9 research outputs found

    Experimental Analysis of Web Browser Sessions Using Live Forensics Method

    In today's digital era almost every aspect of life requires the internet, and one way to access the internet is through a web browser. For security reasons, one feature that has been developed is private mode. Unfortunately, some users use this feature for cybercrime, since it minimizes the discovery of digital evidence. The standard investigative techniques of NIST need to be developed further to uncover ever-varied cybercrime. Live Forensics is an investigative development model for obtaining evidence of computer usage. This research provides a solution for effective and efficient forensic investigation by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions.

    Forensic Analysis of Encrypted Volumes Using Hibernation File

    Nowadays, software tools are commonly used to encrypt data on hard disks. Those tools keep encryption keys in system memory to provide the user easy access to the plain text of encrypted files. Key possession enables data decryption. A procedure that includes usage of the hibernation file as a source of memory content is described. Publicly available tools are used to perform the procedure. The procedure is successfully tested on a system that uses a current encryption program.

    Technical and legal perspectives on forensics scenario

    The dissertation concerns digital forensics. The expression digital forensics (sometimes called digital forensic science) denotes the science that studies the identification, storage, protection, retrieval, documentation, use, and every other form of computer data processing in order to be evaluated in a legal trial. Digital forensics is a branch of forensic science. First of all, digital forensics represents the extension of theories, principles and procedures that are typical and important elements of forensic science, computer science and new technologies. From this conceptual viewpoint, the logical consideration concerns the fact that forensic science studies the legal value of specific events in order to contrive possible sources of evidence. The branches of forensic science are: physiological sciences, social sciences, forensic criminalistics and digital forensics. Moreover, digital forensics includes a few categories relating to the investigation of various types of devices, media or artefacts. These categories are:
    - computer forensics: the aim is to explain the current state of a digital artefact, such as a computer system, storage medium or electronic document;
    - mobile device forensics: the aim is to recover digital evidence or data from a mobile device, such as images, call logs, SMS logs and so on;
    - network forensics: the aim is related to the monitoring and analysis of network traffic (local, WAN/Internet, UMTS, etc.) to detect intrusions or, more in general, to find network evidence;
    - forensic data analysis: the aim is to examine structured data to discover evidence, usually related to financial crime;
    - database forensics: the aim is related to databases and their metadata.
    The origin and historical development of the discipline of study and research of digital forensics are closely related to progress in information and communication technology in the modern era.
    In parallel with the changes in society due to new technologies and, in particular, the advent of the computer and electronic networks, there has been a change in the mode of collection, management and analysis of evidence. Indeed, in addition to the more traditional, natural and physical elements, the procedures have included further evidence that, although equally capable of identifying an occurrence, is inextricably related to a computer, a computer network or electronic means. The birth of computer forensics can be traced back to 1984, when the FBI and other American investigative agencies began to use software for the extraction and analysis of data on personal computers. At the beginning of the 80s, the CART (Computer Analysis and Response Team) was created within the FBI, with the express purpose of seeking the so-called digital evidence. This term is used to denote all the information stored or transmitted in digital form that may have some probative value. While the term evidence, more precisely, constitutes the judicial nature of digital data, the term forensic emphasizes the procedural nature of the matter, literally, "to be presented to the Court". Digital forensics has a huge variety of applications. The most common applications are related to crime or cybercrime. Cybercrime is a growing problem for government, business and private individuals.
    - Government: security of the country (terrorism, espionage, etc.) or social problems (child pornography, child trafficking and so on).
    - Business: purely economic problems, for example industrial espionage.
    - Private: personal safety and possessions, for example phishing, identity theft.
    Often many techniques used in digital forensics are not formally defined, and the relation between the technical procedure and the law is not frequently taken into consideration.
    From this conceptual perspective, the research work intends to define and optimize the procedures and methodologies of digital forensics in relation to Italian regulation, testing, analysing and defining the best practice, if not already defined, concerning common software. The research questions are:
    1. The problem of cybercrime is becoming increasingly significant for governments, businesses and citizens.
       - In relation to governments, cybercrime involves problems concerning national security, such as terrorism and espionage, and social questions, such as trafficking in children and child pornography.
       - In relation to businesses, cybercrime entails problems concerning mainly economic issues, such as industrial espionage.
       - In relation to citizens, cybercrime involves problems concerning personal security, such as identity theft and fraud.
    2. Many techniques used within digital forensics are not formally defined.
    3. The relation between procedures and legislation is not always applied and taken into consideration.

