Digital Investigation Research Papers - Academia.edu

German physicist Georg Christoph Lichtenberg once said, “The most dangerous of all falsehoods is a slightly distorted truth.” In our multimedia–driven society, where photographic and video evidence enjoys an epistemologically unique status, this observation is exceedingly ominous.

Due to its simple and inherently vulnerable nature, e-mail communication is abused for numerous illegitimate purposes. E-mail spamming, phishing, drug trafficking, cyber bullying, racial vilification, child pornography, and sexual harassment are some common e-mail mediated cyber crimes. Presently, there is no adequate proactive mechanism for securing e-mail systems. In this context, forensic analysis plays a major role by examining suspected e-mail accounts to gather evidence to prosecute criminals in a court of law. To accomplish this task, a forensic investigator needs efficient automated tools and techniques to perform a multi-staged analysis of e-mail ensembles with a high degree of accuracy, and in a timely fashion. In this article, we present our e-mail forensic analysis software tool, developed by integrating existing state-of-the-art statistical and machine-learning techniques complemented with social networking techniques. In this framework we incorporate our two proposed authorship attribution approaches; one is presented for the first time in this article.

The process of a user simply deleting evidence from a computer hard disk will not ensure that it has been permanently removed. It is for this reason that many will go to far greater lengths and use disk-scrubbing tools in an attempt to permanently remove information from storage media. This paper describes an experiment that was carried out to assess the effectiveness of two different disk-scrubbing tools in removing data from a computer hard drive. The results are discussed and conclusions drawn.

On a global scale, cyber crime has skyrocketed with the advancement of the electronic medium. While progress is being made in combating cyber crime (particularly with the Council of Europe's Convention on Cyber Crime), a large gap continues to exist in legislative compatibility across international borders. Often overlooked in regard to profiling is cyber crime. The idea that an individual committing crime in cyberspace can fit a certain outline (a profile) may seem far-fetched, but evidence suggests that certain distinguishing characteristics do regularly exist in cyber criminals. This can be particularly useful for companies (the most often hindered victims of cyber crime) attempting to do away with cyber criminals inside their own walls (the most common type of cyber criminals). Whether they are simply breaking company policy by browsing the Internet while on the clock or embezzling thousands of dollars through the company's network, insiders are a very real problem that companies spend millions of dollars annually to prevent. An accurate profile of an inside cyber criminal may help in identification both prospectively and retrospectively.

This book is written specifically for people who want to gain an understanding of the principles and use of Radio Frequency IDentification (RFID) devices in a practical setting. It also discusses the various security aspects of these devices. It is very much a book on fundamentals. The book opens with a discussion of how RFIDs work and addresses the principles behind signal processing with both active and passive transponder devices. It was a bit disconcerting to discover on the second page (page 5) a reference to “Chapter xx” which is nowhere to be found (the book contains 9 chapters and an appendix). Then on page 95 a reference to a “128-character” key being printed on a passport was somewhat mystifying. Actually a key of that length would be too large to even contemplate. Perhaps 128-bit was meant, which equates to only 16 characters.

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment.

Tools for disk imaging (or more generally speaking, digital acquisition) are a foundation for forensic examination of digital evidence. Therefore it is crucial that such tools work as expected. The only way to determine whether this is the case or not is through systematic testing of each tool. In this paper we present such an evaluation of the disk imaging functions of EnCase® 6.8 and LinEn 6.1, conducted on behalf of the Swedish National Laboratory of Forensic Science.

In this research we forensically acquire and analyze the device-stored data and network traffic of 20 popular instant messaging applications for Android. We were able to reconstruct some or the entire message content from 16 of the 20 applications tested, which reflects poorly on the security and privacy measures employed by these applications but may be construed positively for evidence collection purposes by digital forensic practitioners. This work shows which features of these instant messaging applications leave evidentiary traces allowing for suspect data to be reconstructed or partially reconstructed, and whether network forensics or device forensics permits the reconstruction of that activity. We show that in most cases we were able to reconstruct or intercept data such as: passwords, screenshots taken by applications, pictures, videos, audio sent, messages sent, sketches, profile pictures and more.

