867 research outputs found

    An Evaluation of Windows-Based Computer Forensics Application Software Running on a Macintosh

    The two most common computer forensics applications perform exclusively on Microsoft Windows Operating Systems, yet contemporary computer forensics examinations frequently encounter one or more of the three most common operating system environments, namely Windows, OS-X, or some form of UNIX or Linux. Additionally, government and private computer forensics laboratories frequently encounter budget constraints that limit their access to computer hardware. Currently, Macintosh computer systems are marketed with the ability to accommodate these three common operating system environments, including Windows XP in native and virtual environments. We performed a series of experiments to measure the functionality and performance of the two most commonly used Windows-based computer forensics applications on a Macintosh running Windows XP in native mode and in two virtual environments relative to a similarly configured Dell personal computer. The research results are directly beneficial to practitioners, and the process illustrates effective pedagogy whereby students were engaged in applied research

    A comparative forensic analysis of privacy enhanced web browsers

    Growing concerns regarding Internet privacy have led to the development of enhanced privacy web browsers. The intent of these web browsers is to provide better privacy for users who share a computer by not storing information about what websites are being visited as well as protecting user data from websites that employ tracking tools such as Google for advertisement purposes. As with most tools, users have found an alternative purpose for enhanced privacy browsers, some illegal in nature. This research conducted a digital forensic examination of three enhanced privacy web browsers and three commonly used web browsers in private browsing mode to identify if these browsers produced residual browser artifacts and if so, if those artifacts provided content about the browsing session. The examination process, designed to simulate common practice of law enforcement digital forensic investigations, found that when comparing browser type by browser and tool combination, out of a possible 60 artifacts, the common web browsers produced 26 artifacts while the enhanced privacy browsers produced 25 for a difference of 2%. The tool set used also had an impact in this study, with FTK finding a total of 28 artifacts while Autopsy found 23, for a difference of 8%. The conclusion of this research found that although there was a difference in the number of artifacts produced by the two groups of browsers, the difference was not significant to support the claim that one group of browsers produced fewer browsers than the other. As this study has implications for privacy-minded citizens as well as law enforcement and digital forensic practitioners concerned with browser forensics, this study identified a need for future research with respect to internet browser privacy, including expanding this research to include more browsers and tools

    Forensic Artifact Finder (ForensicAF): An Approach & Tool for Leveraging Crowd-Sourced Curated Forensic Artifacts

    Current methods for artifact analysis and understanding depend on investigator expertise. Experienced and technically savvy examiners spend a lot of time reverse engineering applications while attempting to find crumbs they leave behind on systems. This takes away valuable time from the investigative process, and slows down forensic examination. Furthermore, when specific artifact knowledge is gained, it stays within the respective forensic units. To combat these challenges, we present ForensicAF, an approach for leveraging curated, crowd-sourced artifacts from the Artifact Genome Project (AGP). The approach has the overarching goal of uncovering forensically relevant artifacts from storage media. We explain our approach and construct it as an Autopsy Ingest Module. Our implementation focused on both File and Registry artifacts. We evaluated ForensicAF using systematic and random sampling experiments. While ForensicAF showed consistent results with registry artifacts across all experiments, it also revealed that deeper folder traversal yields more File Artifacts during data source ingestion. When experiments were conducted on case scenario disk images without a priori knowledge, ForensicAF uncovered artifacts of forensic relevance that help in solving those scenarios. We contend that ForensicAF is a promising approach for artifact extraction from storage media, and its utility will advance as more artifacts are crowd-sourced by AGP

    Table of Contents

    Back Matter

    Front Matter

    Capturing and Processing Born-Digital Files in the STOP AIDS Project Records: A Case Study

    In September 2012, the Manuscripts Division of the Stanford University Libraries Department of Special Collections and University Archives completed a one-year National Historical Publications and Records Commission (NHPRC)-funded project to process the records of the STOP AIDS Project, an HIV prevention non-profit organization in San Francisco, California. This project marked the department’s first large-scale processing project to capture and process born-digital records. Building upon the nascent framework outlined by the AIMS white paper and the infrastructure developed by Stanford University Libraries, the project team captured born-digital records and implemented new processing strategies using digital forensics tools. This case study will document the strategies and workflows employed by the project team to capture and process the born-digital component of the STOP AIDS Project records. We will describe the successes, challenges and roadblocks encountered while forensically imaging 3.5 inch floppy disks, Zip disks, and CDs using Forensic Toolkit (FTK) Imager software. We will then outline our approach to processing nearly 30,000 unique digital files captured from the computer media using AccessData Forensic Toolkit (FTK) software, discuss our current delivery strategy, and offer some concluding thoughts

    Sixth Annual Users' Conference

    Conference papers and presentation outlines which address the use of the Transportable Applications Executive (TAE) and its various applications programs are compiled. Emphasis is given to the design of the user interface and image processing workstation in general. Alternate ports of TAE and TAE subsystems are also covered