131 research outputs found

    Automated Digital Forensics and Computer Crime Profiling

    Edited version embargoed until 01.12.2017. Full version: Access restricted permanently due to 3rd party copyright restrictions. Restriction set on 08.12.2016 by SC, Graduate School
    Over the past two decades, technology has developed tremendously, at an almost exponential rate. While this development has served the nation in numerous different positive ways, negatives have also emerged. One such negative is that of computer crime. This criminality has even grown so fast as to leave current digital forensic tools lagging behind in terms of development, and capabilities to manage such increasing and sophisticated types of crime. In essence the time taken to analyse a case is huge and increasing, and cases are not fully or properly investigated. This results in an ever-increasing number of pending and unsolved cases pertaining to computer crime. Digital forensics has become an essential tool in the fight against computer crime, providing both procedures and tools for the acquisition, examination and analysis of digital evidence. However, the use of technology is expanding at an ever-increasing rate, with the number of devices a single user might engage with increasing from a single device to 3 or more, the data capacity of those devices reaching far into the Terabytes, and the nature of the underlying technology evolving (for example, the use of cloud services). This results in an incredible challenge for forensic examiners to process and analyse cases in an efficient and effective manner. This thesis focuses upon the examination and analysis phases of the investigative process and considers whether automation of the process is possible. The investigation begins with researching the current state of the art, and illustrates a wide range of challenges that are facing the digital forensics investigators when analysing a case. Supported by a survey of forensic researchers and practitioners, key challenges were identified and prioritised. 
It was found that 95% of participants believed that the number of forensic investigations would increase in the coming times, with 75% of participants believing that the time consumed in such cases would increase. With regards to the digital forensic sophistication, 95% of the participants expected a rise in the complexity level and sophistication of digital forensics. To this end, an automated intelligent system that could be used to reduce the investigator’s time and cognitive load was found to be a promising solution. A series of experiments are devised around the use of Self-Organising Maps (SOMs) – a technique well known for unsupervised clustering of objects. The analysis is performed on a range of file system and application-level objects (e.g. email, internet activity) across four forensic cases. Experiment evaluations revealed SOMs are able to successfully cluster forensic artefacts from the remaining files. Having established SOMs are capable of clustering wanted artefacts from the case, a novel algorithm referred to as the Automated Evidence Profiler (AEP), is proposed to encapsulate the process and provide further refinement of the artefact identification process. The algorithm led to achieving identification rates in examined cases of 100% in two cases and 94% in a third. A novel architecture is proposed to support the algorithm in an operational capacity – considering standard forensic techniques such as hashing for known files, file signature analysis, application-level analysis. This provides a mechanism that is capable of utilising the AEP with several other components that are able to filter, prioritise and visualise artefacts of interest to the investigator. The approach, known as Automated Forensic Examiner (AFE), is capable of identifying potential evidence in a more efficient and effective manner. 
The approach was evaluated by a number of experts in the field, and it was unanimously agreed that the chosen research problem was one with great validity. Further to this, the experts all showed support for the Automated Forensic Examiner based on the results of cases analysed

    Deleted mobile device's evidences recovery: a review international conference media & information warfare: a global challenge in the 21st century (M-i-war2007) / Yap Lee Fueng and Andy Jones

    This paper presents the finding and results obtained from using commercial forensic investigation software tools to recover deleted evidences from mobile device's SIM cards, internal and external memories. The results obtained from the investigation are classified and discussed and finally, the paper highlights the limitation of the software based techniques deployed for deleted evidences recovery and presents conclusions

    The Impact of Culture and Religion on Digital Forensics: The Study of the Role of Digital Evidence in the Legal Process in Saudi Arabia

