Using Computer Behavior Profiles to Differentiate between Users in a Digital Investigation

Most digital crimes involve finding evidence on the computer and then linking it to a suspect using login information, such as a username and a password. However, login information is often shared or compromised. In such a situation, there needs to be a way to identify the user without relying exclusively on login credentials. This paper introduces the concept that users may show behavioral traits which might provide more information about the user on the computer. This hypothesis was tested by conducting an experiment in which subjects were required to perform common tasks on a computer, over multiple sessions. The choices they made to complete each task was recorded. These were converted to a \u27behavior profile,\u27 corresponding to each login session. Cluster Analysis of all the profiles assigned identifiers to each profile such that 98% of profiles were attributed correctly. Also, similarity scores were generated for each session-pair to test whether the similarity analysis attributed profiles to the same user or to two different users. Using similarity scores, the user sessions were correctly attributed 93.2% of the time. Sessions were incorrectly attributed to the same user 3.1% of the time and incorrectly attributed to different users 3.7% of the time. At a confidence level of 95%, the average correct attributions for the population was calculated to be between 92.98% and 93.42%. This shows that users show uniqueness and consistency in the choices they make as they complete everyday tasks on a system, and this can be useful to differentiate between them. Keywords: computer behavior users, interaction, investigation, forensics, graphical inter-face, windows, digital Keywords: computer behavior users, interaction, investigation, forensics, graphical inter- face, windows, digita

Paper Session V: Steganography and Terrorist Communications - Current Information and Trends - Tools, Analysis and Future Directions in Steganalysis in Context with Terrorists and Other Criminals

In ancient times, users communicated using steganography, “…derived from the Greek words steganos, meaning ‘covered’, and graphein, meaning ‘to write.’” (Singh, 1999, p.5) Steganography facilitates secret, undetected communication. In modern times, in the context of the Global War on Terror, national intelligence and law enforcement agencies need tools to detect hidden information (steganography) in various types of media, most specifically to uncover the placement of hidden information in images. This paper will look at steganography in general terms, presenting the theory of some common steganographic techniques and touching on some theoretical work in steganography. Then a discussion of how to utilize detection tools will shed light on the question of how to make our nation more secure in light of this technology being used by nefarious individuals and organizations. Keywords: Steganography, information hiding, computer forensics, terrorism, steganalysis, cryptograph

Self-Reported Cyber Crime: An Analysis on the Effects of Anonymity and Pre-Employment Integrity

A key issue facing today’s society is the increase in cyber crimes. Cyber crimes pose threats to nations, organizations and individuals across the globe. Much of the research in cyber crime has risen from computer science-centric programs, and little experimental research has been performed on the psychology of cyber crime. This has caused a knowledge gap in the study of cyber crime. To this end, this research focuses on understanding psychological concepts related to cyber crime. Through an experimental design, participants were randomly assigned to three groups with varying degrees of anonymity. After each treatment, participants were asked to self-report their cyber crime engagement, and pre-employment integrity. Results indicated that the anonymity manipulation had a main effect on self-reported cyber crime engagement. The results also showed that there is a statistically significant negative relationship between self-reported cyber crime engagement and pre-employment integrity. Suggestions for future research are also discussed

Successful Implementation of PBIS in an alternative school setting

Mountain Creek Academy is beginning the 6th year of PBIS implementation. Year before last they began to look for ways to make this program meaningful to the population they serve, as many students were placed there for punitive measures. They decided to use the Boys Town model to teach social skills in conjunction with the PBIS framework. This additional curriculum gave the academy the push it needed to move from emergent to operational status on the list of PBIS schools kept by the Georgia Department of Education. Office discipline referrals were reduced by 460%, and the climate of the school was changed. The most significant changes were experienced by the students. They learned necessary social skills and achieved success. Many have been able to generalize those skills to other settings, and many now choose to remain at Mountain Creek Academy due to the feelings of being successful and respected in that environment

Exploring Forensic Implications of the Fusion Drive

This paper explores the forensic implications of Apple’s Fusion Drive. The Fusion Drive is an example of auto-tiered storage. It uses a combination of a flash drive and a magnetic drive. Data is moved between the drives automatically to maximize system performance. This is different from traditional caches because data is moved and not simply copied. The research included understanding the drive structure, populating the drive, and then accessing data in a controlled setting to observe data migration strategies. It was observed that all the data is first written to the flash drive with 4 GB of free space always maintained. If data on the magnetic drive is frequently accessed, it is promoted to the flash drive while demoting other information. Data is moved at a block-level and not a file-level. The Fusion Drive didn’t alter the timestamps of files with data migration

The General Digital Forensics Model

The lack of a graphical representation of all of the principles, processes, and phases necessary to carry out an digital forensic investigation is a key inhibitor to effective education in this newly emerging field of study. Many digital forensic models have been suggested for this purpose but they lack explanatory power as they are merely a collection of lists or one-dimensional figures. This paper presents a new multi-dimensional model, the General Digital Forensics Model (GDFM), that shows the relationships and inter-connectedness of the principles and processes needed within the domain of digital forensics. Keywords: process model, computer forensics, expert learning, educational framework, digital forensic

Methodology for the Automated Metadata-Based Classification of Incriminating Digital Forensic Artefacts

The ever increasing volume of data in digital forensic investigation is one of the most discussed challenges in the field. Usually, most of the file artefacts on seized devices are not pertinent to the investigation. Manually retrieving suspicious files relevant to the investigation is akin to finding a needle in a haystack. In this paper, a methodology for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation) is proposed to reduce the manual analysis effort required. This methodology is designed to work in a human-in-the-loop fashion. In other words, it predicts/recommends that an artefact is likely to be suspicious rather than giving the final analysis result. A supervised machine learning approach is employed, which leverages the recorded results of previously processed cases. The process of features extraction, dataset generation, training and evaluation are presented in this paper. In addition, a toolkit for data extraction from disk images is outlined, which enables this method to be integrated with the conventional investigation process and work in an automated fashion

SMIRK: SMS Management and Information Retrieval Kit

There has been tremendous growth in the information environment since the advent of the Internet and wireless networks. Just as e-mail has been the mainstay of the web in its use for personal and commercial communication, one can say that text messaging or Short Message Service (SMS) has become synonymous with communication on mobile networks. With the increased use of text messaging over the years, the amount of mobile evidence has increased as well. This has resulted in the growth of mobile forensics. A key function of digital forensics is efficient and comprehensive evidence analysis which includes authorship attribution. Significant work on mobile forensics has focused on data acquisition from devices and little attention has been given to the analysis of SMS. Consequentially, we propose a software application called: SMS Management and Information Retrieval Kit (SMIRK). SMIRK aims to deliver a fast and efficient solution for investigators and researchers to generate reports and graphs on text messaging. It also allows investigators to analyze the authorship of SMS messages. © Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering 2010