Validating digital forensic evidence

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.This dissertation focuses on the forensic validation of computer evidence. It is a burgeoning field, by necessity, and there have been significant advances in the detection and gathering of evidence related to electronic crimes. What makes the computer forensics field similar to other forensic fields is that considerable emphasis is placed on the validity of the digital evidence. It is not just the methods used to collect the evidence that is a concern. What is also a problem is that perpetrators of digital crimes may be engaged in what is called anti-forensics. Digital forensic evidence techniques are deliberately thwarted and corrupted by those under investigation. In traditional forensics the link between evidence and perpetrator's actions is often straightforward: a fingerprint on an object indicates that someone has touched the object. Anti-forensic activity would be the equivalent of having the ability to change the nature of the fingerprint before, or during the investigation, thus making the forensic evidence collected invalid or less reliable. This thesis reviews the existing security models and digital forensics, paying particular attention to anti-forensic activity that affects the validity of data collected in the form of digital evidence. This thesis will build on the current models in this field and suggest a tentative first step model to manage and detect possibility of anti-forensic activity. The model is concerned with stopping anti-forensic activity, and thus is not a forensic model in the normal sense, it is what will be called a “meta-forensic” model. A meta-forensic approach is an approach intended to stop attempts to invalidate digital forensic evidence. This thesis proposes a formal procedure and guides forensic examiners to look at evidence in a meta-forensic way

A descriptive model of the offence chain for imprisoned adult male firesetters (descriptive model of adult male firesetting)

Purpose: Firesetting has devastating consequences. Although some theoretical efforts have been made to explain firesetting (i.e., a small number of multi- and single-factor theories), little effort has been devoted to understand how deliberate firesetting unfolds across time (i.e., micro or offence chain theories). This research aimed to produce the first descriptive offence chain theory for incarcerated adult male firesetters.Methods: Thirty-eight adult male firesetters—recruited from prison establishments in England and Wales—were interviewed about the events, thoughts and feelings leading up to, surrounding, and immediately following a deliberate incident of firesetting. Results: Using Grounded Theory analysis, the Descriptive Model of Adult male Firesetting (DMAF) was developed documenting the cognitive, behavioural, affective and contextual factors leading to a single incident of deliberate firesetting. Conclusions: New information generated from the DMAF is presented and its contributions to the current evidence base are highlighted. Clinical implications, limitations and future research directions are also discussed

A Framework for the Systematic Evaluation of Malware Forensic Tools

Following a series of high profile miscarriages of justice linked to questionable expert evidence, the post of the Forensic Science Regulator was created in 2008 with a remit to improve the standard of practitioner competences and forensic procedures. It has since moved to incorporate a greater level of scientific practice in these areas, as used in the production of expert evidence submitted to the UK Criminal Justice System. Accreditation to their codes of practice and conduct will become mandatory for all forensic practitioners by October 2017. A variety of challenges with expert evidence are explored and linked to a lack of a scientific methodology underpinning the processes followed. In particular, the research focuses upon investigations where malicious software (‘malware’) has been identified. A framework, called the ‘Malware Analysis Tool Evaluation Framework’ (MATEF), has been developed to address this lack of methodology to evaluate software tools used during investigations involving malware. A prototype implementation of the framework was used to evaluate two tools against a population of over 350,000 samples of malware. Analysis of the findings indicated that the choice of tool could impact on the number of artefacts observed in malware forensic investigations as well as identifying the optimal execution time for a given tool when observing malware artefacts. Three different measures were used to evaluate the framework. The first of these evaluated the framework against the requirements and determined that these were largely met. Where the requirements were not met these are attributed to matters either outside scope or the fledgling nature of the research. Another measure used to evaluate the framework was to consider its performance in terms of speed and resource utilisation. This identified scope for improvement in terms of the time to complete a test and the need for more economical use of disk space. Finally, the framework provides a scientific means to evaluate malware analysis tools, hence addressing the Research Question subject to the level at which ground truth is established. A number of contributions are produced as the output of this work. First there is confirmation for the case for a lack of trusted practice in the field of malware forensics. Second, the MATEF itself, as it facilitates the production of empirical evidence of a tool’s ability to detect malware artefacts. A third contribution is a set of requirements for establishing trusted practice in the use of malware artefact detection tools. Finally, empirical evidence that supports both the notion that the choice of tool can impact on the number of artefacts observed in malware forensic investigations as well as identifying the optimal execution time for a given tool when observing malware artefacts

Forensic examination and analysis of the Prefetch files on the banking Trojan malware incidents

Whenever a program runs within the operating system, there will be data or artefacts created on the system. This condition applies to the malicious software (malware). Although they intend to obscure their presence on the system with anti-forensic techniques, still they have to run on the victim’s system to acquire their objective. Modern malware creates a significant challenge to the digital forensic community since they are being designed to leave limited traces and misdirect the examiner. Therefore, every examiner should consider performing all the forensics approaches such as memory forensic, live-response and Windows file analysis in the related malware incidents to acquire all the potential evidence on a victim’s system. There is a challenge when an examiner only has an option to perform post-mortem forensic approach. It leads to a question: what is a forensic examination and analysis that available to obtain evidence in such incidents? The paper shows how the Prefetching process works on a system, common characteristics and the differences in the Prefetching process related to the various versions of Windows. Thus, the paper shows how the Prefetch files contain the evidentiary value which could answer what, how, where and when the banking Trojan malware infects the system. Finally, the paper shows that forensic examination and analysis of the Prefetch files can find the data remnants of banking Trojan malware incidents

Identifying bugs in digital forensic tools

Bugs can be found in all code and the consequences are usually managed through up-grade releases, patches, and restarting operating systems and applications. However, in mission critical systems complete fall over systems are built to assure service continuity. In our research we asked the question, what are the professional risks of bugs in digital forensic tools? Our investigation reviewed three high use professional proprietary digital forensic tools, one in which we identified six bugs and evaluated these bug in terms of potential impacts on an investigator\u27s work. The findings show that yes major brand name digital forensic tools have software bugs and there is room for improvement. These bugs had potential to frustrate an investigator, to cost time, to lose evidence and to require compensatory strategies. Such software bugs also have the potential for malicious exploitation and anti-forensic use