Andrew Marrington | Zayed University

Papers by Andrew Marrington

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

The construction of timelines of computer activity is a part of many digital investigations. These timelines of events are composed of traces of historical activity drawn from system logs and potentially from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work introduces a software tool (CAT Detect) for the detection of inconsistency within timelines of computer activity. We examine the impact of deliberate tampering through experiments conducted with our prototype software tool. Based on the results of these experiments, we discuss techniques which can be employed to deal with such temporal inconsistencies. © 2011 Marrington, Baggili, Mohay & Clark. Published by Elsevier Ltd. All rights reserved.

Availability, Reliability and Security (ARES), 2016 11th International Conference on

Computer Forensic Profiling

Computer forensics is the process of gathering and analyzing evidence from computer systems to aid in the investigation of a crime. Typically, such investigations are undertaken by trained forensic examiners using purpose-built software to discover evidence from a computer disk. This process is a manual one, and the time it takes for a forensic examiner to conduct such an investigation is proportional to the storage capacity of the computer's disk drives. The heterogeneity and complexity of various data formats stored on modern computer systems compounds the problems posed by the sheer volume of data. The decision to undertake a digital forensic examination of a computer system is a decision to commit significant quantities of a human examiner's time. Where there is no prior knowledge of the information contained on a computer system, this commitment of time and energy occurs with little idea of the potential benefit to the investigation.

Forensic analysis of Xbox One and PlayStation 4 gaming consoles

2016 IEEE International Workshop on Information Forensics and Security (WIFS), 2016

This paper highlights the challenges faced due to non-availability of trusted specialized forensic tools for conducting investigation on gaming consoles. We have developed a framework to examine existing state-of-the-art forensic acquisition and analysis tools by exploring their applicability to eighth generation gaming consoles such as the Xbox One and PlayStation 4. The framework is used to validate the acquired images, compare the retrieved artifacts before and after restoring the console to the factory settings, and to conduct network forensics on both devices. The paper reveals the need of specialized forensic tools for forensic analysis of these devices.

Forensic investigation of cyberstalking cases using Behavioural Evidence Analysis

Digital Investigation, 2016

Behavioural Evidence Analysis (BEA) is, in theory, useful in developing an understanding of the offender, the victim, the crime scene, and the dynamics of the crime. It can add meaning to the evidence obtained through digital forensic techniques and assist investigators with reconstruction of a crime. There is, however, little empirical research examining the application of BEA to actual criminal cases, particularly cyberstalking cases. This study addresses this gap by examining the utility of BEA for such cases in terms of understanding the behavioural and motivational dimensions of offending, and the way in which digital evidence can be interpreted. It reports on the forensic analysis of 20 cyberstalking cases investigated by Dubai Police in the last five years. Results showed that BEA helps to focus an investigation, enables better understanding and interpretation of victim and offender behaviour, and assists in inferring traits of the offender from available digital evidence. These benefits can help investigators to build a stronger case, reduce time wasted to mistakes, and to exclude suspects wrongly accused in cyberstalking cases.

The Promise and Perils of Wearable Technologies

Managing Security Issues and the Hidden Dangers of Wearable Technologies

Amazon Kindle Fire HD Forensics

Abstract. This research presents two developed approaches for the forensic acquisition of an Amazon Kindle Fire HD. It describes the forensic acquisition and analysis of the Amazon Kindle Fire HD device. Two developed methods of acquisition are presented; one requiring a special cable to reflash the boot partition of the device with a forensic acquisition environment (Method A), and the other exploiting a vulnerability in the device’s Android operating system (Method B). A case study is then presented showing the various digital evidence that can be extracted from the device. The results indicate that Method A is more favorable because it utilizes a general methodology that does not exploit a vulnerability that could potentially be patched by Amazon in future software updates.

Dealing with Temporal Inconsistency in Automated Computer Forensic Profiling

Abstract. Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techni...

Drone Forensics: Challenges and New Insights

Powerful information acquisition and processing capabilities, coupled with intelligent surveillance and reconnaissance features, have contributed to increased popularity of Unmanned Aerial Vehicles (UAVs), also known as drones. In addition to the numerous beneficial uses, UAVs have been misused to launch illegal and sometimes criminal activities that pose direct threats to individuals, organizations, public safety and national security. Despite its increased importance, "drone forensics" remains a relatively unexplored research topic. This paper presents important results of a forensic investigation analysis performed on a test Parrot AR drone 2.0. We present new insights into drone forensics in terms of accessing the digital containers of an intercepted drone and retrieving all the information that can help digital forensic investigators establish ownership, recover flight data and acquire content of media files.