This paper presents strengths and shortcomings of WinHex Specialist Edition (version 11.25 SR-7) in the context of the overall digital forensics process, focusing on its ability to preserve and examine data on storage media. No serious problems were found during non-exhaustive testing of the tool's ability to create a forensic image of a disk, and to verify the integrity of an image. Generally accepted data sets were used to test WinHex's ability to reliably and accurately interpret file date–time stamps, recover deleted files, and search for keywords. The results of these tests are summarized in this paper. Certain advanced examination capabilities were also evaluated, including the creation of custom templates to interpret EXT2/EXT3 file systems. Based on this review, several enhancements are proposed. In addition to these results, this paper demonstrates a systematic approach to evaluating similar forensic tools.

Computer forensics is essential for the successful prosecution of criminals in computer (cyber) crime. The digital investigation process must be done in a lawful way, and some proposed steps must be followed in order for evidence to be accepted by a court of law. The digital forensic investigation process will be successful if we follow simple rules. The aim of this paper is to compare different existing models and frameworks developed in recent years and propose a new framework based on the "chain of digital evidence". This framework will be modeled using UML Use Case and Activity diagrams. The authors also warn of certain shortcomings and suggest some recommendations for further research.

Previous studies examining the investigative challenges and needs of Digital Forensic (DF) practitioners have typically taken a sector-wide focus. This paper presents the results of a survey which collected text-rich comments about the challenges experienced and related suggestions for improvement in the investigation of Indecent Images of Children (IIOC) cases. The comments were provided by 153 international DF practitioners (28.1% survey response rate) and were processed using Thematic Analysis. This resulted in the identification of 4 IIOC-specific challenge themes, and 6 DF-generic challenges which directly affect IIOC. The paper discusses these identified challenges from a practitioner perspective, and outlines their suggestions for addressing them.

Progress in computer forensics research has been limited by the lack of standardized data sets (corpora) that are available for research purposes. We explain why corpora are needed to further forensic research, present a taxonomy for describing corpora, and announce the availability of several forensic data sets.

The increasing number of mobile devices being submitted to Digital Forensic Laboratories (DFLs) is creating a backlog that can hinder investigations and negatively impact public safety and the criminal justice system. In a military context, delays in extracting intelligence from mobile devices can negatively impact troop and civilian safety as well as the overall mission. To address this problem, there is a need for more effective on-scene triage methods and tools to provide investigators with information in a timely manner, and to reduce the number of devices that are submitted to DFLs for analysis. Existing tools that are promoted for on-scene triage actually attempt to fulfill the needs of both on-scene triage and in-lab forensic examination in a single solution. On-scene triage has unique requirements because it is a precursor to and distinct from the forensic examination process, and may be performed by mobile device technicians rather than forensic analysts. This paper formalizes the on-scene triage process, placing it firmly in the overall forensic handling process and providing guidelines for standardization of on-scene triage. In addition, this paper outlines basic requirements for automated triage tools.

TomTom GPS navigation devices are one of the most popular kinds of satellite navigation devices in the UK, and are increasingly being examined in criminal cases to identify data of evidential value. This article outlines the format of TomTom location records and shows how these can be automatically extracted, enabling deleted location entries to be recovered. In addition, it shows

The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.

There is a critical need in the law enforcement community to ensure the reliability of computer forensic tools. Many of the tools are free, but the most effective will come with a price. Nonetheless, one of the most important measures that must be undertaken is the establishment of a national standard in the field.

Evidence concerning times and dates in forensic computing is both important and complex. A case study is outlined in which forensic investigators were wrongly accused of tampering with computer evidence when a defence expert misinterpreted time stamps. Time structures and their use in Microsoft Internet Explorer are discussed together with local and UTC time translation issues. A checklist for examiners when producing time evidence is suggested, underlining the need for the examiner to fully understand the meaning of the data that they are seeking to interpret before reaching critical conclusions.

