74 research outputs found

    Forensic investigation of cooperative storage cloud service: Symform as a case study

    Researchers envisioned Storage as a Service (StaaS) as an effective solution to the distributed management of digital data. Cooperative storage cloud forensic is relatively new and is an under-explored area of research. Using Symform as a case study, we seek to determine the data remnants from the use of cooperative cloud storage services. In particular, we consider both mobile devices and personal computers running various popular operating systems, namely Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4. Potential artefacts recovered during the research include data relating to the installation and uninstallation of the cloud applications, log-in to and log-out from Symform account using the client application, file synchronization as well as their time stamp information. This research contributes to an in-depth understanding of the types of terrestrial artifacts that are likely to remain after the use of cooperative storage cloud on client devices

    Forensic investigation of P2P cloud storage services and backbone for IoT networks : BitTorrent Sync as a case study

    Cloud computing has been regarded as the technology enabler for the Internet of Things (IoT). To ensure the most effective collection of IoT-based evidence, it is vital for forensic practitioners to possess a contemporary understanding of the artefacts from different cloud services. In this paper, we seek to determine the data remnants from the use of BitTorrent Sync version 2.0. Findings from our research using mobile and computer devices running Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4 suggested that artefacts relating to the installation, uninstallation, log-in, log-off, and file synchronisation could be recovered, which are potential sources of IoT forensics. We also present a forensically sound investigation methodology for BitTorrent Sync

    Digital Evidence Regulation - an assessment of underlying issues in England and Wales

    In the field of Digital Forensics, in England and Wales, the author has published a study of technical requirements found in Standard Operating Procedures and validation methods, evaluated potential mechanisms for producing evidence of verification as a means of reducing the validation and re-validation effort required, and examined the use of language in various documents produced, and referenced, by the Forensic Science Regulator. From this work, he argues that the current situation re validation may be giving a false sense of assurance that technical requirements are being satisfied, that it should be possible for evidence of verification to be made available to solve this problem, without requiring full disclosure of commercially sensitive or secret methods, and that the situation may have arisen through poor use of language in the Regulator’s guides. He also suggests that the FSR’s guides may have allowed, or caused, Digital Forensic Laboratories to ignore or misunderstand the importance of technical requirements in Standard Operating Procedure design and validation. Finally, having observed the lack of interest in the FSR’s work and in method validation in court proceedings, he considers, from a lay perspective, the legal position relating to admissibility of computer-derived and computer-generated evidence. From this, he argues that the legal precedents are not entirely valid in the context of modern systems, and proposes a new classification of digital forensic systems which takes account of the increasingly automated analysis present in these tools

    Measuring trustworthiness of image data in the internet of things environment

    Internet of Things (IoT) image sensors generate huge volumes of digital images every day. However, easy availability and usability of photo editing tools, the vulnerability in communication channels and malicious software have made forgery attacks on image sensor data effortless and thus expose IoT systems to cyberattacks. In IoT applications such as smart cities and surveillance systems, the smooth operation depends on sensors’ sharing data with other sensors of identical or different types. Therefore, a sensor must be able to rely on the data it receives from other sensors; in other words, data must be trustworthy. Sensors deployed in IoT applications are usually limited to low processing and battery power, which prohibits the use of complex cryptography and security mechanism and the adoption of universal security standards by IoT device manufacturers. Hence, estimating the trust of the image sensor data is a defensive solution as these data are used for critical decision-making processes. To our knowledge, only one published work has estimated the trustworthiness of digital images applied to forensic applications. However, that study’s method depends on machine learning prediction scores returned by existing forensic models, which limits its usage where underlying forensics models require different approaches (e.g., machine learning predictions, statistical methods, digital signature, perceptual image hash). Multi-type sensor data correlation and context awareness can improve the trust measurement, which is absent in that study’s model. To address these issues, novel techniques are introduced to accurately estimate the trustworthiness of IoT image sensor data with the aid of complementary non-imagery (numeric) data-generating sensors monitoring the same environment. The trust estimation models run in edge devices, relieving sensors from computationally intensive tasks. 
First, to detect local image forgery (splicing and copy-move attacks), an innovative image forgery detection method is proposed based on Discrete Cosine Transformation (DCT), Local Binary Pattern (LBP) and a new feature extraction method using the mean operator. Using Support Vector Machine (SVM), the proposed method is extensively tested on four well-known publicly available greyscale and colour image forgery datasets and on an IoT-based image forgery dataset that we built. Experimental results reveal the superiority of our proposed method over recent state-of-the-art methods in terms of widely used performance metrics and computational time and demonstrate robustness against low availability of forged training samples. Second, a robust trust estimation framework for IoT image data is proposed, leveraging numeric data-generating sensors deployed in the same area of interest (AoI) in an indoor environment. As low-cost sensors allow many IoT applications to use multiple types of sensors to observe the same AoI, the complementary numeric data of one sensor can be exploited to measure the trust value of another image sensor’s data. A theoretical model is developed using Shannon’s entropy to derive the uncertainty associated with an observed event and Dempster-Shafer theory (DST) for decision fusion. The proposed model’s efficacy in estimating the trust score of image sensor data is analysed by observing a fire event using IoT image and temperature sensor data in an indoor residential setup under different scenarios. The proposed model produces highly accurate trust scores in all scenarios with authentic and forged image data. Finally, as the outdoor environment varies dynamically due to different natural factors (e.g., lighting condition variations in day and night, presence of different objects, smoke, fog, rain, shadow in the scene), a novel trust framework is proposed that is suitable for the outdoor environments with these contextual variations. 
A transfer learning approach is adopted to derive the decision about an observation from image sensor data, while also a statistical approach is used to derive the decision about the same observation from numeric data generated from other sensors deployed in the same AoI. These decisions are then fused using CertainLogic and compared with DST-based fusion. A testbed was set up using Raspberry Pi microprocessor, image sensor, temperature sensor, edge device, LoRa nodes, LoRaWAN gateway and servers to evaluate the proposed techniques. The results show that CertainLogic is more suitable for measuring the trustworthiness of image sensor data in an outdoor environment. Doctor of Philosoph

