5 research outputs found

    Garmin satnav forensic methods and artefacts: an exploratory study.

    Over ten years ago, major changes in Global Positioning System (GPS) technology led to its explosion in popularity. GPS devices are now ubiquitous, escorting their users everywhere they go, and potentially recording the entirety of their whereabouts. As such, they represent invaluable assets to forensic practitioners. Amongst the different brands, Garmin and Tom-Tom are by far the most widespread, and are regularly encountered as part of investigations. GPS forensics is a relatively new field of study, in which tools and methodologies are very reliant upon the device itself. Whereas several tools and methodologies have been developed to address Tom-Tom devices, the lack of knowledge concerning Garmin devices may lead to investigators missing evidence. This thesis aims to explore forensic methods applicable to Garmin devices, and to highlight the location-related artefacts held on them which may be of use in a digital investigation. To do so, three series of experiments have been designed and performed, intending to document the behaviour of the device, the methods to acquire and analyse its content efficiently, and the reliability of the data recovered. This thesis shows successful acquisition of data from a range of Garmin devices. It also demonstrates that various forensic artefacts can be recovered from Garmin devices, with the results compared to similar research into Tom-Tom GPS devices. This highlights that Garmin devices potentially have a greater forensic potential than Tom-Tom devices, as it was found they typically hold up to 6 months of their user's daily locations, regardless of whether the navigation was in use or not. Using carving techniques and file signatures discovered through the project, this thesis shows how to recover further location tracking data from unallocated clusters. However, it also highlights that such information should be considered carefully, since the work also demonstrates that the data can be manipulated using anti-forensic techniques.


    Technical and legal perspectives on forensics scenario

    The dissertation concerns digital forensics. The expression digital forensics (sometimes called digital forensic science) denotes the science that studies the identification, storage, protection, retrieval, documentation, use, and every other form of processing of computer data so that it can be evaluated in a legal trial. Digital forensics is a branch of forensic science. First of all, digital forensics represents the extension of theories, principles and procedures that are typical and important elements of forensic science, computer science and new technologies. From this conceptual viewpoint, the logical consideration is that forensic science studies the legal value of specific events in order to identify possible sources of evidence. The branches of forensic science are: physiological sciences, social sciences, forensic criminalistics and digital forensics. Moreover, digital forensics includes several categories relating to the investigation of various types of devices, media or artefacts. These categories are:
- computer forensics: the aim is to explain the current state of a digital artefact, such as a computer system, storage medium or electronic document;
- mobile device forensics: the aim is to recover digital evidence or data from a mobile device, such as images, call logs, SMS logs and so on;
- network forensics: the aim is the monitoring and analysis of network traffic (local, WAN/Internet, UMTS, etc.) to detect intrusions and, more generally, to find network evidence;
- forensic data analysis: the aim is to examine structured data to discover evidence, usually related to financial crime;
- database forensics: the aim relates to databases and their metadata.
The origin and historical development of the discipline of study and research of digital forensics are closely related to progress in information and communication technology in the modern era. In parallel with the changes in society due to new technologies and, in particular, the advent of the computer and electronic networks, there has been a change in the mode of collection, management and analysis of evidence. Indeed, in addition to the more traditional, natural and physical elements, the procedures have come to include further evidence which, although equally capable of identifying an occurrence, is inextricably related to a computer, a computer network or electronic means. The birth of computer forensics can be traced back to 1984, when the FBI and other American investigative agencies began to use software for the extraction and analysis of data on personal computers. At the beginning of the 80s, the CART (Computer Analysis and Response Team) was created within the FBI, with the express purpose of seeking so-called digital evidence. This term is used to denote all the information stored or transmitted in digital form that may have some probative value. While the term evidence, more precisely, denotes the judicial nature of digital data, the term forensic emphasizes the procedural nature of the matter, literally, "to be presented to the Court". Digital forensics has a huge variety of applications. The most common applications are related to crime or cybercrime. Cybercrime is a growing problem for government, business and private individuals.
- Government: security of the country (terrorism, espionage, etc.) or social problems (child pornography, child trafficking and so on).
- Business: purely economic problems, for example industrial espionage.
- Private individuals: personal safety and possessions, for example phishing, identity theft.
Often many techniques used in digital forensics are not formally defined, and the relation between the technical procedure and the law is not frequently taken into consideration. From this conceptual perspective, the research work intends to define and optimize the procedures and methodologies of digital forensics in relation to Italian regulation, testing, analysing and defining the best practice, where it is not defined, concerning common software. The research questions are:
1. The problem of cybercrime is becoming increasingly significant for governments, businesses and citizens.
- In relation to governments, cybercrime involves problems concerning national security, such as terrorism and espionage, and social questions, such as trafficking in children and child pornography.
- In relation to businesses, cybercrime entails problems concerning mainly economic issues, such as industrial espionage.
- In relation to citizens, cybercrime involves problems concerning personal security, such as identity theft and fraud.
2. Many techniques used within digital forensics are not formally defined.
3. The relation between procedures and legislation is not always applied and taken into consideration.

