752 research outputs found

    Digital Forensic Analysis through Document Clustering

    Digital forensics is the process of uncovering and interpreting electronic data for use in a court of law. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events. Digital forensics deals with the analysis of artifacts on all types of digital devices. The role of digital forensics is to facilitate the investigation of criminal activities that involve digital devices, to preserve, gather, analyze and provide scientific and technical evidence, and to prepare the documentation for law enforcement authorities. Clustering methods can be used to automatically group the retrieved documents into a list of meaningful categories. Document clustering involves descriptors and descriptor extraction. Descriptors are sets of words that describe the contents within the cluster. Document clustering is generally considered to be a centralized process. An example of document clustering is web document clustering. Applications of document clustering can be categorized into two types: online and offline. Seized digital devices can provide precious information and evidence about facts

    Forensic attribution challenges during forensic examinations of databases

    An aspect of database forensics that has not yet received much attention in the academic research community is the attribution of actions performed in a database. When forensic attribution is performed for actions executed in computer systems, it is necessary to avoid incorrectly attributing actions to processes or actors. This is because the outcome of forensic attribution may be used to determine civil or criminal liability. Therefore, correctness is extremely important when attributing actions in computer systems, also when performing forensic attribution in databases. Any circumstances that can compromise the correctness of the attribution results need to be identified and addressed. This dissertation explores possible challenges when performing forensic attribution in databases. What can prevent the correct attribution of actions performed in a database? The first identified challenge is the database trigger, which has not yet been studied in the context of forensic examinations. Therefore, the dissertation investigates the impact of database triggers on forensic examinations by examining two sub-questions. Firstly, could triggers, due to their nature, combined with the way databases are forensically acquired and analysed, lead to the contamination of the data that is being analysed? Secondly, can the current attribution process correctly identify which party is responsible for which changes in a database where triggers are used to create and maintain data? The second identified challenge is the lack of access and audit information in NoSQL databases. The dissertation thus investigates how the availability of access control and logging features in databases impacts forensic attribution. The database triggers, as defined in the SQL standard, are studied together with a number of database trigger implementations. This is done in order to establish which aspects of a database trigger may have an impact on digital forensic acquisition, analysis and interpretation. 
Forensic examinations of relational and NoSQL databases are evaluated to determine what challenges the presence of database triggers poses. A number of NoSQL databases are then studied to determine the availability of access control and logging features. This is done because these features leave valuable traces for the forensic attribution process. An algorithm is devised, which provides a simple test to determine if database triggers played any part in the generation or manipulation of data in a specific database object. If the test result is positive, the actions performed by the implicated triggers will have to be considered in a forensic examination. This dissertation identified a group of database triggers, classified as non-data triggers, which have the potential to contaminate the data in popular relational databases by inconspicuous operations, such as connection or shutdown. It also established that database triggers can influence the normal flow of data operations. This means what the original operation intended to do, and what actually happened, are not necessarily the same. Therefore, the attribution of these operations becomes problematic and incorrect deductions can be made. Accordingly, forensic processes need to be extended to include the handling and analysis of all database triggers. This enables safer acquisition and analysis of databases and more accurate attribution of actions performed in databases. This dissertation also established that popular NoSQL databases either lack sufficient access control and logging capabilities or do not enable them by default to support attribution to the same level as in relational databases. Dissertation (MSc)--University of Pretoria, 2018. Computer Science MSc Unrestricte

    Architecture analysis of peer-to-peer network structure and data exchanges for distribution of contraband material.

    Because of the anonymity that P2P networks provide, they are an ideal medium for the exchange of contraband material such as child pornography. Unfortunately, not much research has been conducted on how to best monitor these types of networks for contraband searching and sharing activity. This thesis proposes techniques to advance the state of the art in peer-to-peer data exchange monitoring and detection of nodes that participate in distributing and sharing contraband material. Because of the legal considerations in working with a live P2P network and the technical difficulty in developing and testing a surveillance system for P2P networks, a simulator was developed that attempts to accurately simulate the behavior of users on P2P networks based upon empirical data collected from several researchers. With the help of the simulation platform that has been developed, a complete methodology for monitoring contraband activity and reporting the most prolific contraband users has been created. This methodology, if implemented on an actual P2P network, should allow the detection of members of the network who are the most active sharers and distributors of contraband material

