    Understanding Computer Forensics Requirements in China via the “Panda Burning Incense” Virus Case

    In March 2012, Mainland China amended its Criminal Procedure Law, which includes the introduction of a new type of evidence, i.e., digital evidence, to the court of law. To better understand the development of computer forensics and digital evidence in Mainland China, this paper discusses the Chinese legal system in relation to digital investigation and how the current legal requirements affect the existing legal and technical usage of digital evidence in legal proceedings. Through studying the famous “Panda Burning Incense (Worm.WhBoy.cw)” virus case that happened in 2007, this paper aims to provide a better understanding of how to properly conduct a computer forensics examination and present digital evidence in a court of law in Mainland China.

    Towards a Threat Intelligence Informed Digital Forensics Readiness Framework

    Digital Forensic Readiness (DFR) has received little attention from the research community when compared to the core digital forensic investigation processes. DFR was primarily about logging of security events to be leveraged by the forensic analysis phase. However, the increasing number of security incidents and the overwhelming volumes of data produced mandate the development of more effective and efficient DFR approaches. We propose a DFR framework focusing on the prioritisation, triaging and selection of Indicators of Compromise (IoC) to be used in investigations of security incidents. A core component of the framework is the contextualisation of the IoCs to the underlying organisation, which can be achieved with the use of clustering and classification algorithms and a local IoC database.

    Protecting digital legal professional privilege LPP data

    To enable free communication between a legal advisor and his client for the proper functioning of the legal system, certain documents, known as Legal Professional Privilege (LPP) documents, can be excluded as evidence for prosecution. In the physical world, protection of LPP information is well addressed and a proper procedure for handling LPP articles has been established. However, there does not exist a forensically sound procedure for protecting 'digital' LPP information. In this paper, we try to address this important, but rarely addressed, issue. We point out the difficulties of handling digital LPP data and discuss the shortcomings of the current practices, then we propose a feasible procedure for solving this problem. © 2008 IEEE.

    Best Paper Award. The 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering (IEEE/SADFE 2008), Oakland, CA, 22 May 2008. In Proceedings of the 3rd SADFE, 2008, p. 91-10

    Freeware Live Forensics tools evaluation and operation tips

    Highlighted by digital forensics investigation specialists from the FBI at DFRWS 2006, live forensics investigations have already become one of the most important procedures in digital forensics investigations. Many digital forensics investigation product companies have already joined the battlefield in developing their own live forensics tools. However, similar to the development trend in traditional digital forensics, evaluation criteria for Live Digital Forensics could only be standardized after operating procedures have been standardized. One way to standardize the Live Digital Forensics Investigation procedure is to define the investigation objectives around the core digital forensics principles. Through the use of the FORZA framework, a more legal- and investigation-oriented live digital forensics investigation procedure has been outlined. Based on the FORZA-based procedure, a set of operational best practices, operational tips and evaluation criteria was derived. Using the derived criteria, various free Live Forensics toolkits, including Windows Forensics Toolchest (WFT), Incident Response Collection Report (IRCR), First Responders Evidence Disk (FRED) and Computer Online Forensic Evidence (COFEE), were evaluated and reported in this paper.

    From Digital Forensics to Intelligent Forensics

    In this paper we posit that current investigative techniques, particularly as deployed by law enforcement, are becoming unsuitable for most types of crime investigation. The growth in cybercrime and the complexities of the types of cybercrime, coupled with the limitations in time and resources, both computational and human, in addressing cybercrime, put an increasing strain on the ability of digital investigators to apply the processes of digital forensics and digital investigations to obtain timely results. In order to combat these problems, there is a need to enhance the use of the resources available and move beyond the capabilities and constraints of the forensic tools that are in current use. We argue that more intelligent techniques are necessary and should be used proactively. The paper makes the case for the need for such tools and techniques, investigates and discusses the opportunities afforded by applying principles and procedures of artificial intelligence to digital forensics intelligence and to intelligent forensics, and suggests that by applying new techniques to digital investigations there is the opportunity to address the challenges of the larger and more complex domains in which cybercrimes are taking place.