    Smurf : A reliable method for contextualising social media artefacts

    © Cranfield University 2020. All rights reserved. No part of this publication may be reproduced without the written permission of the copyright owner. This research aims to evaluate whether artefacts other than the content of user communication on social media can be used to attribute actions or relationships to a user. Social Media has enhanced the way users communicate on the Internet; providing the means for users to share content in real-time, and to establish connections and social relationships with like-minded individuals. However, as with all technology, social media can be leveraged for disagreeable and/or unlawful activities such as cyber bullying, trolling, grooming, or luring. There are reported cases where evidence from social media was used to secure convictions; for example, the tragic cases of Ashleigh Hall in 2009 and Kayleigh Haywood in 2015. The social media evidence e.g. the messages sent to the victim to arrange a meet up was used to link the suspect to the victim, and attribute actions to the suspect; in addition to other physical evidence presented as part of the case. Investigations with elements of social media are growing within digital forensics. This reinforces the need for a technique that can be used to make inferences about user actions and relationships, especially during a live triage investigation where the information needs to be obtained as quickly as possible. This research evaluates the use of live triage in the investigation of social media interactions, in order to determine the reliability of such a technique as a means of contextualising user activity, and attributing relationships or actions to a user. This research also evaluates the reliability of artefacts other than the actual content exchanged on social media; in the event that the content of communication is not immediately accessible/available to the investigator.
To achieve this, it was important to break down the events that occur before, during and after user activity on social media; followed by the determination of what constitutes communication content in the context of this research. This research makes the following contributions: establishes a method for the categorisation of social media artefacts based on perceived user activity; communication content was characterised, thus highlighting evidential data of interest from user social media activity; the criteria for assessing the reliability of social media artefacts in a live triage investigation were proposed; a novel framework for social media investigation was developed with a Proof of Concept (PoC) to test its viability. The PoC demonstrates that it is possible to attribute actions or relationships to a user, using artefacts other than the actual content exchanged on social media. Ph

    Handbook of Digital Face Manipulation and Detection

    This open access book provides the first comprehensive collection of studies dealing with the hot topic of digital face manipulation such as DeepFakes, Face Morphing, or Reenactment. It combines the research fields of biometrics and media forensics including contributions from academia and industry. Appealing to a broad readership, introductory chapters provide a comprehensive overview of the topic, which address readers wishing to gain a brief overview of the state-of-the-art. Subsequent chapters, which delve deeper into various research challenges, are oriented towards advanced readers. Moreover, the book provides a good starting point for young researchers as well as a reference guide pointing at further literature. Hence, the primary readership is academic institutions and industry currently involved in digital face manipulation and detection. The book could easily be used as a recommended text for courses in image processing, machine learning, media forensics, biometrics, and the general security area