    Delta bloom filter compression using stochastic learning-based weak estimation

    Substantial research has been done, and still continues, for reducing the bandwidth requirement and for reliable access to the data, stored and transmitted, in a space-efficient manner. Bloom filters and their variants have achieved widespread acceptability in various fields due to their ability to satisfy these requirements. As this need has increased, especially for the applications which require heavy use of the transmission bandwidth, distributed computing environment for the databases or the proxy servers, and even the applications which are sensitive to the access to the information with frequent modifications, this thesis proposes a solution in the form of compressed delta Bloom filter. This thesis proposes delta Bloom filter compression, using stochastic learning-based weak estimation and prediction with partial matching to achieve the goal of lossless compression with high compression gain for reducing the large data transferred frequently

    Automated dental identification: A micro-macro decision-making approach

    Identification of deceased individuals based on dental characteristics is receiving increased attention, especially with the large volume of victims encountered in mass disasters. In this work we consider three important problems in automated dental identification beyond the basic approach of tooth-to-tooth matching. The first problem is on automatic classification of teeth into incisors, canines, premolars and molars as part of creating a data structure that guides tooth-to-tooth matching, thus avoiding illogical comparisons that inefficiently consume the limited computational resources and may also mislead the decision-making. We tackle this problem using principal component analysis and string matching techniques. We reconstruct the segmented teeth using the eigenvectors of the image subspaces of the four teeth classes, and then call the teeth classes that achieve least energy-discrepancy between the novel teeth and their approximations. We exploit teeth neighborhood rules in validating teeth-classes and hence assign each tooth a number corresponding to its location in a dental chart. Our approach achieves 82% teeth labeling accuracy based on a large test dataset of bitewing films. Because dental radiographic films capture projections of distinct teeth, and often multiple views for each of the distinct teeth, in the second problem we look for a scheme that exploits teeth multiplicity to achieve more reliable match decisions when we compare the dental records of a subject and a candidate match. Hence, we propose a hierarchical fusion scheme that utilizes both aspects of teeth multiplicity for improving teeth-level (micro) and case-level (macro) decision-making. We achieve a genuine accept rate in excess of 85%. In the third problem we study the performance limits of dental identification due to features capabilities. We consider two types of features used in dental identification, namely teeth contours and appearance features. 
We propose a methodology for determining the number of degrees of freedom possessed by a feature set, as a figure of merit, based on modeling joint distributions using copulas under less stringent assumptions on the dependence between feature dimensions. We also offer workable approximations of this approach