    An Integrated Dataflow Based Model for Digital Investigation

    This study developed a highly adaptive digital forensic model, applicable to various situations, which clearly describes the digital forensic process and its purposes as well as ensuring the exactness and effectiveness of digital forensic results. It examined the viewpoint of the digital evidence process flow throughout an entire forensic process, and it hoped to provide a complete explanation of the digital forensic procedure and the details of execution. In addition, it proposed three new forensic concepts: primary, supported and comprehensive forensic procedures. The structural hierarchy constructed in the model can be expanded, then divided into its simplest forms, allowing independent task assignments. It further proposed several innovative digital forensic concepts, such as a new feedback mechanism. Finally, this model could provide a detailed list of the resources necessary for an entire forensic activity, applicable to management planning. This model provided a practical description approach and established a comprehensive and uniform digital expression form. The aim is to accumulate and to share experience and knowledge, hoping to create a more mature and practical digital forensic science and to provide a reference for the practitioners of digital forensics.

    The use of artificial intelligence in digital forensics and incident response in a constrained environment

    Digital investigators often have a hard time spotting evidence in digital information. It has become hard to determine which source of proof relates to a specific investigation. A growing concern is that the various processes, technology, and specific procedures used in the digital investigation are not keeping up with criminal developments. Therefore, criminals are taking advantage of these weaknesses to commit further crimes. In digital forensics investigations, artificial intelligence (AI) is invaluable in identifying crime. Providing objective data and conducting an assessment is the goal of digital forensics and digital investigation, which will assist in developing a plausible theory that can be presented as evidence in court. This research paper aims at developing a multiagent framework for digital investigations using specific intelligent software agents (ISAs). The agents communicate to address particular tasks jointly and keep the same objectives in mind during each task. The rules and knowledge contained within each agent are dependent on the investigation type. A criminal investigation is classified quickly and efficiently using the case-based reasoning (CBR) technique. The proposed framework development is implemented using the Java Agent Development Framework, Eclipse, a Postgres repository, and a rule engine for agent reasoning. The proposed framework was tested using the Lone Wolf image files and datasets. Experiments were conducted using various sets of ISAs and VMs. There was a significant reduction in the time taken for the Hash Set Agent to execute. As a result of loading the agents, 5% of the time was lost, as the File Path Agent prescribed deleting 1,510, while the Timeline Agent found multiple executable files. In comparison, the integrity check carried out on the Lone Wolf image file using a digital forensic tool kit took approximately 48 minutes (2,880 ms), whereas the MADIK framework accomplished this in 16 minutes (960 ms). The framework is integrated with Python, allowing for further integration of other digital forensic tools, such as AccessData Forensic Toolkit (FTK), Wireshark, Volatility, and Scapy.

    Research Toward a Partially-Automated, and Crime Specific Digital Triage Process Model

    The digital forensic process as traditionally laid out begins with the collection, duplication, and authentication of every piece of digital media prior to examination. These first three phases of the digital forensic process are by far the most costly. However, complete forensic duplication is standard practice among digital forensic laboratories. The time it takes to complete these stages is quickly becoming a serious problem. Digital forensic laboratories do not have the resources and time to keep up with the growing demand for digital forensic examinations with the current methodologies. One solution to this problem is the use of pre-examination techniques commonly referred to as digital triage. Pre-examination techniques can assist the examiner with intelligence that can be used to prioritize and lead the examination process. This work discusses a proposed model for digital triage that is currently under development at Mississippi State University.

    Security Privacy Process Involvement in Cloud Security for Data Preservation against Data Malicious Activity

    Cloud data sent from the person is attacked, leading to data hacking. Data classification can be made by malware detection, leading to the data warehouse technique and data storage. The cloud data from a particular internet protocol address cannot be hacked. Only random cloud data is hacked. Even though this leads to some illegal issues, the method of managing the cloud data and maintaining the factor to hack illegal cloud data has been proposed. The method of malware detection and ML-based end-to-end malware detection are used in calculating the time efficiency. The malware detection and defence method has been introduced for managing the data tracking and the system's formation to hack unwanted data. The time efficiency calculation for the data transmitted in the network has been enabled for the cloud data sent and received. The data from each router makes the data store 12% of the unwanted compared to the original messages. The factor for managing the individual aspect to produce the data is 30% of the database. This will contain 20% of the data in formulating the cloud storage system, which makes the data classifications. 4% of redundant data from the database has been enveloped for the data classifications. Meanwhile, the data attack can be evaluated using the malware detector, which also manages the classification method for evaluation of data and formation of the system to produce data from the appearance of secure data clouds.