36 research outputs found

    Towards a standardised strategy to collect and distribute application software artifacts

    Reference sets contain known content that is used to identify relevant content or filter out irrelevant content. Application profiles are a type of reference set that contains the digital artifacts associated with application software. An application profile can be compared against a target data set to identify relevant evidence of application usage in a variety of investigation scenarios. The research objective is to design and implement a standardised strategy to collect and distribute application software artifacts using application profiles. An advanced technique for creating application profiles was designed using a formalised differential analysis strategy. The design was implemented in a live differential forensic analysis tool, LiveDiff, to automate and simplify data collection. A storage mechanism was designed based on a previously standardised forensic data abstraction. The design was implemented in a new data abstraction, Application Profile XML (APXML), to provide storage, distribution and automated processing of collected artifacts.

    An Ontology-Based Transformation Model for the Digital Forensics Domain

    The creation of an ontology makes it possible to form common information structures, to reuse knowledge, to make assumptions within a domain and to analyse every piece of knowledge. In this paper, we aim to create an ontology-based transformation model and a framework to develop an ontology-based transformation system in the digital forensics domain. We describe the architecture of the ontology-based transformation system and its components for assisting computer forensics experts in the appropriate selection of tools for digital evidence investigation. We consider the use of the attributes of Extensible Markup Language document transformation to map the computer forensics ontology, and we use the representations in the National Institute of Standards and Technology's "Computer Forensics Tool Catalog" for aligning one form with the other.

    An XML Encryption Model for DFXML Output to Secure Digital Evidence Metadata

    DFXML (Digital Forensics XML) is a forensic tool developed to produce its output as XML documents. The tool is designed to present the metadata of files from disk images of electronic devices. DFXML output is generally an XML document in plaintext form. This raises a data security problem: the plaintext form of the XML document allows anyone to read it easily. For this reason, an XML security approach is proposed as a solution for securing the XML documents produced by DFXML. The proposed solution takes the form of an automatic encryption tool capable of encrypting XML documents flexibly and automatically. The proposal is still a model, intended to show that the XML encryption concept to be developed can improve the information security of the plaintext output of DFXML documents and make it easy for anyone who wants to encrypt an XML document.

    DIGITAL EVIDENCE MANAGEMENT OF DFXML ACQUISITION RESULTS

    ABSTRACT Crimes that frequently occur in this modern era are crimes in cyberspace, which leave traces in the form of electronic evidence. That electronic evidence must first be acquired, using an application, in order to find the evidence within it. One result of acquiring electronic evidence is DFXML. DFXML is an extension of the XML language designed for a wide range of forensic information and forensic processing results. The DFXML output is a file with the XML extension, and this XML file contains many elements derived from the electronic evidence acquired as digital evidence. The large number of elements produced in the XML makes it hard for investigators to read. To date, little development has been done to help investigators read the XML elements of electronic evidence acquired as digital evidence in DFXML form. This research therefore develops a system that transforms the XML elements into a form that investigators can read.
How To Cite: Setyaningsih, P.W., Prayudi, Y., Sugiantoro, B. (2018). MANAJEMEN BUKTI DIGITAL HASIL AKUISISI DFXML. Jurnal Teknik Informatika, 11(1), 47-54. doi 10.15408/jti.v11i1.6680. Permalink/DOI: http://dx.doi.org/10.15408/jti.v11i1.6680

    Navigating Unmountable Media with the Digital Forensics XML File System

    Some computer storage is non-navigable by current general-purpose computers. This could be because of obsolete interface software, or a more specialized storage system lacking widespread support. These storage systems may contain artifacts of great cultural, historical, or technical significance, but implementing compatible interfaces that are fully navigable may be beyond available resources. We developed the DFXML File System (DFXMLFS) to enable navigation of arbitrary storage systems that fulfill a minimum feature set of the POSIX file system standard. Our approach advocates for a two-step workflow that separates parsing the storage's file system structures from navigating the storage like a contemporary file system, including file contents. The parse extracts essential file system metadata, serializing to Digital Forensics XML for later consumption as a read-only file system.