    Novel Techniques for Automated Dental Identification

    Automated dental identification is one of the best candidates for postmortem identification. With the large number of victims encountered in mass disasters, automating the process of postmortem identification is receiving increased attention. This dissertation introduces new approaches for different stages of an Automated Dental Identification system. These stages include segmentation, classification, labeling, and matching. We modified the seam carving technique to adapt it to the problem of segmenting dental image records into individual teeth. We propose a two-stage teeth segmentation approach for segmenting the dental images. In the first stage, the teeth images are preprocessed by a two-step thresholding technique, which starts with an iterative thresholding followed by an adaptive thresholding to binarize the teeth images. In the second stage, we adapt the seam carving technique on the binary images, using both horizontal and vertical seams, to separate each individual tooth. We have obtained an optimality rate of 54.02% for the bitewing type images, which is superior to all existing fully automated dental segmentation algorithms in the literature, and a failure rate of 1.05%. For the periapical type images, we have obtained a high optimality rate of 58.13% and a low failure rate of 0.74 which also surpasses the performance of existing techniques. An important problem in automated dental identification is automatic classification of teeth into four classes (molars, premolars, canines, and incisors). A dental chart is a key to avoiding illogical comparisons that inefficiently consume the limited computational resources, and may mislead decision-making. We tackle this composite problem using a two-stage approach. The first stage utilizes low computational-cost, appearance-based features, using Orthogonal Locality Preserving Projections (OLPP) for assigning an initial class. 
The second stage applies a string matching technique, based on teeth neighborhood rules, to validate initial teeth-classes and hence to assign each tooth a number corresponding to its location in the dental chart, even in the presence of a missed tooth. The experimental results of teeth classification show that on a large dataset of bitewing and periapical films, the proposed approach achieves overall classification accuracy of 77% and teeth class validation enhances the overall teeth classification accuracy to 87%, which is slightly better than the performance obtained from previous methods based on EigenTeeth, the performance of which is 75% and 86%, respectively. We present a new technique that searches the dental database to find a candidate list. We use dental records of the FBI's Criminal Justice Service (CJIC) ADIS database, that contains 104 records (about 500 bitewing and periapical films) involving more than 2000 teeth, 47 Antemortem (AM) records and 57 Postmortem (PM) records with 20 matched records. The proposed approach consists of two main stages. The first stage is to preprocess the dental records (segmentation and teeth labeling classification) in order to get a reliable, appearance-based, low computational-cost feature. In the second stage, we developed a technique based on LaplacianTeeth using OLPP algorithm to produce a candidate list. The proposed technique can correctly retrieve the dental records 65% in the 5 top ranks while the method based on EigenTeeth remains at 60%. The proposed approach takes about 0.17 seconds to make record to record comparison while the other method based on EigenTeeth takes about 0.09 seconds. Finally, we address the teeth matching problem by presenting a new technique for dental record retrieval. The technique is based on the matching of the Scale Invariant Feature Transform (SIFT) descriptors guided by the teeth contour between the subject and reference dental records. 
Our fundamental objective is to accomplish a relatively short match list, with a high probability of having the correct match reference. The proposed technique correctly retrieves the dental records with performance rates of 35% and 75% in the 1 and 5 top ranks respectively, and takes only an average time of 4.18 minutes to retrieve a match list. This compares favorably with the existing technique shape-based (edge direction histogram) method which has the performance rates of 29% and 46% in the 1 and 5 top ranks respectively. In summary, the proposed ADIS system accurately retrieves the dental record with an overall rate of 80% in top 5 ranks when a candidate list of 20 is used (from potential match search) whereas a candidate size of 10 yields an overall rate of 84% in top 5 ranks and takes only a few minutes to search the database, which compares favorably against most of the existing methods in the literature, when both accuracy and computational complexity are considered

    Proceedings of the 15th Australian Digital Forensics Conference, 5-6 December 2017, Edith Cowan University, Perth, Australia

    Conference Foreword. This is the sixth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers with a number from local and international authors. 8 papers were submitted and following a double blind peer review process, 5 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To our sponsors and supporters a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable. Yours sincerely, Conference Chair, Professor Craig Valli, Director, Security Research Institute. Congress Organising Committee. Congress Chair: Professor Craig Valli. Committee Members: Professor Gary Kessler – Embry Riddle University, Florida, USA; Professor Glenn Dardick – Embry Riddle University, Florida, USA; Professor Ali Babar – University of Adelaide, Australia; Dr Jason Smith – CERT Australia, Australia; Associate Professor Mike Johnstone – Edith Cowan University, Australia; Professor Joseph A. Cannataci – University of Malta, Malta; Professor Nathan Clarke – University of Plymouth, Plymouth UK; Professor Steven Furnell – University of Plymouth, Plymouth UK; Professor Bill Hutchinson – Edith Cowan University, Perth, Australia; Professor Andrew Jones – Khalifa University, Abu Dhabi, UAE; Professor Iain Sutherland – Glamorgan University, Wales, UK; Professor Matthew Warren – Deakin University, Melbourne Australia. Congress Coordinator: Ms Emma Burk

    On the Benefits of Information Retrieval and Information Extraction Techniques Applied to Digital Forensics

    Many jurisdictions suffer from lengthy evidence processing backlogs in digital forensics investigations. This has negative consequences for the timely incorporation of digital evidence into criminal investigations, while also affecting the timelines required to bring a case to court. Modern technological advances, in particular the move towards cloud computing, have great potential in expediting the automated processing of digital evidence, thus reducing the manual workload for investigators. It also promises to provide a platform upon which more sophisticated automated techniques may be employed to improve the process further. This paper identifies some research strains from the areas of Information Retrieval and Information Extraction that have the potential to greatly help with the efficiency and effectiveness of digital forensics investigations