Forensic capabilities for service-oriented architectures

This report describes a framework to provide on-line forensic capabilities to service oriented architecture via Forensic Web Services (FWS) and runtime execution monitoring. The FWS is a new type of web services to be used by other web services (of an independent agency) to securely maintain transactional records of interest between other web services. The framework uses runtime execution monitoring to search the transactional log for interesting (or suspicious) service invocation sequences to recreate non-repudiable evidence of transactional history for use in a court of law.Contract Number: N6600107WR00222Approved for public release; distribution is unlimited

Beginner's Guide for Cybercrime Investigators

In the real world there are people who enter the homes and steal everything they find valuable. In the virtual world there are individuals who penetrate computer systems and "steal" all your valuable data. Just as in the real world, there are uninvited guests and people feel happy when they steal or destroy someone else's property, the computer world could not be deprived of this unfortunate phenomenon. It is truly detestable the perfidy of these attacks. For if it can be observed immediately the apparent lack of box jewelry, penetration of an accounting server can be detected after a few months when all clients have given up the company services because of the stolen data came to competition and have helped it to make best deals. Cybercrime is a phenomenon of our time, often reflected in the media. Forensic investigation of computer systems has a number of features that differentiate it fundamentally from other types of investigations. The computer itself is the main source of information for the investigator. CONTENTS: Computing systems and storage media - Computing devices - - Peripheral devices - - External drives for media storage - Typology of data stored on specific supports – File systems - - Program that allows working with ” inactive” space - Information that can be obtained from the computing system environment Computer networks - Copper wire in computer networks - Optical fibers - Wireless LAN - Internet and Intranet Software and services - Client/server architecture - Protocols and Standards - Internet Services - - e-Mail - - - Spam - - HTTP - - Web address - URL - - Web browsers - - - Browser cookies - - Working with web pages - - - Choosing your favorite web pages - - - Keeping track of visited web pages - - - Saving web pages - - Proxy servers - - Privacy on the Internet - FTP - Instant Messaging - Peer-to-peer networks Vulnerabilities - The first attacks on the Internet - Cybercrime - - Typologies of cyber attackers - - - Classification of cyber attackers according to their skills and objectives - Classification of risks and incidents in cyberworld - - Classification as a list of terms - - List of categories - - Categories of results - - Empirical lists - Events, attacks and incidents - Online security events, actions, and targets - - Actions - - Targets - Attacks - - Tools - - Vulnerabilities - - Unauthorized results Cybercrime laws - The concept of "cybercrime" Investigations - Computer forensic investigations - Digital evidence - Digital sampling during investigations - The suspect - Witnesses in cybercrime - Transporting of samples in laboratory - Analysis of samples - Preparing team members - Computer tools Convention on Cybercrime - Preamble - Chapter I – Use of terms - Chapter II – Measures to be taken at the national level - - Section 1 – Substantive criminal law - - - Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems - - - Title 2 – Computer-related offences - - - Title 3 – Content-related offences - - - Title 4 – Offences related to infringements of copyright and related rights - - - Title 5 – Ancillary liability and sanctions - - Section 2 – Procedural law - - - Title 1 – Common provisions - - - Title 2 – Expedited preservation of stored computer data - - - Title 3 – Production order - - - Title 4 – Search and seizure of stored computer data - - - Title 5 – Real-time collection of computer data - - Section 3 – Jurisdiction - Chapter III – International co-operation - - Section 1 – General principles - - - Title 1 – General principles relating to international co-operation - - - Title 2 – Principles relating to extradition - - - Title 3 – General principles relating to mutual assistance - - - Title 4 – Procedures pertaining to mutual assistance requests in the absence of applicable international agreements - - Section 2 – Specific provisions - - - Title 1 – Mutual assistance regarding provisional measures - - - Title 2 – Mutual assistance regarding investigative powers - - - Title 3 – 24/7 Network - Chapter IV – Final provisions Recommendation No. R (95) 13 - Appendix to Recommendation No. R (95) 13 - - I. Search and seizure - - II. Technical surveillance - - III. Obligations to co-operate with the investigating authorities - - IV. Electronic evidence - - V. Use of encryption - - VI. Research, statistics and training - - VII. International co-operation Rules for obtaining digital evidence by police officers Standards in the field of digital forensics Principles in digital evidence Procedures model for the forensic examination - Hard disk examination Code of Ethics Sources and references About - Nicolae Sfetcu - - By the same author - - Contact Publishing House - MultiMedia Publishin

