
    The Need to Support of Data Flow Graph Visualization of Forensic Lucid Programs, Forensic Evidence, and their Evaluation by GIPSY

    Lucid programs are data-flow programs and can be visually represented as data flow graphs (DFGs) and composed visually. Forensic Lucid, a Lucid dialect, is a language to specify and reason about cyberforensic cases. It includes the encoding of the evidence (representing the context of evaluation) and the crime scene modeling in order to validate claims against the model and perform event reconstruction, potentially within large swaths of digital evidence. To aid investigators to model the scene and evaluate it, instead of typing a Forensic Lucid program, we propose to expand the design and implementation of the Lucid DFG programming onto Forensic Lucid case modeling and specification to enhance the usability of the language and the system and its behavior. We briefly discuss the related work on visual programming and DFG modeling in an attempt to define and select one approach or a composition of approaches for Forensic Lucid based on various criteria such as previous implementation, wide use, formal backing in terms of semantics and translation. In the end, we solicit the readers' constructive opinions, feedback, comments, and recommendations within the context of this short discussion.
    Comment: 11 pages, 7 figures, index; extended abstract presented at VizSec'10 at http://www.vizsec2010.org/posters ; short paper accepted at PST'1

    Watchword-Oriented and Time-Stamped Algorithms for Tamper-Proof Cloud Provenance Cognition

    Provenance is derivative journal information about the origin and activities of system data and processes. For a highly dynamic system like the cloud, provenance can be accurately detected and securely used in cloud digital forensic investigation activities. This paper proposes watchword oriented provenance cognition algorithm for the cloud environment. Additionally time-stamp based buffer verifying algorithm is proposed for securing the access to the detected cloud provenance. Performance analysis of the novel algorithms proposed here yields a desirable detection rate of 89.33% and miss rate of 8.66%. The securing algorithm successfully rejects 64% of malicious requests, yielding a cumulative frequency of 21.43 for MR

    Network Forensics Against Address Resolution Protocol Spoofing Attacks Using Trigger, Acquire, Analysis, Report, Action Method

    This study aims to obtain attack evidence and reconstruct commonly used address resolution protocol attacks as a first step to launch a moderately malicious attack. MiTM and DoS are the initiations of ARP spoofing attacks that are used as a follow-up attack from ARP spoofing. The impact is quite severe, ranging from data theft and denial of service to crippling network infrastructure systems. In this study, data collection was conducted by launching a test attack against a real network infrastructure involving 27 computers, one router, and four switches. This study uses a Mikrotik router by building a firewall to generate log files and uses the Tazmen Sniffer Protocol, which is sent to a syslog-ng computer in a different virtual domain in a local area network. The Trigger, Acquire, Analysis, Report, Action method is used in network forensic investigations by utilising Wireshark and network miners to analyze network traffic during attacks. The results of this network forensics obtain evidence that there have been eight attacks with detailed information on when there was an attack on the media access control address and internet protocol address, both from the attacker and the victim. However, attacks carried out with the KickThemOut tool can provide further information about the attacker's details through a number of settings, in particular using the Gratuitous ARP and ICMP protocols

    Frameup: An Incriminatory Attack on Storj: A Peer to Peer Blockchain Enabled Distributed Storage System

    In this work we present a primary account of frameup, an incriminatory attack made possible because of existing implementations in distributed peer to peer storage. The frameup attack shows that an adversary has the ability to store unencrypted data on the hard drives of people renting out their hard drive space. This is important to forensic examiners as it opens the door for possibly framing an innocent victim. Our work employs Storj as an example technology, due to its popularity and market size. Storj is a blockchain enabled system that allows people to rent out their hard drive space to other users around the world by employing a cryptocurrency token that is used to pay for the services rendered. It uses blockchain features like a transaction ledger, public/private key encryption, and cryptographic hash functions – but this work is not centered around blockchain. Our work discusses two frameup attacks, a preliminary and an optimized attack, both of which take advantage of Storj's implementation. Results illustrate that Storj allows a potential adversary to store incriminating unencrypted files, or parts of files that are viewable on people's systems when renting out their unused hard drive space. We offer potential solutions to mitigate our discovered attacks, a developed tool to review if a person has been a victim of a frameup attack, and a mechanism for showing that the files were stored on a hard drive without the renter's knowledge. Our hope is that this work will inspire future security and forensics research directions in the exploration of distributed peer to peer storage systems that embrace blockchain and cryptocurrency tokens

    Packet analysis for network forensics: A comprehensive survey

    Packet analysis is a primary traceback technique in network forensics, which, providing that the packet details captured are sufficiently detailed, can play back even the entire network traffic for a particular point in time. This can be used to find traces of nefarious online behavior, data breaches, unauthorized website access, malware infection, and intrusion attempts, and to reconstruct image files, documents, email attachments, etc. sent over the network. This paper is a comprehensive survey of the utilization of packet analysis, including deep packet inspection, in network forensics, and provides a review of AI-powered packet analysis methods with advanced network traffic classification and pattern identification capabilities. Considering that not all network information can be used in court, the types of digital evidence that might be admissible are detailed. The properties of both hardware appliances and packet analyzer software are reviewed from the perspective of their potential use in network forensics

    The role of information systems in the prevention and detection of transnational and international crime