Forensic Challenges in Service Oriented Architectures

Digital forensics relates to the investigation of a crime or other suspect behaviour using digital evidence. Previous work has dealt with the forensic reconstruction of computer-based activity on single hosts, but with the additional complexity involved with a distributed environment, a Web services-centric approach is required. A framework for this type of forensic examination needs to allow for the reconstruction of transactions spanning multiple hosts, platforms and applications. A tool implementing such an approach could be used by an investigator to identify scenarios of Web services being misused, exploited, or otherwise compromised. This information could be used to redesign Web services in order to mitigate identified risks. This paper explores the requirements of a framework for performing effective forensic examinations in a Web services environment. This framework will be necessary in order to develop forensic tools and techniques for use in service oriented architectures.

A Study of Detecting Child Pornography on Smart Phone

Child Pornography is an increasingly visible rising cybercrime in the world today. Over the past decade, with rapid growth in smart phone usage, readily available free Cloud Computing storage, and various mobile communication apps, child pornographers have found a convenient and reliable mobile platform for instantly sharing pictures or videos of children being sexually abused. Within this new paradigm, law enforcement officers are finding that detecting, gathering, and processing evidence for the prosecution of child pornographers is becoming increasingly challenging. Deep learning is a machine learning method that models high-level abstractions in data and extracts hierarchical representations of data by using a deep graph with multiple processing layers. This paper presents a conceptual model of deep learning approach for detecting child pornography within the new paradigm by using log analysis, file name analysis and cell site analysis which investigate text logs of events that ...


First Annual DFRWS APAC Conference

Forensic Science International: Digital Investigation

WordNet-based Criminal Networks Mining for Cybercrime Investigation

IEEE Access

Cybercriminals exploit the opportunities provided by the information revolution and social media to communicate and conduct underground illicit activities such as online fraudulence, cyber predation, cyberbullying, hacking, blackmailing, and drug smuggling. To combat the increasing number of criminal activities, structure and content analysis of criminal communities can provide insight and facilitate cybercrime forensics. In this paper, we propose a framework to analyze chat logs for crime investigation using data mining and Natural Language Processing (NLP) techniques. The proposed framework extracts the social network from chat logs and summarizes conversation into topics. The crime investigator can use Information Visualizer to see the crime-related results. To test the validity of our proposed framework, we worked in a joint effort with the cybercrime unit of a Canadian law enforcement agency. Experimental outcomes on real-life data and feedback from the law enforcement officers suggest that the proposed chat log mining framework meets the need of law enforcement agencies and is very effective for crime investigation. INDEX TERMS data mining, crime investigation, criminal communities, clustering algorithms, WordNet

Behavioural Digital Forensics Model: Embedding Behavioural Evidence Analysis into the investigation of digital crimes

Digital Investigation

The state-of-the-art and practice show an increased recognition, but limited adoption, of Behavioural Evidence Analysis (BEA) within the Digital Forensics (DF) investigation process. Yet, there is currently no BEA-driven process model and guidelines for DF investigators to follow in order to take advantage of such an approach. This paper proposes the Behavioural Digital Forensics Model to fill this gap. It takes a multidisciplinary approach which incorporates BEA into in-lab investigation of seized devices related to interpersonal cases (i.e., digital crimes involving human interactions between offender(s) and victim(s)). The model was designed based on the application of traditional BEA phases to 35 real cases, and evaluated using 5 real digital crime cases, all from Dubai Police archive. This paper, however, provides details of only one case from this evaluation pool. Compared to the outcome of these cases using a traditional DF investigation process, the new model showed a number of benefits. It allowed a more effective focusing of the investigation, and provided logical directions for identifying the location of further relevant evidence. It also enabled a better understanding and interpretation of victim/offender behaviours (e.g., probable offenders' motivations and modus operandi), which facilitated a more in-depth understanding of the dynamics of the specific crime. Finally, in some cases, it enabled the identification of suspect's collaborators, something which was not identified via the traditional investigative process.

