
    Providing cryptographic security and evidentiary chain-of-custody with the advanced forensic format, library, and tools

    This paper presents improvements in the Advanced Forensics Format Library version 3 that provide for digital signatures and other cryptographic protections for digital evidence, allowing an investigator to establish a reliable chain of custody for electronic evidence from the crime scene to the courtroom. No other system for handling and storing electronic evidence currently provides such capabilities. This paper discusses implementation details, user-level commands, and the AFFLIB programmer's API. Approved for public release; distribution is unlimited.

    Software for efficient file elimination in computer forensics investigations

    Computer forensics investigators, much more than those in any other forensic discipline, must process an ever-continuing increase in data. Fortunately, computer processing speed has kept pace, and new processes are continuously being automated to sort through the voluminous amount of data. There exists an unfulfilled need for a simple, streamlined, standalone public tool for automating the computer forensics analysis process for files on a hard disk drive under investigation. A software tool has been developed to dramatically reduce the number of files that an investigator must individually examine. This tool utilizes the National Institute of Standards and Technology (NIST) National Software Reference Library (NSRL) database to automatically identify files by comparing hash values of files on the hard drive under investigation against known good files (e.g., unaltered application files) and known bad files (e.g., exploits). The tool then provides a much smaller list of unknown files to be closely examined.

    Authentication of electronic evidence in cybercrime cases based on Malaysian laws

    Electronic evidence is one of the many forms of documentary evidence. It is stored in and retrievable from electronic devices such as computers and smartphones, particularly in their hard disks or memory banks. However, due to its fragile nature, electronic evidence is prone or susceptible to damage or alteration, as well as destruction due to improper handling or safekeeping. Since it can easily be tampered with or self-deteriorate, establishing the authenticity and reliability of electronic evidence is a technical task. Such a state of affairs would cause the electronic evidence to be inadmissible or to carry low or no weightage whatsoever before the court, thus undermining the prosecution's or the plaintiff's case, as the case may be. In order to ensure such evidence is admissible and carries the expected weightage, relevant parties must first prove the authenticity of such evidence and subsequently its reliability and relevancy. Nevertheless, in cybercrime cases, proving the crime is actually a technical challenge, where the responsible personnel are required to understand what electronic evidence is, how to extract it and preserve its originality, and the laws governing electronic evidence as well as cybercrimes. This article attempts to explain the scope of electronic evidence in relation to criminal cases such as cybercrimes, as far as its admissibility and weightage are concerned. The discussion will be based on Malaysian and common laws.

    IPCFA: A Methodology for Acquiring Forensically-Sound Digital Evidence in the Realm of IAAS Public Cloud Deployments

    Cybercrimes and digital security breaches are on the rise: savvy businesses and organizations of all sizes must ready themselves for the worst. Cloud computing has become the new normal, opening even more doors for cybercriminals to commit crimes that are not easily traceable. The fast pace of technology adoption exceeds the speed at which the cybersecurity community and law enforcement agencies (LEAs) can invent countermeasures to investigate and prosecute such criminals. While presenting defensible digital evidence in courts of law is already complex, it gets more complicated if the crime is tied to public cloud computing, where storage, network, and computing resources are shared and dispersed over multiple geographical areas. Investigating such crimes involves collecting evidence data from the public cloud that is court-sound. Digital evidence court admissibility in the U.S. is governed predominantly by the Federal Rules of Evidence and the Federal Rules of Civil Procedure. Evidence authenticity can be challenged by the Daubert test, which evaluates the forensic process that took place to generate the presented evidence. Existing digital forensics models, methodologies, and processes have not adequately addressed crimes that take place in the public cloud. It was only in late 2020 that the Scientific Working Group on Digital Evidence (SWGDE) published a document that shed light on best practices for collecting evidence from cloud providers. Yet SWGDE's publication does not address the gap between the technology and the legal system when it comes to evidence admissibility. The document is high level, with more focus on law enforcement processes such as issuing subpoenas and preservation orders to the cloud provider. This research proposes IaaS Public Cloud Forensic Acquisition (IPCFA), a methodology to acquire forensically sound evidence from public cloud IaaS deployments. IPCFA focuses on bridging the gap between the legal and technical sides of evidence authenticity to help produce admissible evidence that can withstand scrutiny in U.S. courts. Grounded in design science research (DSR), the research is rigorously evaluated using two hypothetical scenarios for crimes that take place in the public cloud. The first scenario takes place in AWS and is hypothetically walked through. The second scenario is a demonstration of IPCFA's applicability and effectiveness on Azure Cloud. Both cases are evaluated using a rubric built from the federal and civil digital evidence requirements and the international best practices for digital evidence to show the effectiveness of IPCFA in generating cloud evidence sound enough to be considered admissible in court.

