
2006 | Book

Advances in Digital Forensics II

IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, January 29 – February 1, 2006


About this book

Digital forensics deals with the acquisition, preservation, examination, analysis and presentation of electronic evidence. Networked computing, wireless communications and portable electronic devices have expanded the role of digital forensics beyond traditional computer crime investigations. Practically every crime now involves some aspect of digital evidence; digital forensics provides the techniques and tools to articulate this evidence. Digital forensics also has myriad intelligence applications. Furthermore, it has a vital role in information assurance – investigations of security breaches yield valuable information that can be used to design more secure systems.

Advances in Digital Forensics II describes original research results and innovative applications in the emerging discipline of digital forensics. In addition, it highlights some of the major technical and legal issues related to digital evidence and electronic crime investigations. The areas of coverage include:

Themes and Issues in Digital Forensics
Evidence Collecting and Handling
Forensic Techniques
Operating System and File System Forensics
Network Forensics
Portable Electronic Device Forensics
Linux and File System Forensics
Training, Governance and Legal Issues

This book is the second volume in the annual series produced by the International Federation for Information Processing (IFIP) Working Group 11.9 on Digital Forensics, an international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The book contains a selection of twenty-five edited papers from the First Annual IFIP WG 11.9 Conference on Digital Forensics, held at the National Center for Forensic Science, Orlando, Florida, USA in the spring of 2006.

Advances in Digital Forensics is an important resource for researchers, faculty members and graduate students, as well as for practitioners and individuals engaged in research and development efforts for the law enforcement and intelligence communities.

Martin S. Olivier is a Professor of Computer Science and co-manager of the Information and Computer Security Architectures Research Group at the University of Pretoria, Pretoria, South Africa.

Sujeet Shenoi is the F.P. Walter Professor of Computer Science and a principal with the Center for Information Security at the University of Tulsa, Tulsa, Oklahoma, USA.

For more information about the 300 other books in the IFIP series, please visit www.springeronline.com.

For more information about IFIP, please visit www.ifip.org.

Table of contents

Frontmatter

Themes and Issues

Frontmatter
Chapter 1. Some Challenges in Digital Forensics
Abstract
This essay discusses some of the principal challenges facing the emerging discipline of digital forensics. Most of the challenges have a scientific basis—understanding the needs and limitations caused by changes in the scope and pace of information technology. Others are engineering in nature, requiring the construction of new software and hardware to enable the collection, retention and examination of potential digital evidence. All of the challenges have administrative and legal frameworks within which they must be addressed, and the limits and structures imposed by these frameworks must evolve and be shaped by science, engineering and practice.
Eugene Spafford

