9 research outputs found
Experimental Analysis of Web Browser Sessions Using Live Forensics Method
In today's digital era almost every aspect of life requires the internet, and one way to access the internet is through a web browser. For security reasons, one feature that has been developed is private mode. Unfortunately, some users use this feature for cybercrime, since it minimizes the digital evidence that can be discovered. The standard investigative techniques of NIST need to be developed further to uncover ever-varied cybercrime. Live Forensics is an investigative model for obtaining evidence of computer usage. This research provides an effective and efficient solution for forensic investigation by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions.
Forensic Analysis of Encrypted Volumes Using Hibernation File
Nowadays, software tools are commonly used to encrypt data on a hard disk. Those tools keep encryption keys in system memory to give the user easy access to the plain text of encrypted files. Possession of the key enables data decryption. A procedure that uses the hibernation file as a source of memory content is described. Publicly available tools are used to perform the procedure. The procedure was successfully tested on a system that uses a current encryption program.
Technical and legal perspectives on forensics scenario
The dissertation concerns digital forensics. The expression digital forensics (sometimes called digital forensic science) denotes the science that studies the identification, storage, protection, retrieval, documentation, use, and every other form of computer data processing in order to be evaluated in a legal trial. Digital forensics is a branch of forensic science. First of all, digital forensics represents the extension of theories, principles and procedures that are typical and important elements of forensic science, computer science and new technologies. From this conceptual viewpoint, the logical consideration is that forensic science studies the legal value of specific events in order to identify possible sources of evidence. The branches of forensic science are: physiological sciences, social sciences, forensic criminalistics and digital forensics. Moreover, digital forensics includes a few categories relating to the investigation of various types of devices, media or artefacts. These categories are:
- computer forensics: the aim is to explain the current state of a digital artefact, such as a computer system, storage medium or electronic document;
- mobile device forensics: the aim is to recover digital evidence or data from a mobile device, such as images, call logs, SMS logs and so on;
- network forensics: the aim is the monitoring and analysis of network traffic (local, WAN/Internet, UMTS, etc.) to detect intrusions or, more generally, to find network evidence;
- forensic data analysis: the aim is to examine structured data to discover evidence, usually related to financial crime;
- database forensics: the aim is related to databases and their metadata.

The origin and historical development of the discipline of study and research of digital forensics are closely related to progress in information and communication technology in the modern era. In parallel with the changes in society due to new technologies and, in particular, the advent of the computer and electronic networks, there has been a change in the mode of collection, management and analysis of evidence. Indeed, in addition to the more traditional, natural and physical elements, the procedures have come to include further evidence that, although equally capable of identifying an occurrence, is inextricably related to a computer, a computer network or electronic means. The birth of computer forensics can be traced back to 1984, when the FBI and other American investigative agencies began to use software for the extraction and analysis of data on a personal computer. At the beginning of the 80s, the CART (Computer Analysis and Response Team) was created within the FBI, with the express purpose of seeking the so-called digital evidence. This term denotes all the information stored or transmitted in digital form that may have some probative value. While the term evidence, more precisely, constitutes the judicial nature of digital data, the term forensic emphasizes the procedural nature of the matter, literally, "to be presented to the Court". Digital forensics has a huge variety of applications. The most common applications are related to crime or cybercrime. Cybercrime is a growing problem for governments, businesses and private individuals.
- Government: security of the country (terrorism, espionage, etc.) or social problems (child pornography, child trafficking and so on).
- Business: purely economic problems, for example industrial espionage.
- Private: personal safety and possessions, for example phishing, identity theft.