    This work contributes to the multi-disciplinary community of researchers in computer science, information technology and computer forensics working together with legal enforcement professionals involved in digital forensic investigations. It is focused on the relationship between scientific approaches underpinning digital forensics and the Islamic law underpinning legal enforcement. Saudi Arabia (KSA) is studied as an example of an Islamic country that has adopted international guidelines, such as ACPO, in its legal enforcement procedures. The relationship between Islamic law and scientific ACPO guidelines is examined in detail through the practices of digital forensic practitioners in the process of discovery, preparation and presentation of digital evidence for use in Islamic courts in KSA. In this context, the influence of religion and culture on the role and status of digital evidence throughout the entire legal process has been the main focus of this research. Similar studies in the literature confirm that culture and religion are significant factors in the relationship between law, legal enforcement procedure and digital evidence. Islamic societies, however, have not been extensively studied from this perspective, and this study aims to address issues that arise at both professional and personal levels. Therefore the research questions that this study aims to answer are: in what way and to what extent Islamic religion and Saudi culture affect the status of digital evidence in the KSA legal process and what principles the practitioners have to observe in the way they treat digital evidence in judicial proceedings. The methodology is based on a mixed-method approach where the pilot questionnaire identified legal professionals who come into contact with digital evidence, their educational and professional profiles. 
Qualitative methods included case studies, interviews and documentary evidence to discover how their beliefs and attitudes influence their trust in digital evidence. The findings show that a KSA judge would trust witnesses more than digital evidence, due to the influence of tradition, which regards justice and law to arise from the relationship between Man and God. Digital evidence, as it arises from the scientific method, is acceptable, but there is underlying lack of trust in its authenticity, reliability and credibility. In the eyes of the legal enforcement professionals working in all areas of the KSA legal process, acceptance of digital evidence in the KSA judicial system can best be improved if knowledge, education and skills of digital forensics specialists is improved also, so that they can be trusted as expert witnesses. This further shows the significance of KSA laws, regulations and education of digital forensic experts as the primary means for establishing trust in digital evidence. Further research following from this study will be focused on comparative studies of other Islamic non-Islamic legal systems as they adopt and adapt western guidelines such as ACPO to their religion, culture and legal systems.
    Saudi Cultural Bureau, London, U

    A model for digital evidence admissibility assessment

    Riding on the tide of the current development in computing and internet technologies, criminals have transitioned to the use of computer systems and digital channels to commit crimes. This transformation of crime requires criminal justice actors to investigate, produce and present digital evidence through a process that is scientifically proven and legally admissible, but also capable of securing successful prosecutions. Even though previous efforts by criminal justice practitioners and researchers have contributed to the standardisation of digital forensics in a manner that has consolidated the scientificity of digital forensics as a forensic science, these approaches, processes and techniques have not addressed adequately the issue of admissibility of digital evidence in judicial proceedings. In other words, existing models and standards are generally investigative-focused, which has significantly ensured that digital forensics processes follow a specific scientific order. Despite these advances, the existing techno-legal dilemma pertaining to the admissibility of digital evidence in judicial proceedings remains unresolved. In order to address this techno-legal dilemma, the thesis presents a Harmonised Model for Digital Evidence Admissibility Assessment (HM-DEAA), a model that integrates both technical and legal determinants to establish digital evidence admissibility in judicial proceedings. In order to operationalise the HM-DEAA, this research introduces an algorithm to assess digital evidence admissibility and to determine the evidential weight of a piece of digital evidence, which is tendered in a court of law. This algorithm has been tested on both hypothetical and real cases as part of the HM-DEAA’s evaluation for its potential use in legal proceedings. In addition, an expert system has been introduced to automate the operationalization of the HM-DEAA. 
In practice, the HM-DEAA framework is expected to provide a harmonised techno-legal foundation for assessing digital evidence admissibility in the criminal justice sector. The model is expected to be used primarily by judges as a judicial tool in legal proceedings. The expert system is also expected to serve as an assessment tool for investigators, prosecutors and defence lawyers to evaluate digital evidence with regard to its potential use in court.
    Thesis (PhD)--University of Pretoria, 2018. Computer Science. PhD. Unrestricte

    Digital Forensics Practices: A Road Map for Building Digital Forensics Capability

    Identifying the needs for building and managing Digital Forensics Capability (DFC) is important because these can help organisations to stay abreast of criminals’ activities and challenging pace of technological advancement. The field of Digital Forensics (DF) is witnessing rapid development in investigation procedures, tools used, and the types of digital evidence. However, several research publications confirm that a unified standard for building and managing DF capability does not exist. Therefore, this thesis identifies, documents, and analyses existing DF frameworks and the attitudes of organisations for establishing the DF team, staffing and training, acquiring and employing effective tools in practice and establishing effective procedures. First, this thesis looks into the existing practices in the DF community for carrying out digital investigations and more importantly the precise steps taken for setting up the laboratories. Second, the thesis focuses on research data collected from organisations in the United Kingdom and the United Arab Emirates and based on this collection a framework has been developed to understand better the building and managing the capabilities of the Digital Forensics Organisations (DFOs). This framework has been developed by applying Grounded Theory as a systematic and comprehensive qualitative methodology in the emerging field of DF research. This thesis, furthermore, provides a systematic guideline to describe the procedures and techniques of using grounded theory in DF research by applying three Grounded Theory coding methods (open, axial, and selective coding) which have been used in this thesis. Also the techniques presented in this thesis provide a thorough critique, making it a valuable contribution to the discussion of methods of analysis in the field of DF. Finally, the thesis proposes a framework in the form of an equation for analysing the capability of DFOs. 
The proposed framework, called the Digital Forensics Organisation Core Capability Framework, offers an explanation of the factors involved in establishing the capability for a digital forensics organisation. Also software was developed for applying the framework in real lif

