163 research outputs found

    Digital Forensic Tools & Cloud-Based Machine Learning for Analyzing Crime Data

    Digital forensics is a branch of forensic science in which we can recreate past events using forensic tools for legal measure. Also, the increase in the availability of mobile devices has led to their use in criminal activities. Moreover, the rate at which data is being generated has been on the increase, which has led to big data problems. With cloud computing, data can now be stored, processed and analyzed as they are generated. This thesis document consists of three studies related to data analysis. The first study involves analyzing data from an Android smartphone while making a comparison between two forensic tools: Paraben E3: DS and Autopsy. At the end of the study, it was concluded that most of the activities performed on a rooted Android device can be found in its internal memory. In the second study, the Snapchat application was analyzed on a rooted Android device to see how well it handles privacy issues. The result of the study shows that some of the predefined activities performed on the Snapchat application as well as user information can be retrieved using the Paraben E3: DS forensic tool. In the third study, machine learning services on Microsoft Azure and IBM Watson were used in performing predictive analysis to uncover their performance. At the end of the experiments, the Azure machine learning studio was seen to be more user friendly and builds models faster compared to the SPSS Modeler in the IBM Watson Studio. This research is important as data needs to be analyzed in order to generate insights that can aid organizations or police departments in making the best decisions when analyzing crime data.

    A FORENSICALLY-ENABLED IAAS CLOUD COMPUTING ARCHITECTURE

    Cloud computing has been advancing at an intense pace. It has become one of the most important research topics in computer science and information systems. Cloud computing offers enterprise-scale platforms in a short time frame with little effort. Thus, it delivers significant economic benefits to both commercial and public entities. Despite this, the security and subsequent incident management requirements are major obstacles to adopting the cloud. Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures – largely due to the fundamental dynamic nature of the cloud. When an incident has occurred, an organization-based investigation will seek to provide potential digital evidence while minimising the cost of the investigation. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on the Cloud Service Providers (CSPs) to acquire evidence for them. Due to the cost and time involved in acquiring the forensic image, some cloud providers will not provide evidence beyond 1TB despite a court order served on them. Assuming they would be willing or are required to by law, the evidence collected is still questionable as there is no way to verify the validity of evidence and whether evidence has already been lost. Therefore, dependence on the CSPs is considered one of the most significant challenges when investigators need to acquire evidence in a timely yet forensically sound manner from cloud systems. This thesis proposes a novel architecture to support a forensic acquisition and analysis of IaaS cloud-based systems.
The approach, known as Cloud Forensic Acquisition and Analysis System (Cloud FAAS), is based on a cluster analysis of non-volatile memory that achieves forensically reliable images at the same level of integrity as the normal “gold standard” computer forensic acquisition procedures with the additional capability to reconstruct the image at any point in time. Cloud FAAS fundamentally shifts access of the data back to the data owner rather than relying on a third party. In this manner, organisations are free to undertake investigations at will requiring no intervention or cooperation from the cloud provider. The novel architecture is validated through a proof-of-concept prototype. A series of experiments are undertaken to illustrate and model how Cloud FAAS is capable of providing a richer and more complete set of admissible evidence than what current CSPs are able to provide. Using Cloud FAAS, investigators have the ability to obtain a forensic image of the system after, just prior to or hours before the incident. Therefore, this approach can not only create images that are forensically sound but also provide access to deleted and more importantly overwritten files – which current computer forensic practices are unable to achieve. This results in an increased level of visibility for the forensic investigator and removes any limitations that data carving and fragmentation may introduce. In addition, an analysis of the economic overhead of operating Cloud FAAS is performed. This shows the level of disk change that occurs is well within acceptable limits and is relatively small in comparison to the total volume of memory available. The results show Cloud FAAS has both a technical and economic basis for solving investigations involving cloud computing. Saudi Governmen