Calm before the storm: the challenges of cloud computing in digital forensics

Cloud computing is a rapidly evolving information technology (IT) phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host their software applications, organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties. This development has significant implications for digital forensic investigators, equipment vendors, law enforcement, as well as corporate compliance and audit departments (among others). Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several new research challenges addressing this changing context are also identified and discussed

A user-oriented network forensic analyser: the design of a high-level protocol analyser

Network forensics is becoming an increasingly important tool in the investigation of cyber and computer-assisted crimes. Unfortunately, whilst much effort has been undertaken in developing computer forensic file system analysers (e.g. Encase and FTK), such focus has not been given to Network Forensic Analysis Tools (NFATs). The single biggest barrier to effective NFATs is the handling of large volumes of low-level traffic and being able to exact and interpret forensic artefacts and their context – for example, being able extract and render application-level objects (such as emails, web pages and documents) from the low-level TCP/IP traffic but also understand how these applications/artefacts are being used. Whilst some studies and tools are beginning to achieve object extraction, results to date are limited to basic objects. No research has focused upon analysing network traffic to understand the nature of its use – not simply looking at the fact a person requested a webpage, but how long they spend on the application and what interactions did they have with whilst using the service (e.g. posting an image, or engaging in an instant message chat). This additional layer of information can provide an investigator with a far more rich and complete understanding of a suspect’s activities. To this end, this paper presents an investigation into the ability to derive high-level application usage characteristics from low-level network traffic meta-data. The paper presents a three application scenarios – web surfing, communications and social networking and demonstrates it is possible to derive the user interactions (e.g. page loading, chatting and file sharing ) within these systems. The paper continues to present a framework that builds upon this capability to provide a robust, flexible and user-friendly NFAT that provides access to a greater range of forensic information in a far easier format

Recovering Residual Forensic Data from Smartphone Interactions with Cloud Storage Providers

There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones

The Need to Support of Data Flow Graph Visualization of Forensic Lucid Programs, Forensic Evidence, and their Evaluation by GIPSY

Lucid programs are data-flow programs and can be visually represented as data flow graphs (DFGs) and composed visually. Forensic Lucid, a Lucid dialect, is a language to specify and reason about cyberforensic cases. It includes the encoding of the evidence (representing the context of evaluation) and the crime scene modeling in order to validate claims against the model and perform event reconstruction, potentially within large swaths of digital evidence. To aid investigators to model the scene and evaluate it, instead of typing a Forensic Lucid program, we propose to expand the design and implementation of the Lucid DFG programming onto Forensic Lucid case modeling and specification to enhance the usability of the language and the system and its behavior. We briefly discuss the related work on visual programming an DFG modeling in an attempt to define and select one approach or a composition of approaches for Forensic Lucid based on various criteria such as previous implementation, wide use, formal backing in terms of semantics and translation. In the end, we solicit the readers' constructive, opinions, feedback, comments, and recommendations within the context of this short discussion.Comment: 11 pages, 7 figures, index; extended abstract presented at VizSec'10 at http://www.vizsec2010.org/posters ; short paper accepted at PST'1

Using smartphones as a proxy for forensic evidence contained in cloud storage services

Cloud storage services such as Dropbox, Box and SugarSync have been embraced by both individuals and organizations. This creates an environment that is potentially conducive to security breaches and malicious activities. The investigation of these cloud environments presents new challenges for the digital forensics community. It is anticipated that smartphone devices will retain data from these storage services. Hence, this research presents a preliminary investigation into the residual artifacts created on an iOS and Android device that has accessed a cloud storage service. The contribution of this paper is twofold. First, it provides an initial assessment on the extent to which cloud storage data is stored on these client-side devices. This view acts as a proxy for data stored in the cloud. Secondly, it provides documentation on the artifacts that could be useful in a digital forensics investigation of cloud services

API-Based Acquisition of Evidence from Cloud Storage Providers

Cloud computing and cloud storage services, in particular, pose a new challenge to digital forensic investigations. Currently, evidence acquisition for such services still follows the traditional approach of collecting artifacts on a client device. In this work, we show that such an approach not only requires upfront substantial investment in reverse engineering each service, but is also inherently incomplete as it misses prior versions of the artifacts, as well as cloud-only artifacts that do not have standard serialized representations on the client. In this work, we introduce the concept of API-based evidence acquisition for cloud services, which addresses these concerns by utilizing the officially supported API of the service. To demonstrate the utility of this approach, we present a proof-of-concept acquisition tool, kumodd, which can acquire evidence from four major cloud storage providers: Google Drive, Microsoft One, Dropbox, and Box. The implementation provides both command-line and web user interfaces, and can be readily incorporated into established forensic processes