A Forensically Sound Adversary Model for Mobile Devices
In this paper, we propose an adversary model to facilitate forensic
investigations of mobile devices (e.g. Android, iOS and Windows smartphones)
that can be readily adapted to the latest mobile device technologies. This is
essential given the ongoing and rapidly changing nature of mobile device
technologies. An integral principle and significant constraint upon forensic
practitioners is that of forensic soundness. Our adversary model specifically
considers and integrates the constraints of forensic soundness on the
adversary, in our case, a forensic practitioner. One construction of the
adversary model is an evidence collection and analysis methodology for Android
devices. Using the methodology with six popular cloud apps, we were successful
in extracting various information of forensic interest in both the external and
internal storage of the mobile device
Conceptual evidence collection and analysis methodology for Android devices
Android devices continue to grow in popularity and capability meaning the
need for a forensically sound evidence collection methodology for these devices
also increases. This chapter proposes a methodology for evidence collection and
analysis for Android devices that is, as far as practical, device agnostic.
Android devices may contain a significant amount of evidential data that could
be essential to a forensic practitioner in their investigations. However, the
retrieval of this data requires that the practitioner understand and utilize
techniques to analyze information collected from the device. The major
contribution of this research is an in-depth evidence collection and analysis
methodology for forensic practitioners.
Comment: in Cloud Security Ecosystem (Syngress, an Imprint of Elsevier), 201
Data reduction and data mining framework for digital forensic evidence: storage, intelligence, review and archive
With the volume of digital forensic evidence rapidly increasing, this paper proposes a data reduction and data mining framework that incorporates a process of reducing data volume by focusing on a subset of information.
Foreword
The volume of digital forensic evidence is rapidly increasing, leading to large backlogs. In this paper, a Digital Forensic Data Reduction and Data Mining Framework is proposed. Initial research with sample data from South Australia Police Electronic Crime Section and Digital Corpora Forensic Images using the proposed framework resulted in significant reduction in the storage requirements—the reduced subset is only 0.196 percent and 0.75 percent respectively of the original data volume. The framework outlined is not suggested to replace full analysis, but serves to provide a rapid triage, collection, intelligence analysis, review and storage methodology to support the various stages of digital forensic examinations. Agencies that can undertake rapid assessment of seized data can more effectively target specific criminal matters. The framework may also provide a greater potential intelligence gain from analysis of current and historical data in a timely manner, and the ability to undertake research of trends over time
Integration of multimedia technology into the curriculum of forensic science courses using crime scene investigations.
Virtual reality technology is a powerful tool for the development of experimental learning in practical situations. Creation of software packages with some element of virtual learning allows educators to broaden the available experience of students beyond the scope that a standard curriculum provides. This teaching methodology is widely used in the delivery of medical education with many surgical techniques being practised via virtual reality technologies (see Engum et al., 2003). Use has been made of this technology for a wide range of teaching applications such as virtual field trials for an environmental science course (Ramasundaram et al., 2005), and community nursing visiting education scenarios (Nelson et al., 2005) for example. Nelson et al. (2005) imaged three-dimensional representations of patient living accommodation incorporating views of patient medication in order to deliver care modules via a problem-based learning approach. The use of virtual reality in the teaching of crime scene science was pioneered by the National Institute of Forensic Science in Australia as part of their Science Proficiency Advisory Committee testing programme. A number of scenarios were created using CDROM interfacing, allowing as near as possible normal procedures to be adopted. This package included proficiency testing integrated into the package and serves as a paradigm for the creation of virtual reality crime scene scenarios (Horswell, 2000). The package is commercially available on CD-ROM as part of the series ‘After the Fact’ (http://www.nfis.com.au). The CD-ROM package is geared to proficiency training of serving scenes of crime officers and thus contains details that may not be needed in the education of other parties with a need for forensic awareness. These include undergraduate students studying towards forensic science degree programmes in the UK as well as serving Police Officers. 
These groups may need virtual reality crime scene material geared to their specific knowledge requirements. In addition, Prof J Fraser, President of the Forensic Science Society and a former police Scientific Support Manager, speaking to the United Kingdom, House of Commons Science and Technology Select Committee in its report ‘Forensic Science on Trial’ (2005) states: ‘The documented evidence in relation to police knowledge of forensic science, in terms of making the best use of forensic science, is consistently clear, that their knowledge needs to improve and therefore their training needs to improve’. This clearly identifies a need for further training of serving police officers in forensic science. It was with this in mind that staff at the University collaborated with the West Midlands Police Service. The aim was to create a virtual reality CD-ROM that could serve as part of the continuing professional development of serving police officers in the area of scene management. Adaptation of the CD-ROM could allow some introductory materials to help undergraduate students of forensic science
Identification and separation of DNA mixtures using peak area information
We introduce a new methodology, based upon probabilistic expert systems, for analysing forensic identification problems involving DNA mixture traces using quantitative peak area information. Peak area is modelled with conditional Gaussian distributions. The expert system can be used for ascertaining whether individuals, whose profiles have been measured, have contributed to the mixture. It can also be used to predict DNA profiles of unknown contributors by separating the mixture into its individual components. The potential of our probabilistic methodology is illustrated on case data examples and compared with alternative approaches. The advantages are that identification and separation issues can be handled in a unified way within a single probabilistic model and the uncertainty associated with the analysis is quantified. Further work, required to bring the methodology to a point where it could be applied to the routine analysis of casework, is discussed.