    Automated Digital Forensics and Computer Crime Profiling

    Edited version embargoed until 01.12.2017. Full version: Access restricted permanently due to 3rd party copyright restrictions. Restriction set on 08.12.2016 by SC, Graduate School. Over the past two decades, technology has developed tremendously, at an almost exponential rate. While this development has served the nation in numerous different positive ways, negatives have also emerged. One such negative is that of computer crime. This criminality has even grown so fast as to leave current digital forensic tools lagging behind in terms of development, and capabilities to manage such increasing and sophisticated types of crime. In essence the time taken to analyse a case is huge and increasing, and cases are not fully or properly investigated. This results in an ever-increasing number of pending and unsolved cases pertaining to computer crime. Digital forensics has become an essential tool in the fight against computer crime, providing both procedures and tools for the acquisition, examination and analysis of digital evidence. However, the use of technology is expanding at an ever-increasing rate, with the number of devices a single user might engage with increasing from a single device to 3 or more, the data capacity of those devices reaching far into the Terabytes, and the nature of the underlying technology evolving (for example, the use of cloud services). This results in an incredible challenge for forensic examiners to process and analyse cases in an efficient and effective manner. This thesis focuses upon the examination and analysis phases of the investigative process and considers whether automation of the process is possible. The investigation begins with researching the current state of the art, and illustrates a wide range of challenges that are facing the digital forensics investigators when analysing a case. Supported by a survey of forensic researchers and practitioners, key challenges were identified and prioritised.
It was found that 95% of participants believed that the number of forensic investigations would increase in the coming times, with 75% of participants believing that the time consumed in such cases would increase. With regards to the digital forensic sophistication, 95% of the participants expected a rise in the complexity level and sophistication of digital forensics. To this end, an automated intelligent system that could be used to reduce the investigator’s time and cognitive load was found to be a promising solution. A series of experiments are devised around the use of Self-Organising Maps (SOMs) – a technique well known for unsupervised clustering of objects. The analysis is performed on a range of file system and application-level objects (e.g. email, internet activity) across four forensic cases. Experiment evaluations revealed SOMs are able to successfully cluster forensic artefacts from the remaining files. Having established SOMs are capable of clustering wanted artefacts from the case, a novel algorithm referred to as the Automated Evidence Profiler (AEP), is proposed to encapsulate the process and provide further refinement of the artefact identification process. The algorithm led to achieving identification rates in examined cases of 100% in two cases and 94% in a third. A novel architecture is proposed to support the algorithm in an operational capacity – considering standard forensic techniques such as hashing for known files, file signature analysis, application-level analysis. This provides a mechanism that is capable of utilising the AEP with several other components that are able to filter, prioritise and visualise artefacts of interest to the investigator. The approach, known as Automated Forensic Examiner (AFE), is capable of identifying potential evidence in a more efficient and effective manner.
The approach was evaluated by a number of experts in the field, and it was unanimously agreed that the chosen research problem was one with great validity. Further to this, the experts all showed support for the Automated Forensic Examiner based on the results of cases analysed

    CeFF: A Framework for Forensics Enabled Cloud Investigation

    Today, cloud computing has developed a transformative model for the organization, business, governments that brings huge potentials and turn into popular for pay as you go, on-demand service, scalability and efficient services. However, cloud computing has made the concern for forensic data because of the architecture of cloud system is not measured appropriately. Due to the distributed nature of the cloud system, many aspects relating to the forensic investigation such as data collection, data storage, crime target, data violation are difficult to achieve. Investigating the incidents in the cloud environment is a challenging task because the forensics investigator still needs to rely on the third party such as cloud service provider for performing their investigation tasks. It makes the overall forensic process difficult to complete with a duration and presented it to the court. Recently, there are some cloud forensics studies to address the challenges such as evidence collection, data acquisition, identifying the incidents and so on. However, still, there is a research gap in terms of consistency of analysing forensic evidence from distributed environment and methodology to analyse the forensic data in the cloud. This thesis contributes towards the direction of addressing the research gaps. In particular, this work proposes a forensic investigation framework CeFF: A framework for forensics enabled cloud investigation to investigate evidence in the cloud computing environment. The framework includes a set of concepts from organisational, technical and legal perspectives, which gives a holistic view of analysing cybercrime from organisation context where the crime has occurred through technical context and legal impact. The CeFF also includes a systematic process that uses the concept for performing the investigation.
The cloud-enabled forensics framework meets all the forensics-related requirements such as data collection, examination, presents the report, and identifies the potential risks that can be considered while investigating the evidence in the cloud-computing environment. Finally, the proposed CeFF is applied to a real-life example to validate its applicability. The result shows that CeFF supports analysing the forensic data for a crime that occurred in a cloud-based system in a systematic way