    Digital evidence bags

    This thesis analyses the traditional approach and methodology used to conduct digital forensic information capture, analysis and investigation. The predominant toolsets and utilities that are used and the features that they provide are reviewed. This is used to highlight the difficulties that are encountered due to both technological advances and the methodologies employed. It is suggested that these difficulties are compounded by the archaic methods and proprietary formats that are used. An alternative framework for the capture and storage of information used in digital forensics is defined, named the 'Digital Evidence Bag' (DEB). A DEB is a universal extensible container for the storage of digital information acquired from any digital source, the format of which can be manipulated to meet the requirements of the particular information that is to be stored. The format definition is extensible, thereby allowing it to encompass new sources of data, cryptographic and compression algorithms and protocols as they are developed, whilst also providing the flexibility for some degree of backwards compatibility as the format develops. The DEB framework utilises terminology to define its various components that is analogous to the evidence bags, tags and seals used for traditional physical evidence storage and continuity. This is crucial for ensuring that the functionality provided by each component is comprehensible to the general public, judiciary and law enforcement personnel without detracting from or obscuring the evidential information contained within. Furthermore, information can be acquired from a dynamic or more traditional static environment and from a disparate range of digital devices. The flexibility of the DEB framework permits selective and/or intelligent acquisition methods to be employed, together with enhanced provenance and continuity audit trails to be recorded. Evidential integrity is assured using accepted cryptographic techniques and algorithms. The DEB framework is implemented in a number of tool demonstrators and applied to a number of typical scenarios that illustrate the flexibility of the DEB framework and format. The DEB framework has also formed the basis of a patent application.

    The Chain of Custody in the Era of Modern Forensics: From the Classic Procedures for Gathering Evidence to the New Challenges Related to Digital Data

    The purpose of this work is to renew interest in and attention to the chain of custody in forensic medicine, its establishment and maintenance, and the protection of the integrity and validity of evidence, as well as to analyze how, over time, the establishment of the chain of custody and the collection of evidence have evolved in step with the advent of technology and the use of electronic devices connected to the network. The analysis of the various aspects of the chain of custody demonstrates how necessary it is for the professional figures involved in the phases of the investigation (especially those who manage the evidence and who have, therefore, been designated the assignment) to know the procedures to follow and to trace the movement and handling of objects subjected to seizure, also for the purposes of toxicological and/or histological investigations. Knowledge of interferences or complications helps to reduce errors and safeguard the validity of the evidence, assuring the proceeding judicial authority that the evidence is authentic and that it is, in other words, the same evidence seized at the scene of the crime. Furthermore, the issue is particularly felt today, with the recent need to guarantee the originality of digital data. Following a careful review and analysis of the literature currently available in this regard, it is worth adding that further efforts are needed to formulate internationally validated guidelines, harmonizing the different reference criteria in forensic science and medical areas, given the current absence of good international practices valid in the field and applicable both in the case of physical evidence and in the case of seizure of digital evidence.

    Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations

    Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who performed them, and how they were performed. In order for an investigation to be effective, it must exhibit several characteristics. The results produced must be reliable, or else the theory of events based on the results will be flawed. The investigation must be comprehensive, meaning that it must analyze all targets which may contain evidence of forensic interest. Since any investigation must be performed within the constraints of available time, storage, manpower, and computation, investigative techniques must be efficient. Finally, an investigation must provide a coherent view of the events under question using the evidence gathered. Unfortunately, the set of currently available tools and techniques used in digital forensic investigations does a poor job of supporting these characteristics. Many of the tools in use contain bugs which generate inaccurate results; there are many types of devices and data for which no analysis techniques exist; most existing tools are woefully inefficient, failing to take advantage of modern hardware; and the task of aggregating data into a coherent picture of events is largely left to the investigator to perform manually. To remedy this situation, we developed a set of techniques to facilitate more effective investigations. To improve reliability, we developed the Forensic Discovery Auditing Module, a mechanism for auditing and enforcing controls on accesses to evidence. To improve comprehensiveness, we developed ramparser, a tool for deep parsing of Linux RAM images, which provides previously inaccessible data on the live state of a machine. To improve efficiency, we developed a set of performance optimizations and applied them to the Scalpel file carver, creating order-of-magnitude improvements in processing speed and storage requirements. Last, to facilitate more coherent investigations, we developed the Forensic Automated Coherence Engine, which generates a high-level view of a system from the data generated by low-level forensics tools. Together, these techniques significantly improve the effectiveness of digital forensic investigations conducted using them.

