When a USB flash drive is plugged into a Windows XP computer, a number of registry settings and log files are automatically updated that reflect the use of the USB flash drive. This information is often important in criminal proceedings where the use of a USB flash drive can be shown to have copied data to and from the computer. The aim of this work was to evaluate the information that can identify USB flash drive usage on a Windows XP computer and to understand how that information could be used by a computer forensics investigator. A tool was produced to perform a function that allowed the amendment of the information concerned with USB flash device usage. This amendment of data will be intentional and deliberate and can therefore be defined as being an anti forensics tool.
{"title":"An Investigation into the Development of an Anti-forensic Tool to Obscure USB Flash Drive Device Information on a Windows XP Platform","authors":"P. Thomas, Alun Morris","doi":"10.1109/WDFIA.2008.13","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.13","url":null,"abstract":"When a USB flash drive is plugged into a Windows XP computer, a number of registry settings and log files are automatically updated that reflect the use of the USB flash drive. This information is often important in criminal proceedings where the use of a USB flash drive can be shown to have copied data to and from the computer. The aim of this work was to evaluate the information that can identify USB flash drive usage on a Windows XP computer and to understand how that information could be used by a computer forensics investigator. A tool was produced to perform a function that allowed the amendment of the information concerned with USB flash device usage. This amendment of data will be intentional and deliberate and can therefore be defined as being an anti forensics tool.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126067247","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The growing popularity of Global Positioning Systems and other location-based telecommunications service provision provide a further potential source of data for the forensic investigator. Network- or device located information may have evidential value in supporting a case by providing details or proof of visited locations, navigation through particular routes,or communications with third parties. In this paper we focus on the examination of the end users portable device and we highlight the nature and locations where potential evidence may be left behind.
{"title":"Global Positioning Systems: Analysis Principles and Sources of Evidence in User Devices","authors":"D. Jones, I. Sutherland, T. Tryfonas","doi":"10.1109/WDFIA.2008.12","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.12","url":null,"abstract":"The growing popularity of Global Positioning Systems and other location-based telecommunications service provision provide a further potential source of data for the forensic investigator. Network- or device located information may have evidential value in supporting a case by providing details or proof of visited locations, navigation through particular routes,or communications with third parties. In this paper we focus on the examination of the end users portable device and we highlight the nature and locations where potential evidence may be left behind.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128131657","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Email backscatter is a side effect of email spam, viruses or worms. When a spam or malware-laden email is sent, it nearly always has a forged sender address. If this email fails to reach its recipient, e.g., because the recipientpsilas mailbox is full or the recipient has set up an out-of-the-office auto-responder, the recipientpsilas mail system may attempt to generate and send an automated message replying to the forged sender. This unsolicited message sent to the forged sender is an email backscatter. On massive email spam runs where the same address (or domain) is forged as the sender, there can be significant amounts of backscatter email to the forged address. We consider potential forensic value in the analysis of email backscatter, for example, the times when certain compromised machines were used to send spams. We present results of an analysis performed with our Backscatter Email Analysis Tool (BEAT) of a massive backscatter incident that occurred in mid April, 2008.