Evidence Collection and Handling

Frontmatter
Chapter 2. Advanced Forensic Format: an Open Extensible Format for Disk Imaging
Abstract
This paper describes the Advanced Forensic Format (AFF), which is designed as an alternative to current proprietary disk image formats. AFF offers two significant benefits. First, it is more flexible because it allows extensive metadata to be stored with images. Second, AFF images consume less disk space than images in other formats (e.g., EnCase images). This paper also describes the Advanced Disk Imager, a new program for acquiring disk images that compares favorably with existing alternatives.
Simson Garfinkel, David Malan, Karl-Alexander Dubec, Christopher Stevens, Cecile Pham
Chapter 3. File System Support for Digital Evidence Bags
Abstract
Digital Evidence Bags (DEBs) are a mechanism for bundling digital evidence, associated metadata and audit logs into a single structure. DEB-compliant applications can update a DEB’s audit log as evidence is introduced into the bag and as data in the bag is processed. This paper investigates native file system support for DEBs, which has a number of benefits over ad hoc modification of digital evidence bags. The paper also describes an API for DEB-enabled applications and methods for providing DEB access to legacy applications through a DEB-aware file system. The paper addresses an urgent need for digital-forensics-aware operating system components that can enhance the consistency, security and performance of investigations.
Golden Richard III, Vassil Roussev
Chapter 4. Remote Upload of Evidence over Mobile Ad Hoc Networks
Abstract
In this work, we report on one aspect of an autonomous robot-based digital evidence acquisition system that we are developing. When forensic investigators operate within a hostile environment they may use remotely operated unmanned devices to gather digital evidence. These systems periodically upload the evidence to a remote central server using a mobile ad hoc network. In such cases, large pieces of information need to be fragmented and transmitted in an appropriate manner. To support proper forensic analysis, certain properties must be ensured for each fragment of evidence — confidentiality during communication, authenticity and integrity of the data, and, most importantly, strong evidence of membership for fragments. This paper describes a framework to provide these properties for the robot-based evidence acquisition system under development.
Indrajit Ray
Chapter 5. Applying Machine Trust Models to Forensic Investigations
Abstract
Digital forensics involves the identification, preservation, analysis and presentation of electronic evidence for use in legal proceedings. In the presence of contradictory evidence, forensic investigators need a means to determine which evidence can be trusted. This is particularly true in a trust model environment where computerised agents may make trust-based decisions that influence interactions within the system. This paper focuses on the analysis of evidence in trust-based environments and the determination of the degree to which evidence can be trusted. The trust model proposed in this work may be implemented in a tool for conducting trust-based forensic investigations. The model takes into account the trust environment and parameters that influence interactions in a computer network being investigated. Also, it allows for crimes to be reenacted to create more substantial evidentiary proof.
Marika Wojcik, Hein Venter, Jan Eloff, Martin Olivier
Chapter 6. Exploring Big Haystacks: Data Mining and Knowledge Management
Abstract
The proliferation of computer-generated evidence in court proceedings during the last fifteen years has given rise to the new science of digital forensics and a new breed of law enforcement officials, “computer forensic examiners,” who apply the rules of evidence, investigative methods and sophisticated technical skills to analyze digital data for use in court proceedings. This paper explores the technical challenges facing the law enforcement community and discusses the application of data mining and knowledge management techniques to cope with the increasingly massive data sets involved in digital forensic investigations.
Mark Pollitt, Anthony Whitledge

Forensic Techniques

Frontmatter
Chapter 7. Countering Hostile Forensic Techniques
Abstract
Digital forensic investigations can be subverted by hostile forensic techniques and tools. This paper examines various hostile forensic techniques, including the exploitation of vulnerabilities in standard forensic procedures and denial of service attacks on forensic tools during imaging and analysis. Several techniques for concealing evidence within file systems and external to file systems are highlighted. In addition, strategies for countering hostile forensic techniques and tools are discussed.
Scott Piper, Mark Davis, Sujeet Shenoi
Chapter 8. Using PLSI-U To Detect Insider Threats from Email Traffic
Abstract
Despite a technology bias that focuses on external electronic threats, insiders pose the greatest threat to commercial and government organizations. Once information on a specific topic has gone missing, being able to quickly determine who has shown an interest in that topic can allow investigators to focus their attention. Even more promising is when individuals can be found who have an interest in the topic but who have never communicated that interest within the organization. An employee’s interests can be discerned by data mining corporate email correspondence. These interests can be used to construct social networks that graphically expose investigative leads. This paper describes the use of Probabilistic Latent Semantic Indexing (PLSI) [4] extended to include users (PLSI-U) to determine topics that are of interest to employees from their email activity. It then applies PLSI-U to the Enron email corpus and finds a small number of employees (0.02%) who appear to have had clandestine interests.
James Okolica, Gilbert Peterson, Robert Mills
Chapter 9. Collusion Detection Using Multimedia Fingerprints
Abstract
The large-scale distribution of digital multimedia over the Internet has seen steep increases in the numbers of criminal cases involving the unauthorized sharing and duplication of copyrighted multimedia content. Consequently, it is important to design reliable investigative techniques to combat unauthorized duplication and propagation, and to provide protection in the form of theft deterrence. Several fingerprint embedding schemes have been developed to combat single-user attacks. However, a new breed of attacks known as “collusion attacks” can defeat these schemes. Collusion attacks use the combination of multiple fingerprinted copies to create a new version of the multimedia artifact in which the underlying fingerprint is attenuated to render the colluders untraceable.
This paper proposes a wavelet-based fingerprinting scheme and a clustering algorithm for collusion attack detection and colluder identification. Experimental results show that the scheme can identify colluders while maintaining low miss rates and false accusation rates.
Anthony Persaud, Yong Guan
Chapter 10. Authorship Attribution for Electronic Documents
Abstract
Forensic analysis of questioned electronic documents is difficult because the nature of the documents eliminates many kinds of informative differences. Recent work in authorship attribution demonstrates the practicality of analyzing documents based on authorial style, but the state of the art is confusing. Analyses are difficult to apply, little is known about error types and rates, and no best practices are available. This paper discusses efforts to address these issues, partly through the development of a systematic testbed for multilingual, multigenre authorship attribution accuracy, and partly through the development and concurrent analysis of a uniform and portable software tool that applies multiple methods to analyze electronic documents for authorship based on authorial style.
Patrick Juola
Chapter 11. Linking Individuals to Digital Information
Abstract
As computer crime increases in scope and magnitude, it is imperative to develop techniques that can link individuals to specific computers, computer programs and electronic documents. Unfortunately, scientific techniques that can establish these links are limited at best. This paper demonstrates that computer use characteristics can be employed to establish strong, legitimate links between individuals and digital information. Certain characteristics can be used to identify individuals. Other characteristics may be used to create profiles that assist in eliminating suspects and reducing the scope of investigations.
Shelly Seier, David Greer, Gavin Manes
Chapter 12. Use-Misuse Case Driven Analysis of Positive Train Control
Abstract
Forensic analysis helps identify the causes of crimes and accidents. Determination of cause, however, requires detailed knowledge of a system’s design and operational characteristics. This paper advocates that “use cases,” which specify operational interactions and requirements, and “misuse cases,” which specify potential misuse or abuse scenarios, can be used to analyze and link forensic evidence and create postincident reconstructions. Use-misuse case analysis techniques involving non-probabilistic and probabilistic methods are described and applied to Positive Train Control (PTC) Systems — a network-based automated system that controls the movements of passenger and freight trains.
Mark Hartong, Rajni Goel, Duminda Wijesekera

