A Novel Android Memory Forensics for Discovering Remnant Data

As recently updated on the vulnerability statistics shown in 2019, Android-driven smartphones, tablet PCs, and other Android devices are vulnerable, whether from internal or external threats. Most users store sensitive data like emails, photos, cloud storage access, and contact lists on Android smartphones. This information holds a growing-importance for the digital investigation process of mobile devices, e.g., internal memory or random-access memory (RAM) forensics, or external memory or read-only memory (ROM) forensics on Android smartphones. Internal memory retrieval is considered flawed and difficult by some researchers as it alters the digital evidence in an intrusive way. On the other hand, external memory retrieval also called logical acquisition that implies the image of logical storage items (e.g., files, database, directories, etc.) that locate on logical storage. This research provides a novel methodology that focuses only on internal memory forensic in a forensically sound manner. This research also contributes two algorithms, e.g., collect raw information (CRI) for parsing the raw data, and investigate raw information (IRI) for extracting the digital evidence to be more readable. This research conducted with fourteenth events to be analyzed, and each event was captured by SHA-1 as digital evidence. By using GDrive as the case study, the authors concluded that the proposed methodology could be used as guidance by forensics analyst(s), cyberlaw practitioner(s), and expert witness(es) in the court

Evidencia digital orientada a unidades de estado sólido (SSD): una revisión

Nowadays, the massive electronic usage and it's dependance. (Phones, tablets, computers, laptops, among others) it has taken to people in some way the necessity to stay connected permanently on this technology tools; in sinister terms make them really useful such as evidentiary da data. In the academy literature absence, this article checks main topics clarifying from computer forensics concepts to digital evidence, recollections and digital evidence in Argentina, Chile, Colombia and Mexico. During the last decade we use IEEE data base information and organization such as International Telecommunications Union (UIT), the attorney general's office, the Ministry of information and communications (MINTIC) and specializing web sites. Making an interpretative with Cybersecurity resources and their main focus on SSD and the physical information recovery and logically in this type of controlling materials.El uso masivo de dispositivos electrónicos (celulares, tabletas, computadoras, laptops, entre otros) y su dependencia, han llevado a las personas a crear una necesidad de estar conectados permanentemente con estas herramientas tecnológicas; situación que en el caso de siniestros las hace útiles como material probatorio. Ante la ausencia de literatura académica, este artículo realiza una revisión sobre informática forense, recolección y manejo de evidencia digital en: Argentina, Chile Colombia y México, durante la última década. Para el efecto se usan fuentes emanadas de las bases: IEEE, y organizaciones como la Unión Internacional de telecomunicaciones (UIT), la Fiscalía General de la Nación, el Ministerio de Tecnologías de la Información y Comunicaciones (MINTIC), y páginas web especializadas. Se realiza un estudio interpretativo de las fuentes relacionadas con ciberseguridad y su orientación hacia las UES y la recuperación de información física y lógica en este tipo de elementos de control.&nbsp

Forensic smartphone analysis using adhesives:Transplantation of Package on Package components

International audienceInvestigators routinely recover data from mobile devices. In many cases the target device is severely damaged. Events such as airplane crashes, accidents, terrorism or long submersion may bend or crack the device's main board and hence prevent using standard forensic tools. This paper shows how to salvage forensic information when NAND memory, SoC or cryptographic chips are still intact. We do not make any assumptions on the state of the other components. In usual forensic investigations, damaged phone components are analysed using a process called “forensic transplantation”. This procedure consists of unsoldering (or lapping) chips, re-soldering them on a functionnal donor board and rebooting.Package on Package (PoP) component packaging is a new technique allowing manufacturers to stack two silicon chips, e.g. memory, CPU or cryptographic processors. Currently, PoP is widely used by most device manufacturers and in particular by leading brands such as Apple, BlackBerry, Samsung, HTC and Huawei. Unfortunately, forensic transplantation destroys PoP components.This work overcomes this difficulty by introducing a new chip-off analysis method based on High Temperature Thixotropic Thermal Conductive Adhesive (HTTTCA) for gluing the PoP packages to prevent misalignment during the transplantation process. The HTTTCA process allows the investigator to safely unsolder PoP components, which is a crucial step for transplantation. To demonstrate feasibility, we describe in detail an experimental forensic transplantation of a secure mobile phone PoP CPU