{"title":"Forensic Value of Backscatter from Email Spam","authors":"C. Fuhrman","doi":"10.1109/WDFIA.2008.10","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.10","url":null,"abstract":"Email backscatter is a side effect of email spam, viruses or worms. When a spam or malware-laden email is sent, it nearly always has a forged sender address. If this email fails to reach its recipient, e.g., because the recipientpsilas mailbox is full or the recipient has set up an out-of-the-office auto-responder, the recipientpsilas mail system may attempt to generate and send an automated message replying to the forged sender. This unsolicited message sent to the forged sender is an email backscatter. On massive email spam runs where the same address (or domain) is forged as the sender, there can be significant amounts of backscatter email to the forged address. We consider potential forensic value in the analysis of email backscatter, for example, the times when certain compromised machines were used to send spams. We present results of an analysis performed with our Backscatter Email Analysis Tool (BEAT) of a massive backscatter incident that occurred in mid April, 2008.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"83 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124136992","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The widespread adoption of mobile agents as a best appropriate mean for supporting distributed computing is facing the major problem of security. The subtle issue of malicious hosts is by far the most difficult facet of this concern. Many various solutions had been reported in the area of mobile agentspsila trustworthiness, varying from tamper free hardware to pure software protocols. Nonetheless, none is fully satisfactory. This paper addresses the issues of mobile agentspsila trustworthiness in a new basis. In fact, our approach uses a mediation procedure, resorting at last to a mechanism enforcing the truth where the malicious character of a host is unambiguously reported. The core ideas of our approach are new. However, the principles driving them were around for years, since the era of distributed systems investigations. This paper will develop the issues raised by our approach.
{"title":"Malicious Hosts Detection through Truth Powered Approach","authors":"M. Chihoub","doi":"10.1109/WDFIA.2008.6","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.6","url":null,"abstract":"The widespread adoption of mobile agents as a best appropriate mean for supporting distributed computing is facing the major problem of security. The subtle issue of malicious hosts is by far the most difficult facet of this concern. Many various solutions had been reported in the area of mobile agentspsila trustworthiness, varying from tamper free hardware to pure software protocols. Nonetheless, none is fully satisfactory. This paper addresses the issues of mobile agentspsila trustworthiness in a new basis. In fact, our approach uses a mediation procedure, resorting at last to a mechanism enforcing the truth where the malicious character of a host is unambiguously reported. The core ideas of our approach are new. However, the principles driving them were around for years, since the era of distributed systems investigations. This paper will develop the issues raised by our approach.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"43 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134188798","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Investigating cases of e-mail misuse within an organization (e.g. sexist / racist content, offensive material, etc.) to determine culpability can be a complex process. Such investigations are less likely to result in a formal prosecution, but are more likely to end in disciplinary action. In a criminal investigation, the evidence is collected, analyzed and then presented to the court. In an internal corporate forensics investigation, management must not only assess evidence to determine culpability, but must also determine appropriate levels of corporate discipline to be applied. These range from informal verbal warnings through formal verbal and written warnings, to suspension or termination of employment. Such a process may often be conducted by management who have no experience of the investigatory process. The social network analysis approach presented in this paper can be used not only to analyze and appreciate what can be a complex sequence of events involved in e-mail misuse, but also to determine levels of culpability.
{"title":"Determining Culpability in Investigations of Malicious E-mail Dissemination within the Organisation","authors":"J. Haggerty, M. Taylor, D. Gresty","doi":"10.1109/WDFIA.2008.8","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.8","url":null,"abstract":"Investigating cases of e-mail misuse within an organization (e.g. sexist / racist content, offensive material, etc.) to determine culpability can be a complex process. Such investigations are less likely to result in a formal prosecution, but are more likely to end in disciplinary action. In a criminal investigation, the evidence is collected, analyzed and then presented to the court. In an internal corporate forensics investigation, management must not only assess evidence to determine culpability, but must also determine appropriate levels of corporate discipline to be applied. These range from informal verbal warnings through formal verbal and written warnings, to suspension or termination of employment. Such a process may often be conducted by management who have no experience of the investigatory process. The social network analysis approach presented in this paper can be used not only to analyze and appreciate what can be a complex sequence of events involved in e-mail misuse, but also to determine levels of culpability.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127731514","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Adamantini Martini, Alexandros Zaharis, C. Ilioudis
Data hiding technique through alternate data streams in compressed form is poorly documented and less known among forensic experts. This paper deals with the documentation of compressed ADS and their attributes concerning hiding information, provides a simple technique of creating compressed ADS and using it in a malicious manner. Finally a method is presented in order to detect and manipulate ADS in a proper way, complying with the computer forensic techniques.
