Making the Invisible Visible – Techniques for Recovering Deleted SQLite Data Records
Forensic analysis and evidence collection for web browser activity is a recurring problem in digital investigation. It is not unusual for a suspect to cover his traces. Accordingly, the recovery of previously deleted data such as web cookies and browser history is important. Fortunately, many browsers and thousands of apps use the same database system to store their data: SQLite. Reason enough to take a closer look at this product. In this article, we follow the question of how deleted content can be made visible again in an SQLite database. For this purpose, the technical background of the problem will be examined first. Techniques are presented with which it is possible to carve and recover deleted data records from a database on a binary level. A novel software solution called FQLite is presented that implements the proposed algorithms. The search quality, as well as the performance of the program, is tested using the standard forensic corpus. The results of a performance study are discussed, as well. The article ends with a summary and identifies further research questions.
EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution
Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on the part of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant time and resources and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system as an alternative to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely base operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a "diffing" of resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an "evidence package". Evidence packages can be created for different personae, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated into the base images. A number of additional applications in digital forensic challenge creation for tool testing and validation, proficiency testing, and malware analysis are also discussed as a result of using EviPlant. Comment: Digital Forensic Research Workshop Europe 201
Auditing database systems through forensic analysis
The majority of sensitive and personal data is stored in a number of different Database Management Systems (DBMS). For example, Oracle is frequently used to store corporate data, MySQL serves as the back-end storage for many webstores, and SQLite stores personal data such as SMS messages or browser bookmarks. Consequently, the pervasive use of DBMSes has led to an increase in the rate at which they are exploited in cybercrimes. After a cybercrime occurs, investigators need forensic tools and methods to recreate a timeline of events and determine the extent of the security breach. When a breach involves a compromised system, these tools must make few assumptions about the system (e.g., corrupt storage, poorly configured logging, data tampering). Since DBMSes manage storage independent of the operating system, they require their own set of forensic tools.
This dissertation presents 1) our database-agnostic forensic methods to examine DBMS contents from any evidence source (e.g., disk images or RAM snapshots) without using a live system and 2) applications of our forensic analysis methods to secure data. The foundation of this analysis is page carving, our novel database forensic method that we implemented as the tool DBCarver. We demonstrate that DBCarver is capable of reconstructing DBMS contents, including metadata and deleted data, from various types of digital evidence. Since DBMS storage is managed independently of the operating system, DBCarver can be used for new methods to securely delete data (i.e., data sanitization). In the event of suspected log tampering or direct modification to DBMS storage, DBCarver can be used to verify log integrity and discover storage inconsistencies
The Advanced Framework for Evaluating Remote Agents (AFERA): A Framework for Digital Forensic Practitioners
Digital forensics experts need a dependable method for evaluating evidence-gathering tools. Limited research and resources challenge this process and the lack of multi-endpoint data validation hinders reliability in distributed digital forensics. A framework was designed to evaluate distributed agent-based forensic tools while enabling practitioners to self-evaluate and demonstrate evidence reliability as required by the courts. Grounded in Design Science, the framework features guidelines, data, criteria, and checklists. Expert review enhances its quality and practicality
Distinct Sector Hashes for Target File Detection
Using an alternative approach to traditional file hashing, digital forensic investigators can hash individually sampled subject drives on sector boundaries and then check these hashes against a prebuilt database, making it possible to process raw media without reference to the underlying file system.
Development of a Temporal Data Model for Selecting Agricultural Machinery Taking into Account the Technological Properties of Land Plots
Optimal selection of agricultural machinery depends on many factors. Among the main ones are the traction and coupling properties of tractors and the technological properties of land plots. A temporal data model has been developed, along with a program for optimal selection of agricultural machinery written in the high-level language Python. The program implements user authorization and the user's work with a database of agricultural machinery. The SQLite database is used, which allows data to be stored and processed using cloud-based, non-client-server technologies. Goal: to develop a temporal data model for optimal selection of agricultural machines through integration with a spatial database. Methods: database design methods, methods for developing dynamic geoinformation models, temporal database development methods. Results: a temporal data model has been developed, integrated with the geodata database and with the agricultural machinery database. Information on land plots is structured in the ArcGIS 10 spatial geodatabase and includes information on the area, type of use, and technological properties of land plots that affect the traction and coupling properties of tractors. The temporal data model has the time attributes necessary to draw up a daily work plan and to calculate economic indicators for mechanized tillage. Field of application of results: the proposed methodological approach to creating a temporal database is needed for a dynamic geographic information model, which is necessary for making decisions on the optimal selection of equipment, the selection of technological operations, and the solution of logistical and other practical problems.