    Exploring the Perceptions of Accountants on Academic Preparations Related to Occupational Fraud and Internal Control Weaknesses

    Occupational fraud and internal control material weaknesses (ICMWs) have become global issues due to the strong correlation between internal control (IC) and fraud revelation. However, academic education (AE) has a positive influence on deliberative reasoning and ethical decisions. Nevertheless, little is known of how accountants perceive their AE prepared them to detect fraud and respond to ICMWs. Thus, there is a need to explore how accountants perceive the strengths and weaknesses in their AE regarding fraud and ICMWs. The study contains a comprehensive review of articles published by peer-reviewed journals, particularly in the last five years. The conceptual framework included the Agency Theory, the Fraud Triangle Theory, the COSO Model, and the Experiential Learning Model (ELM). The method of the research is qualitative with exploratory multiple-case study design. A guarantee of data saturation appeared by conducting thirteen semi-structured, face-to-face interviews with accountants who encountered fraud or ICMWs in work environments. The participants were recruited through a combination of purposive snowball sampling and criterion sampling techniques. Data analysis techniques included open coding, axial coding, content analysis, and cross-case synthesis. Also, data was triangulated by corroborating the findings with evidence from other sources. There are twenty-eight minor themes under eight main themes. Six unique sub-minor themes provided profound findings regarding: (a) educational topics related to anti-fraud, (b) educational methods associated with anti-fraud, (c) educational topics related to IC, (d) educational methods related to IC, and (e) competencies of accounting students (Ass) related to fraud and ICMWs

    Exploring the cybercrime capacity and capability of local law enforcement agencies in the United States

    2021 Fall. Includes bibliographical references.
    The relentless pace of technological innovation has changed how people communicate, interact, and conduct business, creating new pathways and opportunities for people to commit crimes or engage in harmful behavior via the internet or digitally networked devices. Cybercrime is rapidly scaling up, leading many to predict that it will become the next significant global crisis (Krebs, 2021; Viswanathan & Volz, 2021; Zakaria, 2021). In the United States, local law enforcement agencies and their personnel stand at the frontlines of the cybercrime problem (Police Executive Research Forum, 2014). This dissertation project was inspired by several calls to action to explore and evaluate how law enforcement agencies are responding to the cybercrime problem (Holt & Bossler, 2014; Ngo & Jaishankar, 2017). The research conducted in this project aligns with and extends a small body of exploratory and evaluative research focusing on local law enforcement agencies and cybercrime (for example Harkin et al., 2018; Monaghan, 2020; Nowacki & Willits, 2016). By utilizing a mixed methods research design consisting of a survey and series of qualitative interviews this project helped address the research question: What is the current cybercrime capacity and capability of local law enforcement agencies in the United States? Findings from this project advance our knowledge about the cybercrime capacity and capability of local law enforcement agencies and contribute to strengthening law enforcement practice, policy, and future research. In total, 925 county and municipal agencies participated in this research project through a survey instrument called the Cybercrime Capacity and Capability Questionnaire (CCCQ©), with 855 agencies providing data usable for analysis. Additionally, 23 individuals representing 23 distinct agencies, who previously participated in the CCCQ, also participated in a series of semi-structured qualitative interviews. 
Multiple findings and recommendations were derived as a result of the participation by these agencies and individuals in this project. Several findings from this project aligned with or validated findings and recommendations from other recent studies (for example Harkin et al., 2018). Among the key findings from this project are that the cybercrime capacity and capability of local law enforcement agencies is deficient, despite trends at the local law enforcement agency level to allocate more resources to the cybercrime problem. This deficiency is noted both by response patterns on the CCCQ© and through comments supplied during the qualitative interviews. Lack of financial and personnel resources, especially technologically skilled and competent personnel, limited and/or outdated technological infrastructure, and problems leveraging partnerships and obtaining cooperation from private sector organizations are just a few of the challenges hampering the development of a more robust local law enforcement cybercrime capacity and capability. Results and insights from this research also illuminate the dynamic process of developing cybercrime capacity and capability. Results from this project indicate that caution should be exercised before assuming that cybercrime capacity and capability are solely a function of agency size. While this project substantiates other research that shows larger agencies are more likely to have cybercrime units, and also tend to have more resources, personnel, and equipment for cybercrime investigations, they do not necessarily have greater cybercrime capacity or capability. Cybercrime case volume appears to impact cybercrime capacity and capability such that large local law enforcement agencies, despite specialized cybercrime units and more resources allocated to cybercrime, may not be better off in managing cybercrime incidents or responding to cybercrime related issues than midsize and smaller local agencies. 
Personnel at larger agencies, despite having dedicated cybercrime units, more resources, and better equipment, may be at higher risk of burnout and other issues as a result. In short, extremely high cybercrime case volumes may undermine the capacity and capability of even the most robustly developed specialized cybercrime units, as well as the best equipped and resourced agencies. Given the pace at which the cybercrime problem is growing, this is a troubling finding. This project also highlights that cybercrime capacity and capability cannot be understood without accounting for the critical differences that external forces and contextual factors produce on local law enforcement agencies that, in turn, impact how those agencies function and adapt to new issues and challenges. For example, qualitative data from this project help us to understand the connections between the defund the police movement and the COVID-19 pandemic, both of which appear to be undermining the capacity and capability of local law enforcement agencies, and thus negatively impacting their cybercrime capacity and capability. As a result, cybercrime administrators and personnel at local law enforcement agencies in the U.S. may be experiencing similar challenges to their peers abroad (see Harkin et al. 2018). A number of directions for future research, improvement of the CCCQ©, and recommendations for improving police practice and policy such as developing uniform, and operationalizable cybercrime best practices and strengthening private sector compliance with law enforcement agency requests for data are also provided

