15,626 research outputs found

    Use of forensic corpora in validation of data carving on solid-state drives.

    The need for greater focus on the validation and verification of tools has become more evident in recent years. The research in this area has been minimal. Continued research regarding the validation of digital forensics tools is necessary to help meet demands from both the law enforcement and scientific communities and to bring digital forensics in line with other forensic disciplines (as cited in Guo et al., 2009). One of the most effective ways to perform validation and verification of digital forensics tools is to enlist the use of standardized data sets, also known as forensic corpora. This study focused on the use of forensic corpora to validate the file carving function of a common digital forensics tool, AccessData's Forensic Toolkit (FTK). The study centers specifically on FTK's ability to recover data on solid-state drives (SSDs). The goal of this study was both to evaluate the use of forensic corpora in the validation and verification of digital forensic tools and to serve as a validation study of FTK's carving function on solid-state drives.

    Development, Delivery and Dynamics of a Digital Forensics Subject

    Digital forensics is a newly developed subject offered at Charles Sturt University (CSU). This subject serves as one of the core subjects for the Master of Information Systems Security (Digital Forensics stream) course. The subject covers the legislative, regulatory, and technical aspects of digital forensics. The modules provide students with detailed knowledge of digital forensics legislation, digital crime, forensics processes and procedures, data acquisition and validation, e-discovery tools, e-evidence collection and preservation, investigating operating systems and file systems, network forensics, email and web forensics, and presenting reports and testimony as an expert witness. This paper summarises the process of subject development, delivery, assessments, and teaching critique, and provides results from an online subject evaluation survey. The dynamics of and reflection on subject delivery are particularly important to determine if the subject has met its objectives. Results from the subject critique and student evaluation survey are presented and a reflection on how to improve the subject is provided.

    A Review on Software Quality Forensics: Techniques, Challenges, and Limitations

    Software quality forensics plays a vibrant role related to software quality, security, and integrity. The paper aims to derive a software quality forensics model through existing software quality models and their factors. The paper explores quality models, factors, approaches, tools, techniques, and standards regarding software quality investigation and confines the research area to software quality integrity breach forensics. Exploring the deviations of quality attributes, standards, factors, and artifacts leads to further investigation of the root cause, followed by a digital evidence procedure for alleged software quality issues. Therefore, there is a need for a software quality forensics model and dedicated standards to fulfill the digital evidence procedure validation, satisfiable, and prosecution in the court of law in the context of alleged or illegal activity investigation quality of software. The paper has derived the techniques, challenges, and limitations of software quality forensics based on the review of research questions.

    The Advanced Framework for Evaluating Remote Agents (AFERA): A Framework for Digital Forensic Practitioners

    Digital forensics experts need a dependable method for evaluating evidence-gathering tools. Limited research and resources challenge this process, and the lack of multi-endpoint data validation hinders reliability in distributed digital forensics. A framework was designed to evaluate distributed agent-based forensic tools while enabling practitioners to self-evaluate and demonstrate evidence reliability as required by the courts. Grounded in Design Science, the framework features guidelines, data, criteria, and checklists. Expert review enhances its quality and practicality.

    Error Level Analysis Technique for Identifying JPEG Block Unique Signature for Digital Forensic Analysis

    The popularity of unique image compression features of image files opens an interesting research analysis process, given that several digital forensics cases are related to diverse file types. Of interest has been fragmented file carving and recovery, which forms a major aspect of digital forensics research on JPEG files. Whilst there exist several challenges, this paper focuses on the challenge of determining the co-existence of JPEG fragments within various file fragment types. Existing works have exhibited a high false-positive rate, therefore requiring manual validation. This study develops a technique that can identify the unique signature of JPEG 8 × 8 blocks using the Error Level Analysis technique, implemented in MATLAB. The experiment, conducted with 21 images of JFIF format with 1008 blocks, shows the efficacy of the proposed technique. Specifically, the initial results from the experiment show that JPEG 8 × 8 blocks have unique characteristics which can be leveraged for digital forensics. An investigator could, therefore, search for the unique characteristics to identify a JPEG fragment during a digital investigation process.

    EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution

    Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on the part of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant time and resources and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system as an alternative to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely base operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a "diffing" of resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an "evidence package". Evidence packages can be created for different personae, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated into the base images. A number of additional applications in digital forensic challenge creation for tool testing and validation, proficiency testing, and malware analysis are also discussed as a result of using EviPlant. Comment: Digital Forensic Research Workshop Europe 201

    Memory acquisition: A 2-Take approach

    As more and more people recognize the value of volatile data, live forensics gains more weight in digital forensics. It is often used in parallel with traditional pull-the-plug forensics to provide a more reliable result in forensic examination. One of the core components in live forensics is the collection and analysis of volatile memory data, during which the memory content is acquired to search for relevant evidential data or to investigate various computer processes to unveil the activities being performed by a user. However, this conventional method may have weaknesses because of the volatile nature of memory data and the absence of original data for validation. This may have implications for the admissibility of memory data in a court of law, which requires strict authenticity and reliability of evidence. In this paper, we discuss the impact of various memory acquisition methods and suggest a 2-Take approach which aims to enhance the confidence level of the acquired memory data for legal proceedings. © 2009 IEEE. The 2009 International Workshop on Forensics for Future Generation Communication Environments (F2GC-09) in conjunction with CSA 2009, Jeju Island, Korea, 10-12 December 2009. In Proceedings of CSA, 2009, p. 1-

    Standards for Digital Evidence: an inquiry into the opportunities for fair trial safeguards through digital forensics standards in criminal investigations

    Is digital evidence reliable? Does digital forensics in criminal investigations uphold fair trial principles and forensics standards? What is the impact of the increased use of science and technology in the investigation on the rights of suspects, accused, and defendants? This research attempts to address those questions through the lens of the right to a fair trial (Art. 6 ECHR). Selected fair trial guarantees are analysed in order to clarify specific evidence rules for digital investigations. These evidence rules feed into a gap analysis exemplifying unaddressed threats to the right to a fair trial rooted in the specifics of digital investigations and the underdeveloped reliability standard for digital evidence. The imminent challenges with digital evidence in practice are demonstrated in the review of the Encrochat investigation. To address the identified challenges, the thesis employs action research and examines practical solutions for improvement of digital evidence reliability by integrating fair trial based evidence rules with existing digital forensics methodology and given law enforcement requirements. As a result, a new reliability validation enabling framework for digital evidence is proposed. The practical benefits of the proposed framework for digital forensic examiners and law enforcement are tested in two case studies in cooperation with the Norwegian police. The argumentative legal analysis further explores the feasibility and implications of a new digital right to procedural accuracy to comprehensively address the significant impact of digital forensic science and technology on individuals’ rights in criminal proceedings and to serve as a legislative anchor for digital evidence reliability assurance.

    Current state of validation and testing of digital forensic tools in the United States.

    The Federal courts' decision in Daubert v. Merrell Dow Pharmaceuticals, Inc. (1993) requires forensic testing protocols and tools to be validated and tested for reliability before they can be used to support expert witness testimony. Digital forensic labs and individual examiners in the United States should be performing their own validation and verification tests on their digital forensic tools. The Scientific Working Group on Digital Evidence (SWGDE) recommends that examiners perform validation testing whenever there are new, revised, or reconfigured tools, techniques, or procedures. This study surveyed digital forensics examiners in the U.S. to provide a description of the current state of validation and testing of digital forensic tools, current protocols used for validation, and barriers to performing these tests. The findings included the following: 95% validate and test their digital forensic tools; 80.3% document the validation and testing process and their results; 53.6% validate and test each function if the forensic tool performs several different functions. Examiners should test their digital forensic tools to make sure they are working properly and receiving accurate results. The findings and testimony can be dismissed in court if the examiner is not following set standards.

    A case study of the challenges of cyber forensics analysis of digital evidence in a child pornography trial

    Perfunctory case analysis, lack of evidence validation, and an inability or unwillingness to present understandable analysis reports adversely affect the outcome of legal trials reliant on digital evidence. These issues have serious consequences for defendants who face heavy penalties or imprisonment yet expect their defence counsel to have a clear understanding of the evidence. Poorly reasoned, validated and presented digital evidence can result in conviction of the innocent as well as acquittal of the guilty. A case study of possession of child pornography highlights the issues that appear to plague case analysis and presentation of digital evidence relied on in these odious crimes; crimes increasingly consuming the time, resources and expertise of law enforcement and the legal fraternity. The necessity to raise the standard and formalise examinations of digital evidence used in child pornography seems timely. The case study shows how structured analysis and presentation processes can enhance examinations. The case study emphasises the urgency to integrate vigorous validation processes into cyber forensics examinations to meet an acceptable standard of cyber forensics examinations. The processes proposed in this case study enhance clarity in case management and ensure digital evidence is correctly analysed, contextualised and validated. This will benefit the examiner preparing the case evidence and help legal teams better understand the technical complexities involved.