A framework for designing cloud forensic‑enabled services (CFeS)
Cloud computing is used by consumers to access cloud services. Malicious
actors exploit vulnerabilities of cloud services to attack consumers. The link
between these two assumptions is the cloud service. Although cloud forensics assists
in the direction of investigating and solving cloud-based cyber-crimes, in many
cases the design and implementation of cloud services falls back. Software designers
and engineers should focus their attention on the design and implementation of
cloud services that can be investigated in a forensically sound manner. This paper presents
a methodology that aims at assisting designers to design cloud forensic-enabled
services. The methodology supports the design of cloud services by implementing
a number of steps to make the services cloud forensic-enabled. It consists
of a set of cloud forensic constraints, a modelling language expressed through a
conceptual model and a process based on the concepts identified and presented in
the model. The main advantage of the proposed methodology is the correlation of
cloud services’ characteristics with the cloud investigation while providing software
engineers the ability to design and implement cloud forensic-enabled services via
the use of a set of predefined forensic related task
Identification and separation of DNA mixtures using peak area information (Updated version of Statistical Research Paper No. 25)
We introduce a new methodology, based upon probabilistic expert systems, for analysing forensic identification problems involving DNA mixture traces using quantitative peak area information. Peak area is modelled with conditional Gaussian distributions. The expert system can be used for ascertaining whether individuals, whose profiles have been measured, have contributed to the mixture, but also to predict DNA profiles of unknown contributors by separating the mixture into its individual components. The potential of our probabilistic methodology is illustrated on case data examples and compared with alternative approaches. The advantages are that identification and separation issues can be handled in a unified way within a single probabilistic model and the uncertainty associated with the analysis is quantified. Further work, required to bring the methodology to a point where it could be applied to the routine analysis of casework, is discussed
EviPlant: An efficient digital forensic challenge creation, manipulation and distribution solution
Education and training in digital forensics requires a variety of suitable
challenge corpora containing realistic features including regular
wear-and-tear, background noise, and the actual digital traces to be discovered
during investigation. Typically, the creation of these challenges requires
overly arduous effort on the part of the educator to ensure their viability.
Once created, the challenge image needs to be stored and distributed to a class
for practical training. This storage and distribution step requires significant
time and resources and may not even be possible in an online/distance learning
scenario due to the data sizes involved. As part of this paper, we introduce a
more capable methodology and system as an alternative to current approaches.
EviPlant is a system designed for the efficient creation, manipulation, storage
and distribution of challenges for digital forensics education and training.
The system relies on the initial distribution of base disk images, i.e., images
containing solely base operating systems. In order to create challenges for
students, educators can boot the base system, emulate the desired activity and
perform a "diffing" of resultant image and the base image. This diffing process
extracts the modified artefacts and associated metadata and stores them in an
"evidence package". Evidence packages can be created for different personae,
different wear-and-tear, different emulated crimes, etc., and multiple evidence
packages can be distributed to students and integrated into the base images. A
number of additional applications in digital forensic challenge creation for
tool testing and validation, proficiency testing, and malware analysis are also
discussed as a result of using EviPlant.
Comment: Digital Forensic Research Workshop Europe 201
Replication of Known Dental Characteristics in Porcine Skin: Emerging Technologies for the Imaging Specialist
This study demonstrates that it is sometimes possible to replicate patterns of human teeth in pig skin and determine scientifically that a given injury pattern (bite mark) correlates with the dentitions of a very small proportion of a population dataset, e.g., 5 percent or even 1 percent. The authors recommend building on the template of this research with a sufficiently large database of samples that reflects the diverse world population. They also envision the development of a sophisticated imaging software application that enables forensic examiners to insert parameters for measurement, as well as additional methods of applying force to produce bite marks for research. The authors further advise that this project is applied science for injury pattern analysis and is only foundational research that should not be cited in testimony and judicial procedures. It supplements but does not contradict current guidelines of the American Board of Forensic Odontology regarding bite mark analysis and comparisons. A much larger population database must be developed. The project’s methodology is described in detail, accompanied by 11 tables and 41 figures