    Integrating Behavioural Analysis within the Digital Forensics Investigation Process

    This programme of research focused on incorporating Behavioural Analysis (BA) within the digital forensics investigation process. A review of previously developed digital forensics investigation models indicated a lack of sufficient consideration of the behavioural and motivational dimensions of offending, and the way in which digital evidence can be used to address these issues during the investigation process. This programme of research aimed to build on previous work by scientific researchers and investigators by developing a digital forensics investigation model which incorporates greater consideration of the behavioural and motivational implications of case-related digital evidence based on current theoretical understandings of these aspects of offending from forensic psychology. This can aid with understanding of the crime events and reconstruction, and lead to the development of more detailed models and guidelines for examining computer-facilitated interpersonal crimes. The first study employed an abductive approach to forensically analyse individual cases (real cases obtained from the Dubai Police archives) applying BA to the online Sexually Exploitative Imagery of Children (SEIC) and cyberstalking. Its aim was to investigate what BA could contribute to the digital forensics investigation of cases within these crime categories. It identified five benefits: (1) providing focus, speed and investigative directions, (2) inferring victim/offender behaviours, (3) inferring offender motivation(s), (4) identifying potential victims, and (5) eliminating suspects. This was followed by a survey study empirically examining the perceptions of national and international digital forensics practitioners regarding the use and utility of BA during the process of investigating SEIC and cyberstalking cases. 
The results indicated that while the majority believed that BA has potential to contribute to many aspects of digital forensics investigations, their daily investigative activities involved a limited use of this technique. The implications of the study were outlined, and emphasised the need to design a digital forensics investigation model that provides guiding steps and illustrations on how to utilise BA in digital forensics investigations. Based on the findings from the conducted studies, a digital forensics investigation model that incorporates aspects of BA was designed. It aimed to provide a pragmatic, structured, multidisciplinary approach to performing a post mortem examination, analysis, and interpretation of the content of the digital devices associated with computer-facilitated interpersonal crimes. Two comprehensive case studies were also used to illustrate the investigative importance of the model in investigating computer-facilitated interpersonal crimes

    A Survey of Social Network Forensics

    Social networks in any form, specifically online social networks (OSNs), are becoming a part of our everyday life in this new millennium especially with the advanced and simple communication technologies through easily accessible devices such as smartphones and tablets. The data generated through the use of these technologies need to be analyzed for forensic purposes when criminal and terrorist activities are involved. In order to deal with the forensic implications of social networks, current research on both digital forensics and social networks needs to be incorporated and understood. This will help digital forensics investigators to predict, detect and even prevent any criminal activities in different forms. It will also help researchers to develop new models / techniques in the future. This paper provides a literature review of the social network forensics methods, models, and techniques in order to provide an overview to the researchers for their future works as well as the law enforcement investigators for their investigations when crimes are committed in the cyber space. It also provides awareness and defense methods for OSN users in order to protect them against social attacks

    Implementation of Middleware for Internet of Things in Asset Tracking Applications: In-lining Approach

