240 research outputs found
Forensic Methods and Tools for Web Environments
The Web is one of the most exciting and dynamic areas of development in today’s technology. However, with such activity, innovation, and ubiquity have come a set of new challenges for digital forensic examiners, making their jobs even more difficult. For examiners to become as effective with evidence from the Web as they currently are with more traditional evidence, they need (1) methods that guide them to know how to approach this new type of evidence and (2) tools that accommodate web environments’ unique characteristics.
In this dissertation, I present my research to alleviate the difficulties forensic examiners currently face with respect to evidence originating from web environments. First, I introduce a framework for web environment forensics, which elaborates on and addresses the key challenges examiners face and outlines a method for how to approach web-based evidence. Next, I describe my work to identify extensions installed on encrypted web thin clients using only a sound understanding of these systems’ inner workings and the metadata of the encrypted files. Finally, I discuss my approach to reconstructing the timeline of events on encrypted web thin clients by using service provider APIs as a proxy for directly analyzing the device. In each of these research areas, I also introduce structured formats that I customized to accommodate the unique features of the evidence sources while also facilitating tool interoperability and information sharing.
Dissertation/Thesis. Doctoral Dissertation, Computer Science, 201
Forensic acquisition of file systems with parallel processing of digital artifacts to generate an early case assessment report
The way humans interact and carry out routine tasks has changed in recent decades, and a long list of activities is now possible only through the use of information technologies, among them the purchase of goods and services, business management and operations, and communications. These transformations are also visible in other, less legitimate activities, allowing crimes to be committed through digital means.
Broadly speaking, forensic investigators search for evidence of criminal actions carried out by means of digital devices in order, finally, to try to identify the perpetrators, the extent of the damage caused, and the background story that made the crime possible. In essence, this activity must follow strict rules to ensure that the evidence is admissible in court; but the greater the number of new artifacts and the larger the volume of available storage devices, the longer the time between the identification of a suspect's device and the moment the investigator begins to navigate the sea of information stored on it.
This research aims to bring forward some stages of the EDRM by using the parallel processing built into current processing units (CPUs) to translate multiple forensic artifacts of the Windows 10 operating system and generate a report with the most crucial information about the acquired device. This allows an early case assessment (ECA) while a full disk acquisition is still in progress, with minimal impact on the overall acquisition time.
A Domain Specific Language for Digital Forensics and Incident Response Analysis
One of the longstanding conceptual problems in digital forensics is the dichotomy between the need for verifiable and reproducible forensic investigations, and the lack of practical mechanisms to accomplish them. With nearly four decades of professional digital forensic practice, investigator notes are still the primary source of reproducibility information, and much of it is tied to the functions of specific, often proprietary, tools.
The lack of a formal means of specification for digital forensic operations results in three major problems. Specifically, there is a critical lack of:
a) standardized and automated means to scientifically verify accuracy of digital forensic tools;
b) methods to reliably reproduce forensic computations (their results); and
c) a framework for interoperability among forensic tools.
Additionally, there is no standardized means for communicating software requirements between users, researchers and developers, resulting in a mismatch in expectations. Combined with the exponential growth in data volume and complexity of applications and systems to be investigated, all of these concerns result in major case backlogs and inherently reduce the reliability of the digital forensic analyses.
This work proposes a new approach to the specification of forensic computations, such that the above concerns can be addressed on a scientific basis with a new domain specific language (DSL) called nugget. DSLs are specialized languages that aim to address the concerns of particular domains by providing practical abstractions. Successful DSLs, such as SQL, can transform an application domain by providing a standardized way for users to communicate what they need without specifying how the computation should be performed.
This is the first effort to build a DSL for (digital) forensic computations with the following research goals:
1) provide an intuitive formal specification language that covers core types of forensic computations and common data types;
2) provide a mechanism to extend the language that can incorporate arbitrary computations;
3) provide a prototype execution environment that allows the fully automatic execution of the computation;
4) provide a complete, formal, and auditable log of computations that can be used to reproduce an investigation;
5) demonstrate cloud-ready processing that can match the growth in data volumes and complexity.
FORENSIC ANALYSIS OF THE GARMIN CONNECT ANDROID APPLICATION
Wearable smart devices are becoming more prevalent in our lives. These tiny devices read various health signals such as heart rate and pulse and also serve as companion devices that store sports activities and even their coordinates. This data is typically sent to the smartphone via an installed companion application. These applications hold a high forensic value because of the users’ private information they store. They can be crucial in a criminal investigation to understand what happened or where a person was during a given period. They also need to guarantee that the data is secure and that the application is not vulnerable to any attack that could lead to data leaks.
