8 research outputs found

    Leveraging the Windows Amcache.hve File in Forensic Investigations

    The Amcache.hve file is a registry hive that Microsoft® Windows® creates to store information about the execution of programs. This paper highlights the evidential potential of the Amcache.hve file and its application to user activity analysis. The study uncovers numerous artifacts retained in Amcache.hve when a user performs actions such as running host-based applications, installing new applications, or running portable applications from external devices. The experiments demonstrate that Amcache.hve stores artifacts of forensic interest for each application: its creation and last-modification timestamps; its name, description, publisher name and version; its execution file path; and the SHA-1 hash of its executable file. These artifacts persist even after the applications have been deleted from the system. Further experiments evaluated the forensic usefulness of the information stored in Amcache.hve and found it well suited to tracing deleted applications, malware programs and applications run from external devices. Finally, the information in Amcache.hve is compared with that in other similar sources (IconCache.db, SRUDB.dat and Prefetch files) in order to provide forensic investigators with more useful information.

    Computer crimes case simulation and design model : "Kitty" Exploitation and illicit drug activities.

    The overall purpose of this graduate project is to provide digital forensics instructors at the University of Central Oklahoma (UCO) with a manually generated computer crimes case simulation that offers students a replicated real-world experience of what it is like to be a practicing digital forensic examiner. This simulation gives digital forensic students an opportunity to apply their forensic knowledge and skills in a realistic environment. Secondarily, this project sought to develop a rudimentary computer crimes simulation design model. The case simulation provides scenario/simulation-based learning to future digital forensic students at UCO. The computer crimes simulation design model presents general steps and considerations to be taken when generating similar digital forensic simulations. The generated simulation portrays typical kitty exploitation and illicit drug activities and consists of two computer crimes case scenarios, two sets of investigative notes, two search warrant affidavits, eight crime scene processing forms, a solution report with an associated PowerPoint presentation for the instructors, the digital evidence, a bootable clone of the evidence, and a disk image of the evidence.

    Investigation of IndexedDB Persistent Storage for Digital Forensics

    Dependency on electronic services is increasing rapidly in every aspect of our daily lives. While the Covid-19 virus remolded how we conduct business through remote collaboration applications, social media is tightening its grasp on our day-to-day activities. Every day, a substantial amount of data is left behind in both desktop and web-based applications. As the size and sophistication of stored data increase, so does the complexity of the technology that handles it. Consequently, forensic investigators face the challenge of constantly adapting to emerging technologies, since these technologies form the base for handling the vast volume of data in the modern era of information technology. Within the scope of this dissertation, the efficacy of an emerging client-side technology, namely IndexedDB, is scrutinized for its forensic value and for practices of extraction, processing, presentation, and verification. Accordingly, a series of single-case pretest-posttest quasi-experiments is conducted to populate artifacts in the underlying storage technologies of IndexedDB. The populated artifacts are then extracted and processed based on signature patterns and evaluated for their significance. Additionally, the artifacts are characterized, verified, and presented with the help of cornerstone tools implemented within this scope. Furthermore, a time-frame analysis is constructed that displays ordered sequences of events to investigators in a suitable format.

    A Holistic Methodology for Profiling Ransomware Through Endpoint Detection

    Computer security incident response is a critical capability in light of the growing threat of malware infecting endpoint systems today. Ransomware is one type of malware that is causing increasing harm to organizations. Ransomware infects an endpoint system and encrypts its files until a ransom is paid. Ransomware can have a negative impact on an organization's daily functions if critical business files are encrypted and not properly backed up. Many tools exist that claim to detect and respond to malware. Organizations and small businesses are often short-staffed and lack the technical expertise to properly configure security tools. One such endpoint detection tool is Sysmon, which logs critical events to the Windows event log. Sysmon is free to download on the Internet. The details contained in Sysmon events can be extremely helpful during an incident response. The author of Sysmon states that the Sysmon configuration needs to be iteratively assessed to determine which Sysmon events are most effective. Unfortunately, an organization may not have the time, knowledge, or infrastructure to properly configure and analyze Sysmon events. If configured incorrectly, the organization may have a false sense of security or lack the logs necessary to respond quickly and accurately during a malware incident. This research seeks to answer the question "What methodology can an organization follow to determine which Sysmon events should be analyzed to identify ransomware in a Windows environment?" The answer to this question helps organizations make informed decisions about how to configure Sysmon and analyze Sysmon logs. This study uses design science research methods to create three artifacts: a method, an instantiation, and a tool. The artifacts are used to analyze Sysmon logs against a ransomware dataset consisting of publicly available samples from three ransomware families that were major threats in 2017 according to Symantec. The artifacts are built using software that is free to download on the Internet. Step-by-step instructions, source code, and configuration files are provided so that other researchers can replicate and expand on the results. The end result is a set of concrete findings that organizations can apply directly to their environment to begin leveraging the benefits of Sysmon and to understand the analytics needed to identify suspicious activity during an incident response.

    Electronic Evidence and Electronic Signatures

    In this updated edition of the well-established practitioner text, Stephen Mason and Daniel Seng have brought together a team of experts in the field to provide an exhaustive treatment of electronic evidence and electronic signatures. This fifth edition continues the tradition of English evidence textbooks by basing the text on the law of England and Wales, with appropriate citations of relevant case law and legislation from other jurisdictions. Stephen Mason (of the Middle Temple, Barrister) is a leading authority on electronic evidence and electronic signatures, having advised global corporations and governments on these topics. He is also the editor of International Electronic Evidence (British Institute of International and Comparative Law 2008), and he founded the innovative international open access journal Digital Evidence and Electronic Signatures Law Review in 2004. Daniel Seng (Associate Professor, National University of Singapore) is the Director of the Centre for Technology, Robotics, AI and the Law (TRAIL). He teaches and researches information technology law and evidence law. Daniel was previously a partner and head of the technology practice at Messrs Rajah & Tann. He is also an active consultant to the World Intellectual Property Organization, where he has researched, delivered papers and published monographs on copyright exceptions for academic institutions, music copyright in the Asia Pacific and the liability of Internet intermediaries.

    Jornadas Nacionales de Investigación en Ciberseguridad: proceedings of the VIII Jornadas Nacionales de Investigación en Ciberseguridad: Vigo, 21 to 23 June 2023

    Jornadas Nacionales de Investigación en Ciberseguridad (8th, 2023, Vigo). Organizers and sponsors: atlanTTic; AMTEGA (Axencia para a modernización tecnolóxica de Galicia); INCIBE (Instituto Nacional de Ciberseguridad).

    Preface