    © Cambridge University Press 2014. All around the world criminal activity remains at the forefront of governmental concerns, not only as a problem that distorts the very fabric of society within the confines of national jurisdictions, but also as a problem that cuts across national borders to exhibit a global dimension. The international dimension of criminal activity remains critical and is generally characterized by a complexity that is unique and requires action on many different levels. Criminals set out to mask their illegal activities and deliberately generate complexity as a means of concealment. In doing so, they exploit new developments in technology that assist them in achieving their ends. This criminality exhibits forms of innovation that stretch far beyond traditional criminal activity (e.g., drug and human trafficking) and manages to attach itself within the broader fabric of society by exploiting the very latest developments. This evolution is necessary as criminals seek not only to escape arrest, prosecution and conviction, but also to enjoy the fruits of their criminality (mostly financial gains). Thus, they seek to develop ways of exploiting the various diffuse norms of social interaction (e.g., trust), financial modes of conduct (e.g., cash-based economies), technological and communication developments (e.g., Internet), and thereby minimize the possibility for detection. By limiting the resources that can be made available for prevention (or making them obsolete when developing new criminal behaviour), they participate in this co-evolution actively; and this they achieve by generating complexity

    CopAS: A Big Data Forensic Analytics System

    With the advancing digitization of our society, network security has become one of the critical concerns for most organizations. In this paper, we present CopAS, a system targeted at Big Data forensics analysis, allowing network operators to comfortably analyze and correlate large amounts of network data to get insights about potentially malicious and suspicious events. We demonstrate the practical usage of CopAS for insider threat detection on a publicly available PCAP dataset and show how the system can be used to detect insiders hiding their malicious activity in the large amounts of networking data streams generated during the daily activities of an organization

    Spectroscopic Characterization and Bioanalytical Applications of Benzophenoxazine Derivatives and the Use of Dyes and Dye-Encapsulated Silica Nanoparticles for Fingerprint Detection

    The use of benzophenoxazine dyes such as Nile red and Nile blue in various applications has received increasing attention in recent years. Due to the limitations of using the two dyes in aqueous media because of their poor solubility, extensive efforts have been made to synthesize new benzophenoxazine analogues. Therefore, the first part of the work aims to characterize modified structures of benzophenoxazine derivatives as well as Nile red and Nile blue using spectroscopic techniques. The optical properties of the dyes involve the determination of molar absorptivity and quantum yield values as well as photostability studies. The absorbance and emission wavelengths are in the visible and near-infrared region of the electromagnetic spectrum which is the most useful region for bioanalytical applications due to the reduced autofluorescence from biomolecules. The first part also includes the interactions between benzophenoxazine derivatives and human serum albumin. The affinity of the dye to the protein is hydrophobicity-dependent, but other parameters such as steric hindrance and electrostatic interaction play a role too as confirmed by binding constant values. Detection of fingerprints is considered one of the most valuable pieces of evidence in forensic investigations. The second part of the work aims to use benzophenoxazine derivatives for fingerprint detection on porous surfaces. The factors affecting the ability of Nile red and Nile blue derivatives to develop luminescent and visible fingerprints with good background contrast are discussed. The second part also contains the application of silica nanoparticles encapsulating some benzophenoxazine derivatives as well as fluorescein isothiocyanate as fingerprint reagents. The efficiency to develop fingerprints is governed by the nature of the encapsulated dye and organosilicate precursors

    A Sketch-based Rapid Modeling Method for Crime Scene Presentation

    The reconstruction of crime scene plays an important role in digital forensic application. This article integrates computer graphics, sketch-based retrieval and virtual reality (VR) techniques to develop a low-cost and rapid 3D crime scene presentation approach, which can be used by investigators to analyze and simulate the criminal process. First, we constructed a collection of 3D models for indoor crime scenes using various popular techniques, including laser scanning, image-based modeling and geometric modeling. Second, to quickly obtain an object of interest from the 3D model database, a sketch-based retrieval method was proposed. Finally, a rapid modeling system that integrates our database and retrieval algorithm was developed to quickly build a digital crime scene. For practical use, an interactive real-time virtual roaming application was developed in Unity 3D and a low-cost VR head-mounted display (HMD). Practical cases have been implemented to demonstrate the feasibility and availability of our method

    Investigating the Potential and Pitfalls of EV-Encapsulated MicroRNAs as Circulating Biomarkers of Breast Cancer

    Extracellular vesicles (EVs) shuttle microRNA (miRNA) throughout the circulation and are believed to represent a fingerprint of the releasing cell. We isolated and characterized serum EVs of breast tumour-bearing animals, breast cancer (BC) patients, and healthy controls. EVs were characterized using transmission electron microscopy (TEM), protein quantification, western blotting, and nanoparticle tracking analysis (NTA). Absolute quantitative (AQ)-PCR was employed to analyse EV-miR-451a expression. Isolated EVs had the appropriate morphology and size. Patient sera contained significantly more EVs than did healthy controls. In tumour-bearing animals, a correlation between serum EV number and tumour burden was observed. There was no significant relationship between EV protein yield and EV quantity determined by NTA, highlighting the requirement for direct quantification. Using AQ-PCR to relate miRNA copy number to EV yield, a significant increase in miRNA-451a copies/EV was detected in BC patient sera, suggesting potential as a novel biomarker of breast cancer