7 research outputs found

    Leveraging the Windows Amcache.hve File in Forensic Investigations

    The Amcache.hve is a registry hive file that is created by Microsoft® Windows® to store the information related to execution of programs. This paper highlights the evidential potential of Amcache.hve file and its application in the area of user activity analysis. The study uncovers numerous artifacts retained in Amcache.hve file when a user performs certain actions such as running host-based applications, installation of new applications, or running portable applications from external devices. The results of experiments demonstrate that Amcache.hve file stores intriguing artifacts related to applications such as timestamps of creation and last modification of any application; name, description, publisher name and version of applications; execution file path, SHA-1 hash of executable files etc. These artifacts are found to persist even after the applications have been deleted from the system. Further experiments were conducted to evaluate forensic usefulness of the information stored in Amcache.hve and it was found that Amcache.hve information is propitious to trace the deleted applications, malware programs and applications run from external devices. Finally, comparison of information in Amcache.hve file with information in other similar sources (IconCache.db, SRUDB.dat and Prefetch files) is shown, in order to provide more useful information to forensic investigators

    Tracing Forensic Artifacts from USB-Bound Computing Environments on Windows Hosts


    Forensics Analysis of Privacy of Portable Web Browsers

    Web browser vendors offer a portable web browser option which is considered as one of the features that provides user privacy. Portable web browser is a browser that can be launched from a USB flash drive without the need for its installation on the host machine. Most popular web browsers have portable versions of their browsers as well. Portable web browsing poses a great challenge to computer forensic investigators who try to reconstruct the past browsing history, in case of any computer incidence. This research examines various sources in the host machine such as physical memory, temporary, recent, event files, Windows Registry, and Cache.dll files for the evidential information regarding portable browsing session. The portable browsers under this study include Firefox, Chrome, Safari, and Opera. Results of this experiment show that portable web browsers do not provide user-privacy as they are expected to do. Keywords: computer forensics tools, RAM forensics, volatile memory, forensics artifacts, Registr

    CuFA: A More Formal Definition for Digital Forensic Artifacts

    The term “artifact” currently does not have a formal definition within the domain of cyber/digital forensics, resulting in a lack of standardized reporting, linguistic understanding between professionals, and efficiency. In this paper we propose a new definition based on a survey we conducted, literature usage, prior definitions of the word itself, and similarities with archival science. This definition includes required fields that all artifacts must have and encompasses the notion of curation. Thus, we propose using a new term, curated forensic artifact (CuFA), to address items which have been cleared for entry into a CuFA database (one implementation, the Artifact Genome Project, abbreviated as AGP, is under development and briefly outlined). An ontological model encapsulates these required fields while utilizing a lower-level taxonomic schema. We use the Cyber Observable eXpression (CybOX) project due to its rising popularity and rigorous classifications of forensic objects. Additionally, we suggest some improvements on its integration into our model and identify higher-level location categories to illustrate tracing an object from creation through investigative leads. Finally, a step-wise procedure for researching and logging CuFAs is devised to accompany the model.

    NVMe-Assist: A Novel Theoretical Framework for Digital Forensics A Case Study on NVMe Storage Devices and Related Artifacts on Windows 10

    With ever-advancing changes in technology come implications for the digital forensics community. In this document, we use the term digital forensics to denote the scientific investigatory procedure for digital crimes and attacks. Digital forensics examiners often find it challenging when new devices are used for nefarious activities. The examiners gather evidence from these devices based on supporting literature. Multiple factors contribute to a lack of research on a particular device or technology. The most common factors are that the technology is new to the market, and there has not been much time to conduct sufficient research. It is also likely that the technology is not popular enough to garner research attention. If an examiner encounters such a device, they are often required to develop impromptu solutions to investigate such a case. Sometimes, examiners have to review their examination processes on model devices that labs are necessitated to purchase to see if existing methods suffice. This ad-hoc approach adds time and additional expense before actual analysis can commence. In this research, we investigate a new storage technology called Non-Volatile Memory Express (NVMe). This technology uses Peripheral Component Interconnect (PCIe) mechanics for its working. Since this storage technology is relatively new, it lacks a substantial digital forensics foundation to draw upon to conduct a forensics investigation. Additionally, to the best of our knowledge, there is an insufficient body of work to conduct sound forensics research on such devices. To this end, our framework, NVMe-Assist puts forth a strong theoretical foundation that empowers digital forensics examiners in conducting analysis on NVMe devices, including wear-leveling, TRIM, Prefetch files, Shellbag, and BootPerfDiagLogger.etl. Lastly, we have also worked on creating the NVMe-Assist tool using Python. This tool parses the partition tables in the boot sector and is the upgrade of the mmls tool of The Sleuth Kit command-line tools. Our tool currently supports E01, and RAW files of the physical acquisition of hard-disk drives (HDDs), solid-state drives (SSDs), NVMe SSDs, and USB flash drives as data source files. To add to that, the tool works on both the MBR (Master Boot Record) and GPT (GUID Partition Table) style partitions.

    Multi-level analysis of Malware using Machine Learning