Operating System and File System Forensics

Frontmatter
Chapter 13. Mac OS X Forensics
Abstract
This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.
Philip Craiger, Paul Burke
Chapter 14. Detecting Data Concealment Programs Using Passive File System Analysis
Abstract
Individuals who wish to avoid leaving evidence on computers and networks often use programs that conceal data from conventional digital forensic tools. This paper discusses the application of passive file system analysis techniques to detect trace evidence left by data concealment programs. In addition, it describes the design and operation of Seraph, a tool that determines whether certain encryption, steganography and erasing programs were used to hide or destroy data.
Mark Davis, Richard Kennedy, Kristina Pyles, Amanda Strickler, Sujeet Shenoi
Chapter 15. Assessing Trace Evidence Left by Secure Deletion Programs
Abstract
Secure deletion programs purport to permanently erase files from digital media. These programs are used by businesses and individuals to remove sensitive information from media, and by criminals to remove evidence of the tools or fruits of illegal activities. This paper focuses on the trace evidence left by secure deletion programs. In particular, five Windows-based secure deletion programs are tested to determine if they leave identifiable signatures after deleting a file. The results show that the majority of the programs leave identifiable signatures. Moreover, some of the programs do not completely erase file metadata, which enables forensic investigators to extract the name, size, creation date and deletion date of the “deleted” files.
Paul Burke, Philip Craiger

