17 research outputs found

    Forensic Analysis of the exFAT Artifacts

    Although keeping some basic concepts inherited from FAT32, the exFAT file system introduces many differences, such as the new mapping scheme of directory entries. The combination of the exFAT mapping scheme with the allocation of bitmap files and the use of FAT leads to new forensic possibilities. The recovery of deleted files, including fragmented ones, and carving become more accurate compared with former forensic processes. Nowadays, accurate and sound forensic analysis is needed more than ever, as there is a high risk of erroneous interpretation. Indeed, most of the related work in the literature on exFAT structure and forensics is mainly based on reverse engineering research, and only a few of them cover the forensic interpretation. In this paper, we propose a new methodology using exFAT file system features to improve the interpretation of inactive entries by using bitmap file analysis and to recover the file system metadata information for carved files. Experimental results show how our approach improves the forensic interpretation accuracy.

    Front Matter

    EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution

    Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on the part of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant time and resources and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system as an alternative to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely base operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a "diffing" of resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an "evidence package". Evidence packages can be created for different personae, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated into the base images. A number of additional applications in digital forensic challenge creation for tool testing and validation, proficiency testing, and malware analysis are also discussed as a result of using EviPlant. Comment: Digital Forensic Research Workshop Europe 201

    Contents

    A Digital Forensics Case Study of the DJI Mini 3 Pro and DJI RC

    The consumer drone market is rapidly expanding with new drone models featuring unique variations of hardware and software. The rapid development of drone technology and variability in drone systems can make it difficult for digital forensic investigators and tools to keep pace and effectively extract and analyse digital evidence from drones. Furthermore, the growing popularity of drones and their increased use in illegal and harmful activities, such as smuggling, espionage, and even terrorism, has led to an increase in the number of drone forensic cases for authorities to manage. To assist forensic investigators, a static digital forensic case study was conducted on two drone devices recently released by Da-Jiang Innovations (DJI): the Mini 3 Pro drone, and its remote controller, the DJI RC. The study discovered the presence of several digital artefacts on both devices, including recorded media, flight logs, and other information that could help investigators trace the drone's usage and identify its operator. Additionally, this paper explored several methods for extracting and visualising the drone's flight history, and highlights some of the potential methods used to limit, obscure, or remove key types of digital evidence. Comment: 20 Pages, 23 figure

    Classification and evaluation of digital forensic tools

    Digital forensic tools (DFTs) are used to detect the authenticity of digital images. Different DFTs have been developed to detect forgery, such as (i) forensic focused operating system, (ii) computer forensics, (iii) memory forensics, (iv) mobile device forensics, and (v) software forensics tools (SFTs). These tools are dedicated to detecting forged images depending on the type of application. Based on our review, we found that in the literature on DFTs less attention is given to the evaluation and analysis of the forensic tools. Among various DFTs, we choose SFTs because they are concerned with the detection of forged digital images. Therefore, the purpose of this study is to classify the different DFTs and evaluate the software forensic tools (SFTs) based on the different features which are present in the SFTs. In our work, we evaluate the following five SFTs, i.e., “FotoForensics”, “JPEGsnoop”, “Ghiro”, “Forensically”, and “Izitru”, based on different features so that new research directions can be identified for the development of the SFTs.

    Forensic analysis of popular UAV systems
