
    Rethinking Digital Forensics

    © IAER 2019. In the modern socially-driven, knowledge-based virtual computing environment in which organisations are operating, the current digital forensics tools and practices can no longer meet the need for scientific rigour. There has been an exponential increase in the complexity of networks with the rise of the Internet of Things, cloud technologies and fog computing, which are altering business operations and models. Adding to the problem are the increased capacity of storage devices and the increased diversity of devices that are attached to networks and operate autonomously. We argue that the laws and standards that have been written, and the processes, procedures and tools that are in common use, are increasingly incapable of ensuring the requirement for scientific integrity. This paper looks at a number of issues with current practice and discusses measures that can be taken to improve the potential of achieving scientific rigour for digital forensics in the current and developing landscape. Peer reviewed.

    EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution

    Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features, including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires arduous effort on the part of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant time and resources and may not even be possible in an online/distance learning scenario because of the data sizes involved. In this paper, we introduce a more capable methodology and system as an alternative to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely base operating systems. To create challenges for students, educators can boot the base system, emulate the desired activity and perform a "diffing" of the resultant image against the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an "evidence package". Evidence packages can be created for different personae, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated into the base images. A number of additional applications of EviPlant in digital forensic challenge creation for tool testing and validation, proficiency testing, and malware analysis are also discussed.
    Comment: Digital Forensic Research Workshop Europe 201

    Towards an Automated Digital Data Forensic Model with specific reference to Investigation Processes

    Existing digital forensics frameworks do not provide clear guidelines for conducting digital forensics investigations. Had such a framework existed, investigations based on known procedures and processes would follow strict, prescribed standardisation. This should direct investigations to follow a set method that allows comparison, ensuring that future investigations follow one standard. Digital forensics lacks confirmed and tested methods; this becomes obvious when we consider the varied interpretations of the same case by participants using different investigation methods. Previous research has covered several approaches to setting a forensics framework, most of which are mere adaptations of earlier models. We found that only a few models present a framework that defines or delivers a qualified likeness between the different disciplines. From this, pattern analysis across different disciplines becomes possible (Kohn, 2007). This underlines the need to standardise processes, to ensure proven and consistent results. Digital Forensics Science needs a new approach, defining and standardising investigation processes by affirming an investigation framework. Present research does not sufficiently cover how existing forensic frameworks are used as guidelines while conducting investigations. As a result, wide general interpretations are possible instead of adherence to a set standard. Investigation processes, and in particular how data confirmation is conducted during and after an investigation, become questionable as well. This also challenges data consistency and the legality of investigation processes when a non-standard framework is used without forming a sound theory based on proven models.

    Identification and analysis of email and contacts artefacts on iOS and OS X


    IoT Forensics: Challenges For The IoA Era

    Challenges for IoT-based forensic investigations include the increasing number of objects of forensic interest, the relevance of identified and collected devices, blurry network boundaries, and edgeless networks. As we look ahead to a world of expanding ubiquitous computing, the challenge of forensic processes such as data acquisition (logical and physical) and the extraction and analysis of data grows in this space. Containing an IoT breach is increasingly challenging: evidence is no longer restricted to a PC or mobile device, but can be found in vehicles, RFID cards, and smart devices. By combining cloud-native forensics with client-side forensics (forensics for companion devices), we can study and develop the connection between them to support practical digital investigations and tackle emerging challenges in digital forensics. The investigative complexity brought by the IoT compounds the challenges of the Internet of Anything (IoA) era. IoA brings anything and everything "online" in a connectedness that generates an explosion of connected devices, from fridges, cars and drones to smart swarms, smart grids and intelligent buildings. Research to identify methods for performing IoT-based digital forensic analysis is essential. The long-term goal is the development of digital forensic standards that can be used as part of overall IoT and IoA security and aid IoT-based investigations.

    A non-device specific framework for the development of forensic locational data analysis procedure for consumer grade small and embedded devices

    Portable and wearable computing devices such as smart watches, navigation units, mobile phones, and tablet computers commonly ship with Global Navigation Satellite System (GNSS) supported locational awareness. Locational functionality is no longer limited to navigation-specific devices such as satellite navigation units and location tracking systems. Instead, the use of these technologies has extended to become secondary functionality on many devices, including mobile phones, cameras, portable computers, and video game consoles. The increased use of location-aware technology is of use to forensic investigators, as it has the potential to provide historic locational information. The evidentiary value of these devices to forensic investigators is currently limited by the lack of available forensic tools and published methods to properly acquire and analyse these data sources. This research addresses the issue through the synthesis of common processes for the development of forensic procedure to acquire and interpret historic locational data from embedded, locationally aware devices. The research undertaken provides a framework for the generation of forensic procedure to enable the forensic extraction of historical locational data. The framework is device agnostic, relying instead on differential analysis and structured testing to produce a validated method for the extraction of locational history. This framework was evaluated against five devices, selected on the basis of market penetration, availability and a stage of deduplication. The examination of the framework took place in a laboratory developed specifically for the research. This laboratory replicates all identified sources of location data for the devices selected; in this case it is able to simulate cellular (2G and 3G), GNSS (NAVSTAR and GLONASS), and Wi-Fi locationing services. The laboratory is a closed-sky facility, meaning that it is contained within a Faraday cage and all signals are produced and broadcast internally. Each selected device was run through a series of simulations. These simulations involved the broadcast of signals replicating travel along a specific path. Control data was established through the use of appropriate data recording systems for each of the simulated location signals. On completion of the simulation, each device was forensically acquired and analysed in accordance with the proposed framework. For each experiment carried out against the five devices, the control and experimental data were compared. In this examination, any divergence smaller than that expected for GNSS was ignored; any divergence greater than this was examined to establish its cause. Predictable divergence was accepted, and non-predictable divergence would have been noted as a limitation. In all instances where data was recovered, all divergences were found to be predictable. Post analysis, the research found that the proposed framework was successful in producing locational forensic procedure in a non-device-specific manner. This success was confirmed for all the devices tested.

    The challenges of seizing and searching the contents of Wi-Fi devices for the modern investigator

    To the modern law enforcement investigator, the possibility that an offender carried a mobile device that connected to a Wi-Fi network may afford evidence to place them at a scene at a particular time. Whilst tools to interrogate mobile devices and Wi-Fi networks have undergone significant development, little research has been conducted on interrogating Wi-Fi routers and the evidence they may contain. This paper demonstrates that multiple inhibiting factors exist for forensic investigators when attempting to extract data from Wi-Fi routers at the scene. Data volatility means the Wi-Fi router cannot be powered down without losing a substantial quantity of data. Third-party Wi-Fi enabled devices may connect to or interact with the access point after an event occurs. Multiple models exist, with varying internal architectures, operating systems, and external interfaces. This paper presents steps and considerations for the at-scene seizure of Wi-Fi devices by law enforcement, to ensure that the maximum digital forensic evidence is collected. It also lists a series of recommendations to the manufacturers of Wi-Fi devices to facilitate a standardised mechanism for collecting forensic evidence, thus making future acquisitions easier and more time-efficient.