Often many techniques used in digital forensics are not formally defined, and the relation between the technical procedure and the law is not frequently taken into consideration. From this conceptual perspective, the research work intends to define and optimize the procedures and methodologies of digital forensics in relation to Italian regulation, testing, analysing and defining best practice, where it is not yet defined, concerning common software. The research questions are:
1. The problem of cybercrime is becoming increasingly significant for governments, businesses and citizens.
   - In relation to governments, cybercrime involves problems concerning national security, such as terrorism and espionage, and social questions, such as trafficking in children and child pornography.
   - In relation to businesses, cybercrime entails problems concerning mainly economic issues, such as industrial espionage.
   - In relation to citizens, cybercrime involves problems concerning personal security, such as identity theft and fraud.
2. Many techniques used within digital forensics are not formally defined.
3. The relation between procedures and legislation is not always applied and taken into consideration.
Forensic analysis of linux physical memory: Extraction and resumption of running processes.
Traditional digital forensics procedures to recover and analyze digital data were focused on media-type storage devices like hard drives, hoping to acquire evidence or traces of malicious behavior in stored files. Usually, investigators would image the data and explore it in a somewhat "safe" environment; this is meant to reduce as much as possible the loss and corruption that might occur when analysis tools are used. Unfortunately, techniques developed by intruders to attack machines without leaving files on the disks, and the ever dramatically increasing size of hard drives, make the discovery of evidence difficult. This has increased interest in research on live forensics (attempting to obtain evidence while the system is running) and on volatile memory forensic analysis. Because of the important role it plays in computing systems, volatile memory is a source of information about running processes, network connections, opened files and loaded kernel modules that might be valuable to forensic investigations. In this thesis we show that, when provided with an image of the physical memory of a Linux system, it is possible to extract enough data about a specific running process to resume its execution in a prepared environment. We also describe two proof-of-concept tools, gettsk and memexec, developed for this purpose. This would allow investigators not only to obtain information about a suspicious running task from a RAM dump, but also to perform further inquiry through techniques such as malware analysis.
Development of an extensible forensic analysis framework: application to user-side cloud scenarios
Computer forensic procedures are among the most important methods for present-day crime investigations, since IT devices are increasingly present in our society and lives as the main tools for productivity enhancement and social communication. This growing relevance of such procedures is, however, increasing the efforts to bypass them in ever more sophisticated ways. IT forensic analysts must face the complexity of new techniques used by criminals to hide their activities and avoid evidence recovery as much as possible. Some of those include, but are not limited to:
- covert communication channels and information leakage;
- obfuscation and information hiding regarding the operations of a malicious agent;
- operation in volatile media such as RAM and similar procedures with a relatively small digital fingerprint on the system.

Current forensic tools depend heavily on the analyst's awareness of the aforementioned covert channels and of the existence of evidence in order to retrieve it by means of a proactive search methodology. This project documents the creation of Monocle, an open-source extensible framework for automated forensic analysis. Monocle automates the forensic procedure by means of user-created plugins, reducing the complexity of evidence retrieval from the target machine's hard disk and memory. The software makes use of external tools such as the Volatility Framework in order to provide extended functionality to the executed plugins. To show the applicability of the proposal, Monocle is applied to two user-side cloud storage scenarios, iCloud and Box. This application is further used to study such scenarios and their usefulness when targeting cloud storage systems from a forensic point of view.

Computer forensic procedures are among the most important for today's criminal investigations, since electronic devices are increasingly present in our society, whether as a means of improving personal productivity or as social connectors. This increased relevance of such procedures has, however, caused the efforts to counter them to become more sophisticated. Forensic analysts must face the complexity of the new techniques used by criminals to hide their activities and hinder the recovery of evidence as far as possible. Some of these techniques include, but are not limited to:
- covert communication channels and information leakage through unconventional methods;
- obfuscation and hiding of information related to the malicious activities of the criminal agent;
- operations carried out in RAM and procedures of a similar nature, which leave very little digital trace on the system.

Current forensic tools depend to a large extent on the analyst's ability to take these concealment methods into account, as well as on knowing the location and format of the potential evidence to be found, in order to be able to recover it by means of a forensic tool. This project documents the creation of Monocle, an extensible open-source framework for the automation of forensic analysis. Monocle provides forensic procedures with automation through plugins created and defined by the user, which reduces the complexity of recovering information from both the disk and the memory of the analysed system. Monocle makes use of external tools such as the Volatility Framework in order to provide extended functionality to the running plugins. To demonstrate the applicability of the proposal, Monocle has been evaluated in two client-side cloud forensic analysis scenarios, iCloud and Box. This evaluation will also allow the study of these scenarios and of the applicability of client-side analysis when examining cloud storage environments.
Ingeniería Informátic
Digital Forensics in Enterprises (Digitale Forensik in Unternehmen)
The increasing and ever more complex networking and the continuing digitalization of enterprises often also raise new risks of attacks on the enterprises' information systems. Precisely through the opening up of enterprise networks and the ever more complex mutual integration of enterprises, public authorities and private individuals, new attack vectors and risks arise. Digitalization also increases the amount of digital data which, under certain circumstances, must also be used as digital traces for solving crimes, since the percentage of printed or otherwise analogue traces is constantly shrinking compared to digital traces.
Digital forensics, as the forensic science concerned with the preservation and analysis of digital traces, is however a comparatively young forensic science. For this reason, this thesis examines the fundamental principles and definitions of digital forensics and then considers the problem-solving strategies that exist specifically for digital forensic investigations in enterprises. Based on the findings from the consideration of the existing problem-solving strategies, a methodology for enterprise forensic investigations is then proposed. The methodology itself is based on the understanding of digital traces in the context of enterprises' information and application systems, which is also developed in this thesis, as well as on the definition of enterprise forensics as a sub-discipline of digital forensics.
The subsequent evaluation of the methodology by means of a case study and in practice confirms both its usefulness and its practical suitability. However, further research needs and new problems for enterprise forensics also emerge that must be addressed by future work. Overall, though, the methodology demonstrates the future usefulness and potential of enterprise forensics.