3,702 research outputs found

    Conceptual evidence collection and analysis methodology for Android devices

    Android devices continue to grow in popularity and capability, meaning the need for a forensically sound evidence collection methodology for these devices also increases. This chapter proposes a methodology for evidence collection and analysis for Android devices that is, as far as practical, device agnostic. Android devices may contain a significant amount of evidential data that could be essential to a forensic practitioner in their investigations. However, the retrieval of this data requires that the practitioner understand and utilize techniques to analyze information collected from the device. The major contribution of this research is an in-depth evidence collection and analysis methodology for forensic practitioners. Comment: in Cloud Security Ecosystem (Syngress, an Imprint of Elsevier), 201

    Identifying Trace Evidence from Target-Specific Data Wiping Application Software

    One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics. --from articl

    An Evaluation Of Data Erasing Tools

    The permanent removal of data from media is a major area of concern mainly because of the misconception that once a file is deleted or storage media is formatted, it cannot be recovered. There has been the development of both commercial and freeware data erasing tools, which all claim complete file or disk erasure. This report analyzes the efficiency of a number of these tools in performing erasures on an electromechanical drive. It focuses on a selection of popular and modern erasing tools; taking into consideration their usability, claimed erasing standards and whether they perform complete data erasure with the use of the Write Zero method

    Interaction of some extreme-pressure type lubricating compounds with an iron surface

    An iron surface was exposed to the extreme-pressure type lubricant benzyl chloride, dichlorophenyl phosphine, dichlorophenyl phosphine sulfide, ophenyl phosphine oxide. Iron, in the sputter-cleaned state, was exposed to these materials statically and during dynamic friction experiments. With benzyl chloride only chlorine adsorbed to the surface, and with dichlorophenyl phosphine no adsorption occurred, while the addition of sulfur to that same molecular structure resulted in the promotion of carbon and chlorine adsorption. Substitution of oxygen for sulfur in the dichlorobenzyl phosphine molecule resulted in carbon, chlorine, and oxygen adsorption. With none of the phosphorus-containing molecules was phosphorus detected on the surface. Sliding in an atmosphere of benzyl chloride promoted adsorption of chlorine to the iron surface. Increases in load resulted in a decrease in the surface concentration of iron chloride

    Secure State Deletion: Testing the efficacy and integrity of secure deletion tools on Solid State Drives

    The research aimed to determine the efficacy and integrity of several hard-drive disk deletion tools on solid state drives (SSDs). SSDs contain new technologies such as wear-levelling and device under-provisioning to provide efficient functionality and speed for data management, but the same technologies may also provide obstacles to ensuring that all information is fully removed from the drive. Furthermore, SSDs store files in 4KB pages, yet data can only be deleted in 512KB blocks. This function uses the disk controller to remove all the pages from the block a file is being deleted from, storing the pages in a disk-controlled cache. Once the whole block has been reset, the valid data is retrieved from the cache and replaced on an available block. The reset block is added to the SSD's free space. The specific purpose of this paper was to discover if any data was recovered, especially from the disk-controlled cache, while testing various tools and methods for their effectiveness in securely wiping data off SSDs. All tools except the GNU core utility DD left some file information which was recovered, though none of the recovered files was loadable. Additionally, the paper introduces the concept of the TRIM functionality and provides a baseline for further research into this feature. Finally, a comparison of methods for securely deleting Solid State Drives is provided

    An investigation into the efficiency of forensic data erasure tools for removable usb flash memory storage devices

    Securely erasing data is of key importance to anyone that is concerned with the security of their sensitive information, whether an individual or an organization. Simply deleting the data in question or formatting the storage device is not enough to ensure that the data cannot be recovered. Furthermore, with the uptake of Universal Serial Bus drives (USBs), flash memory based storage devices have replaced previous portable secondary storage media. Therefore, it is of major concern whether these tools and products developed for securely erasing data on secondary storage Hard Disk Drives (HDDs) would be as efficient when targeting the USB flash memory storage devices. With a wide range of open source and commercial products available on the market, all claiming, among other things, to be able to securely delete your data, it is quite a difficult task for the consumer to pick the most efficient product. This paper therefore discusses the results of experiments conducted with both the open source and commercial tools which claim to securely delete data off USB flash memory storage devices

    PRECEPT: a framework for ethical digital forensics investigations

    Purpose: Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction. Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization’s right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain. This paper argues the need for a practical, ethically-grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organisations, as well as acknowledging the needs of law enforcement. We derive a set of ethical guidelines, then map these onto a forensics investigation framework. We subjected the framework to expert review in two stages, refining the framework after each stage. We conclude by proposing the refined ethically-grounded digital forensics investigation framework. 
    Our treatise is primarily UK based, but the concepts presented here have international relevance and applicability. Design methodology: In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals’ rights to privacy and organizations’ rights to control intellectual capital disclosure. Findings: The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically-informed approach to digital forensics investigations, as a remedy, is highlighted, and a framework proposed to provide this. Practical Implications: Our proposed ethically-informed framework for guiding digital forensics investigations suggests a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced. Originality/value: Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other