    Using Visual Capabilities to Improve Efficiency in Computer Forensic Analysis

    Computer forensics is the preservation, analysis, and interpretation of computer data. Computer forensics is dependent on the availability of software tools and applications. Such tools are critical components in law enforcement investigations. Due to the diversity of cyber crime and cyber-assisted crime, advanced software tools are essential apparatus for typical law enforcement investigators, national security analysts, corporate emergency response teams, civil lawyers, risk management personnel, etc. Typical tools available to investigators are text-based, which is sorely inadequate given the volume of data needing analysis in today's environment. Many modern tools essentially provide simple GUIs to simplify access to typical text-based commands, but the capabilities are essentially the same. For simplicity we continue to refer to these as text-based and command-based, in contrast to the visualization tools and associated direct manipulation interfaces we are attempting to develop. The reading of such large volumes of textual information is extremely time-consuming in contrast with the interpretation of images, through which the user can interpret large amounts of information simultaneously. Forensic analysts have a growing need for new capabilities to aid in locating files holding evidence of criminal activity. Such capabilities must improve both the efficiency of the analysis process and the identification of additional hidden files. This paper discusses visualization research that more perceptually and intuitively represents file characteristics. Additionally, we integrate interaction capabilities for more complete exploration, significantly improving analysis efficiency. Finally, we discuss the results of an applied user study designed specifically to measure the efficacy of the developed visualization capabilities in the analysis of computer forensic related data.

    Validation of forensic images for assurance of digital evidence integrity

    The reliability of digital evidence is an important consideration in legal cases requiring sound validation. To ensure its reliability, digital evidence requires the adoption of reliable processes for the acquisition, preservation, and analysis of digital data. To undertake these tasks, the courts expect digital forensic practitioners to possess specialised skills and experience, and to use sound forensic tools and processes. The courts require that the reliability of digital evidence can be verified with supporting documentation, notably acquisition process logs and a chain of custody register, confirming that the process of recovering and protecting the evidence was based on sound scientific principles. In typical cases the digital evidence has been 'preserved' in a special file or 'container' that has been declared to be secure on the basis that it is not possible to tamper with the contents of the container or the information supporting the contents (metadata) without this act being discovered. However, through the use of a freely available open source library, libewf, it has been discovered that the most commonly used forensic container format, the EnCase Evidence File Format, also known by its file extension .E01, can be manipulated to circumvent validation by forensic tools. This digital forensic container contains an embedded forensic image of the acquired device and metadata fields containing information about the data that was acquired, the circumstances of the acquisition, and details about the device from which the forensic image was acquired. It has been found that both the forensic image and the metadata associated with that image can be freely altered using simple file editors and open source software. Exploiting these weaknesses within the EnCase Evidence File format results in a forensic container that can be altered but fails to provide any evidence that this has occurred. In practice the original device is often unavailable, damaged, or otherwise unable to provide independent validation of the data held in the container. In such situations, it would be difficult, if not impossible, to determine which of two forensic containers held the original record of the evidence. As part of a proof of concept, existing libewf code was manipulated to allow legitimate metadata to be attached to a compromised and altered forensic image with recalculated hashes and data integrity checksums. Without incontrovertible records of the original data's hash value, this manipulation might only be detected by an independent third party holding a copy of the original forensic container's metadata and hashes for comparison. While hashes and metadata held by an interested party could also potentially be altered or declared unreliable, an uninterested party would be able to provide a more reliable set of hashes that could be used to validate the unaltered container. In order to add to the body of knowledge supporting digital forensics as a scientific discipline, this research has brought into question a fundamental assumption about the reliability of a fundamental method currently used to collect and validate digital evidence. Further research is required to determine whether processes can be designed to enhance the detection of contaminated images.

    Study of Peer-to-Peer Network Based Cybercrime Investigation: Application on Botnet Technologies

    The scalable, low-overhead attributes of Peer-to-Peer (P2P) Internet protocols and networks lend themselves well to being exploited by criminals to execute a large range of cybercrimes. The types of crimes aided by P2P technology include copyright infringement, sharing of illicit images of children, fraud, hacking/cracking, denial of service attacks and virus/malware propagation through the use of a variety of worms, botnets, malware, viruses and P2P file sharing. This project is focused on the study of active P2P nodes along with the analysis of the undocumented communication methods employed in many of these large unstructured networks. This is achieved through the design and implementation of an efficient P2P monitoring and crawling toolset. The requirement for investigating P2P based systems is not limited to the more obvious cybercrimes listed above, as many legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g., voice over IP, instant messaging, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. In this work we introduce the Universal P2P Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in P2P network functionality. In combination with a reference database of known network characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework, which can intelligently determine the best investigation methodology and greatly expedite the evidence gathering process. A proof of concept tool was developed for conducting investigations on the BitTorrent network. Comment: This is a thesis submitted in fulfilment of a PhD in Digital Forensics and Cybercrime Investigation in the School of Computer Science, University College Dublin in October 201