Network Forensics

Frontmatter
Chapter 16. On the Reliability of Network Eavesdropping Tools
Abstract
This paper analyzes the problem of intercepting Internet traffic from the eavesdropper’s point of view. It examines the reliability and accuracy of transcripts, and shows that obtaining “high fidelity” transcripts is harder than previously assumed. Even in highly favorable situations, such as capturing unencrypted traffic using standard protocols, simple — and entirely unilateral — countermeasures are shown to be sufficient to prevent accurate traffic analysis in many Internet interception configurations. In particular, these countermeasures were successful against every available eavesdropping system we tested. Central to our approach is a new class of “confusion” techniques that, unlike cryptography or steganography, do not require cooperation by the communicating parties and, in some cases, can be employed entirely by a third party who is not involved in the communication.
Eric Cronin, Micah Sherr, Matthew Blaze
Chapter 17. Active Traffic Capture for Network Forensics
Abstract
Network traffic capture is an integral part of network forensics, but current traffic capture techniques are typically passive in nature. Under heavy loads, it is possible for a sniffer to miss packets, which affects the quality of forensic evidence.
This paper explores means for active capture of network traffic. In particular, it examines how traffic capture can influence the stream under surveillance so that no data is lost. A tool that forces TCP retransmissions is presented. The paper also provides a legal analysis—based on United States and South African laws—which shows that few legal obstacles are faced by traffic capture techniques that force attackers to retransmit data.
Marco Slaviero, Anna Granova, Martin Olivier
Chapter 18. Logical Traffic Isolation Using Differentiated Services
Abstract
This paper proposes a scheme in which the differentiated services field of IP headers is used to logically isolate network traffic for forensic purposes. The scheme is described and two example scenarios are presented to illustrate its utility. The scheme, which is based on standard networking technology, helps achieve isolation without additional network infrastructure. Moreover, the scheme is relatively easy to implement in an existing differentiated services network. The paper also discusses key design and configuration challenges that must be addressed in a successful implementation.
Tinus Strauss, Martin Olivier, Derrick Kourie
Chapter 19. Passive Detection of NAT Routers and Client Counting
Abstract
Network Address Translation (NAT) routers pose challenges to individuals and organizations attempting to keep untrusted hosts off their networks, especially with the proliferation of wireless NAT routers. Residential NAT routers also create problems for Internet Service Provider (ISP) taps by law enforcement by concealing network clients behind cable or DSL modems. This paper discusses the feasibility and limitations of methods for detecting NAT routers and counting the number of clients behind NAT routers.
Kenneth Straka, Gavin Manes
Chapter 20. Analysis of Web Proxy Logs
Abstract
Network forensics involves capturing, recording and analysing network audit trails. A crucial part of network forensics is to gather evidence at the server level, proxy level and from other sources. A web proxy relays URL requests from clients to a server. Analysing web proxy logs can give unobtrusive insights to the browsing behavior of computer users and provide an overview of the Internet usage in an organisation. More importantly, in terms of network forensics, it can aid in detecting anomalous browsing behavior. This paper demonstrates the use of a self-organising map (SOM), a powerful data mining technique, in network forensics. In particular, it focuses on how a SOM can be used to analyse data gathered at the web proxy level.
Bennie Fei, Jan Eloff, Martin Olivier, Hein Venter
Chapter 21. GSM Cell Site Forensics
Abstract
Cell site forensics is a new and growing area of digital forensics, enabling investigators to verify a mobile phone subscriber’s location at specific times. This paper focuses on cell site forensics in GSM networks. In particular, it discusses current methods utilizing call detail records generated from telephone switches that provide information about cellular calls and text messages, and the cellular towers on which calls/messages were placed and received.
Christopher Swenson, Tyler Moore, Sujeet Shenoi
Chapter 22. An Architecture for SCADA Network Forensics
Abstract
Supervisory control and data acquisition (SCADA) systems are widely used in industrial control and automation. Modern SCADA protocols often employ TCP/IP to transport sensor data and control signals. Meanwhile, corporate IT infrastructures are interconnecting with previously isolated SCADA networks. The use of TCP/IP as a carrier protocol and the interconnection of IT and SCADA networks raise serious security issues. This paper describes an architecture for SCADA network forensics. In addition to supporting forensic investigations of SCADA network incidents, the architecture incorporates mechanisms for monitoring process behavior, analyzing trends and optimizing plant performance.
Tim Kilpatrick, Jesus Gonzalez, Rodrigo Chandia, Mauricio Papa, Sujeet Shenoi