Mobile Device Forensics (MF) is an interdisciplinary field consisting of techniques applied to a wide range of computing devices, including smartphones and satellite navigation systems. Over the last few years, a significant amount of research has been conducted, concerning various mobile device platforms, data acquisition schemes, and information extraction methods. This work provides a comprehensive overview of the field, by presenting a detailed assessment of the actions and methodologies taken throughout the last seven years. A multilevel chronological categorization of the most significant studies is given in order to provide a quick but complete way of observing the trends within the field. This categorization chart also serves as an analytic progress report, with regards to the evolution of MF. Moreover, since standardization efforts in this area are still in their infancy, this synopsis of research helps set the foundations for a common framework proposal. Furthermore, because technology related to mobile devices is evolving rapidly, disciplines in the MF ecosystem experience frequent changes. The rigorous and critical review of the state-of-the-art in this paper will serve as a resource to support efficient and effective reference and adaptation.

The use of computer technology is spreading ever more widely in the Western world. Users increasingly rely on digital devices, such as smartphones, to support their work. Crime is no exception to this trend, and for that reason some State institutions find it essential to know, understand and apply in a practical way the reality of modern computer forensics. This work gives a general overview of what the discipline of computer forensics covers. It also describes a real case to illustrate its organized application.

Every state needs a special prosecutor’s office dedicated to the investigation and prosecution of identity theft/financial fraud, which is often a multi-jurisdictional crime. This would facilitate a robust investigation and prosecution of such crime. There are numerous problems that arise with localized prosecution in the investigation and prosecution of financial crimes and identity theft. It is a pervasive crime and the number of victims, limited government resources, overworked or inexperienced prosecutors, lack of knowledge or understanding of the elements of the crime, and application of the traditional approach to jurisdiction used in physical crimes further compound the problem.

The increased use of social networking applications on smartphones makes these devices a goldmine for forensic investigators. Potential evidence can be held on these devices and recovered with the right tools and examination methods. This paper focuses on conducting forensic analyses on three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones: BlackBerrys, iPhones, and Android phones. The tests consisted of installing the social ...

Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.

Text is still the most prevalent Internet media type. Examples of this include popular social networking applications such as Twitter, Craigslist, Facebook, etc. Other web applications such as e-mail, blogs, chat rooms, etc. are also mostly text based. A question we address in this paper that deals with text-based Internet forensics is the following: given a short text document, can we identify whether the author is a man or a woman? This question is motivated by recent events where people faked their gender on the Internet. Note that this is different from the authorship attribution problem.

Windows Search maintains a single database of the files, emails, programmes and Internet history of all the users of a personal computer, providing a potentially valuable source of information for a forensic investigator, especially since some information within the database is persistent, even if the underlying data are not available to the system (e.g. removable or encrypted drives). However, when files are deleted from the system their record is also deleted from the database. Existing tools to extract information from Windows Search use a programmatic interface to the underlying database, but this approach is unable to recover deleted records that may remain in unused space within the database or in other parts of the file system. This paper explores when unavailable files are indexed, and therefore available to an investigator via the search database, and how this is modified by the indexer scope and by attributes that control the indexing of encrypted content. Obtaining data via the programmatic interface is contrasted with a record carving approach using a new database record carver (wdsCarve); the strengths and weaknesses of the two approaches are reviewed, and the paper identifies several different strategies that may be productive in recovering deleted database records.

Crimes committed in electronic or digital domains, significantly within cyberspace, have become common. Criminals are using technology to commit their offenses and to create new challenges for law enforcement agents, attorneys, judges, military, and security professionals. Digital forensics has become a vital instrument in distinguishing and identifying computer-based and computer-assisted crime. Court proceedings worldwide are currently encountering a variety of cases where, regardless of their focus and origin, some kind of digital evidence is concerned. Orthodox cases including drug trafficking, murder, fraud and a myriad of others currently rely heavily on information/data residing on a digital device. Digital forensics methodologies are therefore needed not solely to accumulate digital evidence in cases where the crime is committed employing a digital device, but also where digital evidence is required for cases that are not originally a digital crime. Digital forensics presents challenges, as the evidence acquired is inherently different from other kinds of evidence acquired in other forensic investigations. The main variations include the fact that digital evidence can easily be reproduced and manipulated by personnel involved with the investigation, maliciously or accidentally. This paper will establish some crucial problems relating to the utilization of the digital forensic method to acquire digital evidence to be used to convict or acquit persons accused of such crimes. It will present a multidimensional approach bringing together the legal, technical, ethical and academic dimensions of digital forensics to create an integrated framework and methodology for investigations involving digital evidence. The objective of these designs is to provide a solution to issues encompassing digital evidence acquisition and consequent presentation in court, and to outline tips for making this sort of evidence more robust once presented in court.

