2011 | Book

Digital Forensics and Cyber Crime

Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers


About this book

This book contains a selection of thoroughly refereed and revised papers from the Second International ICST Conference on Digital Forensics and Cyber Crime, ICDF2C 2010, held October 4-6, 2010 in Abu Dhabi, United Arab Emirates. The field of digital forensics is becoming increasingly important for law enforcement, network security, and information assurance. It is a multidisciplinary area that encompasses a number of fields, including law, computer science, finance, networking, data mining, and criminal justice. The 14 papers in this volume describe the various applications of this technology and cover a wide range of topics including law enforcement, disaster recovery, accounting frauds, homeland security, and information warfare.

Table of Contents

Frontmatter
Dealing with the Problem of Cybercrime
Abstract
Lack of a universally accepted and comprehensive taxonomy of cybercrime seriously impedes international efforts to accurately identify, report and monitor cybercrime trends. There is, not surprisingly, a corresponding disconnect internationally on the cybercrime legislation front, a much more serious problem and one which the International Telecommunication Union (ITU) says requires ‘the urgent attention of all nations’. Yet, and despite the existence of the Council of Europe Convention on Cybercrime, a proposal for a global cybercrime treaty was rejected by the United Nations (UN) as recently as April 2010. This paper presents a refined and comprehensive taxonomy of cybercrime and demonstrates its utility for widespread use. It analyses how the USA, the UK, Australia and the UAE align with the CoE Convention and finds that more needs to be done to achieve conformance. We conclude with an analysis of the approaches used in Australia, in Queensland, and in the UAE, in Abu Dhabi, to fight cybercrime and identify a number of shared problems.
Ali Alkaabi, George Mohay, Adrian McCullagh, Nicholas Chantler
Software Piracy Forensics: The Need for Further Developing AFC
Abstract
Among all the available approaches for software piracy forensics, one existing and exceptional approach is the theoretical framework called AFC (Abstraction-Filtering-Comparison), an accepted approach in US courts for evaluating copyright infringement claims involving computer software. Through this paper, the authors would like to approach AFC in a threefold manner: one, to discuss the nature and efficacy of AFC; two, to recount some existing observations on it; and three, to identify areas, if any, where there is scope and need for appropriate modifications to further increase the efficacy and validate the legitimacy of the AFC approach, in particular from the viewpoint of a researcher who believes that the software intelligence offered by automated tools for software piracy investigation needs to be supplemented with manual intelligence to make the expert report more judiciary-friendly.
S. Santhosh Baboo, P. Vinod Bhattathiripad
A Simple Cost-Effective Framework for iPhone Forensic Analysis
Abstract
Apple iPhone has made a significant impact on society both as a handheld computing device and as a cellular phone. Due to its unique hardware system as well as storage structure, the iPhone has already attracted the forensic community to the digital investigation of the device. Currently available commercial products and methodologies for iPhone forensics are somewhat expensive, complex and often require additional hardware for analysis. Some products are not robust and often fail to extract optimal evidence without modifying the iPhone firmware, which makes the analysis questionable in legal settings. In this paper, we present a simple and inexpensive framework (iFF) for iPhone forensic analysis. Through experimental results using a real device, we have shown the effectiveness of this framework in extracting digital evidence from an iPhone.
Mohammad Iftekhar Husain, Ibrahim Baggili, Ramalingam Sridhar
Detecting Intermediary Hosts by TCP Latency Measurements
Abstract
Use of intermediary hosts as stepping stones to conceal tracks is common in Internet misuse. It is therefore desirable to find a method to detect whether the originating party is using an intermediary host. Such a detection technique would allow the activation of a number of countermeasures that would neutralize the effects of misuse, and make it easier to trace a perpetrator. This work explores a new approach to determining if a host communicating via TCP is the data originator or if it is acting as a mere TCP proxy. The approach is based on measuring the inter-packet arrival time at the receiving end of the connection only, and correlating the observed results with the network latency between the receiver and the proxy. The results presented here indicate that determining the use of a proxy host is possible if the network latency between the originator and proxy is larger than the network latency between the proxy and the receiver. We show that this technique has the potential to be used to detect connections where data is sent through a TCP proxy, such as remote login through TCP proxies, or to reject spam sent through a bot network.
Gurvinder Singh, Martin Eian, Svein Y. Willassen, Stig Fr. Mjølsnes
Reliable Acquisition of RAM Dumps from Intel-Based Apple Mac Computers over FireWire
Abstract
RAM content acquisition is an important step in live forensic analysis of computer systems. FireWire offers an attractive way to acquire RAM content of Apple Mac computers equipped with a FireWire connection. However, the existing techniques for doing so require substantial knowledge of the target computer configuration and cannot be used reliably on a previously unknown computer in a crime scene. This paper proposes a novel method for acquiring RAM content of Apple Mac computers over FireWire, which automatically discovers necessary information about the target computer and can be used in the crime scene setting. As an application of the developed method, the techniques for recovery of AOL Instant Messenger (AIM) conversation fragments from RAM dumps are also discussed in this paper.
Pavel Gladyshev, Afrah Almansoori
Towards More Secure Biometric Readers for Effective Digital Forensic Investigation
Abstract
This paper investigates the effect of common network attacks on the performance and security of several biometric readers. Experiments are conducted using Denial of Service (DoS) attacks and the ARP cache poisoning attack. The experiments show that the tested biometric readers are vulnerable to DoS attacks, and their recognition performance is significantly affected after launching the attacks. However, the experiments show that the tested biometric readers are secure from the ARP cache poisoning attack. This work demonstrates that biometric readers are easy targets for malicious network users, lack basic security mechanisms, and are vulnerable to common attacks. The confidentiality and integrity of the log files in the biometric readers could be compromised with such attacks. It then becomes important to study these attacks in order to find flags that could aid in a network forensic investigation of a biometric device.
Zouheir Trabelsi, Mohamed Al-Hemairy, Ibrahim Baggili, Saad Amin
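The two attacks named in the abstract leave different traces on the reader's network segment. The following Python is an added example (not the authors' test setup) of the kind of flags a network forensic investigation would extract from a capture: an IP-to-MAC binding that changes, and flips back, is the mark of ARP cache poisoning, and a burst of verification requests far above the normal rate is the mark of a DoS attempt. The capture, addresses and the "verify-request" event kind are constructed for the example.

```python
"""Network-forensic flags for attacks on a networked biometric reader:
ARP cache poisoning and request floods (added example, not the paper's test setup)."""
import math
from collections import defaultdict

# Constructed capture as seen from the reader's network segment:
# (time_s, kind, sender_ip, sender_mac). The real gateway 10.0.0.1 is aa:...:01;
# at t=2.0 a second host starts answering for the gateway address.
CAPTURE = [
    (0.0, "arp-reply", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1.0, "arp-reply", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (2.0, "arp-reply", "10.0.0.1", "de:ad:be:ef:00:01"),
    (2.5, "arp-reply", "10.0.0.1", "de:ad:be:ef:00:01"),
    (3.0, "arp-reply", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (3.5, "arp-reply", "10.0.0.20", "aa:aa:aa:aa:aa:20"),
] + [(4.0 + i * 0.001, "verify-request", "10.0.0.99", "00:11:22:33:44:55") for i in range(500)]


def arp_conflicts(events):
    """IP addresses announced with more than one MAC: {ip: [(t, old_mac, new_mac), ...]}."""
    table, flags = {}, defaultdict(list)
    for t, kind, ip, mac in events:
        if kind != "arp-reply":
            continue
        prev = table.get(ip)
        if prev is not None and prev != mac:
            flags[ip].append((t, prev, mac))
        table[ip] = mac
    return dict(flags)


def poisoning_suspects(conflicts, min_flips=2):
    """A single change can be a legitimate NIC replacement; a binding that flips
    back and forth is the signature of an attacker competing with the real host."""
    return sorted(ip for ip, flips in conflicts.items() if len(flips) >= min_flips)


def flood_windows(events, kind, window_s=1.0, threshold=100):
    """(window_start, count) for fixed windows in which `kind` exceeds the threshold."""
    buckets = defaultdict(int)
    for t, k, _ip, _mac in events:
        if k == kind:
            buckets[math.floor(t / window_s) * window_s] += 1
    return sorted((start, n) for start, n in buckets.items() if n > threshold)


if __name__ == "__main__":
    conflicts = arp_conflicts(CAPTURE)
    print("ARP conflicts:", conflicts)
    print("poisoning suspects:", poisoning_suspects(conflicts))
    print("flood windows:", flood_windows(CAPTURE, "verify-request"))
```

The threshold and window are deliberately parameters: a reader's normal verification rate has to be baselined before a burst can be called a flood, and the flip count separates a maintenance MAC change from an attacker fighting the real gateway for the binding.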
Defining a Standard for Reporting Digital Evidence Items in Computer Forensic Tools
Abstract
Due to the lack of standards in reporting digital evidence items, investigators are facing difficulties in efficiently presenting their findings. This paper proposes a standard for digital evidence to be used in reports that are generated using computer forensic software tools. The authors focused on developing standard digital evidence items by surveying various digital forensic tools while keeping in mind the legal integrity of digital evidence items. Additionally, an online questionnaire was used to gain the opinion of knowledgeable and experienced stakeholders in the digital forensics domain. Based on the findings, the authors propose a standard for digital evidence items that includes data about the case, the evidence source, the evidence item, and the chain of custody. The research results enabled the authors to create a defined XML schema for digital evidence items.
Hamda Bariki, Mariam Hashmi, Ibrahim Baggili
Signature Based Detection of User Events for Post-mortem Forensic Analysis
Abstract
This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence, are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.
Joshua Isaac James, Pavel Gladyshev, Yuandong Zhu
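The idea in the abstract is that an investigator's habitual inference ("a prefetch entry for the word processor, followed seconds later by an MRU registry value and an access timestamp on the same document, means the user opened that document") can be written down as a signature and matched mechanically. The Python below is an added example of such a matcher, not the authors' implementation; the trace lines, the signature definitions and the 30-second window are constructed for illustration and the signatures are simplified relative to real Windows artifacts. It goes slightly beyond the abstract in one respect: a named capture group shared between requirements (here `path`) must carry the same value in every matched trace, which stops a signature from being satisfied by traces about different documents.

```python
"""Signature-based reconstruction of high-level user events from low-level
traces (added example, not the paper's tool)."""
import re
from datetime import datetime, timedelta

# Constructed traces in the style of a forensic timeline: (source, timestamp, text).
TRACES = [
    ("prefetch", "2010-10-04 09:00:01", "WINWORD.EXE-ABCDEF12.pf last run"),
    ("registry", "2010-10-04 09:00:03",
     r"HKCU\Software\Microsoft\Office\12.0\Word\File MRU Item 1 = C:\Users\ali\report.docx"),
    ("ntfs",     "2010-10-04 09:00:05", r"C:\Users\ali\report.docx accessed"),
    ("prefetch", "2010-10-04 13:00:00", "NOTEPAD.EXE-12345678.pf last run"),
    ("registry", "2010-10-04 13:00:02",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt = notes.txt"),
    ("prefetch", "2010-10-04 18:00:00", "WINWORD.EXE-ABCDEF12.pf last run"),  # launched, no document
]

# A signature lists the low-level traces that together imply one user action.
# The first requirement anchors the event time; the others must follow within
# the window, and any named group shared between requirements must agree.
SIGNATURES = {
    "word_opened_document": {
        "window": timedelta(seconds=30),
        "require": [
            ("prefetch", r"WINWORD\.EXE-[0-9A-F]{8}\.pf last run"),
            ("registry", r"\\Word\\File MRU .*= (?P<path>\S+)"),
            ("ntfs",     r"(?P<path>\S+) accessed"),
        ],
    },
    "notepad_opened_document": {
        "window": timedelta(seconds=30),
        "require": [
            ("prefetch", r"NOTEPAD\.EXE-[0-9A-F]{8}\.pf last run"),
            ("registry", r"\\RecentDocs\\.*= (?P<name>\S+)"),
        ],
    },
}


def parse(traces):
    """Sort traces chronologically with parsed timestamps."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, text)
                  for src, ts, text in traces)


def _consistent(attrs, groups):
    return all(attrs.get(k) in (None, v) for k, v in groups.items())


def match_signature(name, sig, traces):
    """Every anchor hit that can be completed within the window yields one event."""
    events = []
    anchor_src, anchor_re = sig["require"][0]
    for t0, src, text in traces:
        m = re.search(anchor_re, text) if src == anchor_src else None
        if not m:
            continue
        attrs = dict(m.groupdict())
        satisfied = True
        for req_src, req_re in sig["require"][1:]:
            hit = None
            for t, s, txt in traces:
                if s != req_src or t < t0 or t - t0 > sig["window"]:
                    continue
                m2 = re.search(req_re, txt)
                if m2 and _consistent(attrs, m2.groupdict()):
                    hit = m2
                    break
            if hit is None:
                satisfied = False
                break
            attrs.update(hit.groupdict())
        if satisfied:
            events.append((name, t0, attrs))
    return events


def reconstruct(traces, signatures=SIGNATURES):
    """Return (signature_name, time, attributes) for every reconstructed user event."""
    parsed = parse(traces)
    events = []
    for name, sig in signatures.items():
        events.extend(match_signature(name, sig, parsed))
    return sorted(events, key=lambda e: e[1])


if __name__ == "__main__":
    for name, when, attrs in reconstruct(TRACES):
        print(when, name, attrs)
```

The 18:00 prefetch hit is correctly left unmatched: the application ran, but nothing within the window says which document, so the signature does not fire. The opposite failure (a signature firing on traces that do not belong together) is what the shared-group check guards against, and it is the more dangerous one in court.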
Protecting Digital Evidence Integrity by Using Smart Cards
Abstract
RFC 3227 provides general guidelines for digital evidence collection and archiving, while the International Organization on Computer Evidence offers guidelines for best practice in digital forensic examination. In the light of these guidelines we analyze the integrity protection mechanisms provided by EnCase and FTK, which are mainly based on Message Digest Codes (MDCs). MDCs used for integrity protection are not tamper-proof, hence they can be forged. With the proposed model for protecting digital evidence integrity by using smart cards (PIDESC), which establishes a secure platform for digitally signing the MDC (and in general for a whole range of cryptographic services) in combination with Public Key Cryptography (PKC), we show that this weakness can be overcome.
Shahzad Saleem, Oliver Popov
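The weakness the abstract points at is simple to demonstrate: a digest stored alongside the evidence protects against accidental corruption but not against an adversary who can rewrite both the evidence and the report, because the digest can be recomputed by anyone. The Python below is an added example, not the PIDESC implementation. The Python standard library has no public-key signing, so the smart card's RSA/ECDSA signature is stood in for by an HMAC tag under a key that, by assumption, never leaves the "card"; that preserves the property the example is about (the tamperer cannot recompute the tag) but not the non-repudiation a real public-key signature gives, since with HMAC the verifier holds the same key. The manifest layout (case, source, item, digest, custody list) and the image bytes are constructed.

```python
"""Digest-only vs keyed integrity protection for an evidence manifest (added example)."""
import hashlib
import hmac
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(case_id, source, item_id, data, custodian):
    """Evidence record: case, source, item, digest and chain of custody (constructed layout)."""
    return {"case": case_id, "source": source, "item": item_id,
            "sha256": sha256_hex(data), "custody": [custodian]}


def verify_mdc(manifest, data) -> bool:
    """Digest-only check: recompute and compare. No secret is involved."""
    return hmac.compare_digest(manifest["sha256"], sha256_hex(data))


def tamper_and_rehash(manifest, new_data):
    """What an adversary with write access to image and report does: swap the
    data and recompute the digest. Any extra fields (e.g. a tag) are copied as-is."""
    forged = dict(manifest)
    forged["sha256"] = sha256_hex(new_data)
    return forged


def canonical(manifest) -> bytes:
    """Deterministic serialisation so the tag covers exactly one byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign(manifest, key: bytes):
    """Stand-in for the smart card: HMAC-SHA256 over the canonical manifest.
    Assumption: `key` is held only by the card and never exported."""
    tagged = dict(manifest)
    tagged["tag"] = hmac.new(key, canonical(manifest), "sha256").hexdigest()
    return tagged


def verify_signed(tagged, data, key: bytes) -> bool:
    """The tag must match the manifest body, and the body's digest must match the data."""
    body = {k: v for k, v in tagged.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, tagged.get("tag", "")) and verify_mdc(body, data)


def transfer(tagged, new_custodian, key: bytes):
    """Chain-of-custody handover: append the new custodian and re-sign."""
    body = {k: v for k, v in tagged.items() if k != "tag"}
    body["custody"] = body["custody"] + [new_custodian]
    return sign(body, key)


def demo():
    key = secrets.token_bytes(32)
    original = b"constructed disk image bytes ..."
    altered = b"constructed disk image bytes ... with a planted file"
    m = make_manifest("CASE-2010-001", "laptop HDD, bay 1", "E01-1", original, "examiner A")
    results = {
        "mdc_original": verify_mdc(m, original),
        "mdc_after_forgery": verify_mdc(tamper_and_rehash(m, altered), altered),  # passes: forgeable
    }
    s = sign(m, key)
    results["signed_original"] = verify_signed(s, original, key)
    results["signed_after_forgery"] = verify_signed(tamper_and_rehash(s, altered), altered, key)
    results["signed_after_transfer"] = verify_signed(transfer(s, "examiner B", key), original, key)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22s} {ok}")
```

The point of `transfer` is that each custody change is itself signed, so the custody list cannot be edited after the fact either; with a real card every examiner would sign with their own key, giving a verifiable chain of who held the item when.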
An Architecture for the Forensic Analysis of Windows System Artifacts
Abstract
We propose an architecture to enable the forensic investigator to analyze and visualise a range of system generated artifacts with known and unknown data structures. The architecture is intended to facilitate the extraction and analysis of operating system artifacts while being extensible, flexible and reusable. The examples selected for the paper are the Windows Event Logs and Swap Files. Event logs can reveal evidence regarding logons, authentication, accounts and privileged use and can address questions relating to which user accounts were being used and which machines were accessed. The Swap file may contain fragments of data, remnants or entire documents, e-mail messages or the results of internet browsing which may reveal past user activities. Issues relating to understanding and visualising artifacts data structures are discussed and possible solutions are explored. We outline a proposed solution; an extraction component responsible for extracting data and preparing the data for visualisation, a storage subsystem consisting of a database that holds all of the extracted data and the interface, an integrated set of visualization tools.
Noor Hashim, Iain Sutherland
An IP Traceback Model for Network Forensics
Abstract
Network forensics deals with the capture, recording, analysis and investigation of network traffic to trace back the attackers. Its ultimate goal is to provide sufficient evidence to allow the perpetrator to be prosecuted. IP traceback is an important aspect of the investigation process, in which the real attacker is identified by tracking the source address of the attack packets. In this paper we classify the various approaches to network forensics to list the requirements of traceback. We propose a novel model for traceback based on autonomous systems (AS) and deterministic packet marking (DPM) to enable traceback even with a single packet. The model is analyzed against various evaluation metrics. The traceback solution will be a major step in the direction of attack attribution and investigation.
Emmanuel S. Pilli, R. C. Joshi, Rajdeep Niyogi
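Deterministic packet marking works because the ingress edge router, not the attacker, writes the mark, so a spoofed source address does not help the attacker. The Python below is an added example of the classic DPM scheme (the 32-bit ingress address split into two 16-bit halves carried in the IP Identification field, with the reserved flag bit selecting the half), not the AS-based model proposed in the paper. The `mark_asn` function is an assumption added to illustrate why an AS-level mark needs only a single packet: a 2-byte AS number fits the 16-bit ID field whole. Addresses and the attack traffic are constructed.

```python
"""Deterministic packet marking (DPM) for IP traceback (added example, classic scheme)."""
import ipaddress


def mark(ingress_ip: str, packet_index: int):
    """Edge-router side: return (ip_id, reserved_flag) for one packet.
    Even packets carry the high half of the ingress address, odd ones the low half."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    flag = packet_index & 1
    half = (addr >> 16) & 0xFFFF if flag == 0 else addr & 0xFFFF
    return half, flag


def reconstruct(marks):
    """Victim side: combine one mark of each flag value into the ingress address.
    Returns None until both halves have been seen, i.e. after at least two packets."""
    halves = {}
    for ip_id, flag in marks:
        halves[flag] = ip_id
        if len(halves) == 2:
            return str(ipaddress.IPv4Address((halves[0] << 16) | halves[1]))
    return None


def mark_asn(ingress_asn: int) -> int:
    """AS-level mark (assumption, not the paper's scheme): a 2-byte ASN fits the
    ID field whole, so the ingress AS is recoverable from a single packet.
    4-byte ASNs (RFC 4893) do not fit and need a different encoding."""
    if not 0 <= ingress_asn <= 0xFFFF:
        raise ValueError("only 2-byte ASNs fit the 16-bit IP ID field")
    return ingress_asn


def simulate_attack(ingress_ip="203.0.113.7", n=5):
    """Constructed flood: every packet spoofs a different source, all enter via one router.
    Returns the address recovered from the whole flood and from the first packet alone."""
    packets = [{"src": f"198.51.100.{i}", "mark": mark(ingress_ip, i)} for i in range(n)]
    return reconstruct(p["mark"] for p in packets), reconstruct([packets[0]["mark"]])


if __name__ == "__main__":
    print("from 5 packets:", simulate_attack()[0])
    print("from 1 packet:", simulate_attack()[1])
```

Two practical caveats the scheme carries: overwriting the Identification field breaks reassembly of legitimately fragmented packets, and when several ingress routers feed the same victim the halves must be paired per flow, otherwise high and low halves from different routers combine into an address that belongs to nobody.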
Forensic Data Carving
Abstract
File or data carving is a term used in the field of cyber forensics. Cyber forensics is the process of acquisition, authentication, analysis and documentation of evidence extracted from and/or contained in a computer system, computer network or digital media. Extracting data (a file) out of undifferentiated blocks (raw data) is called carving. Identifying and recovering files based on analysis of file formats is known as file carving. In cyber forensics, carving is a helpful technique for finding hidden or deleted files on digital media. A file can be hidden in areas such as lost clusters, unallocated clusters and the slack space of the disk or digital media. To use this method of extraction, a file should have a standard file signature called a file header (start of the file). A search is performed to locate the file header and continued until the file footer (end of the file) is reached. The data between these two points is extracted and analyzed to validate the file. The extraction algorithm uses different methods of carving depending on the file format.
Digambar Povar, V. K. Bhadran
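The header-to-footer procedure in the abstract, as an added Python example (not the authors' tool): scan a raw image for known headers, run forward to the matching footer, and then validate the candidate instead of trusting the delimiters alone. The two failure modes a carver must handle are shown: a header whose footer never arrives (truncated, overwritten or fragmented file), bounded by a maximum file size so the search does not run to the end of the disk, and a candidate that has the right first and last bytes but is corrupt inside, caught here for PNG by checking every chunk CRC. The sample image, the signature table and the size limit are constructed for the example.

```python
"""Header/footer file carving over a raw image, with format validation (added example)."""
import struct
import zlib

# Header and footer signatures for a few common formats (constructed table).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_FILE_SIZE = 16 * 1024 * 1024  # give up on a footer beyond this distance from the header


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Return (format, start, end, status) for every header found; end is None
    when no footer follows within max_size."""
    found = []
    for fmt, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append((fmt, start, None, "footer not found"))
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((fmt, start, end, "ok"))
            pos = end
    return sorted(found, key=lambda r: r[1])


def validate_png(blob: bytes) -> bool:
    """Walk the chunk list and check every CRC; correct delimiters alone do not
    prove the carved bytes are an intact file."""
    if not blob.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        if pos + 12 + length > len(blob):
            return False
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def tiny_png() -> bytes:
    """Constructed 1x1 grayscale PNG used to build the sample image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed "unallocated space": zero filler, a PNG, a minimal JPEG-shaped blob,
# and a JPEG header whose remainder was overwritten (no footer).
SAMPLE_PNG = tiny_png()
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40) + b"\xff\xd9"
SAMPLE_IMAGE = (bytes(512) + SAMPLE_PNG + bytes(100) + SAMPLE_JPG
                + bytes(64) + b"\xff\xd8\xff\xe1" + bytes(20))


def carve_sample():
    """Carve the sample image and attach a validation verdict to each PNG candidate."""
    out = []
    for fmt, start, end, status in carve(SAMPLE_IMAGE):
        valid = validate_png(SAMPLE_IMAGE[start:end]) if (fmt == "png" and end) else None
        out.append((fmt, start, end, status, valid))
    return out


if __name__ == "__main__":
    for row in carve_sample():
        print(row)
```

Validation is format-specific work and is where most carver effort goes; JPEG and PDF have no per-block checksum, so validating those means parsing segment markers or the cross-reference table rather than a CRC walk. Contiguity is the other silent assumption: a file stored in non-adjacent clusters yields a header without a footer, or worse, a footer belonging to a different file.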
Semantic Modelling of Digital Forensic Evidence
Abstract
The reporting of digital investigation results is traditionally carried out in prose and in a large investigation may require successive communication of findings between different parties. Popular forensic suites aid in the reporting process by storing provenance and positional data but do not automatically encode why the evidence is considered important. In this paper we introduce an evidence management methodology to encode the semantic information of evidence. A structured vocabulary of terms, an ontology, is used to model the results in a logical and predefined manner. The descriptions are application independent and automatically organised. The encoded descriptions aim to help the investigation in the task of report writing and evidence communication and can be used in addition to existing evidence management techniques.
Damir Kahvedžić, Tahar Kechadi
Backmatter
Metadata
Title
Digital Forensics and Cyber Crime
Editor
Ibrahim Baggili
Copyright Year
2011
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-19513-6
Print ISBN
978-3-642-19512-9
DOI
https://doi.org/10.1007/978-3-642-19513-6
