Kechadi, Tahar
Research Output
- Virtual Machine Forensics by means of Introspection and Kernel Code Injection (2014-03-24)
  Virtual Machine Introspection offers the ability to access a virtual machine remotely and extract information from it. Virtual machine introspection allows all processes, local data, and network traffic to be tracked and made available to the investigation process. These properties offer the possibility to monitor a suspect virtual machine (VM). However, access to a VM's data is far from trivial; there are various complex tasks to be dealt with. For instance, the returned data is in a raw format, and it is necessary to remap it into a user-friendly representation (canonical representation). In this paper we propose a method of bridging this semantic gap, and provide a graphical reconstruction of events. This proposal is essentially the recreation of a virtual machine at a remote location and the subsequent recreation of all processes, data and network traffic in a virtual machine as they occur in the original. This should be achieved in real time, which will give an opportunity to quickly make decisions based on the evidence as we collect it in real time. Our approach involves recreating a virtual machine and injecting into it all code and data within the original virtual machine, presenting an identical copy for examination. The approach proposed also has another advantage, in that it allows all data to be saved for further analysis and verification.

- Forensic Analysis of Virtual Hard Drives (The Association of Digital Forensics, Security and Law, 2017-03-31)
  The issue of the volatility of virtual machines is perhaps the most pressing concern in any digital investigation involving a virtual machine. Current digital forensics tools do not fully address the complexities of data recovery that are posed by virtual hard drives. It is necessary, for this reason, to explore ways to capture evidence other than those using current digital forensic methods. Data recovery should be done in the most efficient and secure manner, as quickly, and in as non-intrusive a way as can be achieved. All data in a virtual machine is disposed of when that virtual machine is destroyed; it may not therefore be possible to extract and preserve evidence such as incriminating images prior to destruction. Recovering that evidence, or finding some way of associating that evidence with the virtual machine before destruction of that virtual machine, is therefore crucial. In this paper we present a method for extracting evidence from a virtual hard disk drive in a quick, secure and verifiable manner, with a minimum impact on the drive, thus preserving its integrity for further analysis.

- Overview of the Forensic Investigation of Cloud Services
  Cloud Computing is a commonly used, yet ambiguous, term which can refer to a multitude of differing dynamically allocated services. From a law enforcement and forensic investigation perspective, cloud computing can be thought of as a double-edged sword. On one hand, the gathering of digital evidence from cloud sources can bring with it complicated technical and cross-jurisdictional legal challenges. On the other, the employment of cloud storage and processing capabilities can expedite the forensics process and focus the investigation onto pertinent data earlier in an investigation. This paper examines the state of the art in cloud-focused digital forensic practices for the collection and analysis of evidence, and gives an overview of the potential use of cloud technologies to provide Digital Forensics as a Service.

- BitTorrent Sync: Network Investigation Methodology
  The volume of personal information and data most Internet users find themselves amassing is ever increasing, and the fast pace of the modern world results in most requiring instant access to their files. Millions of these users turn to cloud-based file synchronisation services, such as Dropbox, Microsoft Skydrive, Apple iCloud and Google Drive, to enable 'always-on' access to their most up-to-date data from any computer or mobile device with an Internet connection. The prevalence of recent articles in the media covering various invasion-of-privacy issues and data protection breaches has caused many to review their online security practices with their personal information. To provide an alternative to cloud-based file backup and synchronisation, BitTorrent Inc. released a cloudless file backup and synchronisation service, named BitTorrent Sync, to alpha testers in April 2013. BitTorrent Sync's popularity rose dramatically throughout 2013, reaching over two million active users by the end of the year. This paper outlines a number of scenarios where the network investigation of the service may prove invaluable as part of a digital forensic investigation. An investigation methodology is proposed outlining the required steps involved in retrieving digital evidence from the network, and the results from a proof-of-concept investigation are presented.

- Increasing Digital Investigator Availability Through Efficient Workflow Management And Automation (IEEE, 2016-04-27)
  The growth of digital storage capacities and the diversity of devices has had a significant time impact on digital forensic laboratories in law enforcement. Backlogs have become commonplace, and increasingly more time is spent in the acquisition and preparation steps of an investigation as opposed to detailed evidence analysis and reporting. There is generally little room for increasing digital investigation capacity in law enforcement digital forensic units, and the allocated budgets for these units are often decreasing. In the context of developing an efficient investigation process, one of the key challenges amounts to how to achieve more with less. This paper proposes a workflow management automation framework for handling common digital forensic tools. The objective is to streamline the digital investigation workflow, enabling more efficient use of limited hardware and software. The proposed automation framework reduces the time digital forensic experts spend conducting time-consuming, though necessary, tasks. The evidence processing time is decreased through server-side automation, resulting in 24/7 evidence preparation. The proposed framework increases the efficiency of use of forensic software and hardware, reduces infrastructure costs and license fees, and simplifies the preparation steps for the digital investigator. The proposed approach is evaluated in a real-world scenario to assess its robustness and highlight its benefits.

