Forensic Analysis of the exFAT Artifacts
Although it keeps some basic concepts inherited from FAT32, the exFAT file system introduces many differences, such as a new mapping scheme for directory entries. The combination of the exFAT mapping scheme with the allocation bitmap file and the use of the FAT leads to new forensic possibilities. The recovery of deleted files, including fragmented ones, and carving become more accurate compared with former forensic processes. Nowadays, accurate and sound forensic analysis is needed more than ever, as there is a high risk of erroneous interpretation. Indeed, most of the related work in the literature on exFAT structure and forensics is based mainly on reverse engineering research, and only a few works cover the forensic interpretation. In this paper, we propose a new methodology that uses exFAT file system features to improve the interpretation of inactive entries through bitmap file analysis and to recover the file system metadata of carved files. Experimental results show how our approach improves forensic interpretation accuracy.
EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution
Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on the part of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant time and resources and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system as an alternative to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely base operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a "diffing" of the resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an "evidence package". Evidence packages can be created for different personae, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated into the base images. A number of additional applications in digital forensic challenge creation for tool testing and validation, proficiency testing, and malware analysis are also discussed as a result of using EviPlant.
Comment: Digital Forensic Research Workshop Europe 201
A Digital Forensics Case Study of the DJI Mini 3 Pro and DJI RC
The consumer drone market is rapidly expanding with new drone models featuring unique variations of hardware and software. The rapid development of drone technology and variability in drone systems can make it difficult for digital forensic investigators and tools to keep pace and effectively extract and analyse digital evidence from drones. Furthermore, the growing popularity of drones and their increased use in illegal and harmful activities, such as smuggling, espionage, and even terrorism, has led to an increase in the number of drone forensic cases for authorities to manage. To assist forensic investigators, a static digital forensic case study was conducted on two drone devices recently released by Da-Jiang Innovations (DJI): the Mini 3 Pro drone, and its remote controller, the DJI RC. The study discovered the presence of several digital artefacts on both devices, including recorded media, flight logs, and other information that could help investigators trace the drone's usage and identify its operator. Additionally, this paper explored several methods for extracting and visualising the drone's flight history, and highlights some of the potential methods used to limit, obscure, or remove key types of digital evidence.
Comment: 20 Pages, 23 figure
Classification and evaluation of digital forensic tools
Digital forensic tools (DFTs) are used to detect the authenticity of digital images. Different DFTs have been developed to detect forgery, such as (i) forensic-focused operating systems, (ii) computer forensics, (iii) memory forensics, (iv) mobile device forensics, and (v) software forensics tools (SFTs). These tools are dedicated to detecting forged images depending on the type of application. Based on our review, we found that in the literature on DFTs, less attention is given to the evaluation and analysis of the forensic tools. Among the various DFTs, we choose SFTs because they are concerned with the detection of forged digital images. Therefore, the purpose of this study is to classify the different DFTs and evaluate the software forensic tools (SFTs) based on the different features present in the SFTs. In our work, we evaluate the following five SFTs, i.e., "FotoForensics", "JPEGsnoop", "Ghiro", "Forensically", and "Izitru", based on different features so that new research directions can be identified for the development of SFTs.