The present work aims to do a complete forensic analysis of the companion application Garmin Connect for Android devices. We used a Garmin smartband to generate data and tested the application with a rooted Android device. The analysis is split into two parts. The first part is a traditional post-mortem analysis, in which we present the application, the data generation process, the acquisition process, tools, and methodologies, and then analyze the extracted data and study what can be considered a forensic artifact. In the second part, we performed a dynamic analysis, using various offensive security techniques and methods to find vulnerabilities in the application code and network protocol and to obtain data in transit.
Besides completing the Garmin Connect application analysis, we contributed various modules and new features to the tool Android Logs Events And Protobuf Parser (ALEAPP) to help forensic practitioners analyze the application and to improve the open-source digital forensics landscape. We also used this analysis as a blueprint to explore six other fitness applications that can receive data from Garmin Connect.
With this work, we could conclude that Garmin Connect stores a large quantity of private data on its device, making it of great importance in a forensic investigation. We also studied its robustness and could conclude that the application is not vulnerable to the tested scenarios. Nevertheless, we found a weakness in its communication methods that lets us obtain any data from the user even if it was not stored on the device. This fact increases its forensic importance even more.
A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response
In the dynamic landscape of digital forensics, the integration of Artificial Intelligence (AI) and Machine Learning (ML) stands as a transformative technology, poised to amplify the efficiency and precision of digital forensics investigations. However, the use of ML and AI in digital forensics is still in its nascent stages. As a result, this paper gives a thorough and in-depth analysis that goes beyond a simple survey and review. The goal is to look closely at how AI and ML techniques are used in digital forensics and incident response. This research explores cutting-edge research initiatives that cross domains such as data collection and recovery, the intricate reconstruction of cybercrime timelines, robust big data analysis, pattern recognition, safeguarding the chain of custody, and orchestrating responsive strategies to hacking incidents. This endeavour digs far beneath the surface to unearth the intricate ways AI-driven methodologies are shaping these crucial facets of digital forensics practice. While the promise of AI in digital forensics is evident, the challenges arising from increasing database sizes and evolving criminal tactics necessitate ongoing collaborative research and refinement within the digital forensics profession. This study examines the contributions, limitations, and gaps in the existing research, shedding light on the potential and limitations of AI and ML techniques. By exploring these different research areas, we highlight the critical need for strategic planning, continual research, and development to unlock AI's full potential in digital forensics and incident response. Ultimately, this paper underscores the significance of AI and ML integration in digital forensics, offering insights into their benefits, drawbacks, and broader implications for tackling modern cyber threats.
EviHunter: Identifying Digital Evidence in the Permanent Storage of Android Devices via Static Analysis
Crimes, both physical and cyber, increasingly involve smartphones due to their ubiquity. Therefore, digital evidence on smartphones plays an increasingly important role in crime investigations. Digital evidence can reside in the memory and the permanent storage of a smartphone. While we have witnessed significant progress on memory forensics recently, identifying evidence in permanent storage is still an underdeveloped research area. Most existing studies on permanent-storage forensics rely on manual analysis or keyword-based scanning of the permanent storage. Manual analysis is costly, while keyword matching often misses evidentiary data that do not contain interesting keywords.
In this work, we develop a tool called EviHunter to automatically identify evidentiary data in the permanent storage of an Android device. There could be thousands of files in the permanent storage of a smartphone, and a basic question a forensic investigator often faces is which of those files could store evidentiary data. EviHunter aims to answer this question. Our intuition is that evidentiary data are produced by apps, and an app's code has rich information about the types of data the app may write to permanent storage and the files the data are written to. Therefore, EviHunter first pre-computes an App Evidence Database (AED) via static analysis of a large number of apps. The AED includes, for each app, the types of evidentiary data and the files that store them. Then, EviHunter matches the files in a smartphone's permanent storage against the AED to identify the files that could store evidentiary data.
We evaluate EviHunter on benchmark apps and 8,690 real-world apps. Our results show that EviHunter can precisely identify both the types of evidentiary data and the files that store them.
IPCFA: A Methodology for Acquiring Forensically-Sound Digital Evidence in the Realm of IAAS Public Cloud Deployments
Cybercrimes and digital security breaches are on the rise: savvy businesses and organizations of all sizes must ready themselves for the worst. Cloud computing has become the new normal, opening even more doors for cybercriminals to commit crimes that are not easily traceable. The fast pace of technology adoption exceeds the speed by which the cybersecurity community and law enforcement agencies (LEAs) can invent countermeasures to investigate and prosecute such criminals. While presenting defensible digital evidence in courts of law is already complex, it gets more complicated if the crime is tied to public cloud computing, where storage, network, and computing resources are shared and dispersed over multiple geographical areas. Investigating such crimes involves collecting evidence data from the public cloud that is court-sound. Digital evidence court admissibility in the U.S. is governed predominantly by the Federal Rules of Evidence and Federal Rules of Civil Procedures. Evidence authenticity can be challenged by the Daubert test, which evaluates the forensic process that took place to generate the presented evidence.
