
    A semantic methodology for (un)structured digital evidences analysis

    Nowadays, more than ever, digital forensics activities are involved in any criminal, civil or military investigation and represent a fundamental tool to support cyber-security. Investigators use a variety of techniques and proprietary forensic software applications to examine forensic copies of digital devices, searching for hidden, deleted, encrypted or damaged files and folders. Any evidence found is carefully analysed and documented in a "finding report" in preparation for legal proceedings that involve discovery, depositions or actual litigation. The aim is to discover and analyse patterns of fraudulent activity. In this work, a new methodology is proposed to support investigators during the analysis process by correlating evidence found through different forensic tools. The methodology was implemented in a system that adds semantic assertions to the data generated by forensic tools during extraction. These assertions enable more effective access to relevant information and enhanced retrieval and reasoning capabilities.
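The idea in the abstract above, reduced to its core, is that output from different tools becomes correlatable once each record is rewritten as assertions about a shared identifier. The following is an added illustration and is not code from the thesis: the two tool outputs, the tool names ("carver", "execlog"), the record layouts, the predicate names and the hash values are all constructed for the example, and the triple store is a minimal stand-in for an RDF store.

```python
"""
Lift two forensic tool outputs into a small triple store and report the
artefacts that more than one tool says something about. Added example, not
the thesis's system; all tool names, record layouts and values are constructed.
"""
from collections import defaultdict

# Constructed output of a hypothetical file carver and of a hypothetical
# execution-log parser. The SHA-256 values are placeholders.
CARVER_ROWS = [
    {"sha256": "aa11" * 16, "path": "/Users/alice/Downloads/invoice.exe", "deleted": True},
    {"sha256": "bb22" * 16, "path": "/Users/alice/Documents/notes.txt", "deleted": False},
]
EXECLOG_ROWS = [
    {"sha256": "aa11" * 16, "user": "alice", "ts": "2024-03-01T10:14:02Z"},
    {"sha256": "cc33" * 16, "user": "bob", "ts": "2024-03-01T11:02:45Z"},
]


class TripleStore:
    """Minimal (subject, predicate, object) store with the two lookups needed here."""

    def __init__(self):
        self.by_subject = defaultdict(set)   # subject -> {(predicate, object)}

    def add(self, subject, predicate, obj):
        self.by_subject[subject].add((predicate, obj))

    def objects(self, subject, predicate):
        return {o for p, o in self.by_subject.get(subject, ()) if p == predicate}

    def subjects_with(self, predicate):
        return {s for s, pos in self.by_subject.items() if any(p == predicate for p, _ in pos)}


def artefact_iri(sha256):
    """Both tools key on the content hash, so the hash becomes the shared identifier."""
    return "artefact:sha256:" + sha256


def lift_carver(store, rows):
    """Assert what the carver knows: where the file was and whether it was deleted."""
    for r in rows:
        a = artefact_iri(r["sha256"])
        store.add(a, "reportedBy", "tool:carver")
        store.add(a, "hasPath", r["path"])
        store.add(a, "hasStatus", "deleted" if r["deleted"] else "present")


def lift_execlog(store, rows):
    """Assert what the execution log knows: who ran the binary and when."""
    for r in rows:
        a = artefact_iri(r["sha256"])
        store.add(a, "reportedBy", "tool:execlog")
        store.add(a, "executedBy", "user:" + r["user"])
        store.add(a, "executedAt", r["ts"])


def correlate(store):
    """Artefacts reported by two or more tools, with the facts each contributed.
    A deleted binary that the execution log shows being run is the kind of
    cross-tool link that is easy to miss when reading two reports separately."""
    findings = []
    for a in sorted(store.subjects_with("reportedBy")):
        tools = store.objects(a, "reportedBy")
        if len(tools) < 2:
            continue
        findings.append({
            "artefact": a,
            "tools": sorted(tools),
            "paths": sorted(store.objects(a, "hasPath")),
            "status": sorted(store.objects(a, "hasStatus")),
            "users": sorted(store.objects(a, "executedBy")),
        })
    return findings


def run_example():
    store = TripleStore()
    lift_carver(store, CARVER_ROWS)
    lift_execlog(store, EXECLOG_ROWS)
    return correlate(store)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Only the artefact both tools reported survives the join; notes.txt (carver only) and bob's binary (execution log only) are left out, which is the filtering an analyst otherwise does by hand across two reports.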

    A structured approach to malware detection and analysis in digital forensics investigation

    A thesis submitted to the University of Bedfordshire in partial fulfilment of the requirement for the degree of PhD.
    On the World Wide Web (WWW), malware is considered one of the most serious threats to system security, with complex system issues caused by malware and spam. Networks and systems can be accessed and compromised by various types of malware, such as viruses, worms, Trojans, botnets and rootkits, which compromise systems through coordinated attacks. Malware often uses anti-forensic techniques to avoid detection and investigation. Moreover, the results of investigating such attacks are often ineffective and can create barriers to obtaining clear evidence, owing to the lack of sufficient tools and the immaturity of forensic methodology. This research addressed various complexities faced by investigators in the detection and analysis of malware. In this thesis, the author identified the need for a new approach to malware detection that focuses on a robust framework, and proposed a solution based on an extensive literature review and market research analysis. The literature review focused on the different trials and techniques in malware detection to identify the parameters for a solution design, while market research was carried out to understand the precise nature of the current problem. The author termed the new approach and framework the triple-tier centralised online real-time environment (tri-CORE) malware analysis (TCMA). The tiers come from three distinct phases of detection and analysis, into which the entire research pattern is divided: the malware acquisition function, detection and analysis, and the database operational function. This framework design will contribute to the field of computer forensics by making the investigative process more effective and efficient.
By integrating a hybrid method for malware detection, the limitations of purely static and purely dynamic methods are reduced. This aids forensic experts in carrying out quick investigatory processes to detect the behaviour of the malware and its related elements. The proposed framework will help to ensure system confidentiality, integrity, availability and accountability. The current research also produced a prototype (artefact) developed to support a different approach to digital forensics and malware detection. A new toolkit was designed and implemented, based on a simple architectural structure and built from open-source software, which can help investigators develop the skills to respond critically to current cyber incidents and analyses.

    Software development process mining: discovery, conformance checking and enhancement

    Context. Modern software projects require the proper allocation of human, technical and financial resources. Very often, project managers make decisions supported only by their personal experience, intuition, or simply by mirroring activities performed by others in similar contexts. Most attempts to avoid such practices use models based on lines of code, cyclomatic complexity or effort estimators, commonly supported by software repositories that are known to contain several flaws. Objective. Demonstrate the usefulness of process data and mining methods to enhance software development practices, by assessing efficiency and unveiling unknown process insights, thus contributing to the creation of novel models within the software development analytics realm. Method. We mined the development process fragments of multiple developers in three different scenarios by collecting Integrated Development Environment (IDE) events during their development sessions. Furthermore, we used process and text mining to discover developers' workflows and their fingerprints, respectively. Results. We discovered and modeled with good quality developers' processes during programming sessions, based on events extracted from their IDEs. We unveiled insights from coding practices in distinct refactoring tasks, built accurate software complexity forecast models based only on process metrics, and set up a method for coherently characterizing developers' behaviors. The latter may ultimately lead to the creation of a catalog of software development process smells. Conclusions. Our approach is agnostic to programming languages, geographic location or development practices, making it suitable for challenging contexts such as modern global software development projects using either traditional IDEs or sophisticated low/no-code platforms.
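The three operations in the title (discovery, conformance checking, enhancement) can be shown end to end on an IDE event log. The block below is an added example, not code from the thesis or its tooling: the event log, the session ids, the activity names and the "untested commit" smell are constructed for illustration, and the model is a plain directly-follows graph rather than whatever notation the thesis used.

```python
"""
Directly-follows discovery, conformance checking and one enhancement step over
an IDE event log. Added example; the log below is constructed, not real data.
"""
from collections import Counter

# Constructed IDE event log: (session id, ISO timestamp, activity).
EVENTS = [
    ("s1", "2024-01-08T09:00:00", "OpenFile"),
    ("s1", "2024-01-08T09:05:00", "EditFile"),
    ("s1", "2024-01-08T09:20:00", "RunTests"),
    ("s1", "2024-01-08T09:25:00", "Commit"),
    ("s2", "2024-01-08T10:00:00", "OpenFile"),
    ("s2", "2024-01-08T10:04:00", "EditFile"),
    ("s2", "2024-01-08T10:30:00", "EditFile"),
    ("s2", "2024-01-08T10:41:00", "RunTests"),
    ("s2", "2024-01-08T10:45:00", "Commit"),
    ("s3", "2024-01-08T11:00:00", "OpenFile"),
    ("s3", "2024-01-08T11:02:00", "RunTests"),
    ("s3", "2024-01-08T11:10:00", "EditFile"),
    ("s3", "2024-01-08T11:12:00", "Commit"),      # commits an untested edit
    ("s4", "2024-01-08T13:00:00", "OpenFile"),
    ("s4", "2024-01-08T13:06:00", "EditFile"),
    ("s4", "2024-01-08T13:15:00", "RunTests"),
    ("s4", "2024-01-08T13:20:00", "EditFile"),
    ("s4", "2024-01-08T13:31:00", "RunTests"),
    ("s4", "2024-01-08T13:35:00", "Commit"),
]


def group_traces(events):
    """Order events per session by timestamp; returns {session: [activity, ...]}."""
    traces = {}
    for case, _ts, activity in sorted(events, key=lambda e: (e[0], e[1])):
        traces.setdefault(case, []).append(activity)
    return traces


def discover_dfg(traces):
    """Discovery: directly-follows graph with edge frequencies, plus the
    activities observed at the start and at the end of a session."""
    edges, starts, ends = Counter(), Counter(), Counter()
    for trace in traces.values():
        starts[trace[0]] += 1
        ends[trace[-1]] += 1
        for a, b in zip(trace, trace[1:]):
            edges[(a, b)] += 1
    return {"edges": edges, "starts": starts, "ends": ends}


def check_conformance(model, trace):
    """Conformance: replay a trace on the DFG. Every move must be an observed
    edge and the trace must begin and end in observed activities.
    Returns (fitness, deviations); fitness is the share of valid moves."""
    deviations = []
    if trace[0] not in model["starts"]:
        deviations.append(f"unexpected start activity {trace[0]}")
    if trace[-1] not in model["ends"]:
        deviations.append(f"unexpected end activity {trace[-1]}")
    moves = list(zip(trace, trace[1:]))
    bad = [m for m in moves if m not in model["edges"]]
    deviations.extend(f"{a} -> {b} never observed" for a, b in bad)
    fitness = 1.0 if not moves else 1.0 - len(bad) / len(moves)
    return fitness, deviations


def find_untested_commits(traces):
    """Enhancement: flag sessions where a Commit follows an EditFile with no
    RunTests in between, one candidate entry for a 'process smell' catalog."""
    smelly = []
    for case, trace in traces.items():
        dirty = False
        for activity in trace:
            if activity == "EditFile":
                dirty = True
            elif activity == "RunTests":
                dirty = False
            elif activity == "Commit" and dirty:
                smelly.append(case)
                break
    return smelly


if __name__ == "__main__":
    traces = group_traces(EVENTS)
    model = discover_dfg(traces)
    for (a, b), n in model["edges"].most_common():
        print(f"{a:>9} -> {b:<9} {n}")
    print(check_conformance(model, ["OpenFile", "Commit"]))
    print(find_untested_commits(traces))
```

The discovered graph is only as good as the log: a trace such as OpenFile, Commit is reported as non-conforming because no session ever did that, not because it is impossible, so the conformance output is a prompt for questions rather than a verdict.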

    Educating the effective digital forensics practitioner: academic, professional, graduate and student perspectives

    Over the years, digital forensics has become an important and sought-after profession, and the gateway of training and education has developed vastly over the past decade. Many UK higher education (HE) institutions now deliver courses that prepare students for careers in digital forensics and, more recently, cyber security. Skills shortages and external influences within the field of cyber security, and its relationship as a discipline with digital forensics, have shifted the dynamic of UK higher education provision. One implication is that the route to becoming a digital forensic practitioner, whether in law enforcement or business, has transformed from on-the-job training to university-educated, trained analysts. This thesis examined courses within HE and found that their delivery often overlooked areas such as mobile forensics, live data forensics, and Linux and Mac knowledge. The research also considered the current standards available across HE to understand whether educational programmes deliver what is documented as relevant curriculum. Cyber security was found to be the central focus of these standards, with digital forensics included within it, adding further to the debate over the lack of a distinctive identity for digital forensics as its own discipline. Few standards demonstrated how the topics, knowledge, skills and competences they draw on were identified as relevant and effective for producing digital forensic practitioners. Additionally, this thesis analyses and discusses results from 201 participants across five stakeholder groups: graduates, professionals, academics, students and the public. These groups were selected because they are underdeveloped in the existing literature and play a crucial role in the cycle of producing effective practitioners.
Analysis of stakeholder views, experiences and thoughts surrounding education and training offers unique insight, theoretical underpinnings and original contributions not seen in the existing literature: for example, the challenges, costs and initial issues that employers and supervising practitioners face when introducing graduates to employment, and the lack of awareness and contextualisation on the part of students and graduates of what knowledge and skills they have acquired on a course and how these apply on the job, which often leads to suggestions of a lack of fundamental knowledge and skills. This is evidenced throughout the thesis; examples include graduates, for their reflections on education in the light of their new on-the-job experiences and practices; professionals, for their job experiences and requirements; academics, for their educational practices and challenges; students, for their initial expectations and views; and the public, for their general understanding. This research uniquely captures these perspectives, bolstering the development of digital forensics as an academic discipline, and shows the importance these diverse views play in the overall approach to delivering skilled practitioners.
While the main contribution to knowledge of this thesis is its narrative on the education of effective digital forensic practitioners and its major stakeholders, the thesis also makes additional contributions, both academic and professional, including the discussion, analysis and reflection of:
- improvements to education and digital forensics topics for research and curriculum development;
- where course offerings can be improved for institutions offering digital forensic degree programmes;
- the need for further collaboration between industry and academia to give students and graduates a greater understanding of the real-life role of a digital forensic practitioner and the expectations of employment;
- the continuous and unique challenges that digital forensics poses within both academia and industry, and the need for improved facilities and tool development to curate and share problem- and scenario-based learning studies.

    Documentation of the Body Transformations during the Decomposition Process: From the Crime Scene to the Laboratory

    Forensic science is defined as the application of scientific or technical practices to the recognition, collection, analysis and interpretation of evidence for criminal and civil law or regulatory issues. This research combined computer science, in the field of 3D reconstruction, with molecular biology techniques to document and record a complete picture of the body decomposition process, including changes in the microbiome over the course of decomposition. In this thesis, the possibility of reconstructing the crime scene and the decomposition process was investigated. In addition, a 3D model aiming to integrate the biological and thanatological information was generated. The possibility of using Autodesk 123D Catch software as a new tool for 3D reconstruction of a crime scene was thoroughly evaluated. First experiments demonstrated that a minimum of 20 to 30 photographs was required to obtain the best result. Further experiments were performed with objects of different sizes, in different locations and involving different materials. Measurements obtained from the models in the same software were compared with real measurements of the tested objects; the correlation between real and estimated measurements showed very strong agreement, ranging from 0.994 to 1.000. With reference to documenting the decomposition process, both intrinsic and extrinsic factors have been reported to affect the decomposition of a carrion/body. These factors mainly affect the rates of the biological and chemical reactions that take place after death. The biological reactions are mainly due to the activity of microorganisms and insects.
Pigs (Sus scrofa domesticus) have been used as a model for human studies, and the results obtained have been applied to other mammals without considering the effect of fur on the decomposition process and on insect and microbial colonisation. To investigate this point, rabbits (Oryctolagus cuniculus) with and without fur were used in two sets of experiments at Huddersfield, in summer 2014 and spring 2015. The results showed similar decomposition stages in animals with and without fur. However, decomposition was faster during the summer because of faster insect colonisation and activity. The entomological data collected in the summer and spring experiments showed that nearly the same taxa were present in both seasons, except that Hydrotaea (Diptera, Muscidae) was present only in the summer experiment and only one specimen of Lucilia sericata (Calliphoridae) was detected in spring. Differences in colonisation time were observed only in the spring experiment, where animals without fur were colonised two days before animals with fur. The season could have affected insect activity and the spread of decomposition volatiles. The microbial communities during the decomposition process were investigated using BIOLOG EcoPlate™, and the hypervariable V1-3 region of the 16S rRNA gene was used for molecular identification by pyrosequencing. These analyses were carried out by Eurofins Genomic Operon on the 454 GS Junior pyrosequencing platform (Roche). The functional diversity of the bacterial communities in all carcass samples showed considerable variability depending on the stage of decomposition and the sampling region (oral cavity, skin and sand-carrion interface) in both seasons.
In the molecular analyses of bacterial communities at the phylum level, four main phyla were detected in the analysed carrion during decomposition. These phyla changed significantly across the decomposition stages and between sampling regions, while no difference was observed due to the presence or absence of fur. At the family level, however, the analysis highlighted differences both over time and between carrion with and without fur. The statistical analysis showed significant differences in the family-level distribution of the bacterial community between carrion with and without fur and among decomposition stages, as well as among sampling regions and seasons.

    Exploiting Generational Garbage Collection: Using Data Remnants to Improve Memory Analysis and Digital Forensics

    Malware authors employ sophisticated tools and infrastructure to undermine information security and steal data on a daily basis. When these attacks or this infrastructure are discovered, digital forensics attempts to reconstruct the events from evidence left over on file systems, network drives and system memory dumps. In the last several years, malware authors have been observed using Java managed runtimes to commit criminal theft [1, 2] and conduct espionage [3, 4, 5]. Fortunately for forensic analysts, the most prevalent versions of Java use generational garbage collection to improve runtime performance. The memory system allocates memory from a managed heap. When memory in this heap is exhausted, the JVM sweeps over the partitions, reclaiming memory from dead objects. This memory is not sanitised or zeroed, so latent secrets and object data persist until they are overwritten. For example, sockets and open files can be recovered even after the resources are closed and purged from OS kernel memory. This research measures the lifetime of latent data and implements a Python framework that can be used to recover this object data. Latent secret lifetimes are measured experimentally using TLS keys in a Java application. The application is configured to be very active and minimally active, and uses both raw Java sockets and Apache HttpClient to determine whether a Java framework affects latent secret lifetimes. Depending on the heap size (512 MiB to 16 GiB), between 10% and 40% of the TLS keys are recoverable from the heap, which correlates directly with memory pressure. This research also exploits these properties to identify and recover evidence from the Java heap. The RecOOP framework helps locate all the loaded types, identify the managed Java heaps and scan for potential objects [6]. The framework then lifts these objects into Python, where they can be analysed further.
One key finding is that IO streams for processes started from within Java remained in memory, and the data in these buffers could be used to infer the program executed. Socket structures and their data could also be recovered even when those structures were missing from the OS's kernel memory.
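The property the abstract relies on, that reclaimed heap memory keeps its contents until something else is allocated over it, can be exercised on any raw memory image. The block below is an added example and is not the thesis's RecOOP code; it swaps in a different, generic technique for the same goal, the AES key-schedule search of Halderman et al. ("Lest We Remember", 2008), which recognises a symmetric key by the expanded round keys an implementation stores next to it. The "heap image" is constructed in-line (random filler, one intact schedule for the FIPS-197 example key, one dead schedule whose tail has been reused), not dumped from a JVM.

```python
"""
Carve AES-128 keys from a raw memory image by recognising the expanded key
schedule that follows the key in memory. Added example; the memory image is
constructed below rather than dumped from a running process.
"""
import random

# Round constants for AES-128 key expansion (FIPS-197, section 5.2).
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the S-box: multiplicative inverse (via log/antilog tables over
    the generator 3) followed by the affine transformation."""
    exp, log = [0] * 255, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x = _gf_mul(x, 3)
    sbox = [0x63]                     # inverse of 0 is defined as 0
    for v in range(1, 256):
        b = exp[(255 - log[v]) % 255]
        s = b
        for r in range(1, 5):
            s ^= ((b << r) | (b >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """AES-128 key expansion; returns the 11 round keys (16 bytes each)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(b for word in w[r * 4:r * 4 + 4] for b in word) for r in range(11)]


def carve_aes128_keys(mem):
    """Scan every offset for 16 bytes whose full 176-byte expansion follows them.
    A schedule whose tail has already been reused by a later allocation is not
    reported: the secret only survives until that memory is overwritten."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        key = bytes(mem[off:off + 16])
        rounds = expand_key(key)
        if bytes(mem[off + 16:off + 32]) != rounds[1]:   # round-1 filter before the full compare
            continue
        if bytes(mem[off:off + 176]) == b"".join(rounds):
            hits.append((off, key))
    return hits


def build_sample_image():
    """Constructed memory image: pseudo-random filler, one intact schedule for
    the FIPS-197 example key, and one dead schedule whose last 80 bytes were
    overwritten by a later allocation. Returns (image, live key, its offset)."""
    rng = random.Random(7)

    def filler(n):
        return bytes(rng.randrange(256) for _ in range(n))

    live_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    dead_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    live = b"".join(expand_key(live_key))
    dead = b"".join(expand_key(dead_key))[:96] + filler(80)
    head = filler(512)
    image = head + live + filler(300) + dead + filler(400)
    return image, live_key, len(head)


if __name__ == "__main__":
    image, live_key, offset = build_sample_image()
    for off, key in carve_aes128_keys(image):
        print(f"AES-128 key at offset {off:#06x}: {key.hex()}")
```

The intact schedule is found even though nothing in the image marks it as a key; the dead one, whose last rounds were reused, is not, which is the same "recoverable until overwritten" behaviour the abstract reports for TLS keys under increasing memory pressure. The search is a full expansion per offset, so on a multi-gigabyte heap dump you would want the cheaper round-1-only prefilter before expanding, or a native implementation.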

    Archibald Reiss Days : Thematic conference proceedings of international significance : International Scientific Conference, Belgrade, 7-9 November 2017

    In front of you is the Thematic Collection of Papers presented at the International Scientific Conference "Archibald Reiss Days", which was organized by the Academy of Criminalistic and Police Studies in Belgrade, in cooperation with the Ministry of Interior and the Ministry of Education, Science and Technological Development of the Republic of Serbia, the School of Criminal Justice, Michigan State University, USA, the School of Criminal Justice, University of Lausanne, Switzerland, the National Police Academy in Spain, the Police Academy in Szczytno, Poland, the National Police University of China, Lviv State University of Internal Affairs, the Volgograd Academy of the Russian Internal Affairs Ministry, the Faculty of Security in Skopje, the Faculty of Criminal Justice and Security in Ljubljana, the Police Academy "Alexandru Ioan Cuza" in Bucharest, the Academy of Police Force in Bratislava, the Faculty of Security Science, University of Banja Luka, the Faculty for Criminal Justice, Criminology and Security Studies, University of Sarajevo, the Faculty of Law in Montenegro and the Police Academy in Montenegro, and held at the Academy of Criminalistic and Police Studies on 7, 8 and 9 November 2017. The International Scientific Conference "Archibald Reiss Days" was organized for the seventh time in a row, in memory of the founder and director of the first modern higher police school in Serbia, Rodolphe Archibald Reiss, after whom the Conference is named. The Thematic Collection of Papers contains 131 papers written by eminent scholars in the fields of law, security, criminalistics, police studies, forensics and informatics, as well as by members of national security systems participating in the education of the police, army and other security services, from Belarus, Bosnia and Herzegovina, Bulgaria, Bangladesh, Abu Dhabi, Greece, Hungary, Macedonia, Romania, the Russian Federation, Serbia, Slovakia, Slovenia, the Czech Republic, Switzerland, Turkey, Ukraine, Italy, Australia and the United Kingdom.
Each paper has been double-blind peer reviewed by two reviewers, international experts competent in the field to which the paper relates, and the Thematic Conference Proceedings as a whole have been reviewed by five competent international reviewers. The papers published in the Thematic Collection of Papers provide an analysis of the criminalistic and criminal justice aspects of solving and proving criminal offences, police organization, contemporary security studies, the social, economic and political flows of crime, forensic linguistics, cybercrime and forensic engineering. The Collection of Papers represents a significant contribution to the existing fund of scientific and expert knowledge in the fields of criminalistics, security, and penal and legal theory and practice. Publication of this Collection contributes to improving mutual cooperation between educational, scientific and expert institutions at national, regional and international level.

    Forging a Stable Relationship?: Bridging the Law and Forensic Science Divide in the Academy

    The marriage of law and science has most often been represented as discordant. While the law/science divide meme is hardly novel, concerns over the potentially deleterious coupling within the criminal justice system may have reached fever pitch. There is a growing chorus of disapproval addressed to 'forensic science', accompanied by the denigration of legal professionals for being unable or unwilling to forge a symbiotic relationship with forensic scientists. The 2009 National Academy of Sciences Report on forensic science heralds the latest call for greater collaboration between 'law' and 'science', particularly in Higher Education Institutions (HEIs), yet little reaction has been apparent among law and science faculties. To investigate the potential for interdisciplinary cooperation, the authors received funding for a project, 'Lowering the Drawbridges: Forensic and Legal Education in the 21st Century', hoping to stimulate both law and forensic science educators to seek mutually beneficial solutions to common educational problems and build vital connections in the academy. A workshop held in the UK, attended by academics and practitioners from scientific, policing and legal backgrounds, marked the commencement of the project. This paper outlines some of the workshop conclusions to elucidate areas of dissent and consensus, and where further dialogue is required, but aims to strike a note of optimism that the 'cultural divide' should not be taken to be so wide as to be beyond the legal and forensic science academy to bridge. The authors seek to demonstrate that legal and forensic science educators can work cooperatively to respond to critics and forge new paths in learning and teaching, creating an opportunity to take stock and enrich our discipline as well as answer critics.
As Latham (2010: 34) exhorts, we are not interested in turning lawyers into scientists and vice versa, but in building a foundation upon which they can build during their professional lives: "Instead of melding the two cultures, we need to establish conditions of cooperation, mutual respect, and mutual reliance between them." Law and forensic science educators should, and can, assist with building a mutual understanding between forensic scientists and legal professionals, a significant step on the road to answering calls for the professions to minimise some of the risks associated with the use of forensic science in the criminal process.
References: Latham, S.R. (2010) 'Law between the cultures: C.P. Snow's The Two Cultures and the problem of scientific illiteracy in law', Technology in Society 32, 31-34.
Keywords: forensic science education; legal education; law/science divide

    Facial fatness as a complicating factor in facial reconstruction

    Includes bibliographical references.
    Although it is a reasonable assumption that a significant proportion of the variation in facial tissue thickness comes from anatomical differences between populations, we do not know how much of the normal variation is caused by including the full range of individual obesity or slimness. The current population-standard soft tissue thickness data used in facial reconstruction ignores the variation between individuals, which, in theory, could be greater than the variation between populations or sexes. The aim of this study was to test whether facial tissue thickness depends on the amount of subcutaneous fat, on sex or on ancestry. Methods currently in use do not give a true reflection of the individual because they ignore the variation in fatness. An initial study determined whether a corrective value was needed for the non-linear distortion found between radiographic images and the physical tissues. This was done by imaging cadaver heads and taking measurements from both the images and the physical heads. The results demonstrated that measurements taken from LODOX® images are analogous to soft tissue measurements. Volunteers were then sought from the student body and had physical measurements and X-rays taken. The measurements allowed both BMI and body fat percentage to be calculated. Analysis showed that body fat percentage had less of an impact than BMI, with the areas of the face most affected by change in fatness being around the chin, jaw and cheek. Analysis of the variances showed that fatness has a low impact on the soft tissues of the different ancestry groups, while having a greater impact on the soft tissues of the different sexes. The effect of changing fatness on the soft tissues is not seen in all areas of the face, but ignoring it in facial reconstruction overlooks that the success of a reconstruction lies not in exactness but in its ability to prompt recognition and lead to the potential identification of the unknown target individual.