Portable Electronic Device Forensics

Frontmatter
Chapter 23. Identifying Digital Cameras Using CFA Interpolation
Abstract
In an earlier work [4], we proposed a technique for identifying digital camera models based on trace evidence left by their proprietary interpolation algorithms. This work improves on our previous approach by incorporating methods to better detect interpolation artifacts in smooth image parts. To identify the source camera model of a digital image, new features that can detect traces of low-order interpolation are introduced and used in conjunction with a support vector machine based multi-class classifier. Experimental results are presented for source camera identification from among multiple digital camera models.
Sevinc Bayram, Husrev Sencar, Nasir Memon
Chapter 24. Forensic Analysis of BIOS Chips
Abstract
Data can be hidden in BIOS chips without hindering computer performance. This feature has been exploited by virus writers and computer game enthusiasts. Unused BIOS storage can also be used by criminals, terrorists and intelligence agents to conceal secrets. However, BIOS chips are largely ignored in digital forensic investigations. Few techniques exist for imaging BIOS chips and no tools are available specifically for analyzing BIOS data.
This paper focuses on the Award BIOS chip, which is commonly used in IBM compatible machines. It demonstrates how data may be concealed within BIOS free space and modules in a manner that makes it accessible using operating system commands. Furthermore, forensically sound techniques are described for detecting and recovering concealed data from BIOS chips.
Pavel Gershteyn, Mark Davis, Sujeet Shenoi

Training, Governance and Legal Issues

Frontmatter
Chapter 25. A Training Tool for Internet Crimes Against Children Cases
Abstract
The Internet has greatly increased the vulnerability of children to those who would commit crimes against them. In response to Internet Crimes Against Children (ICAC) legislation, law enforcement agencies have dedicated resources to educate the public of the threat, respond to ongoing attacks, and assist victims. A significant trend in the investigation of ICAC cases is the proactive masquerading of law enforcement agents as vulnerable prey in Internet forums. This approach has shown great promise, and agents who have mastered it possess valuable knowledge and skills that could assist others. The Predator and Prey Alert (PAPA) system, a hardware and software suite of tools, originally developed for proactive shadowing, assistance and direct manipulation of a cyberstalking victim’s computer, shows potential as a proactive forensic tool for ICAC investigations. This paper discusses the use of PAPA as a networked application to train law enforcement agents to investigate online cases involving the exploitation of children and teenagers.
Sudhir Aggarwal, Bob Breeden, Peter Henry, Judie Mulholland
Chapter 26. Process Flow Diagrams for Training and Operations
Abstract
This paper focuses on the use of process flow diagrams for training first responders who execute search and seizure warrants at electronic crime scenes. A generic process flow framework is presented, and the design goals and layout characteristics of process flow diagrams are discussed. An evaluation of the process flow diagrams used in training courses indicates that they are beneficial to first responders performing searches and seizures, and they speed up investigations, including those conducted by experienced personnel.
Jacobus Venter
Chapter 27. A Control Framework for Digital Forensics
Abstract
This paper introduces a control framework for digital forensics. It proposes a taxonomy for control objectives, categorized within the phases of the digital forensic process: planning and preparation, incident response, investigation and juridical/evidentiary. Using the taxonomy as a basis, a digital forensic reference framework, consisting of control groupings, control objectives and detailed control objectives, is defined. The control framework is intended to provide a sound theoretical basis for digital forensics as well as a reference framework for digital forensics governance within organizations.
Sebastiaan von Solms, Cecil Louwrens, Colette Reekie, Talania Grobler
Chapter 28. Criminal Regulation of Anti-Forensic Tools in Japan
Abstract
This paper discusses the continuing landmark debate in a Japanese Court concerning the development and distribution of a peer-to-peer (P2P) file sharing program. The program, known as Winny, facilitates illegal activities such as piracy and the distribution of child pornography because of the encryption and anonymity afforded to users. The court has to determine whether Isamu Kaneko, the designer of Winny, is criminally liable for developing and distributing the program. This paper also assesses whether the judgment in the Winny case might set a precedent for regulating the creation and distribution of anti-forensic tools.
Tetsuya Ishii
Erratum
Tetsuya Ishii
Metadata
Title
Advances in Digital Forensics II
Edited by
Martin S. Olivier
Sujeet Shenoi
Copyright year
2006
Publisher
Springer US
Electronic ISBN
978-0-387-36891-7
Print ISBN
978-0-387-36890-0
DOI
https://doi.org/10.1007/0-387-36891-4