Investigations into Decrypting Live Secure Traffic in Virtual Environments

Malicious agents increasingly use encrypted tunnels to communicate with external servers. Communications may contain ransomware keys, stolen banking details, or other confidential information. Rapid discovery of communicated contents through decrypting tunnelled traffic can support effective means of dealing with these malicious activities.Decrypting communications requires knowledge of cryptographic algorithms and artefacts, such as encryption keys and initialisation vectors. Such artefacts may exist in volatile memory when software applications encrypt. Virtualisation technologies can enable the acquisition of virtual machine memory to support the discovery of these cryptographic artefacts.A framework is constructed to investigate the decryption of potentially malicious communications using novel approaches to identify candidate initialisation vectors, and use these to discover candidate keys. The framework focuses on communications that use the Secure Shell and Transport Layer Security protocols in virtualised environments for different operating systems, protocols, encryption algorithms, and software implementations. The framework minimises virtual machine impact, and functions at an elevated level to make detection by virtual machine software difficult.The framework analyses Windows and Linux memory and validates decrypts for both protocols when the Advanced Encryption Standard symmetric block or ChaCha20 symmetric stream algorithms are used for encryption. It also investigates communications originating from malware clients, such as bot and ransomware, that use Windows cryptographic libraries.The framework correctly decrypted tunnelled traffic with near certainty in almost all experiments. The analysis durations ranged from sub-second to less than a minute, demonstrating that decryption of malicious activity before network session completion is possible. This can enable in-line detection of unknown malicious agents, timely discovery of ransomware keys, and knowledge of exfiltrated confidential information

The twofold role of Cloud Computing in Digital Forensics: target of investigations and helping hand to evidence analysis

This PhD thesis discusses the impact of Cloud Computing infrastructures on Digital Forensics in the twofold role of target of investigations and as a helping hand to investigators. The Cloud offers a cheap and almost limitless computing power and storage space for data which can be leveraged to commit either new or old crimes and host related traces. Conversely, the Cloud can help forensic examiners to find clues better and earlier than traditional analysis applications, thanks to its dramatically improved evidence processing capabilities. In both cases, a new arsenal of software tools needs to be made available. The development of this novel weaponry and its technical and legal implications from the point of view of repeatability of technical assessments is discussed throughout the following pages and constitutes the unprecedented contribution of this wor

QRsens:dual-purpose quick response code with built-in colorimetric sensors

QRsens represents a family of Quick Response (QR) sensing codes for in-situ air analysis with a customized smartphone application to simultaneously read the QR code and the colorimetric sensors. Five colorimetric sensors (temperature, relative humidity (RH), and three gas sensors (CO₂, NH₃ and H₂S)) were designed with the aim of proposing two end-use applications for ambient analysis, i.e., enclosed spaces monitoring, and smart packaging. Both QR code and colorimetric sensing inks were deposited by standard screen printing on white paper. To ensure minimal ambient light dependence of QRsens during the real-time analysis, the smartphone application was programmed for an effective colour correction procedure based on black and white references for three standard illumination temperatures (3000, 4000 and 5000 K). Depending on the type of sensor being analysed, this integration achieved a reduction of ∼71 – 87% of QRsens's dependence on the light temperature. After the illumination colour correction, colorimetric gas sensors exhibited a detection range of 0.7–4.1%, 0.7–7.5 ppm, and 0.13–0.7 ppm for CO2, NH3 and H2S, respectively. In summary, the study presents an affordable built-in multi-sensing platform in the form of QRsens for in-situ monitoring with potential in different types of ambient air analysis applications

