11 research outputs found

    Developing a Proactive Framework for E-Discovery Compliance

    The purpose of this document is to give Information Systems Management an awareness of a compliance risk associated with the management of electronic data. The 2006 changes to the Federal Rules of Civil Procedure make electronic data discoverable as evidence in civil court cases, introducing the need for proactive management of end-user data beyond the data that a particular form of legislation may require. Leveraging existing forensic data collection processes and raising awareness of the problem and of the risk to the organization will provide a level of assurance of compliance should the data be requested in a civil trial. This project analyzed the current state that existed for businesses and organizations, the actual risk and the precedents that have been set, and determines the current state of awareness and readiness that businesses have for this problem. The project then offers a solution to this problem that will aid in reducing the risk and hardship an organization could face when electronic data is requested. Finally, this project presents the results of actual testing of the proposed solution in a real-world business enterprise.

    Book Review: Windows Forensic Analysis DVD Toolkit

    This document is Dr. Kessler's review of Windows Forensic Analysis DVD Toolkit, 2nd edition, by Harlan Carvey. Syngress, 2009. 482 pp. ISBN: 978-1-59749-422-9.

    A comparison of open source and proprietary digital forensic software

    Scrutiny of the capabilities and accuracy of computer forensic tools is increasing as the number of incidents relying on digital evidence, and the weight given to that evidence, increase. This thesis describes the capabilities of the leading proprietary and open source digital forensic tools. The capabilities of the tools were tested separately on digital media that had been formatted using Windows and Linux. Experiments were carried out with the intention of establishing whether the capabilities of open source computer forensic tools are similar to those of proprietary computer forensic tools, and whether these tools could complement one another. The tools were tested with regard to their capabilities to create and analyse digital forensic images in a forensically sound manner. The tests were carried out on each media type after deleting data from the media, and then repeated after formatting the media. The results of the experiments demonstrate that proprietary and open source computer forensic tools each have superior capabilities in different scenarios, and that the toolsets can be used to validate and complement one another. The implication of these findings is that investigators have an affordable means of validating their findings and are able to investigate digital media more effectively.

    Digitalna forenzika

    The book "Digitalna forenzika" (Digital Forensics) presents the state of the field of digital forensics and explains the methods and techniques of digital forensics of computer systems that detect this kind of crime and act preventively as a form of protection for computer systems. Analysis of a computer system shows the state of the system, i.e. how vulnerable the system is after its installation on a computer. In this way vulnerabilities in the system are detected and recommendations for overcoming these security problems are obtained, which acts preventively against a possible forensically relevant event. This comprehensive research can therefore also be viewed as a kind of proactive digital forensics, in the sense of being prepared for, but also detecting, a forensically relevant event. Digital data generated on or entered into a computer leaves numerous traces in operating systems. Searching for data involves attaching a forensic tool, which means leaving traces on the digital data (Locard's exchange principle). Deleted data leaves traces in the unallocated and slack space of the disk, and the absence of data indicates anti-forensic activity and provides strong grounds for suspecting illicit activity. The book "Digitalna forenzika" may be of use both to those who deal with digital forensics from a theoretical perspective and to those who face the problems of digital forensics in practice.

    Digital forensic in security of information system based on Linux and Windows platforms

    Digital forensics is a multidisciplinary science that combines different scientific disciplines (computer science, law, criminology) and faces numerous challenges under conditions of mass generation of digital data (Big Data), virtualisation of the client and server sides (cloud computing), disagreement among standardisation bodies, and a general shortage of standards and of experts in all of these disciplines. Since digital forensics applies to all digital devices, the narrower scientific field includes numerous applications of digital forensics, such as computer forensics, mobile device forensics, forensics of modern vehicle systems, sensor network forensics, etc. This paper analyses and applies the narrower field of computer forensics. It describes the digital forensics of computer systems based on the Windows and Linux platforms, with a focus on specific points in the implemented system of proactive digital forensics that can indicate forensically relevant events critical to system security. Numerous methodologies, technologies and techniques for investigating high-tech crime are described. The process of data collection and "live" digital forensic analysis is considered in detail. A short review is given of the characteristics and typically required functionality of forensic software tools for initial response and for the recovery of data and partitions on magnetic disks. The most important digital forensic toolkits and their basic functionality are also described. The paper highlights the most important elements that require special attention during digital forensic analysis in a virtual environment, and explains the most important segments of the virtual environment itself and how they can serve as significant tools for digital forensic analysis.
    The last part of the paper focuses on vulnerabilities of the Windows and Linux platforms, with the ways in which systems are maliciously compromised. General vulnerabilities are described, as well as specific vulnerabilities that apply only to Windows or only to Linux platforms, and the most common ways of maliciously exploiting systems are listed. Vulnerabilities of computer systems and networks may relate to programs, hardware, configuration and people. Setting aside people as the most significant and at the same time most critical factor in protecting information, program vulnerabilities are typically exploited in direct online attacks or in attacks with malicious programs. Detecting and remediating vulnerabilities in system programs is one of the main goals of digital forensics. Besides collecting forensically relevant digital data and building sound digital evidence of a computer incident or crime for the judicial system, the goal of digital forensic analysis is to permanently remediate the exploited vulnerabilities so that an incident or unlawful activity of that kind never recurs. In this sense the contribution of this paper is very significant. A practical example of testing service vulnerabilities on the Windows and Linux platforms covered 80 operating systems: 51 Windows operating systems and 29 Linux operating systems. The results come from two years of research, since the systems were tested in 2011 and 2013. By scanning and presenting the vulnerabilities of default installations of Windows and Linux systems, vulnerabilities that could potentially be exploited by security threats (malicious programs or malicious attackers) to endanger computer systems and information are discovered in advance. Proactively remediating these vulnerabilities provides preventive protection. Establishing a system of proactive forensics ensures that forensically relevant events, i.e. traces of attempted attacks, are logged in real time, which substantially eases a forensic investigation in the event of an incident or unlawful activity.

