FORENSIC RECOVERY ANALYSIS OF LOST RAID 0 CONFIGURATION ON NETWORK ATTACHED STORAGE AS EVIDENCE IN COURT

In the modern world of globalization, Digital Forensic science has emerged as a pivotal investigative tool for solving complex cases. This discipline proves particularly effective in deciphering digital evidence. In this study, we ventured to examine a Network Area Storage (NAS) device, specifically one containing three hard disks. Our objective was to validate that the Hash value generated before the duplication process matches identically with the Hash value post-imaging or duplication. Our findings demonstrate that through reconfiguration and recovery of RAID 0, previously deleted files can be restored using the methods outlined in our research. In essence, this study establishes that: (1) Reconstruction of RAID configurations is feasible, (2) Recovery of deleted files from a RAID 0 system is achievable, and (3) Such restored data can serve as admissible evidence in court

Generation and Handling of Hard Drive Duplicates as Piece of Evidence

An important area in digital forensics is images of hard disks. The correct production of the images as well as the integrity and authenticity of each hard disk image is essential for the probative force of the image to be used at court. Integrity and authenticity are under suspicion as digital evidence is stored and used by software based systems. Modifications to digital objects are hard or even impossible to track and can occur even accidentally. Even worse, vulnerabilities occur for all current computing systems. Therefore, it is difficult to guarantee a secure environment for forensic investigations. But intended deletions of dedicated data of disk images are often required because of legal issues in many countries. This article provides a technical framework on the protection of the probative force of hard disk images by ensuring the integrity and authenticity using state of the art technology. It combines hardware-based security, cryptographic hash functions and digital signatures to achieve a continuous protection of the image together with a reliable documentation of the status of the device that was used for image creation. The framework presented allows to detect modifications and to pinpoint the exact area of the modification to the digital evidence protecting the probative force of the evidence at a whole. In addition, it also supports the deletion of parts of images without invalidating the retained data blocks. Keywords: digital evidence, probative force hard disk image, verifiable deletion of image data, trusted imaging softwar

Towards collaborative forensics: Preliminary framework

Digital forensic analysis techniques have been sig-nificantly improved and evolved in past decade but we still face a lack of effective forensic analysis tools to tackle diverse incidents caused by emerging technolo-gies and the advances in cyber crime. In this paper, we propose a comprehensive framework to address the effi-cacious deficiencies of current practices in digital foren-sics. Our framework, called Collaborative Forensic Framework (CUFF), provides scalable forensic services for practitioners who are from different organizations and have diverse forensic skills. In other words, our framework helps forensic practitioners collaborate with each other, instead of learning and struggling with new forensic techniques. Also, CUFF uses and augments current and emerging standards, including DFXML and EDRM XML for concise file representation and efficient resource transmission. In addition, we describe funda-mental building blocks for our framework and corre-sponding system requirements. 1

The Forensic Curator: Digital Forensics as a Solution to Addressing the Curatorial Challenges Posed by Personal Digital Archives

The growth of computing technology during the previous three decades has resulted in a large amount of content being created in digital form. As their creators retire or pass away, an increasing number of personal data collections, in the form of digital media and complete computer systems, are being offered to the academic institutional archive. For the digital curator or archivist, the handling and processing of such digital material represents a considerable challenge, requiring development of new processes and procedures. This paper outlines how digital forensic methods, developed by the law enforcement and legal community, may be applied by academic digital archives. It goes on to describe the strategic and practical decisions that should be made to introduce forensic methods within an existing curatorial infrastructure and how different techniques, such as forensic hashing, timeline analysis and data carving, may be used to collect information of a greater breadth and scope than may be gathered through manual activities

Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations

Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who performed them, and how they were performed. In order for an investigation to be effective, it must exhibit several characteristics. The results produced must be reliable, or else the theory of events based on the results will be flawed. The investigation must be comprehensive, meaning that it must analyze all targets which may contain evidence of forensic interest. Since any investigation must be performed within the constraints of available time, storage, manpower, and computation, investigative techniques must be efficient. Finally, an investigation must provide a coherent view of the events under question using the evidence gathered. Unfortunately the set of currently available tools and techniques used in digital forensic investigations does a poor job of supporting these characteristics. Many tools used contain bugs which generate inaccurate results; there are many types of devices and data for which no analysis techniques exist; most existing tools are woefully inefficient, failing to take advantage of modern hardware; and the task of aggregating data into a coherent picture of events is largely left to the investigator to perform manually. To remedy this situation, we developed a set of techniques to facilitate more effective investigations. To improve reliability, we developed the Forensic Discovery Auditing Module, a mechanism for auditing and enforcing controls on accesses to evidence. To improve comprehensiveness, we developed ramparser, a tool for deep parsing of Linux RAM images, which provides previously inaccessible data on the live state of a machine. To improve efficiency, we developed a set of performance optimizations, and applied them to the Scalpel file carver, creating order of magnitude improvements to processing speed and storage requirements. Last, to facilitate more coherent investigations, we developed the Forensic Automated Coherence Engine, which generates a high-level view of a system from the data generated by low-level forensics tools. Together, these techniques significantly improve the effectiveness of digital forensic investigations conducted using them

Botnet Forensic Investigation Techniques and Cost Evaluation

Botnets are responsible for a large percentage of damages and criminal activity on the Internet. They have shifted attacks from push activities to pull techniques for the distribution of malwares and continue to provide economic advantages to the exploiters at the expense of other legitimate Internet service users. In our research we asked; what is the cost of the procedural steps for forensically investigating a Botnet attack? The research method applies investigation guidelines provided by other researchers and evaluates these guidelines in terms of the cost to a digital forensic investigator. We conclude that investigation of Botnet attacks is both possible and procedurally feasible for a forensic investigator; but that scope management is critical for controlling the cost of investigation. We recommend quantifying Botnet investigations into five levels of cost based on time, complexity and technical requirements. Keywords: Botnets, Cybercrime, Investigating, Techniques, Costs, Researc

Software Piracy Forensics: Impact and Implications of Post‐Piracy Modifications

Piracy is potentially possible at any stage of the lifetime of the software. In a post-piracy situation, however, the growth of the respective versions of the software (both the original and pirated) is expected to be in different directions as a result of expectedly different implementation strategies. This paper shows how such post-piracy modifications are of special interest to a cyber crime expert investigating software piracy and suggests that the present software piracy forensic (or software copyright infringement investigation) approaches require amendments to take in such modifications. For this purpose, the paper also presents a format that is jargon-free, so as to present the findings in a more intelligible form to the judicial authorities. Keywords: Piracy, post-piracy modifications, software piracy, source code, copyright, software copyright infringement, software piracy forensics, database forensics, MIS forensics, AFC, SCAP, technical expert, substantial similarity test, CDA

The Advanced Framework for Evaluating Remote Agents (AFERA): A Framework for Digital Forensic Practitioners

Digital forensics experts need a dependable method for evaluating evidence-gathering tools. Limited research and resources challenge this process and the lack of multi-endpoint data validation hinders reliability in distributed digital forensics. A framework was designed to evaluate distributed agent-based forensic tools while enabling practitioners to self-evaluate and demonstrate evidence reliability as required by the courts. Grounded in Design Science, the framework features guidelines, data, criteria, and checklists. Expert review enhances its quality and practicality