    Forensic analysis of linux physical memory: Extraction and resumption of running processes.

    Traditional digital forensics procedures to recover and analyze digital data were focused on media-type storage devices like hard drives, hoping to acquire evidence or traces of malicious behavior in stored files. Usually, investigators would image the data and explore it in a somewhat "safe" environment; this is meant to reduce as much as possible the amount of loss and corruption that might occur when analysis tools are used. Unfortunately, techniques developed by intruders to attack machines without leaving files on the disks, and the ever dramatically increasing size of hard drives, make the discovery of evidence difficult. This increased interest in research on live forensics (attempting to obtain evidence while the system is running) and on volatile memory forensic analysis. Because of the important role it plays in computing systems, volatile memory is a source of information about running processes, network connections, opened files and/or loaded kernel modules that might be valuable to forensic investigations. In this thesis we show that, when provided with an image of the physical memory of a Linux system, it is possible to extract enough data about a specific running process to be able to resume its execution in a prepared environment. We also describe two proof-of-concept tools, gettsk and memexec, developed for this purpose. This would allow investigators not only to obtain information about a suspicious running task from a RAM dump, but also to perform further inquiry through techniques such as malware analysis.

    BKRU3

    Development of an extensible forensic analysis framework: application to user-side cloud scenarios

    Computer forensic procedures are among the most important methods for present-day crime investigations, since IT devices are increasingly present in our society and life as main tools for productivity enhancement and social communication. This rise in relevance for such procedures is, however, increasing the efforts to bypass such methods in a more sophisticated manner. IT forensic analysts must face the complexity of new techniques used by criminals in order to hide their activities and avoid evidence recovery as much as possible. Some of those include, but are not limited to:
    - Covert communication channels and information leakage.
    - Obfuscation and information hiding regarding the operations of a malicious agent.
    - Operation in volatile media such as RAM and similar procedures with a relatively small digital fingerprint in the system.
    Current forensic tools highly depend on the analyst's awareness of the aforementioned covert channels and of the existence of evidence in order to retrieve it by means of a proactive search methodology. This project documents the creation of Monocle, an open-source extensible framework for automated forensic analysis. Monocle provides automation over the forensic procedure by means of user-created plugins, reducing the complexity of evidence retrieval from the target machine's hard disk and memory. The software makes use of external tools such as the Volatility Framework in order to provide extended functionality to the executed plugins. To show the applicability of the proposal, Monocle is applied to two user-side cloud storage scenarios, iCloud and Box. This application is further used in order to study such scenarios and their usefulness when targeting cloud storage systems from a forensic point of view.
    Ingeniería Informática

    Digitale Forensik in Unternehmen

    The increasing and ever more complex networking and the continual digitalisation of companies often also raise new risks of attacks on the companies' information systems. In particular, the opening up of corporate networks and the ever more complex mutual integration of companies, public authorities and private individuals give rise to new attack vectors and risks. Digitalisation also increases the volume of digital data, which under some circumstances must also be used as digital traces for solving crimes, since the percentage of printed or otherwise analogue traces is steadily shrinking compared with digital traces. Digital forensics, as the forensic science concerned with the preservation and analysis of digital traces, is however a comparatively young forensic science. For this reason, this thesis examines the basic principles and definitions of digital forensics and then considers the problem-solving strategies that exist specifically for digital forensic investigations in companies. Based on the findings from the review of the existing problem-solving strategies, a methodology for corporate forensic investigations is then proposed. The methodology itself is based on the understanding of digital traces in the context of corporate information and application systems, also developed in this thesis, and on the definition of corporate forensics as a sub-discipline of digital forensics. The subsequent evaluation of the methodology by means of a case study and in practice confirms both its usefulness and its practical suitability. However, further research needs and new problems for corporate forensics also emerge that must be addressed by future work. Overall, though, the methodology can demonstrate the future usefulness and potential of corporate forensics.