Insight:an application of information visualisation techniques to digital forensics investigations

As digital devices are becoming ever more ubiquitous in our day to day lives, more of our personal information and behavioural patterns are recorded on these devices. The volume of data held on these devices is substantial, and people investigating these datasets are facing growing backlog as a result. This is worsened by the fact that many software tools used in this area are text based and do not lend themselves to rapid processing by humans.This body of work looks at several case studies in which these datasets were visualised in attempt to expedite processing by humans. A number of different 2D and 3D visualisation methods were trialled, and the results from these case studies fed into the design of a final tool which was tested with the assistance of a group of individuals studying Digital Forensics.The results of this research show some encouraging results which indicate visualisation may assist analysis in some aspects, and indicates useful paths for future work

Forensic Analysis of the exFAT Artifacts

Although keeping some basic concepts inherited from FAT32, the exFAT file system introduces many differences, such as the new mapping scheme of directory entries. The combination of exFAT mapping scheme with the allocation of bitmap files and the use of FAT leads to new forensic possibilities. The recovery of deleted files, including fragmented ones and carving becomes more accurate compared with former forensic processes. Nowadays, the accurate and sound forensic analysis is more than ever needed, as there is a high risk of erroneous interpretation. Indeed, most of the related work in the literature on exFAT structure and forensics, is mainly based on reverse engineering research, and only few of them cover the forensic interpretation. In this paper, we propose a new methodology using of exFAT file systems features to improve the interpretation of inactive entries by using bitmap file analysis and recover the file system metadata information for carved files. Experimental results show how our approach improves the forensic interpretation accuracy

Identification of Clear Text Data Obfuscated Within Active File Slack

Obfuscating text on a hard drive can be done by utilizing the slack space of files. Text can be inserted into the area between the end of the file data and the New Technology File System (NTFS) cluster (the smallest drive space allocated to a file) that in which the file is stored, the data is hidden from traditional methods of viewing. If the hard drive is large, how does a digital forensics expert know where to look to find text that has been obfuscated? Searching through a large hard drive could take up a substantial amount of time that the expert possibly could not justify. If the digital forensics expert lacks the knowledge on how to properly search a hard drive for obfuscated clear text using data carving concepts, how will the obfuscated clear text be located on the drive and identified? To address this, an algorithm was proposed and tested, which resulted in the successful identification of clear text data in slack space with a percentage average of 99.31% identified. This algorithm is a reliable form of slack space analysis which can be used in conjunction with other data extraction methods to see the full scope of evidence on a drive

The Proceedings of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia

Conference Foreword The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in “Internet of Things” protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and papers from within Australia and internationally. All submitted papers were subject to a double blind peer review process. Twenty two papers were submitted from Australia and overseas, of which eighteen were accepted for final presentation and publication. We wish to thank the reviewers for kindly volunteering their time and expertise in support of this event. We would also like to thank the conference committee who have organised yet another successful congress. Events such as this are impossible without the tireless efforts of such people in reviewing and editing the conference papers, and assisting with the planning, organisation and execution of the conference. To our sponsors, also a vote of thanks for both the financial and moral support provided to the conference. Finally, thank you to the administrative and technical staff, and students of the ECU Security Research Institute for their contributions to the running of the conference