
The Advanced Framework for Evaluating Remote Agents (AFERA): A Framework for Digital Forensic Practitioners

Digital forensics experts need a dependable method for evaluating evidence-gathering tools. Limited research and resources challenge this process, and the lack of multi-endpoint data validation hinders reliability in distributed digital forensics. A framework was designed to evaluate distributed agent-based forensic tools while enabling practitioners to self-evaluate and demonstrate evidence reliability as required by the courts. Grounded in Design Science, the framework features guidelines, data, criteria, and checklists. Expert review enhances its quality and practicality.

Open Forensic Devices

Cybercrime has been a growing concern for the past two decades. What used to be the responsibility of specialist national police has become routine work for regional and district police. Unfortunately, funding for law enforcement agencies is not growing as fast as the amount of digital evidence. In this paper, we present a forensic platform that is tailored for cost-effectiveness, extensibility, and ease of use. The software for this platform is open source and can be deployed on practically all commercially available hardware devices, such as standard desktop motherboards or embedded systems such as the Raspberry Pi and Gizmosphere's Gizmo board. A novel user interface was designed and implemented, based on Morphological Analysis.

First Year Infrastructure Operations Report

This document summarizes the achievements of the infrastructure operations activity during the first year of the project. It describes the technical specifications of the infrastructure that has been put into operation, the process that was followed to establish it, the problems encountered, and the various solutions that were applied. It also provides statistics about the usage of cloud resources and an assessment of their utilization.

Differential virtualization for large-scale system modeling

Today's computer networks are becoming more complex than ever, with a vast number of connected host systems running a variety of different operating systems and services. Academia and industry alike realize that education in managing such complex systems is extremely important for computer professionals because, with computers, there are many levels of detailed configuration. Configuration points can occur during all facets of computer systems, including the system design, implementation, and maintenance stages. In order to explore various hypotheses regarding configurations, system modeling is employed: computer professionals and researchers build test environments. Modeling environments require observable systems that are easily configurable at an accelerated rate. Observation abilities increase through re-use and preservation of models. Historical modeling solutions do not efficiently utilize computing resources and require high preservation or restoration cost as the number of modeled systems increases. This research compares a workstation-oriented virtualization modeling solution using system differences to a workstation-oriented imaging modeling solution using full system states. The solutions are compared based on computing resource utilization and administrative cost with respect to the number of modeled systems. Our experiments have shown that upon increasing the number of models from 30 to 60, the imaging solution requires an additional 75 minutes, whereas the difference-based virtualization solution requires an additional three (3) minutes. The imaging solution requires 151 minutes to prepare 60 models, while the difference-based virtualization solution requires 7 minutes to prepare 60 models. Therefore, the cost for model archival and restoration in the difference-based virtualization modeling solution is lower than that in the full system imaging-based modeling solution.

In addition, by using a virtualization solution, multiple systems can be modeled on a single workstation, thus increasing workstation resource utilization. Since virtualization abstracts hardware, virtualized models are less dependent on physical hardware. Thus, by lowering hardware dependency, a virtualized model is more re-usable than a traditional system image. If an organization must perform system modeling and has sufficient workstation resources, using a differential virtualization approach will decrease the time required for model preservation, increase resource utilization, and therefore provide an efficient, scalable, and modular modeling solution.

An examination of the Asus WL-HDD 2.5 as a nepenthes malware collector

The Linksys WRT54g has been used as a host for network forensics tools, for instance Snort, for a long period of time. Whilst large corporations are already utilising network forensic tools, this paper demonstrates that it is quite feasible for a non-security specialist to track and capture malicious network traffic. This paper introduces the Asus Wireless Hard disk as a replacement for the popular Linksys WRT54g. Firstly, the Linksys router is introduced, detailing some of the research that was undertaken on the device over the years amongst the security community. It then briefly discusses malicious software and the impact this may have for a home user. The paper then outlines the trivial steps in setting up Nepenthes 0.1.7 (a malware collector) for the Asus WL-HDD 2.5 according to the Nepenthes and tests the feasibility of running the malware collector on the selected device. The paper then concludes by discussing the limitations of the device when attempting to execute Nepenthes.