{"title":"Detecting and Manipulating Compressed Alternate Data Streams in a Forensics Investigation","authors":"Adamantini Martini, Alexandros Zaharis, C. Ilioudis","doi":"10.1109/WDFIA.2008.9","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.9","url":null,"abstract":"Data hiding technique through alternate data streams in compressed form is poorly documented and less known among forensic experts. This paper deals with the documentation of compressed ADS and their attributes concerning hiding information, provides a simple technique of creating compressed ADS and using it in a malicious manner. Finally a method is presented in order to detect and manipulate ADS in a proper way, complying with the computer forensic techniques.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115674812","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Being related to law and state-of-the-art technology, digital forensics needs more discipline than traditional forensics. The variety of types of crimes, distribution of networks and complexity of information and communication technology, add to the complexity of the process of digital investigations. A rigorous and flexible process model is needed to overcome challenges and obstacles in this area. In this paper we propose a digital forensics process, called "two-dimensional evidence reliability amplification process model", which presents a detailed digital forensic process model in five main phases and different roles to perform it. At the same time, this iterative process addresses four essential tasks as the umbrella activities that are applicable across all phases and sub-phases. We have also developed a hypothetical solution based on intersection of events and exploit mathematical operations and symbols for making an algorithm to increase the reliability of evidence. This process model is detailed enough to describe the investigation process so that it could possibly provide a guideline that investigators can take advantage of it during a forensics investigation process.
{"title":"Two-Dimensional Evidence Reliability Amplification Process Model for Digital Forensics","authors":"M. Khatir, S.M. Hejazi, E. Sneiders","doi":"10.1109/WDFIA.2008.11","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.11","url":null,"abstract":"Being related to law and state-of-the-art technology, digital forensics needs more discipline than traditional forensics. The variety of types of crimes, distribution of networks and complexity of information and communication technology, add to the complexity of the process of digital investigations. A rigorous and flexible process model is needed to overcome challenges and obstacles in this area. In this paper we propose a digital forensics process, called \"two-dimensional evidence reliability amplification process model\", which presents a detailed digital forensic process model in five main phases and different roles to perform it. At the same time, this iterative process addresses four essential tasks as the umbrella activities that are applicable across all phases and sub-phases. We have also developed a hypothetical solution based on intersection of events and exploit mathematical operations and symbols for making an algorithm to increase the reliability of evidence. This process model is detailed enough to describe the investigation process so that it could possibly provide a guideline that investigators can take advantage of it during a forensics investigation process.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121465805","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Peter M. Bednar, Vasilios Katos, C. Hennell, Peter M. Bednar
This paper reports on the challenges computer forensic investigators face in relation to collaborative decision making, communication and coordination.The opportunities, operational environment and modus operandi of a cyber criminal are considered and used to develop the requirements in terms of both skill sets and procedural support a forensics investigator should have in order to respond to the respective threat vectors. As such, we show how a published framework for systemic thinking can be fit for purpose for supporting the collaborative enquiry and decision-making process.
{"title":"Cyber-Crime Investigations: Complex Collaborative Decision Making","authors":"Peter M. Bednar, Vasilios Katos, C. Hennell, Peter M. Bednar","doi":"10.1109/WDFIA.2008.7","DOIUrl":"https://doi.org/10.1109/WDFIA.2008.7","url":null,"abstract":"This paper reports on the challenges computer forensic investigators face in relation to collaborative decision making, communication and coordination.The opportunities, operational environment and modus operandi of a cyber criminal are considered and used to develop the requirements in terms of both skill sets and procedural support a forensics investigator should have in order to respond to the respective threat vectors. As such, we show how a published framework for systemic thinking can be fit for purpose for supporting the collaborative enquiry and decision-making process.","PeriodicalId":259636,"journal":{"name":"2008 Third International Annual Workshop on Digital Forensics and Incident Analysis","volume":"130 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123404979","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: