that no location data was stored. Therefore, the researchers analyzed the Google account with a forensic tool for cloud services in order to obtain location data. The analysis found matching locations across an 8-day investigation. Google can still find the location of smartphones with GPS disabled, but the location results are not accurate. Google can store user location data via cellular networks, Wi-Fi and sensors to help estimate the user's location. The process of extracting the results from the Google Maps log using a Google account was analyzed with Elcomsoft Cloud eXplorer and Oxygen Forensic Cloud Extractor, so the location log results are still available from Google.

    Advances of mobile forensic procedures in Firefox OS

    The advancement of smartphone technology has attracted many companies to developing mobile operating systems (OS). Mozilla Corporation recently released a Linux-based open source mobile OS, named Firefox OS. The emergence of Firefox OS has created new challenges, areas of focus and opportunities for digital investigators. In general, Firefox OS is designed to allow smartphones to communicate directly with HTML5 applications using JavaScript and the newly introduced WebAPI. However, the use of JavaScript in HTML5 applications, together with the absence of OS restrictions, might lead to security issues and potential exploits. Therefore, forensic analysis for Firefox OS is urgently needed in order to investigate any criminal intentions. This paper presents an overview and methodology of mobile forensic procedures for Firefox OS in a forensically sound manner.

    Introductory Computer Forensics

    INTERPOL (International Police) built cybercrime programs to keep up with emerging cyber threats, and aims to coordinate and assist international operations for fighting crimes involving computers. Although significant international efforts are being made in dealing with cybercrime and cyber-terrorism, finding effective, cooperative, and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven difficult in practice.

    DIGITAL FORENSIC ARTIFACTS OF SQLITE-BASED WINDOWS 10 APPLICATIONS

    Windows 10 is one of the most popular and widely used operating systems (OS). It contains several services, such as Windows Push Notification Services (WNS) and Timeline, that use SQLite databases. Windows 10 also has a platform, the Universal Windows Platform (UWP), to support application development. Applications on this platform can store their data in SQLite databases, as Microsoft Photos and Facebook Messenger do. This dissertation studies, from a digital forensic analysis perspective, two components of Windows 10: the Your Phone environment and WNS. The former consists of an Android application, Your Phone Companion (YPC), and a UWP application, Your Phone. The latter is a Windows 10 system that provides the notification service. Within the scope of this dissertation, scripts were developed to analyze these components, extracting the forensic artifacts considered most relevant. The developed solutions are integrated with the well-known forensic analysis software Autopsy. To help develop and maintain these digital forensic solutions that analyze artifacts produced by UWP applications, the UWP scanner was developed. It is an application analyzer focused on detecting changes at the level of the SQLite databases used by UWP applications. This tool helps maintain a history of the evolution of the databases used by certain UWP applications.

    SELECTED FORENSIC DATA ACQUISITION FROM ANDROID DEVICES

    In recent times, the amount of data stored on smartphones has increased phenomenally. A smartphone is as powerful as a laptop or a desktop, where people store their personal data or carry out daily activities; as a result it can serve as important evidence for law enforcement when solving cases such as an accident, a malicious exchange of text messages, or photos or videos taken during a mass shooting incident. This makes smartphones of significant forensic interest to the investigator. Some people may be willing to give their phones to the investigator, but they would like to make sure that their privacy and their data privacy have been taken into consideration, meaning that only data relevant to the case under investigation should be analyzed and collected. Even the Supreme Court has issued a ruling to preserve user and data privacy. In this research study, a new forensic tool is developed that performs selective extraction of data from an Android device. The input to this tool is based on the consent form filled in by the witness/victim who voluntarily hands over his/her phone to law enforcement, and the investigator extracts data within those limits. This tool performs extraction using metadata-based and content-based filtering and exports the extracted data, along with hash values, to a bootable drive in a forensically sound manner. State-of-the-art machine learning models are used to perform content-based filtering. As a result, a robust and efficient tool is built to solve real cases while preserving user and data privacy.

    The Proceedings of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia

    Conference Foreword This is the fifth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers, with a number from local and international authors. 11 papers were submitted and, following a double blind peer review process, 8 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To our sponsors and supporters, a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable. Yours sincerely, Conference Chair Professor Craig Valli, Director, Security Research Institute.

    Digital forensics procedures for Apple devices

    Mobile devices are ever more present in people's daily lives. Their connection to the Internet of Things allows the exchange of a large amount of information. Given their massive use, these devices are increasingly involved in crimes and, in turn, in digital investigations. Digital forensic science aims to identify, obtain, preserve, document, analyze and present digital evidence obtained from mobile devices, computers and networks. Digital forensic science is part of criminal investigations and, despite some legal barriers, is tied to the entire legal investigation process across several types of crime. The forensic tools used aim to obtain the maximum amount of digital evidence while maintaining its integrity, so that it can be used in court and be legally recognized and validated. The project presents a set of forensic procedures for Apple mobile devices, adapted to LabCIF (Laboratório de cibersegurança e informática forense). The procedures created allow the forensic analyst to go through the various forensic stages knowing which steps to take, thereby increasing the quality and speed of the forensic analysis process. Given the number of mobile applications used on a daily basis, the project presents a case study in which a set of chat applications are tested and used on Apple mobile devices. Several forensic acquisitions were carried out with the XRY forensic software. From this study it was possible to verify which data could be obtained, and thus to draw conclusions and indicate the locations of the most important data for certain applications.