Forensic analysis of VMware hard disks

With the advancement in virtualization technology, virtual machines (VMs) are becoming a common and an integral part of datacenters. As the popularity and use of VMs increases, incidents involving them are also on the rise. There is substantial research on using VMs and virtual appliances to aid forensic investigation, but research on collecting evidence from VMs following a forensic procedure is lacking. This thesis studies a forensically sound way to acquire and analyze VM hard disks. It also discusses the development of a tool which assists in forensic analysis of snapshots of virtual hard disks that are used in VMs. This tool analyzes the changes made to a virtual disk by comparing snapshots created at various stages. Comparing the state of the files in the base snapshot which is believed to be clean with the snapshot which is suspected of being tampered with, forensics investigators are able to identify files that have been recently added, deleted, edited, or modified

A comparison of open source and proprietary digital forensic software

Scrutiny of the capabilities and accuracy of computer forensic tools is increasing as the number of incidents relying on digital evidence and the weight of that evidence increase. This thesis describes the capabilities of the leading proprietary and open source digital forensic tools. The capabilities of the tools were tested separately on digital media that had been formatted using Windows and Linux. Experiments were carried out with the intention of establishing whether the capabilities of open source computer forensics are similar to those of proprietary computer forensic tools, and whether these tools could complement one another. The tools were tested with regards to their capabilities to make and analyse digital forensic images in a forensically sound manner. The tests were carried out on each media type after deleting data from the media, and then repeated after formatting the media. The results of the experiments performed demonstrate that both proprietary and open source computer forensic tools have superior capabilities in different scenarios, and that the toolsets can be used to validate and complement one another. The implication of these findings is that investigators have an affordable means of validating their findings and are able to more effectively investigate digital media

Hashes Are Not Suitable to Verify Fixity of the Public Archived Web

Web archives, such as the Internet Archive, preserve the web and allow access to prior states of web pages. We implicitly trust their versions of archived pages, but as their role moves from preserving curios of the past to facilitating present day adjudication, we are concerned with verifying the fixity of archived web pages, or mementos, to ensure they have always remained unaltered. A widely used technique in digital preservation to verify the fixity of an archived resource is to periodically compute a cryptographic hash value on a resource and then compare it with a previous hash value. If the hash values generated on the same resource are identical, then the fixity of the resource is verified. We tested this process by conducting a study on 16,627 mementos from 17 public web archives. We replayed and downloaded the mementos 39 times using a headless browser over a period of 442 days and generated a hash for each memento after each download, resulting in 39 hashes per memento. The hash is calculated by including not only the content of the base HTML of a memento but also all embedded resources, such as images and style sheets. We expected to always observe the same hash for a memento regardless of the number of downloads. However, our results indicate that 88.45% of mementos produce more than one unique hash value, and about 16% (or one in six) of those mementos always produce different hash values. We identify and quantify the types of changes that cause the same memento to produce different hashes. These results point to the need for defining an archive-aware hashing function, as conventional hashing functions are not suitable for replayed archived web pages

Forensic acquisition of file systems with parallel processing of digital artifacts to generate an early case assessment report

A evolução da maneira como os seres humanos interagem e realizam tarefas rotineiras mudou nas últimas décadas e uma longa lista de atividades agora somente são possíveis com o uso de tecnologias da informação – entre essas pode-se destacar a aquisição de bens e serviços, gestão e operações de negócios e comunicações. Essas transformações são visíveis também em outras atividades menos legítimas, permitindo que crimes sejam cometidos através de meios digitais. Em linhas gerais, investigadores forenses trabalham buscando por indícios de ações criminais realizadas por meio de dispositivos digitais para finalmente, tentar identificar os autores, o nível do dano causado e a história atrás que possibilitou o crime. Na sua essência, essa atividade deve seguir normas estritas para garantir que as provas sejam admitidas em tribunal, mas quanto maior o número de novos artefatos e maior o volume de dispositivos de armazenamento disponíveis, maior o tempo necessário entre a identificação de um dispositivo de um suspeito e o momento em que o investigador começa a navegar no mar de informações alojadas no dispositivo. Esta pesquisa, tem como objetivo antecipar algumas etapas do EDRM através do uso do processamento em paralelo adjacente nas unidades de processamento (CPU) atuais para para traduzir multiplos artefactos forenses do sistema operativo Windows 10 e gerar um relatório com as informações mais cruciais sobre o dispositivo adquirido. Permitindo uma análise antecipada do caso (ECA) ao mesmo tempo em que uma aquisição completa do disco está em curso, desse modo causando um impacto mínimo no tempo geral de aquisição

Computer Forensic Projects for Accountants

Digital attacks on organizations are becoming more common and more sophisticated. Firms are interested in providing data security and having an effective means to respond to attacks. Accountants possess important investigative and analytical skills that serve to uncover fraud in forensic investigations. Some accounting students take courses in forensic accounting but few colleges offer a course in computer forensics for accountants. Educators wishing to develop such a course may find developing the curriculum daunting. A major element of such a course is the use of forensic software. This paper argues the importance of computer forensics to accounting students and offers a set of exercises to provide an introduction to obtaining and analyzing data with forensics software that are available free online. In most cases, figures of important steps are provided. Educators will benefit when developing the course learning goals and curriculum

LASER Tech Briefs, February 1995

Topics included in this issue of LASER Tech Briefs are: Electronic Components and Circuits. Electronic Systems, Physical Sciences, Materials, Mechanics, Fabrication, and Mathematics and Information Sciences, an

An FPGA-Based System for Tracking Digital Information Transmitted via Peer-to-Peer Protocols

This thesis addresses the problem of identifying and tracking digital information that is shared using peer-to-peer file transfer and Voice over IP (VoIP) protocols. The goal of the research is to develop a system for detecting and tracking the illicit dissemination of sensitive government information using file sharing applications within a target network, and tracking terrorist cells or criminal organizations that are covertly communicating using VoIP applications. A digital forensic tool is developed using an FPGA-based embedded software application. The tool is designed to process file transfers using the BitTorrent peer-to-peer protocol and VoIP phone calls made using the Session Initiation Protocol (SIP). The tool searches a network for selected peer-to-peer control messages using payload analysis and compares the unique identifier of the file being shared or phone number being used against a list of known contraband files or phone numbers. If the identifier is found on the list, the control packet is added to a log file for later forensic analysis. Results show that the FPGA tool processes peer-to-peer packets of interest 92% faster than a software-only configuration and is 99.0% accurate at capturing and processing BitTorrent Handshake messages under a network traffic load of at least 89.6 Mbps. When SIP is added to the system, the probability of intercept for BitTorrent Handshake messages remains at 99.0% and the probability of intercept for SIP control packets is 97.6% under a network traffic load of at least 89.6 Mbps, demonstrating that the tool can be expanded to process additional peer-to-peer protocols with minimal impact on overall performance

A Disease Tracking EHR for Ghana

The goal of the project was to develop a disease tracking electronic health record (EHR) system for Ghana in order to improve efficiency within medical facilities and to increase the quality of patient care. There are only a few medical facilities that have implemented EHR systems, and even fewer with immunization and disease tracking. Our proposed system, VermaMS, stores a history of patient visits for every patient diagnosed with malaria, tuberculosis, or meningitis. Users of the application are able to view patient data graphically as well as generate a report that contains information on each patient’s visit. VermaMS is intended to be used in conjunction with the current EHR systems, but it could potentially be developed into a full EHR system of its own in the future