Creation of a Database of Agricultural Machinery
A database for optimal selection of agricultural machinery has been developed. An analytical review of today's database management systems (DBMS) has shown that SQLite is a DBMS that is accessible to use and easy to integrate into various software solutions. Entities have been created in the relational database: land plots, agricultural machines, aggregates. Tables reflecting the traction and coupling properties of modern foreign and domestic tractors and aggregates have been created using the SQLite DBMS. The land plot entity is described by a set of geometric and attributive properties reflecting the spatial (area, perimeter) and also the technological properties of land plots. Such properties include: the furrow length of the plot, the soil energy intensity score, soil resistivity, soil rockiness, relief angle, relief inclination coefficient, intra-farm distance, road group coefficient, and relief inclination coefficient along the route. Practical implementation was carried out on the example of the Mirny farm in the Kochenevsky district of the Novosibirsk region using the geographic information system ArcGIS 10.6. The developed database allows the selection of agricultural machinery and can be used for comparative analysis of different versions of machine-tractor units taking into account the technological properties of land plots. Goal: to develop a database for selecting agricultural machinery taking into account the technological properties of land plots. Methods: database design methods. Results: a database of agricultural machinery has been developed with the help of SQLite, containing tables of agricultural machinery (tractors and aggregates) and land plots. Information on land plots is structured in the ArcGIS 10 spatial geodatabase and includes information on the area, type of use, as well as technological properties associated with the traction and coupling properties of tractors. Field of application of results: the developed database of agricultural machinery will allow further calculation of time costs in soil cultivation on a specific land plot.
Fool me once: A systematic review of techniques to authenticate digital artefacts
When conducting digital forensic investigations, practitioners are concerned with understanding whether the digital artefacts they encounter are authentic and have not been the subject of tampering activity. This is one factor of investigations which could potentially impact the reliability of any subsequent findings. Some research into this problem has already been undertaken; however, there is currently very little understanding of how effective current techniques are. In this paper, a Systematic Review (SR) of existing literature will be undertaken to identify the techniques that currently exist to authenticate digital artefacts. Furthermore, consideration will be given to understanding whether existing techniques are effective in solving the problem of digital artefact authentication and whether they are accessible by the practitioner community. The results of the SR will show that while research effort has been devoted to this problem, there are relatively few techniques which can be generally applied. Additionally, very little effort has been devoted to understanding the effectiveness of these techniques. Furthermore, the lack of standardised datasets for evaluation makes comparison between techniques impossible and none of the identified papers provided publicly available implementations. The shortcomings identified in this SR show that further research effort in this area could benefit the community in its aim to produce more reliable findings in forensic investigations.
Effects of the Factory Reset on Mobile Devices
Mobile devices usually provide a “factory-reset” tool to erase user-specific data from the main secondary storage. 9 Apple iPhones, 10 Android devices, and 2 BlackBerry devices were tested in the first systematic evaluation of the effectiveness of factory resets. Tests used the Cellebrite UME-36 Pro with the UFED Physical Analyzer, the Bulk Extractor open-source tool, and our own programs for extracting metadata, classifying file paths, and comparing them between images. Two phones were subjected to more detailed analysis. Results showed that many kinds of data were removed by the resets, but much user-specific configuration data was left. Android devices did poorly at removing user documents and media, and occasional surprising user data was left on all devices including photo images, audio, documents, phone numbers, email addresses, geolocation data, configuration data, and keys. A conclusion is that reset devices can still provide some useful information to a forensic investigation
Design of a Mobile Application for the Control of Pet Care
Activities they perform. A problem that apparently is not very important arises or becomes more evident. Talking about the carelessness that we often, without being intentional, have with our pets, the circumstances force us mostly to have tragic endings with them. Therefore, with the advancement of technology, we have the opportunity to greatly reduce this end and thus give utility to the current resources being presented. The objective of the research work is to develop a prototype of a mobile application using the Balsamiq mockup tool and take as a reference the care model of experts in animal care. In this way, it is possible to have better control and monitoring of the health and other care of our pets. For this, the Rational Unified Process (RUP) methodology is used, since it is the most appropriate for producing high-quality software, giving us a complete vision in the development of each phase that this methodology presents. Likewise, a positive result is obtained by the expert judgments of the evaluation of the design of our application. As a result, the proposed objective was achieved by obtaining a prototype that can help meet some needs of people who require support in the care of their pets, thus leaving the door open to continue adding and improving the development of this project.