This Innovation Collection on investigative methods brings together investigators working in different domains, sectors, and on different topics of interest to help capture the breadth, scope and relevance of investigative practices over...

This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

In this paper we present a malware forensics framework for assessing and reporting on the modus operandi of a malware within a specific organizational context. The proposed framework addresses the limitations that existing dynamic malware analysis approaches exhibit. More specifically, we extended the functionality of the Cuckoo Sandbox malware analysis tool in order to automate the process of correlating and investigating the analysis results that multiple executions of a suspect binary on distinct and specific system configurations can produce. In contrast to standard malware analysis methods that assess the potential damage a malware may cause in general, this approach enables the analyst to identify contingent behavioral changes when the malware is executed and answer questions relating to the malware's activities within a specific environment. By doing this, the analyst is in the position to report on the actual rather than theoretical actions a malware has performed, allowing the stakeholders to make informed recovery decisions. In this context, we identify the necessary forensic readiness prerequisites which are critical for the successful application and adoption of the proposed framework.

Information technology has developed rapidly and has had a positive impact by improving performance and effectiveness in people's daily activities. On the other hand, the development of information technology also brings unavoidable negative impacts. With the sophistication of today's digital devices, crime has also advanced using those tools, with a variety of new modes of crime that did not exist before.
The various legal issues that have emerged recently have opened our eyes to the importance of expertise in the field of digital forensics to support investigations and the search for digital evidence in criminal cases, particularly crimes that use digital devices such as laptops, mobile phones, CCTV and so on.

The Internet and the World Wide Web have become integral parts of the lives of many modern individuals, enabling almost instantaneous communication, sharing and broadcasting of thoughts, feelings and opinions. Much of this information is publicly facing, and as such, it can be utilised in a multitude of online investigations, ranging from employee vetting and credit checking to counter-terrorism and fraud prevention/detection. However, the search needs and behaviours of these investigators are not well documented in the literature. In order to address this gap, an in-depth qualitative study was carried out in cooperation with a leading investigation company. The research contribution is an initial identification of Open-Source Intelligence investigator search behaviours, the procedures and practices that they undertake, along with an overview of the difficulties and challenges that they encounter as part of their domain. This lays the foundation for future research into the varied domain of Open-Source Intelligence gathering.

In this paper a new method for photo-response non-uniformity (PRNU) noise extraction is proposed. Photo-response non-uniformity noise patterns are a reliable method for digital camera identification. Especially with a large number of images, the process of camera identification can be time consuming. The proposed method aims to increase the speed of PRNU extraction without losing accuracy when compared to the state-of-the-art method. Currently wavelet-based denoising is used as the standard for PRNU extraction. Our proposed method is based on a simplified version of the Total Variation based noise removal algorithm. Results show that extraction is about 3.5 times faster with our method than with the wavelet-based denoising algorithm. While initially only an increase in speed was the goal, results indicate that the Total Variation based noise removal algorithm is not only faster, but also more accurate than the state-of-the-art method.


