A Forensically Sound Adversary Model for Mobile Devices

In this paper, we propose an adversary model to facilitate forensic investigations of mobile devices (e.g. Android, iOS and Windows smartphones) that can be readily adapted to the latest mobile device technologies. This is essential given the ongoing and rapidly changing nature of mobile device technologies. An integral principle and significant constraint upon forensic practitioners is that of forensic soundness. Our adversary model specifically considers and integrates the constraints of forensic soundness on the adversary, in our case, a forensic practitioner. One construction of the adversary model is an evidence collection and analysis methodology for Android devices. Using the methodology with six popular cloud apps, we were successful in extracting various information of forensic interest in both the external and internal storage of the mobile device

Tree-formed Verification Data for Trusted Platforms

The establishment of trust relationships to a computing platform relies on validation processes. Validation allows an external entity to build trust in the expected behaviour of the platform based on provided evidence of the platform's configuration. In a process like remote attestation, the 'trusted' platform submits verification data created during a start up process. These data consist of hardware-protected values of platform configuration registers, containing nested measurement values, e.g., hash values, of loaded or started components. Commonly, the register values are created in linear order by a hardware-secured operation. Fine-grained diagnosis of components, based on the linear order of verification data and associated measurement logs, is not optimal. We propose a method to use tree-formed verification data to validate a platform. Component measurement values represent leaves, and protected registers represent roots of a hash tree. We describe the basic mechanism of validating a platform using tree-formed measurement logs and root registers and show an logarithmic speed-up for the search of faults. Secure creation of a tree is possible using a limited number of hardware-protected registers and a single protected operation. In this way, the security of tree-formed verification data is maintained.Comment: 15 pages, 11 figures, v3: Reference added, v4: Revised, accepted for publication in Computers and Securit

Secure portable execution and storage environments: A capability to improve security for remote working

Remote working is a practice that provides economic benefits to both the employing organisation and the individual. However, evidence suggests that organisations implementing remote working have limited appreciation of the security risks, particularly those impacting upon the confidentiality and integrity of information and also on the integrity and availability of the remote worker’s computing environment. Other research suggests that an organisation that does appreciate these risks may veto remote working, resulting in a loss of economic benefits. With the implementation of high speed broadband, remote working is forecast to grow and therefore it is appropriate that improved approaches to managing security risks are researched. This research explores the use of secure portable execution and storage environments (secure PESEs) to improve information security for the remote work categories of telework, and mobile and deployed working. This thesis with publication makes an original contribution to improving remote work information security through the development of a body of knowledge (consisting of design models and design instantiations) and the assertion of a nascent design theory. The research was conducted using design science research (DSR), a paradigm where the research philosophies are grounded in design and construction. Following an assessment of both the remote work information security issues and threats, and preparation of a set of functional requirements, a secure PESE concept was defined. The concept is represented by a set of attributes that encompass the security properties of preserving the confidentiality, integrity and availability of the computing environment and data. A computing environment that conforms to the concept is considered to be a secure PESE, the implementation of which consists of a highly portable device utilising secure storage and an up-loadable (on to a PC) secure execution environment. The secure storage and execution environment combine to address the information security risks in the remote work location. A research gap was identified as no existing ‘secure PESE like’ device fully conformed to the concept, enabling a research problem and objectives to be defined. Novel secure storage and execution environments were developed and used to construct a secure PESE suitable for commercial remote work and a high assurance secure PESE suitable for security critical remote work. The commercial secure PESE was trialled with an existing telework team looking to improve security and the high assurance secure PESE was trialled within an organisation that had previously vetoed remote working due to the sensitivity of the data it processed. An evaluation of the research findings found that the objectives had been satisfied. Using DSR evaluation frameworks it was determined that the body of knowledge had improved an area of study with sufficient evidence generated to assert a nascent design theory for secure PESEs. The thesis highlights the limitations of the research while opportunities for future work are also identified. This thesis presents ten published papers coupled with additional doctoral research (that was not published) which postulates the research argument that ‘secure PESEs can be used to manage information security risks within the remote work environment’

Memory Forensics

Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed.Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed

Customization and automation in the future of digital forensics: live OS forensics with FENIX (forensic examiner unix)

FENIX (Forensic Examiner uNIX) is a Linux based live OS (Operating System) created to be used in remote environments for incident response and digital forensics. Between a joint effort between the Center for Information Protection (CIP) and the Iowa State University Police Department (ISUPD), FENIX has been tailored to suit the needs and requests of law enforcement forensic specialists. The very basis for FENIX is to allow ISU police officers the ability to carry an easy to operate and customize forensic toolkit with them at the scene of a crime allowing for better acquisitions and a deeper analysis to be conducted in an investigation. FENIX isn\u27t a standard forensic toolkit as others are. FENIX is a custom build of the Linux kernel with several of its own applications created for specific OS and forensic purposes and designed for a user friendly interface. However, since most users will be more familiar with existing tools those tools have the ability to interface easily with FENIX

Data mining Techniques for Digital Forensic Analysis

The computer forensic involve the protection, classification, taking out information and documents the evidence stored as data or magnetically encoded information. But the organizations have an increasing amount of data from many sources like computing peripherals, personal digital assistants (PDA), consumer electronic devices, computer systems, networking equipment and various types of media, among other sources. To find similar kinds of evidences, crimes happened previously, the law enforcement officers, police forces and detective agencies is time consuming and headache. The main motive of this work is by combining a data mining techniques with computer forensic tools to get the data ready for analysis, find crime patterns, understand the mind of the criminal, assist investigation agencies have to be one step ahead of the bad guys, to speed up the process of solving crimes and carry out computer forensics analyses for criminal affairs

Teams Responsibilities for Digital Forensic Process

This paper presents a detailed digital forensics process model and the responsible teams to perform it. The discussed model presents three teams and a forensic leader who coordinate between the three teams; these teams are physical crime scene team, laboratory examination team and courtroom team. These teams are responsible of achieving the digital forensic model by applying five main phases which are preparation phase, physical forensics and investigation phase, digital forensics phase, reporting and presentation phase and closure phase. Most of the existing models in this field are either theoretical that deals with data processing or based on a legal point of view. Although they gave good information to base on it a guide, but they are not detailed enough to describe fully the investigative process and do not define teams and their responsibilities for investigation in a way that can be used by investigators during investigation. In this model the responsibilities and procedures of each team is represented given detailed steps for each team, so it can be used as guidance for the forensic investigators during investigation and assist their training. Keywords: digital forensics, computer forensics, digital investigation, forensic model, reference framework, Forensic teams’ responsibilities

Guideline Model for Digital Forensic Investigation

This paper proposes a detailed guideline model for digital forensics; the proposed model consists of five main phases, Preparation phase, Physical Forensics and Investigation Phase, Digital Forensics Phase, Reporting and Presentation Phase, and Closure Phase. Most of the existing models in this field do not cover all aspects of digital forensic investigations, as they focus mainly on the processing of digital evidence or on the legal points. Although they gave good information to base on it a guide, but they are not detailed enough to describe fully the investigative process in a way that can be used by investigators during investigation. In this model detailed steps for each phase is given, so it can be used as guidance for the forensic investigators, and it can assist the development of new investigative tools and techniques. Keywords: digital forensics, computer forensics, digital investigation, forensic model, reference framework