Existing digital forensics models, methodologies, and processes have not adequately addressed crimes that take place in the public cloud. It was only in late 2020 that the Scientific Working Group on Digital Evidence (SWGDE) published a document that shed light on best practices for collecting evidence from cloud providers. Yet SWGDE’s publication does not address the gap between the technology and the legal system when it comes to evidence admissibility. The document is high level with more focus on law enforcement processes such as issuing a subpoena and preservation orders to the cloud provider.
This research proposes IaaS Public Cloud Forensic Acquisition (IPCFA), a methodology to acquire forensically sound evidence from public cloud IaaS deployments. IPCFA focuses on bridging the gap between the legal and technical sides of evidence authenticity to help produce admissible evidence that can withstand scrutiny in U.S. courts. Grounded in design science research (DSR), the research is rigorously evaluated using two hypothetical scenarios for crimes that take place in the public cloud. The first scenario takes place in AWS and is hypothetically walked through. The second scenario is a demonstration of IPCFA’s applicability and effectiveness on Azure Cloud. Both cases are evaluated using a rubric built from the federal and civil digital evidence requirements and the international best practices for digital evidence to show the effectiveness of IPCFA in generating cloud evidence sound enough to be considered admissible in court.
THE SCALABLE AND ACCOUNTABLE BINARY CODE SEARCH AND ITS APPLICATIONS
The past decade has witnessed an explosion of applications and devices. This big-data era challenges the existing security technologies: new analysis techniques should be scalable enough to handle a “big data” scale codebase; they should become smart and proactive by using the data to understand what the vulnerable points are and where they are located; and effective protection should be provided for the dissemination and analysis of data involving sensitive information on an unprecedented scale.
In this dissertation, I argue that code search techniques can boost existing security analysis techniques (vulnerability identification and memory analysis) in terms of scalability and accuracy. In order to demonstrate these benefits, I address two issues of code search by using code analysis: scalability and accountability. I further demonstrate the benefit of code search by applying it to the scalable vulnerability identification [57] and cross-version memory analysis problems [55, 56].
Firstly, I address the scalability problem of code search by learning “higher-level” semantic features from code [57]. Instead of conducting fine-grained testing on a single device or program, it becomes much more crucial to achieve quick vulnerability scanning across devices or programs at a “big data” scale. However, discovering vulnerabilities in “big code” is like finding a needle in a haystack, even when dealing with known vulnerabilities. This new challenge demands a scalable code search approach. To this end, I leverage successful techniques from image search in the computer vision community and propose a novel code encoding method for scalable vulnerability search in binary code. The evaluation results show that this approach can achieve comparable or even better accuracy and efficiency than the baseline techniques.
Secondly, I tackle the accountability issues left open in the vulnerability search problem by designing vulnerability-oriented raw features [58]. Similar code does not always represent a similar vulnerability, so feature engineering for code search should focus on semantic-level features rather than syntactic ones. I propose to extract conditional formulas as higher-level semantic features from the raw binary code to conduct the code search. A conditional formula explicitly captures two cardinal factors of a vulnerability: 1) erroneous data dependencies and 2) missing or invalid condition checks. As a result, binary code search on conditional formulas produces significantly higher accuracy and provides meaningful evidence for human analysts to further examine the search results. The evaluation results show that this approach can further improve the search accuracy of existing bug search techniques with very reasonable performance overhead.
Finally, I demonstrate the potential of the code search technique in the memory analysis field, and apply it to address the cross-version issue in memory forensics [55, 56]. Memory analysis techniques for COTS software usually rely on so-called “data structure profiles” for their binaries. Constructing such profiles requires expert knowledge about the internal workings of a specific software version, and it is still a cumbersome manual effort most of the time. I propose to leverage the code search technique to enable a notion named “cross-version memory analysis”, which can update a profile for new versions of a piece of software by transferring the knowledge from the model that has already been trained on its old version. The evaluation results show that the code-search-based approach advances existing memory analysis methods by reducing manual effort while maintaining reasonable accuracy. With the help of collaborators, I further developed two plugins for the Volatility memory forensic framework [2], and show that each of the two plugins can construct a localized profile to perform specific memory forensic tasks on the same memory dump, without the need for manual effort in creating the corresponding profile.
The twofold role of Cloud Computing in Digital Forensics: target of investigations and helping hand to evidence analysis
This PhD thesis discusses the impact of Cloud Computing infrastructures on Digital Forensics in the twofold role of target of investigations and as a helping hand to investigators. The Cloud offers a cheap and almost limitless computing power and storage space for data which can be leveraged to commit either new or old crimes and host related traces. Conversely, the Cloud can help forensic examiners to find clues better and earlier than traditional analysis applications, thanks to its dramatically improved evidence processing capabilities. In both cases, a new arsenal of software tools needs to be made available. The development of this novel weaponry and its technical and legal implications from the point of view of repeatability of technical assessments is discussed throughout the following pages and constitutes the unprecedented contribution of this wor
- …