    Thesis. Internet of Things (IoT) is a concept that involves giving objects a digital identity and limited artificial intelligence, which helps the objects to be interactive, process data, make decisions, communicate and react to events virtually with minimum human intervention. IoT is intensified by advancements in hardware and software engineering and promises to close the gap that exists between the physical and digital worlds. IoT is paving ways to address complex phenomena, through designing and implementation of intelligent systems that can monitor phenomena, perform real-time data interpretation, react to events, and swiftly communicate observations. The primary goal of IoT is ubiquitous computing using wireless sensors and communication protocols such as Bluetooth, Wireless Fidelity (Wi-Fi), ZigBee and General Packet Radio Service (GPRS). Insecurity, of assets and lives, is a problem around the world. One application area of IoT is tracking and monitoring; it could therefore be used to solve asset insecurity. A preliminary investigation revealed that security systems in place at Central University of Technology, Free State (CUT) are disjointed; they do not instantaneously and intelligently conscientize security personnel about security breaches using real time messages. As a result, many assets have been stolen, particularly laptops. The main objective of this research was to prove that a real-life application built over a generic IoT architecture that innovatively and intelligently integrates: (1) wireless sensors; (2) radio frequency identification (RFID) tags and readers; (3) fingerprint readers; and (4) mobile phones, can be used to dispel laptop theft. To achieve this, the researcher developed a system, using the heterogeneous devices mentioned above and a middleware that harnessed their unique capabilities to bring out the full potential of IoT in intelligently curbing laptop theft.
The resulting system has the ability to: (1) monitor the presence of a laptop using an RFID reader that pro-actively interrogates a passive tag attached to the laptop; (2) detect unauthorized removal of a laptop under monitoring; (3) instantly communicate security violations via cell phones; and (4) use Windows location sensors to track the position of a laptop using Google Maps. The system also manages administrative tasks such as laptop registration, assignment and withdrawal which used to be handled manually. Experiments conducted using the resulting system prototype proved the hypothesis outlined for this research

    Proceedings of the 12th International Conference on Digital Preservation

    The 12th International Conference on Digital Preservation (iPRES) was held on November 2-6, 2015 in Chapel Hill, North Carolina, USA. There were 327 delegates from 22 countries. The program included 12 long papers, 15 short papers, 33 posters, 3 demos, 6 workshops, 3 tutorials and 5 panels, as well as several interactive sessions and a Digital Preservation Showcase

    Digital forensics: an integrated approach for the investigation of cyber/computer related crimes

    A thesis submitted to the University of Bedfordshire in partial fulfilment of the requirements for the degree of Doctor of Philosophy. Digital forensics has become a predominant field in recent times and courts have had to deal with an influx of related cases over the past decade. As computer/cyber related criminal attacks become more predominant in today’s technologically driven society the need for and use of, digital evidence in courts has increased. There is the urgent need to hold perpetrators of such crimes accountable and successfully prosecute them. The process used to acquire this digital evidence (to be used in cases in courts) is digital forensics. The procedures currently used in the digital forensic process were developed focusing on particular areas of the digital evidence acquisition process. This has resulted in very little regard being made for the core components of the digital forensics field, for example the legal and ethical along with other integral aspects of investigations as a whole. These core facets are important for a number of reasons including the fact that other forensic sciences have included them, and to survive as a true forensics discipline digital forensics must ensure that they are accounted for. This is because digital forensics, like other forensics disciplines, must ensure that the evidence (digital evidence) produced from the process is able to withstand the rigors of a courtroom. Digital forensics is a new and developing field still in its infancy when compared to traditional forensics fields such as botany or anthropology. Over the years development in the field has been tool centered, being driven by commercial developers of the tools used in the digital investigative process. This, along with having no set standards to guide digital forensics practitioners operating in the field has led to issues regarding the reliability, verifiability and consistency of digital evidence when presented in court cases.
Additionally some developers have neglected the fact that the mere mention of the word forensics suggests courts of law, and thus legal practitioners will be intimately involved. Such omissions have resulted in the digital evidence being acquired for use in various investigations facing major challenges when presented in a number of cases. Mitigation of such issues is possible with the development of a standard set of methodologies flexible enough to accommodate the intricacies of all fields to be considered when dealing with digital evidence. This thesis addresses issues regarding digital forensics frameworks, methods, methodologies and standards for acquiring digital evidence using the grounded theory approach. Data was gathered using literature surveys, questionnaires and interviews electronically. Collecting data using electronic means proved useful when there is need to collect data from different jurisdictions worldwide. Initial surveys indicated that there were no existing standards in place and that the terms models/frameworks and methodologies were used interchangeably to refer to methodologies. A framework and methodology have been developed to address the identified issues and represent the major contribution of this research. The dissertation outlines solutions to the identified issues and presents the 2IR Framework of standards which governs the 2IR Methodology supported by a mobile application and a curriculum of studies. These designs were developed using an integrated approach incorporating all four core facets of the digital forensics field. This research lays the foundation for a single integrated approach to digital forensics and can be further developed to ensure the robustness of process and procedures used by digital forensics practitioners worldwide