Investigation of Indecent Images of Children cases: Challenges and suggestions collected from the trenches

Digital Investigation

Previous studies examining the investigative challenges and needs of Digital Forensic (DF) practitioners have typically taken a sector-wide focus. This paper presents the results of a survey which collected text-rich comments about the challenges experienced and related suggestions for improvement in the investigation of Indecent Images of Children (IIOC) cases. The comments were provided by 153 international DF practitioners (28.1% survey response rate) and were processed using Thematic Analysis. This resulted in the identification of 4 IIOC-specific challenge themes, and 6 DF-generic challenges which directly affect IIOC. The paper discusses these identified challenges from a practitioner perspective, and outlines their suggestions for addressing them.

Factors Influencing Digital Forensic Investigations: Empirical Evaluation of 12 Years of Dubai Police Cases

Journal of Digital Forensics, Security and Law, 2015

In Digital Forensics, the number of person-hours spent on investigation is a key factor which needs to be kept to a minimum whilst also paying close attention to the authenticity of the evidence. The literature describes challenges behind increasing person-hours and identifies several factors which contribute to this phenomenon. This paper reviews these factors and demonstrates that they do not wholly account for increases in investigation time. Using real case records from the Dubai Police, an extensive study explains the contribution of other factors to the increase in person-hours. We conclude this work by emphasizing several factors affecting the person-hours in contrast to what most of the literature in this area proposes.

Magec: An Image Searching Tool for Detecting Forged Images in Forensic Investigation

2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2016

Manipulation of digital images for the purpose of forgery is a rapidly growing phenomenon that poses a challenge for cyber-crime investigators. Distinguishing original images from duplicates and the number of original copies within the same media are some examples of challenges presented by duplicate digital images. In this paper, we present a new image-searching tool called Magec, to detect duplicate image(s) on digital media, using the original image modification attributes as a signature. First, we describe the tool and the methods used to detect duplicate images, then we evaluate the tool's performance based on the number of folders it searches and the number of files it searches for. Later, we present the analysis of the tool using different operating system attributes. The goal is to find copies of the same object that is hidden; compressed images, or images saved with different attributes and demonstrates which one is the original image and thereby deduce which ones are copies. This research helps in better utilization of small/limited capacity devices, where limited storage capacity may be a problem. The experimental results prove that the presented search tool provides faster and accurate results. Finally, the conducted tests on the Magec tool are analyzed and verified, and the results are presented along with the challenges identified.


Managing Security Issues and the Hidden Dangers of Wearable Technologies

Advances in mobile computing have provided numerous innovations that make people's daily lives easier and more convenient. However, as technology becomes more ubiquitous, corresponding risks increase as well. Managing Security Issues and the Hidden Dangers of Wearable Technologies examines the positive and negative ramifications of emerging wearable devices and their potential threats to individuals, as well as organizations. Highlighting socio-ethical issues, policy implementation, and appropriate usage, this book is a pivotal reference source for professionals, policy makers, academics, managers, and students interested in the security and privacy implications of wearable digital devices.

Research paper thumbnail of CAT Detect : A Tool for Detecting Inconsistency in Computer Activity Timelines

The construction of timelines of computer activity is a part of many digital investigations. Thes... more The construction of timelines of computer activity is a part of many digital investigations. These timelines of events are composed of traces of historical activity drawn from system logs and potentially from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work introduces a software tool (CAT Detect) for the detection of inconsistency within timelines of computer activity. We examine the impact of deliberate tampering through experiments conducted with our prototype software tool. Based on the results of these experiments, we discuss techniques which can be employed to deal with such temporal inconsistencies. a 2011 Marrington, Baggili, Mohay & Clark. Published by Elsevier Ltd. All rights reserved.

Research paper thumbnail of Availability, Reliability and Security (ARES), 2016 11th International Conference on

Research paper thumbnail of Computer Forensic Profiling

Computer forensics is the process of gathering and analyzing evidence from computer systems to ai... more Computer forensics is the process of gathering and analyzing evidence from computer systems to aid in the investigation of a crime. Typically, such investigations are undertaken by trained forensic examiners using purpose-built software to discover evidence from a computer disk. This process is a manual one, and the time it takes for a forensic examiner to conduct such an investigation is proportional to the storage capacity of the computer's disk drives. The heterogeneity and complexity of various data formats stored on modern computer systems compounds the problems posed by the sheer volume of data. The decision to undertake a digital forensic examination of a computer system is a decision to commit significant quantities of a human examiner's time. Where there is no prior knowledge of the information contained on a computer system, this commitment of time and energy occurs with little idea of the potential benefit to the investigation.

