A Case-Based Reasoning Method for Locating Evidence During Digital Forensic Device Triage

The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application

Calm before the storm: the challenges of cloud computing in digital forensics

Cloud computing is a rapidly evolving information technology (IT) phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host their software applications, organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties. This development has significant implications for digital forensic investigators, equipment vendors, law enforcement, as well as corporate compliance and audit departments (among others). Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several new research challenges addressing this changing context are also identified and discussed

B-CoC: A Blockchain-Based Chain of Custody for Evidences Management in Digital Forensics

One of the main issues in digital forensics is the management of evidences. From the time of evidence collection until the time of their exploitation in a legal court, evidences may be accessed by multiple parties involved in the investigation that take temporary their ownership. This process, called Chain of Custody (CoC), must ensure that evidences are not altered during the investigation, despite multiple entities owned them, in order to be admissible in a legal court. Currently digital evidences CoC is managed entirely manually with entities involved in the chain required to fill in documents accompanying the evidence. In this paper, we propose a Blockchain-based Chain of Custody (B-CoC) to dematerialize the CoC process guaranteeing auditable integrity of the collected evidences and traceability of owners. We developed a prototype of B-CoC based on Ethereum and we evaluated its performance

Generation and Handling of Hard Drive Duplicates as Piece of Evidence

An important area in digital forensics is images of hard disks. The correct production of the images as well as the integrity and authenticity of each hard disk image is essential for the probative force of the image to be used at court. Integrity and authenticity are under suspicion as digital evidence is stored and used by software based systems. Modifications to digital objects are hard or even impossible to track and can occur even accidentally. Even worse, vulnerabilities occur for all current computing systems. Therefore, it is difficult to guarantee a secure environment for forensic investigations. But intended deletions of dedicated data of disk images are often required because of legal issues in many countries. This article provides a technical framework on the protection of the probative force of hard disk images by ensuring the integrity and authenticity using state of the art technology. It combines hardware-based security, cryptographic hash functions and digital signatures to achieve a continuous protection of the image together with a reliable documentation of the status of the device that was used for image creation. The framework presented allows to detect modifications and to pinpoint the exact area of the modification to the digital evidence protecting the probative force of the evidence at a whole. In addition, it also supports the deletion of parts of images without invalidating the retained data blocks. Keywords: digital evidence, probative force hard disk image, verifiable deletion of image data, trusted imaging softwar

Multi-aspect, robust, and memory exclusive guest os fingerprinting

Precise fingerprinting of an operating system (OS) is critical to many security and forensics applications in the cloud, such as virtual machine (VM) introspection, penetration testing, guest OS administration, kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM always exists in all these applications, in this article, we present OS-Sommelier+, a multi-aspect, memory exclusive approach for precise and robust guest OS fingerprinting in the cloud. It works as follows: given a physical memory dump of a guest OS, OS-Sommelier+ first uses a code hash based approach from kernel code aspect to determine the guest OS version. If code hash approach fails, OS-Sommelier+ then uses a kernel data signature based approach from kernel data aspect to determine the version. We have implemented a prototype system, and tested it with a number of Linux kernels. Our evaluation results show that the code hash approach is faster but can only fingerprint the known kernels, and data signature approach complements the code signature approach and can fingerprint even unknown kernels