The eternal preoccupation with multimedia technology is the precursor of us becoming a civilization replete with an astonishing miscellanea of digital audiovisual information. Not so long ago, this digital information (images and videos especially) savored the unique status of 'definitive proof of occurrence of events'. However, given their susceptibility to malicious modifications, this status is rapidly depreciating. In sensitive areas like intelligence and surveillance, reliance on manipulated visual data could be detrimental. The disparity between the ever-growing importance of digital content and the suspicions regarding its vulnerability to alterations has made it necessary to determine whether or not the contents of a given digital image or video can be considered trustworthy. Digital videos are prone to several kinds of tamper attacks, but on a broad scale these can be categorized as either inter-frame forgeries, where the arrangement of frames in a video is manipulated, or intra-frame forgeries, where the contents of the individual frames are altered. Intra-frame forgeries are simply digital image forgeries performed on individual frames of the video. Upscale-crop and splicing are two intra-frame forgeries, both of which are performed via an image processing operation known as resampling. While the challenge of resampling detection in digital images has remained at the receiving end of much innovation over the past two decades, detection of resampling in digital videos has received little attention. With the intent of ameliorating this situation, in this paper we propose a forensic system capable of validating the authenticity of digital videos by establishing whether any of their frames, or regions of frames, have undergone post-production resampling. The system integrates the outcomes of pixel-correlation inspection and noise-inconsistency analysis; the operation of the system as a whole overcomes the limitations usually faced by these individual analyses. The proposed system has been extensively tested on a large dataset consisting of digital videos and images compressed using different codecs at different bit-rates and scaling factors, with varying noise and tampered region sizes. Empirical evidence gathered over this dataset suggests good efficacy of the system in different forensic scenarios.


The omnipresence of mobile devices (or small scale digital devices, SSDD) and, more importantly, the utility of their associated applications for our daily activities, which range from financial transactions to learning, and from entertainment to distributed social presence, create an abundance of digital evidence for each individual. Some of the evidence may be a result of illegal activities that need to be identified, understood and eventually prevented in the future. There are numerous tools for acquiring and analyzing digital evidence extracted from mobile devices. The diversity of SSDDs, the types of evidence generated and the number of tools used to uncover them pose a rather complex and challenging problem of selecting the best available tool for the extraction and the subsequent analysis of the evidence gathered from a specific digital device. Failing to select the best tool may easily lead to incomplete and/or improper extraction, which eventually may violate the integrity of the digital evidence and diminish its probative value. Moreover, the compromised evidence may result in erroneous analysis, incorrect interpretation, and wrong conclusions which may eventually compromise the right to a fair trial. Hence, a digital forensics investigator has to deal with this complex decision problem from the very start of the investigative process, the so-called preparatory phase. The problem could be addressed and possibly solved by using multi-criteria decision analysis. The performance of the tool for extracting a specific type of digital evidence, and the relevance of that type of digital evidence to the investigative problem, are the two central factors for selecting the best available tool, which we advocate in our work. In this paper we explain the method used and showcase a case study by evaluating two tools using two mobile devices to demonstrate the utility of our proposed approach. The results indicated that XRY (Alt 1) dominates UFED (Alt 2) for most of the cases after balancing the requirements for both performance and relevance.


Keywords: Scientific method

With its use highlighted in many high profile court cases around the world, digital forensics over the last decade has become an integral part of the modern legal system and corporate investigations. As the discipline grows and its use becomes widely accepted, there is a need to align it with traditional forensic sciences and move towards strengthening an accreditation regime for the discipline. This paper examines the origins of science and scientific method to form the core premises for establishing criteria to assess digital forensics as a science, and hence justifying the basis for standards and accreditation.


We simulate a small digital investigation using only freeware and free open-source software tools, to show that everything can be done without great expense or very powerful machines, while also enjoying the appeal of searching for tools and diversifying them. Along the way it will also become clear that working this way teaches and deepens one's computing knowledge. In today's landscape of digital forensics tools (software), many truly efficient and convenient commercial tools stand out, but they are often expensive as well. Between hardware and software, one can build a very respectable forensic laboratory for the acquisition and analysis phases, with the convenience and efficiency provided by the ease of use of these commercial tools. In this article I would like to show a small acquisition and analysis workflow carried out entirely with free or very inexpensive open-source tools, on GNU/Linux and Windows operating systems; it will certainly not be as convenient as pressing a single button, but perhaps more fascinating and more "intimate" with computing and the data.


1. The model or framework introduced by Yusoff et al. is the Generic Computer Forensic Investigation Model (GCFIM).
2. The model introduced by Kohn et al. is the Integrated Digital Forensic Process Model (IDFPM).
3. The model introduced by Agarwal et al. is the Systematic Digital Forensic Investigation Model (SDFIM).