Research paper thumbnail of Forensic analysis of xbox one and playstation 4 gaming consoles

2016 IEEE International Workshop on Information Forensics and Security (WIFS), 2016

This paper highlights the challenges faced due to non-availability of trusted specialized forensi... more This paper highlights the challenges faced due to non-availability of trusted specialized forensic tools for conducting investigation on gaming consoles. We have developed a framework to examine existing state-of-the-art forensic acquisition and analysis tools by exploring their applicability to eighth generation gaming consoles such as the Xbox One and PlayStation 4. The framework is used to validate the acquired images, compare the retrieved artifacts before and after restoring the console to the factory settings, and to conduct network forensics on both devices. The paper reveals the need of specialized forensic tools for forensic analysis of these devices.

Research paper thumbnail of Forensic investigation of cyberstalking cases using Behavioural Evidence Analysis

Digital Investigation, 2016

Behavioural Evidence Analysis (BEA) is, in theory, useful in developing an understanding of the o... more Behavioural Evidence Analysis (BEA) is, in theory, useful in developing an understanding of the offender, the victim, the crime scene, and the dynamics of the crime. It can add meaning to the evidence obtained through digital forensic techniques and assist investigators with reconstruction of a crime. There is, however, little empirical research examining the application of BEA to actual criminal cases, particularly cyberstalking cases. This study addresses this gap by examining the utility of BEA for such cases in terms of understanding the behavioural and motivational dimensions of offending, and the way in which digital evidence can be interpreted. It reports on the forensic analysis of 20 cyberstalking cases investigated by Dubai Police in the last five years. Results showed that BEA helps to focus an investigation, enables better understanding and interpretation of victim and offender behaviour, and assists in inferring traits of the offender from available digital evidence. These benefits can help investigators to build a stronger case, reduce time wasted to mistakes, and to exclude suspects wrongly accused in cyberstalking cases.

Research paper thumbnail of The Promise and Perils of Wearable Technologies

Managing Security Issues and the Hidden Dangers of Wearable Technologies

Research paper thumbnail of Amazon Kindle Fire HD Forensics

Abstract. This research presents two developed approaches for the forensic acquisition of an Amaz... more Abstract. This research presents two developed approaches for the forensic acquisition of an Amazon Kindle Fire HD. It describes the forensic acquisition and analysis of the Amazon Kindle Fire HD device. Two developed methods of acquisition are presented; one requiring a special cable to reflash the boot par-tition of the device with a forensic acquisition environment (Method A), and the other exploiting a vulnerability in the device’s Android operating system (Method B). A case study is then presented showing the various digital evidence that can be extracted from the device. The results indicate that Method A is more favorable because it utilizes a general methodology that does not exploit a vulnerability that could potentially be patched by Amazon in future software updates.

Research paper thumbnail of 1 Dealing with Temporal Inconsistency in Automated Computer Forensic Profiling

Abstract. Computer profiling is the automated forensic examination of a computer system in order ... more Abstract. Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications- are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techni...

Research paper thumbnail of Drone Forensics: Challenges and New Insights

Powerful information acquisition and processing capabilities, coupled with intelligent surveillan... more Powerful information acquisition and processing capabilities, coupled with intelligent surveillance and reconnaissance features, have contributed to increased popularity of Unmanned Aerial Vehicles (UAVs), also known as drones. In addition to the numerous beneficial uses, UAVs have been misused to launch illegal and sometimes criminal activities that pose direct threats to individuals, organizations, public safety and national security. Despite its increased importance, "drone forensics" remains a relatively unexplored research topic. This paper presents important results of a forensic investigation analysis performed on a test Parrot AR drone 2.0. We present new insights into drone forensics in terms of accessing the digital containers of an intercepted drone and retrieving all the information that can help digital forensic investigators establish ownership, recover flight data and acquire content of media files.