    Methods and Factors Affecting Digital Forensic Case Management, Allocation and Completion

    Modern Digital Forensic (DF) departments/sections are witnessing rapid increase in digital forensic cases through the years. The challenges of DF cases investigation are getting more robust and they are affecting digital forensic investigation processes. Accordingly, understanding different factors affecting Person-Hours of investigation from real cases records, and recognising the context of work with different strategies and practices performed in different departments. It is necessary to create a stable ground to face all the factors affecting the investigative processes. This research details the cases’ trends in the Dubai Police. It also identifies the main challenges encountered by DF, including rising volumes of data and case complexity. Using real case records from the Dubai Police, this extensive research explains the contribution of several factors to the delay in the DF investigation process. The research also elucidates the context of work of DF departments in other locations and other countries to understand a range of case allocation strategies and case management procedures. The research contributes a set of Decision Tables that could be used by DF managers and supervisors to select best proposed case allocation strategies and case management procedures. The research is accomplished through a series of three studies referred to as Study One, Study Two, and Study Three. Study One (Investigation of the Dubai Police Records) involves a quantitative analysis of secondary data in the form of case records from the Dubai Police (DP) Database and associated reports. This study addresses the first research question (RQ1): “What are the trends and challenges encountered by practitioners faced with large volume/heterogeneity DF investigations?” by measuring the growth of cases and identifying the main factors for the delay in DF investigations. 
Study Two (Interviews with DF managers) follows a qualitative approach using the phenomenological model, and covers the second research question (RQ2): “What are the effect of different factors behind the delay of DF investigation process?” The study identifies the common factors affecting delay in DF investigations, from the diverse experiences and backgrounds of DF decision makers around the world. Study Three (Confirmation of the Interviews) again uses the phenomenological model, and covers the third research question (RQ3): “What are the different case management procedures and workflow implementation practices currently used?” This study evaluates the efficacy of different case allocation strategies and workflow implementation practices with selected participants and results in a contribution to DF in the form of a series of Decision Tables for case allocation. The main findings of the research explain the main factors that lead to the creation of delay in DF investigation and thereafter affect the DF investigation process. Moreover, this research identifies case management strategies and workflow implementation practices. The research also suggests several Decision Tables to allow managers and people who are in charge to select a case management strategy and workflow implementation depending on several conditions

    Virtual reality in anatomy education: advantages and challenges

    Introduction: Anatomy education has evolved throughout the centuries. In the latest decade, anatomy educators encountered different challenges from limited number of cadavers, high-priced anatomical plastination and models. The recent COVID-19 pandemic has inevitably molded future anatomy pedagogy to better adapt to the current digital-savvy generation. Despite the emergence of virtual reality (VR) in anatomy teaching & learning (T&L), there is limited comparative analysis being explored. Hence, this study aims to elucidate the advantages and challenges using VR in anatomy education. Methods: A narrative review was conducted for this study. Research question was formulated and bibliographical search performed using Scopus and Science Direct databases. Experimental studies published between 2010-2022, in English language, discussing on application, advantages or disadvantages of VR in anatomy and medical T&L were analysed. Results: A total of twenty-four research articles were retrieved. The literatures suggest VR in anatomy education is beneficial as it is more realistic, hands-on, enhances visualization and enjoyable self-learning tool that increases learners’ engagement. This is especially in low-spatial ability learners that has difficulty to visualize the location and dimension of anatomical structures. VR may improve teaching effectiveness and level of anatomy knowledge. However, the disadvantages are high-cost equipment and risk of tools malfunction. Some experiencing extraneous cognitive load in learning new modalities, motion-sickness, and headache after using VR headgear. Conclusion: The advantages of VR in anatomy education are extensive and outweigh the challenges. As VR devices are more affordable, the current challenge has moved to exploring ways to utilize this advancement in anatomy teaching effectively