    Digital Forensics and Born-Digital Content in Cultural Heritage Collections

    Digital Forensics and Born-Digital Content in Cultural Heritage Collections examines digital forensics and its relevance for contemporary research. The applicability of digital forensics to archivists, curators, and others working within our cultural heritage is not necessarily intuitive. When the shared interests of digital forensics and the responsibilities associated with securing and maintaining our cultural legacy are identified (preservation, extraction, documentation, and interpretation, as this report details), the correspondence between these fields of study becomes logical and compelling. Council on Library and Information Resources.

    A study of application level information from the volatile memory of Windows computer systems

    The purpose of this research was to investigate the seven most commonly used applications in order to uncover information that may have been hidden from forensic investigators, by extracting application-level information from the volatile memory of a Windows system and analysing that volatile memory. The aim was to formulate how the extracted application-level information can be reconstructed to describe what user activities had taken place in the application under investigation. After reviewing the relevant literature on volatile memory analysis and forensically relevant data from Windows applications, this thesis confines its research to a study of application-level information and the volatile memory analysis of Windows applications. Both quantitative and qualitative results were produced. The quantitative assessment consists of four metrics used to measure the quantity of user input in the applications, while the qualitative measures were formulated to infer what the user is doing in the application, what they have been doing and what they are using the application for. The reconstruction of user input activities was carried out by using some commonly used English words to search for user input, and by pattern matching techniques for cases where the user input is already known in the investigation. The analysis of user input was discussed on the basis of four scenarios developed for this research. The results show that different amounts of user input can be recovered from the various applications. The result in scenario 1 indicates that user input can be recovered easily from Word, PowerPoint, Outlook Email and Internet Explorer 7.0, and that little user input can be found in Excel, MS Access and Adobe Reader 8.0. In scenario 2, a significant amount of user input was recovered in the memory allocated to all the applications except MS Access, where little user input was found.
    In scenario 3, only Outlook Email and Internet Explorer 7.0 yielded a large amount of recovered user input; the rest of the applications retain little user input in memory. In scenario 4, a greatly reduced amount of information was found for all the applications, but some user input was still found for Outlook Email and Internet Explorer 7.0, which shows that user input can be retained in memory for some time. After the analysis of user input, the importance of application-level information in volatile memory was discussed. A procedure has been formalised for the extraction and analysis of application-level information, and it has been discussed with respect to its use in a court of law on the basis of the five Daubert tests of the scientific method for gathering digital evidence. As presented, three of the Daubert tests have been completed, while the other two form the unique contribution of the research project to the digital forensics community. The author recommends that the research theory of application-level information be extended to other operating systems using the scenarios formulated in this research project. EThOS - Electronic Theses Online Service, United Kingdom.

    The Hermeneutics Of The Hard Drive: Using Narratology, Natural Language Processing, And Knowledge Management To Improve The Effectiveness Of The Digital Forensic Process

    In order to protect the safety of our citizens and to ensure a civil society, we ask our law enforcement, judiciary and intelligence agencies, under the rule of law, to seek probative information that can be acted upon for the common good. This information may be used in court to prosecute criminals, or it can be used to conduct offensive or defensive operations to protect our national security. As the citizens of the world store more and more information in digital form, and as they live an ever-greater portion of their lives online, law enforcement, the judiciary and the Intelligence Community will continue to struggle with finding, extracting and understanding the data stored on computers. But this trend also affords greater opportunity for law enforcement. This dissertation describes how several disparate approaches (knowledge management, content analysis, narratology, and natural language processing) can be combined in an interdisciplinary way to address the growing difficulty of developing useful, actionable intelligence from the ever-increasing corpus of digital evidence. After exploring how these techniques might apply to the digital forensic process, I will suggest two new theoretical constructs, the Hermeneutic Theory of Digital Forensics and the Narrative Theory of Digital Forensics, linking existing theories of forensic science, knowledge management, content analysis, narratology, and natural language processing in order to identify and extract narratives from digital evidence. An experimental approach will be described and prototyped. The results of these experiments demonstrate the potential of natural language processing techniques for digital forensics.