Now showing 1 - 10 of 63
  • Publication
    Leveraging Decentralisation to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync
    File synchronization services such as Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, etc., are becoming increasingly popular in today’s always-connected world. A popular alternative to the aforementioned services is BitTorrent Sync. This is a decentralized/cloudless file synchronization service and is gaining significant popularity among Internet users with privacy concerns over where their data is stored and who has the ability to access it. The focus of this paper is the remote recovery of digital evidence pertaining to files identified as being accessed or stored on a suspect’s computer or mobile device. A methodology for the identification, investigation, recovery and verification of such remote digital evidence is outlined. Finally, a proof-of-concept remote evidence recovery from BitTorrent Sync shared folder highlighting a number of potential scenarios for the recovery and verification of such evidence.
      136
  • Publication
    Forensic Analysis of Ares Galaxy Peer-to-Peer Network
    Child Abuse Material (CAM) is widely available on P2P networks. Over the last decade several tools were made for 24/7 monitoring of peer-to-peer (p2p) networks to discover suspects that use these networks for downloading and distribution of CAM. For some countries the amount of cases generated by these tools is so great that Law Enforcement (LE) just cannot handle them all. This is not only leading to backlogs and prioritizing of cases but also leading to discussions about the possibility of disrupting these networks and sending warning messages to potential CAM offenders. Recently, investigators are reporting that they are creating more serious cases on Ares Galaxy (Ares) than on other open p2p networks. Little has been done on automatic prioritization of cases with the information obtained from data that is available on P2P networks. Cases are mostly selected based on the highest number of CAM, while studies indicate that the abusers are most likely to be found not within that top user list. What kind of information can we use to prioritize cases in another way? Is it possible to disturb the network by sending warning messages and sharing fake material? Although the past years have seen a lot of successful CAM cases, generated in several countries, there is still little known about the Ares network. Although Ares network is open source, the protocol is not documented and the program does not come with serious documentation or support. In this paper, we present first of all a forensic analysis of using of Ares network in relation with the distribution of CAM. We then describe forensic artefacts found on an Ares computer involved in CAM.
      2271
  • Publication
    Accuracy Enhancement of Electromagnetic Side-Channel Attacks on Computer Monitors
    Electromagnetic noise emitted from running computer displays modulates information about the picture frames being displayed on screen. Attacks have been demonstrated on eavesdropping computer displays by utilising these emissions as a side-channel vector. The accuracy of reconstructing a screen image depends on the emission sampling rate and bandwidth of the attackers signal acquisition hardware. The cost of radio frequency acquisition hardware increases with increased supported frequency range and bandwidth. A number of enthusiast-level, affordable software defined radio equipment solutions are currently available facilitating a number of radio-focused attacks at a more reasonable price point. This work investigates three accuracy influencing factors, other than the sample rate and bandwidth, namely noise removal, image blending, and image quality adjustments, that affect the accuracy of monitor image reconstruction through electromagnetic side-channel attacks.
    Scopus© Citations 7  19
  • Publication
    A Lightweight Software Write-blocker for Virtual Machine Forensics
    The integrity of any original evidence is fundamental to a forensic examination. Preserving the integrity of digital evidence is vitally important as changing just one bit among perhaps gigabits of data, will irrevocably alter that data and cast doubt on any evidence extracted. In traditional digital forensics write-blockers are used to preserve the integrity of that evidence and prevent changes from occurring, but virtual machine forensics presents more difficult challenges to address. Access to the digital storage device will probably not be possible, typically the only accessible storage will be a virtual hard disk drive. This will have the same integrity issues as those of a real device, but with the added complication that it is not possible to use a hardware write-blocker to prevent changes to those data. For this reason it is important to explore how to implement write-blocking mechanisms on a virtual device. In this paper we present an implementation of a software write-blocker and show how we can use it to be compliant with the 2nd ACPO principle on digital evidence.
    Scopus© Citations 3  621
  • Publication
    Volkswagen Car Entertainment System Forensics
    Vehicles are fast becoming another importantsource of digital evidence in a criminal investigation.Traditionally, when a vehicle is involved in a crime scene (e.g.drink driving), the investigators focus on the acquisition of DNA, fingerprints and other identifying materials, usually non digitalin nature. However, modern day cars, particularly smart ordriverless cars, store a wealth of digital information, such asrecent destinations, favourite locations, routes, personal datasuch as call logs, contact lists, SMS messages, pictures, andvideos. In this paper, we describe some challenges associated withvehicle data forensics, an understudied area. Next, we presentour case study on forensic acquisition and data analysis of anentertainment system on a Volkswagen car.