QRsens: Dual-purpose quick response code with built-in colorimetric sensors

Supplementary data associated with this article can be found in the online version at doi:10.1016/j.snb.2022.133001.QRsens represents a family of Quick Response (QR) sensing codes for in-situ air analysis with a customized smartphone application to simultaneously read the QR code and the colorimetric sensors. Five colorimetric sensors (temperature, relative humidity (RH), and three gas sensors (CO2, NH3 and H2S)) were designed with the aim of proposing two end-use applications for ambient analysis, i.e., enclosed spaces monitoring, and smart packaging. Both QR code and colorimetric sensing inks were deposited by standard screen printing on white paper. To ensure minimal ambient light dependence of QRsens during the real-time analysis, the smartphone application was programmed for an effective colour correction procedure based on black and white references for three standard illumination temperatures (3000, 4000 and 5000 K). Depending on the type of sensor being analysed, this integration achieved a reduction of ~71 – 87% of QRsens’s dependence on the light temperature. After the illumination colour correction, colorimetric gas sensors exhibited a detection range of 0.7–4.1%, 0.7–7.5 ppm, and 0.13–0.7 ppm for CO2, NH3 and H2S, respectively. In summary, the study presents an affordable built-in multi-sensing platform in the form of QRsens for in-situ monitoring with potential in different types of ambient air analysis applications.Spanish MCIN/AEI/10.13039/ 501100011033/ (Projects PID2019–103938RB-I00, ECQ2018–004937- P and grant IJC2020–043307-I)Junta de Andalucía (Projects B- FQM-243-UGR18, P18-RT-2961)European Regional Development Funds (ERDF)European Union NextGenerationEU/PRT

Forensic attribution challenges during forensic examinations of databases

An aspect of database forensics that has not yet received much attention in the academic research community is the attribution of actions performed in a database. When forensic attribution is performed for actions executed in computer systems, it is necessary to avoid incorrectly attributing actions to processes or actors. This is because the outcome of forensic attribution may be used to determine civil or criminal liability. Therefore, correctness is extremely important when attributing actions in computer systems, also when performing forensic attribution in databases. Any circumstances that can compromise the correctness of the attribution results need to be identified and addressed. This dissertation explores possible challenges when performing forensic attribution in databases. What can prevent the correct attribution of actions performed in a database? Thirst identified challenge is the database trigger, which has not yet been studied in the context of forensic examinations. Therefore, the dissertation investigates the impact of database triggers on forensic examinations by examining two sub questions. Firstly, could triggers due to their nature, combined with the way databases are forensically acquired and analysed, lead to the contamination of the data that is being analysed? Secondly, can the current attribution process correctly identify which party is responsible for which changes in a database where triggers are used to create and maintain data? The second identified challenge is the lack of access and audit information in NoSQL databases. The dissertation thus investigates how the availability of access control and logging features in databases impacts forensic attribution. The database triggers, as dened in the SQL standard, are studied together with a number of database trigger implementations. This is done in order to establish, which aspects of a database trigger may have an impact on digital forensic acquisition, analysis and interpretation. Forensic examinations of relational and NoSQL databases are evaluated to determine what challenges the presence of database triggers pose. A number of NoSQL databases are then studied to determine the availability of access control and logging features. This is done because these features leave valuable traces for the forensic attribution process. An algorithm is devised, which provides a simple test to determine if database triggers played any part in the generation or manipulation of data in a specific database object. If the test result is positive, the actions performed by the implicated triggers will have to be considered in a forensic examination. This dissertation identified a group of database triggers, classified as non-data triggers, which have the potential to contaminate the data in popular relational databases by inconspicuous operations, such as connection or shutdown. It also established that database triggers can influence the normal ow of data operations. This means what the original operation intended to do, and what actually happened, are not necessarily the same. Therefore, the attribution of these operations becomes problematic and incorrect deductions can be made. Accordingly, forensic processes need to be extended to include the handling and analysis of all database triggers. This enables safer acquisition and analysis of databases and more accurate attribution of actions performed in databases. This dissertation also established that popular NoSQL databases either lack sufficient access control and logging capabilities or do not enable them by default to support attribution to the same level as in relational databases.Dissertation (MSc)--University of Pretoria, 2018.Computer ScienceMScUnrestricte