Research paper thumbnail of Forensic Challenges in Service Oriented Architectures

Digital forensics relates to the investigation of a crime or other suspect behaviour using digita... more Digital forensics relates to the investigation of a crime or other suspect behaviour using digital evidence. Previous work has dealt with the forensic reconstruction of computer-based activity on single hosts, but with the additional complexity involved with a distributed environment, a Web services-centric approach is required. A framework for this type of forensic examination needs to allow for the reconstruction of transactions spanning multiple hosts, platforms and applications. A tool implementing such an approach could be used by an investigator to identify scenarios of Web services being misused, exploited, or otherwise compromised. This information could be used to redesign Web services in order to mitigate identified risks. This paper explores the requirements of a framework for performing effective forensic examinations in a Web services environment. This framework will be necessary in order to develop forensic tools and techniques for use in service oriented architectures.

Research paper thumbnail of A Study of Detecting Child Pornography on Smart Phone

Child Pornography is an increasingly visible rising cybercrime in the world today. Over the past ... more Child Pornography is an increasingly visible rising cybercrime in the world today. Over the past decade, with rapid growth in smart phone usage, readily available free Cloud Computing storage, and various mobile communication apps, child pornographers have found a convenient and reliable mobile platform for instantly sharing pictures or videos of children being sexually abused. Within this new paradigm, law enforcement officers are finding that detecting, gathering, and processing evidence for the prosecution of child pornographers is becoming increasingly challenging. Deep learning is a machine learning method that models high-level abstractions in data and extracts hierarchical representations of data by using a deep graph with multiple processing layers. This paper presents a conceptual model of deep learning approach for detecting child pornography within the new paradigm by using log analysis, file name analysis and cell site analysis which investigate text logs of events that ...

Research paper thumbnail of Forensic Challenges in Service Oriented Architectures

Digital forensics relates to the investigation of a crime or other suspect behaviour using digita... more Digital forensics relates to the investigation of a crime or other suspect behaviour using digital evidence. Previous work has dealt with the forensic reconstruction of computer-based activity on single hosts, but with the additional complexity involved with a distributed environment, a Web services-centric approach is required. A framework for this type of forensic examination needs to allow for the reconstruction of transactions spanning multiple hosts, platforms and applications. A tool implementing such an approach could be used by an investigator to identify scenarios of Web services being misused, exploited, or otherwise compromised. This information could be used to redesign Web services in order to mitigate identified risks. This paper explores the requirements of a framework for performing effective forensic examinations in a Web services environment. This framework will be necessary in order to develop forensic tools and techniques for use in service oriented architectures.

First Annual DFRWS APAC Conference

Forensic Science International: Digital Investigation

WordNet-based Criminal Networks Mining for Cybercrime Investigation

IEEE Access

Cybercriminals exploit the opportunities provided by the information revolution and social media to communicate and conduct underground illicit activities such as online fraudulence, cyber predation, cyberbullying, hacking, blackmailing, and drug smuggling. To combat the increasing number of criminal activities, structure and content analysis of criminal communities can provide insight and facilitate cybercrime forensics. In this paper, we propose a framework to analyze chat logs for crime investigation using data mining and Natural Language Processing (NLP) techniques. The proposed framework extracts the social network from chat logs and summarizes conversation into topics. The crime investigator can use Information Visualizer to see the crime-related results. To test the validity of our proposed framework, we worked in a joint effort with the cybercrime unit of a Canadian law enforcement agency. Experimental outcomes on real-life data and feedback from the law enforcement officers suggest that the proposed chat log mining framework meets the need of law enforcement agencies and is very effective for crime investigation.

Index terms: data mining, crime investigation, criminal communities, clustering algorithms, WordNet

Behavioural Digital Forensics Model: Embedding Behavioural Evidence Analysis into the investigation of digital crimes