    Scopus© Citations 14  1781
  • Publication
    Forensic analysis of Exfat Artefacts
    (University College Dublin, 2018-05-23) ; ; ;
    Although keeping some basic concepts inherited from FAT32, the exFAT file system introduces many differences, such as the new mapping scheme of directory entries. The combination of exFAT mapping scheme with the allocation of bitmap files and the use of FAT leads to new forensic possibilities. The recovery of deleted files, including fragmented ones and carving becomes more accurate compared with former forensic processes. Nowadays, the accurate and sound forensic analysis is more than ever needed, as there is a high risk of erroneous interpretation. Indeed, most of the related work in the literature on exFAT structure and forensics, is mainly based on reverse engineering research, and only few of them cover the forensic interpretation. In this paper, we propose a new methodology using of exFAT file systems features to improve the interpretation of inactive entries by using bitmap file analysis and recover the file system metadata information for carved files. Experimental results show how our approach improves the forensic interpretation accuracy.
      222
  • Publication
    ADMIRE framework: Distributed Data Mining on Data Grid platforms
    In this paper, we present the ADMIRE architecture; a new framework for developing novel and innovative data mining techniques to deal with very large and distributed heterogeneous datasets in both commercial and academic applications. The main ADMIRE components are detailed as well as its interfaces allowing the user to efficiently develop and implement their data mining applications techniques on a Grid platform such as Globus ToolKit, DGET, etc.
      278
  • Publication
    Evaluation of Digital Forensic Process Models with Respect to Digital Forensics as a Service
    (Academic Conferences And Publishing International Limited, 2017-06-12) ; ;
    Digital forensic science is very much still in its infancy, but is becoming increasingly invaluable to investigators. A popular area for research is seeking a standard methodology to make the digital forensic process accurate, robust, and efficient. The first digital forensic process model proposed contains four steps: Acquisition, Identification, Evaluation and Admission. Since then, numerous process models have been proposed to explain the steps of identifying, acquiring, analysing, storage, and reporting on the evidence obtained from various digital devices. In recent years, an increasing number of more sophisticated process models have been proposed. These models attempt to speed up the entire investigative process or solve various of problems commonly encountered in the forensic investigation. In the last decade, cloud computing has emerged as a disruptive technological concept, and most leading enterprises such as IBM, Amazon, Google, and Microsoft have set up their own cloud-based services. In the field of digital forensic investigation, moving to a cloudbased evidence processing model would be extremely beneficial and preliminary attempts have been made in its implementation. Moving towards a Digital Forensics as a Service model would not only expedite the investigative process, but can also result in significant cost savings - freeing up digital forensic experts and law enforcement personnel to progress their caseload. This paper aims to evaluate the applicability of existing digital forensic process models and analyse how each of these might apply to a cloud-based evidence processing paradigm.
      21
  • Publication
    Distributed Knowledge Map for Mining Data on Grid Platforms
    Recently, huge datasets representing different applications domains are produced and stored on distributed platforms. These datasets are, generally, owned by different organizations. As a consequence, The scale and distribution nature of these datasets have created the problem of efficient mining and management on these platforms. Most of the existing knowledge management approaches are mainly for centralized data mining. Few of them propose solutions for mining and handling knowledge on Grid. However, the new knowledge is stored and managed as any other kinds of resources.
      173
  • Publication
    Private Web Browser Forensics: A Case Study on Epic Privacy Browser
    (Journal of Information Warfare, 2018-03) ; ;
    Organized crime, as well as individual criminals, are benefiting from the protection of private browsers to carry out illegal activity, such as money laundering, drug trafficking, the online exchange of child abuse material, etc. Epic Privacy Browser is one common example. It is currently in use in approximately 180 countries worldwide. In this paper, we outline the location and type of evidence available through live and post-mortem state analysis of the Epic Privacy Browser. This analysis identifies how the browser functions during use and where evidence can be recovered after use, the tools, and effective presentation of the recovered material.
      696