Introductory Computer Forensics

INTERPOL (International Police) built cybercrime programs to keep up with emerging cyber threats, and aims to coordinate and assist international operations for ?ghting crimes involving computers. Although signi?cant international efforts are being made in dealing with cybercrime and cyber-terrorism, ?nding effective, cooperative, and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven dif?cult in practic

On the genesis of computer forensis

This thesis presents a coherent set of research contributions to the new discipline of computer forensis. It analyses emergence of computer forensis and defines challenges facing this discipline, carries forward research advances in conventional methodology, introduces novel approach to using virtual environments in forensis, and systemises the computer forensis body of knowledge leading to the establishment of tertiary curriculum. The emergence of computer forensis as a separate discipline of science was triggered by evolution and growth of computer crime. Computer technology reached a stage when a conventional, mechanistic approach to collecting and analysing data is insufficient: the existing methodology must be formalised, and embrace technologies and methods that will enable the inclusion of transient data and live systems analysis. Further work is crucial to incorporate advances in related disciplines like computer security and information systems audit, as well as developments in operating systems to make computer forensics issues inherent in their design. For example: it is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. The analysis of permanent data storage is fundamental to computer forensics practice. There is very little finalised, and a lot still to be discovered in the conventional computer forensics methodology. This thesis contributes to formalisation and improved integrity of forensic handling of data storage by: formalising methods for data collection and analysis in NTFS (Microsoft file system) environment: presenting safe methodology for handling data backups in order to avoid information loss where Alternate Data Streams (ADS) are present: formalising methods of hiding and extracting hidden and encrypted data. A significant contribution of this thesis is in the field of application of virtualisation, or simulation of the computer in the virtual environment created by the underlying hardware and software, to computer forensics practice. Computer systems are not easily analysed for forensic purpose, and it is demonstrated that virtualisation applied in computer forensics allows for more efficient and accurate identification and analysis of the evidence. A new method is proposed where two environments used in parallel can bring faster and verifiable results not dependent on proprietary, close source tools and may lead to gradual shift from commercial Windows software to open source software (OSS). The final contribution of this thesis is systemising the body of knowledge in computer forensics, which is a necessary condition for it to become an established discipline of science. This systemisation led to design and development of tertiary curriculum in computer forensics illustrated here with a case study of computer forensics major for Bachelor of Computer Science at University of Western Sydney. All genesis starts as an idea. A natural part of scientific research process is replacing previous assumptions, concepts, and practices with new ones which better approximate the truth. This thesis advances computer forensis body of knowledge in the areas which are crucial to further development of this discipline. Please note that the appendices to this thesis consist of separately published items which cannot be made available due to copyright restrictions. These items are listed in the PDF attachment for reference purposes

Identification of Clear Text Data Obfuscated Within Active File Slack

Obfuscating text on a hard drive can be done by utilizing the slack space of files. Text can be inserted into the area between the end of the file data and the New Technology File System (NTFS) cluster (the smallest drive space allocated to a file) that in which the file is stored, the data is hidden from traditional methods of viewing. If the hard drive is large, how does a digital forensics expert know where to look to find text that has been obfuscated? Searching through a large hard drive could take up a substantial amount of time that the expert possibly could not justify. If the digital forensics expert lacks the knowledge on how to properly search a hard drive for obfuscated clear text using data carving concepts, how will the obfuscated clear text be located on the drive and identified? To address this, an algorithm was proposed and tested, which resulted in the successful identification of clear text data in slack space with a percentage average of 99.31% identified. This algorithm is a reliable form of slack space analysis which can be used in conjunction with other data extraction methods to see the full scope of evidence on a drive

SocialStegDisc: Application of steganography in social networks to create a file system

The concept named SocialStegDisc was introduced as an application of the original idea of StegHash method. This new kind of mass-storage was characterized by unlimited space. The design also attempted to improve the operation of StegHash by trade-off between memory requirements and computation time. Applying the mechanism of linked list provided the set of operations on files: creation, reading, deletion and modification. Features, limitations and opportunities were discussed.Comment: 5 pages, 5 figure

Comparison of data recovery techniques on master file table between Aho-Corasick and logical data recovery based on efficiency

Data recovery is one of the tools used to obtain digital forensics from various storage media that rely entirely on the file system used to organize files in these media. In this paper, two of the latest techniques of file recovery from file system (new technology file system (NTFS)) logical data recovery, Aho-Corasick data recovery were studied, examined and a practical comparison was made between these two techniques according to the speed and accuracy factors using three global datasets. It was noted that all previous studies in this field completely ignored the time criterion despite the importance of this standard. On the other hand, algorithms developed with other algorithms were not compared. The proposed comparison of this paper aims to detect the weaknesses and strength of both algorithms to develop a new algorithm that is more accurate and faster than both algorithms. The paper concluded that the logical algorithm was superior to the Aho-Corasick algorithm according to the speed criterion, whereas the algorithms gave the same results according to the accuracy criterion. The paper leads to a set of suggestions for future research aimed at achieving a highly efficient and high-speed data recovery algorithm such as the file-carving algorithm

A Survey On Various Methods To Detect Forgery And Computer Crime In Transaction Database

Abstract: A computer forensic method can be used for detecting the different types of forgeries and computer crime. Forgeries and computer crime are the most major concern of the digital world. Lots of techniques and methods have been used to find a proper solution to these problems. Nowadays, digital forensics are an important topic for research articles. In this paper a general survey has been carried out for different methods used in computer forensics to track the evidences which can be useful for detecting the computer crime and forgery. Forensic tools can be used for making any changes to data or tampering of data. Different rules sets or methods are defined to detect the various errors regarding the changes and the tampering of the data in different windows file system. Digital evidence can also be used to detect forgery or computer crime

Data mining Techniques for Digital Forensic Analysis

The computer forensic involve the protection, classification, taking out information and documents the evidence stored as data or magnetically encoded information. But the organizations have an increasing amount of data from many sources like computing peripherals, personal digital assistants (PDA), consumer electronic devices, computer systems, networking equipment and various types of media, among other sources. To find similar kinds of evidences, crimes happened previously, the law enforcement officers, police forces and detective agencies is time consuming and headache. The main motive of this work is by combining a data mining techniques with computer forensic tools to get the data ready for analysis, find crime patterns, understand the mind of the criminal, assist investigation agencies have to be one step ahead of the bad guys, to speed up the process of solving crimes and carry out computer forensics analyses for criminal affairs

EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution

Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on the part of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant time and resources and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system as an alternative to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely base operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a "diffing" of resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an "evidence package". Evidence packages can be created for different personae, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated into the base images. A number of additional applications in digital forensic challenge creation for tool testing and validation, proficiency testing, and malware analysis are also discussed as a result of using EviPlant.Comment: Digital Forensic Research Workshop Europe 201

Computer Anti-forensics Methods and their Impact on Computer Forensic Investigation

Electronic crime is very difficult to investigate and prosecute, mainly due to the fact that investigators have to build their cases based on artefacts left on computer systems. Nowadays, computer criminals are aware of computer forensics methods and techniques and try to use countermeasure techniques to efficiently impede the investigation processes. In many cases investigation with such countermeasure techniques in place appears to be too expensive, or too time consuming to carry out. Often a case can end up being abandoned and investigators are left with a sense of personal defeat. The methodologies used against the computer forensics processes are collectively called Anti-Forensics. This paper explores the anti forensics problem in various stages of computer forensic investigation from both a theoretical and practical point of view