    Automating Disk Image Redaction

    In order to comply with best preservation and curation practices, collecting institutions must ensure that private and sensitive information contained in born-digital materials has been properly redacted before the materials are made available. Institutions receiving donor media in the form of hard disks, USB flash drives, compact disks, floppy disks, and even entire computers, are increasingly creating bit-identical copies called disk images. Redacting data from within a disk image is currently a manual, time-consuming task. In this project, I demonstrate the feasibility of automating disk image redaction using open-source forensic software. I discuss the problems encountered when redacting disk images using automated methods and ways to improve future disk image redaction tools.
    Master of Science in Information Science

    Improved Decay Tolerant Inference of Previously Uninstalled Computer Applications

    When an application is uninstalled from a computer system, the application's deleted file contents are overwritten over time, depending on factors such as operating system, available unallocated disk space, user activity, etc. As this content decays, the ability to infer the application's prior presence, based on the remaining digital artifacts, becomes more difficult. Prior research inferring previously installed applications by matching sectors from a hard disk of interest to a previously constructed catalog of labeled sector hashes showed promising results. This prior work used a white list approach to identify relevant artifacts, resulting in no irrelevant artifacts but incurring the loss of some potentially useful artifacts. In this current work, we collect a more complete set of relevant artifacts by adapting the sequential snapshot file differencing method to identify and eliminate from the catalog file-system changes which are not due to application installation and use. The key contribution of our work is the building of a more complete catalog which ultimately results in more accurate prior application inference.

    Inferring Previously Uninstalled Applications from Residual Partial Artifacts

    In this paper, we present an approach and experimental results to suggest the past presence of an application after the application has been uninstalled and the system has remained in use. Current techniques rely on the recovery of intact artifacts and traces, e.g., whole files, Windows Registry entries, or log file entries, while our approach requires no intact artifact recovery and leverages trace evidence in the form of residual partial files. In the case of recently uninstalled applications or an instrumented infrastructure, artifacts and traces may be intact and complete. In most cases, however, digital artifacts and traces are altered, destroyed, and disassociated over time due to normal system operation and deliberate obfuscation activity. As a result, analysts are often presented with partial and incomplete artifacts and traces from which defensible conclusions must be drawn. In this work, we match the sectors from a hard disk of interest to a previously constructed catalog of full files captured while various applications were installed, used, and uninstalled. The sectors composing the files in the catalog are not necessarily unique to each file or application, so we use an inverse frequency-weighting scheme to compute the inferential value of matched sectors. Similarly, we compute the fraction of full files associated with each application that is matched, where each file with a sector match is weighted by the fraction of total catalog sectors matched for that file. We compared results using both the sector-weighted and file-weighted values for known ground truth test images and final snapshot images from the M57 Patents Scenario data set. The file-weighted measure was slightly more accurate than the sector-weighted measure, although both identified all of the uninstalled applications in the test images and a high percentage of installed and uninstalled applications in the M57 data set, with minimal false positives for both sets.
    The key contribution of our work is the suggestion of uninstalled applications through weighted measurement of residual file fragments. Our experimental results indicate that past application activity can be reliably indicated even after an application has been uninstalled and the host system has been rebooted and used. The rapid and reliable indication of previously uninstalled applications is useful for cyber defense, law enforcement, and intelligence operations. Keywords: digital forensics; digital artifact; digital trace; partial artifact; residual artifact; uninstalled application

    "The Way We Do It Here": Mapping Digital Forensics Workflows in Collecting Institutions

    This paper presents the findings of semi-structured interviews with archivists and curators applying digital forensics tools and practices to the management of born-digital content. The interviews were designed to explore which digital forensic tools are in use, how they are implemented within a digital forensics workflow, and what further challenges and opportunities such use may present. Findings indicate that among interview participants these tools are beneficial in the capture and preservation of born-digital content, particularly with digital media such as external hard drives, and optical or floppy disks. However, interviews reveal that metadata generated from the use of such tools is not easily translated into the arrangement, description, and provision of access to born-digital content.
    Master of Science in Library Science