- Digital Evidence Bag Selection for P2P Network Investigation
  The collection and handling of court-admissible evidence is a fundamental component of any digital forensic investigation. While the procedures for handling digital evidence take much of their influence from the established policies for the collection of physical evidence, the obvious differences in dealing with non-physical evidence mean that a number of extra policies and procedures are required. This paper compares and contrasts some of the existing digital evidence formats or “bags” and analyses them for their compatibility with evidence gathered from a network source. A new digital extended evidence bag is proposed to specifically deal with evidence gathered from P2P networks, incorporating the network byte stream and on-the-fly metadata generation to aid in expedited identification and analysis.

- A Lightweight Software Write-blocker for Virtual Machine Forensics
  The integrity of any original evidence is fundamental to a forensic examination. Preserving the integrity of digital evidence is vitally important, as changing just one bit among perhaps gigabits of data will irrevocably alter that data and cast doubt on any evidence extracted. In traditional digital forensics, write-blockers are used to preserve the integrity of that evidence and prevent changes from occurring, but virtual machine forensics presents more difficult challenges to address. Access to the physical digital storage device will probably not be possible; typically the only accessible storage will be a virtual hard disk drive. This will have the same integrity issues as those of a real device, but with the added complication that it is not possible to use a hardware write-blocker to prevent changes to those data. For this reason it is important to explore how to implement write-blocking mechanisms on a virtual device. In this paper we present an implementation of a software write-blocker and show how we can use it to be compliant with the 2nd ACPO principle on digital evidence.

- Digital Forensic Investigations in the Cloud: A Proposed Approach for Irish Law Enforcement (2015-01-28)
  Cloud computing offers utility-oriented Information and Communications Technology (ICT) services to users all over the world. The evolution of Cloud computing is driving the design of data centres by architecting them as networks of virtual services; this enables users to access and run applications from anywhere in the world. Cloud computing offers significant advantages to organisations through the provision of fast and flexible ICT hardware and software infrastructures, thus enabling organisations to focus on creating innovative business value for the services they provide. As the prevalence and usage of networked Cloud computer systems increases, logically the likelihood of these systems being used for criminal behaviour also increases. Thus, this new computing evolution has a direct effect on, and creates challenges for, digital forensic practitioners working in Irish law enforcement. The field of digital forensics has grown rapidly over the last decade due to the rise of the internet and associated crimes; however, while the theory is well established, the practical application of the discipline is still new and developing. Law enforcement agencies can no longer rely on traditional digital forensic methods of data acquisition through device seizure to gather relevant evidence pertaining to an investigation. Using traditional digital forensic methods will lead to the loss of valuable evidential material if employed during investigations which involve Cloud-based infrastructures. Cloud computing and its impact on digital forensics will continue to grow. This paper analyses traditional digital forensics methods and explains why these are inadequate for Cloud forensic investigations, with particular focus on Irish law enforcement agencies. In this paper, we survey the approaches of Irish Law Enforcement Agencies to digital forensics for cloud-based investigations, and we propose a digital forensic framework approach to acquiring data from Cloud environments. This proposed approach aims to overcome the limitations of traditional digital forensics and the challenges Cloud computing presents for digital forensic practitioners working in Irish law enforcement.

- Volkswagen Car Entertainment System Forensics
  Vehicles are fast becoming another important source of digital evidence in a criminal investigation. Traditionally, when a vehicle is involved in a crime scene (e.g. drink driving), the investigators focus on the acquisition of DNA, fingerprints and other identifying materials, usually non-digital in nature. However, modern-day cars, particularly smart or driverless cars, store a wealth of digital information, such as recent destinations, favourite locations, routes, and personal data such as call logs, contact lists, SMS messages, pictures, and videos. In this paper, we describe some challenges associated with vehicle data forensics, an understudied area. Next, we present our case study on forensic acquisition and data analysis of an entertainment system on a Volkswagen car.

- Forensic Analysis and Remote Evidence Recovery from Syncthing: An Open Source Decentralised File Synchronisation Utility
  Commercial and home Internet users are becoming increasingly concerned with data protection and privacy. Questions have been raised regarding the privacy afforded by popular cloud-based file synchronisation services such as Dropbox, OneDrive and Google Drive. A number of these services have recently been reported as sharing information with governmental security agencies without the need for warrants to be granted. As a result, many users are opting for decentralised (cloudless) file synchronisation alternatives to the aforementioned cloud solutions. This paper outlines the forensic analysis of, and applies remote evidence recovery techniques to, one such decentralised service, Syncthing.