    Remote forensic investigations

    This thesis sets out to discuss the new investigative method of the remote forensic investigation (Online-Durchsuchung) and to present it in a broad and general way. A particular focus is placed on the relationship between technology and law. The reader is first presented with a wide-ranging technical part, which covers the various software programs used in the course of a remote forensic investigation, with special attention paid to the technical aspects of telecommunications and encryption technology. In addition, the technical treatment of the dissertation topic, concentrated in one section, includes a short introduction to computer forensics, i.e. the procedure of a "computer search" by law enforcement authorities. Alongside a description of the established procedures and principles of such a "computer search", the special hardware and software tools are also covered in overview. Concluding this technical part, the intended fields of application of the remote forensic investigation are set out and subjected to a factual and technical assessment. The legal part of the thesis that follows the technical discussion contains, besides an overview of the constitutional provisions, in particular an examination of the question of proportionality, which is essential with respect to remote forensic investigations. Although this dissertation is primarily concerned with procedural law, a short presentation of important substantive law provisions is given.
Following an introduction to the Code of Criminal Procedure and its principles, in which in particular the balance of power between the criminal police, the public prosecution and the courts as well as the system for enforcing coercive measures is explained, the presentation concentrates on individual provisions of the StPO which at first glance appear to justify carrying out a remote forensic investigation. The procedural provisions examined in detail concern:
- search of places and objects (§§ 117 Z2 iVm 119 Abs 1 StPO),
- surveillance of messages (§§ 135 Abs 3 iVm 134 Z3 StPO),
- disclosure of data relating to a message transmission (§§ 134 Z2 iVm 135 Abs 2 StPO),
- large and small eavesdropping operations (§§ 136 iVm 134 Z4 StPO).
The dissertation then turns to the Security Police Act (Sicherheitspolizeigesetz). The SPG is treated in the same way as the topics discussed before, with the tasks of the legal entity laid down in it, i.e. the general duty to render first assistance and the maintenance of public security and order, and the associated competences of the security police, being examined more closely. In particular, the following provisions are examined:
- entering and searching premises, rooms and vehicles (§ 39 SPG),
- admissibility of the processing of personal data (§ 53 SPG),
- special provisions for investigation (§ 54 SPG).
The relevant subchapters of the legal part of this dissertation end with an attempt to subsume the remote forensic investigation, as a modern instrument of investigation and preservation of evidence, under the procedural provisions discussed. In its final part, the present thesis deals with the relationship between prevention and (criminal) procedural law.
Starting from general considerations on prevention and a historical outline of the development from natural law to the rule-of-law state and finally to the preventive state, the author examines the problematic interrelation more closely by means of five points:
- general considerations on prevention,
- relationship between the competences of the criminal police and the security police,
- systematic problem of incorporating the remote forensic investigation into the Austrian legal system,
- preventive aspects in substantive criminal law,
- the degree of suspicion required before carrying out a remote forensic investigation.
In summary, the intention of the present dissertation is to give the reader a general overview of the topic of "Online-Durchsuchung" (remote forensic investigation). Beyond that, an attempt is made to explain the technical as well as the legal aspects involved in the measure equally and to set them against one another. The focus, however, is not, as in other already available writings, on fundamental and human rights; rather, the problematic incorporation of this investigative method into the Austrian (procedural) legal system is shown. The Code of Criminal Procedure and the Security Police Act in particular serve as the standard of comparison.