Digital Investigation

The state-of-the-art and practice show an increased recognition, but limited adoption, of Behavioural Evidence Analysis (BEA) within the Digital Forensics (DF) investigation process. Yet, there is currently no BEA-driven process model and guidelines for DF investigators to follow in order to take advantage of such an approach. This paper proposes the Behavioural Digital Forensics Model to fill this gap. It takes a multidisciplinary approach which incorporates BEA into in-lab investigation of seized devices related to interpersonal cases (i.e., digital crimes involving human interactions between offender(s) and victim(s)). The model was designed based on the application of traditional BEA phases to 35 real cases, and evaluated using 5 real digital crime cases, all from Dubai Police archive. This paper, however, provides details of only one case from this evaluation pool. Compared to the outcome of these cases using a traditional DF investigation process, the new model showed a number of benefits. It allowed a more effective focusing of the investigation, and provided logical directions for identifying the location of further relevant evidence. It also enabled a better understanding and interpretation of victim/offender behaviours (e.g., probable offenders' motivations and modus operandi), which facilitated a more in depth understanding of the dynamics of the specific crime. Finally, in some cases, it enabled the identification of suspect's collaborators, something which was not identified via the traditional investigative process.

Investigation of Indecent Images of Children cases: Challenges and suggestions collected from the trenches

Digital Investigation

Previous studies examining the investigative challenges and needs of Digital Forensic (DF) practitioners have typically taken a sector-wide focus. This paper presents the results of a survey which collected text-rich comments about the challenges experienced and related suggestions for improvement in the investigation of Indecent Images of Children (IIOC) cases. The comments were provided by 153 international DF practitioners (28.1% survey response rate) and were processed using Thematic Analysis. This resulted in the identification of 4 IIOC-specific challenge themes, and 6 DF-generic challenges which directly affect IIOC. The paper discusses these identified challenges from a practitioner perspective, and outlines their suggestions for addressing them.

Factors Influencing Digital Forensic Investigations: Empirical Evaluation of 12 Years of Dubai Police Cases

Journal of Digital Forensics, Security and Law, 2015

In Digital Forensics, the number of person-hours spent on investigation is a key factor which needs to be kept to a minimum whilst also paying close attention to the authenticity of the evidence. The literature describes challenges behind increasing person-hours and identifies several factors which contribute to this phenomenon. This paper reviews these factors and demonstrates that they do not wholly account for increases in investigation time. Using real case records from the Dubai Police, an extensive study explains the contribution of other factors to the increase in person-hours. We conclude this work by emphasizing several factors affecting the person-hours in contrast to what most of the literature in this area proposes.

Magec: An Image Searching Tool for Detecting Forged Images in Forensic Investigation

2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2016

Manipulation of digital images for the purpose of forgery is a rapidly growing phenomenon that poses a challenge for cyber-crime investigators. Distinguishing original images from duplicates and the number of original copies within the same media are some examples of challenges presented by duplicate digital images. In this paper, we present a new image-searching tool called Magec, to detect duplicate image(s) on digital media, using the original image modification attributes as a signature. First, we describe the tool and the methods used to detect duplicate images, then we evaluate the tool's performance based on the number of folders it searches and the number of files it searches for. Later, we present the analysis of the tool using different operating system attributes. The goal is to find copies of the same object that is hidden; compressed images, or images saved with different attributes and demonstrates which one is the original image and thereby deduce which ones are copies. This research helps in better utilization of small/limited capacity devices, where limited storage capacity may be a problem. The experimental results prove that the presented search tool provides faster and accurate results. Finally, the tests conducted on the Magec tool are analyzed and verified, and the results are presented along with the challenges identified.

Forensic Analysis of Xbox One and PlayStation 4 Gaming Consoles

This paper highlights the challenges faced due to non-availability of trusted specialized forensic tools for conducting investigation on gaming consoles. We have developed a framework to examine existing state-of-the-art forensic acquisition and analysis tools by exploring their applicability to eighth generation gaming consoles such as the Xbox One and PlayStation 4. The framework is used to validate the acquired images, compare the retrieved artifacts before and after restoring the console to the factory settings, and to conduct network forensics on both devices. The paper reveals the need of specialized forensic tools for forensic analysis of these devices.

Managing Security Issues and the Hidden Dangers of Wearable Technologies

Advances in mobile computing have provided numerous innovations that make people's daily lives easier and more convenient. However, as technology becomes more ubiquitous, corresponding risks increase as well. Managing Security Issues and the Hidden Dangers of Wearable Technologies examines the positive and negative ramifications of emerging wearable devices and their potential threats to individuals, as well as organizations. Highlighting socio-ethical issues, policy implementation, and appropriate usage, this book is a pivotal reference source for professionals, policy makers, academics, managers, and students interested in the security and privacy implications of wearable digital devices.