The purpose of this thesis is to provide an introduction and general overview of the newly developed method of remote forensic investigations (RFIs). It intends to present RFIs in a rather broad and general way, with a special focus on the relationship between technology and law. The technical part of this thesis involves presentations of software programs potentially capable of being applied in RFIs. The terms 'malware' and 'viruses' are also clarified, as are the expressions 'spyware' and the various forms of 'Trojan horses'. Special attention is given to the technical issues and properties of telecommunication as well as to those of decryption and encryption.
In order to show how a computer has to be searched physically by law enforcement agencies, the author gives a brief introduction to computer forensics. The illustration includes a description of the established procedures for the investigating authorities and the various principles the process is based on. Furthermore, a brief overview of the special hardware as well as software tools is given. Thereafter, the potential application of a remote forensic investigation is presented with regard to its two main purposes, i.e. obtaining access to a computer and the exploitation of that access. The legal part of this thesis starts with an overview of the relevant provisions in Austrian constitutional law and one of its cornerstones, the principle of proportionality. Despite the fact that this thesis is mainly dedicated to procedural law, the author gives a summary of important substantive law provisions. This is necessary in order to show that the security agencies would, without empowerment to conduct a remote forensic investigation, commit a criminal act and would therefore be liable for it as well. After an introduction to criminal procedure law, involving an illustration of general principles (such as the principle of indictment, or the system of warrants) and of the relationship between the criminal police, the public prosecution and the court as well as their special tasks and competences, the provisions relevant to remote forensic investigations are pointed out extensively. In particular, the following provisions of the Austrian Code of Criminal Procedure are examined in detail, including an extensive effort to subsume an RFI under them:
- Search of Locations and Objects according to section 117 no. 2 in conjunction with section 119 para. 1 of the Austrian Code of Criminal Procedure
- Surveillance of Data and Communication according to section 135 para. 3 in conjunction with section 134 no. 3 of the Austrian Code of Criminal Procedure
- Disclosure of Transmission Data according to section 134 no. 2 in conjunction with section 135 para. 2 of the Austrian Code of Criminal Procedure
- Surveillance of Persons according to section 136 in conjunction with section 134 no. 4 of the Austrian Code of Criminal Procedure
Following this, a similar approach is used to present the Austrian Security Police Act. Special focus is put on the tasks of maintaining public order, primary assistance and maintaining public security. Consequently, the competences of the public security police are illustrated in the same manner as the competences of the criminal police:
- Competence to Enter and Search Premises, Rooms and Vehicles according to section 39 of the Austrian Security Police Act
- Legitimacy of Processing of Personal Data according to section 53 of the Austrian Security Police Act
- Special Regulations for Investigation according to section 54 of the Austrian Security Police Act
The final part of this thesis is dedicated to the relationship between the prevention of criminal incidents and criminal procedural law. Starting with rather general considerations on prevention and a historical overview of the development from a state of nature to a state of law and finally to a state of prevention, the following five aspects are examined in depth:
- General aspects of prevention,
- Relationship between the criminal police and the public security police,
- Systematic questions regarding an incorporation of RFIs into the Austrian legal order,
- Preventive aspects within the regime of substantive criminal law, and
- Demanded degree of suspicion.
In summary, the intention of this thesis is to give a broad and general overview of RFIs, from a technological as well as a legal point of view. The focus is, unlike other publications in this respect, not directed at fundamental/human rights issues but rather at issues related to a potential incorporation of RFIs into the Austrian legal order. The Austrian Code of Criminal Procedure and the Austrian Security Police Act are the points of reference and the standard of comparison.

    Digital Forensics Practices: A Road Map for Building Digital Forensics Capability

    Identifying the needs for building and managing Digital Forensics Capability (DFC) is important because it can help organisations to stay abreast of criminals' activities and the challenging pace of technological advancement. The field of Digital Forensics (DF) is witnessing rapid development in investigation procedures, the tools used, and the types of digital evidence. However, several research publications confirm that a unified standard for building and managing DF capability does not exist. Therefore, this thesis identifies, documents, and analyses existing DF frameworks and the attitudes of organisations towards establishing the DF team, staffing and training, acquiring and employing effective tools in practice and establishing effective procedures. First, this thesis looks into the existing practices in the DF community for carrying out digital investigations and, more importantly, the precise steps taken for setting up the laboratories. Second, the thesis focuses on research data collected from organisations in the United Kingdom and the United Arab Emirates, and based on this collection a framework has been developed to better understand the building and managing of the capabilities of Digital Forensics Organisations (DFOs). This framework has been developed by applying Grounded Theory as a systematic and comprehensive qualitative methodology in the emerging field of DF research. This thesis, furthermore, provides a systematic guideline describing the procedures and techniques of using Grounded Theory in DF research by applying the three Grounded Theory coding methods (open, axial, and selective coding) used in this thesis. The techniques presented in this thesis also provide a thorough critique, making it a valuable contribution to the discussion of methods of analysis in the field of DF. Finally, the thesis proposes a framework in the form of an equation for analysing the capability of DFOs. The proposed framework, called the Digital Forensics Organisation Core Capability Framework, offers an explanation of the factors involved in establishing the capability of a digital forensics organisation. Software was also developed for applying the framework in real life.