  • Publication
    Leveraging Decentralisation to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync
    File synchronization services such as Dropbox, Google Drive, Microsoft OneDrive and Apple iCloud are becoming increasingly popular in today's always-connected world. A popular alternative to these services is BitTorrent Sync, a decentralized, cloudless file synchronization service that is gaining significant popularity among Internet users with privacy concerns over where their data is stored and who is able to access it. The focus of this paper is the remote recovery of digital evidence pertaining to files identified as having been accessed or stored on a suspect's computer or mobile device. A methodology for the identification, investigation, recovery and verification of such remote digital evidence is outlined. Finally, a proof-of-concept remote evidence recovery from a BitTorrent Sync shared folder is presented, highlighting a number of potential scenarios for the recovery and verification of such evidence.
  • Publication
    Digital Forensic Investigations in the Cloud: A Proposed Approach for Irish Law Enforcement
    Cloud computing offers utility-oriented Information and Communications Technology (ICT) services to users all over the world. The evolution of Cloud computing is driving the design of data centres by architecting them as networks of virtual services; this enables users to access and run applications from anywhere in the world. Cloud computing offers significant advantages to organisations through the provision of fast and flexible ICT hardware and software infrastructures, enabling organisations to focus on creating innovative business value for the services they provide. As the prevalence and usage of networked Cloud computer systems increases, the likelihood of these systems being used for criminal behaviour also increases. This new computing evolution therefore has a direct effect on, and creates challenges for, digital forensic practitioners working in Irish law enforcement. The field of digital forensics has grown rapidly over the last decade due to the rise of the internet and associated crimes; however, while the theory is well established, the practical application of the discipline is still new and developing. Law enforcement agencies can no longer rely on traditional digital forensic methods of data acquisition through device seizure to gather relevant evidence pertaining to an investigation. Using traditional digital forensic methods will lead to the loss of valuable evidential material if employed during investigations which involve Cloud-based infrastructures. Cloud computing and its impact on digital forensics will continue to grow. This paper analyses traditional digital forensic methods and explains why these are inadequate for Cloud forensic investigations, with particular focus on Irish law enforcement agencies. We survey the approaches of Irish law enforcement agencies to digital forensics for Cloud-based investigations and propose a digital forensic framework approach to acquiring data from Cloud environments. This proposed approach aims to overcome the limitations of traditional digital forensics and the challenges Cloud computing presents for digital forensic practitioners working in Irish law enforcement.
  • Publication
    Forensic Analysis of Ares Galaxy Peer-to-Peer Network
    Child Abuse Material (CAM) is widely available on P2P networks. Over the last decade several tools have been built for 24/7 monitoring of peer-to-peer (P2P) networks to discover suspects who use these networks for downloading and distributing CAM. For some countries the number of cases generated by these tools is so great that Law Enforcement (LE) cannot handle them all. This leads not only to backlogs and the prioritization of cases but also to discussions about the possibility of disrupting these networks and sending warning messages to potential CAM offenders. Recently, investigators have reported that they are building more serious cases on Ares Galaxy (Ares) than on other open P2P networks. Little has been done on the automatic prioritization of cases using the information available on P2P networks. Cases are mostly selected based on the highest number of CAM files, while studies indicate that the abusers are most likely to be found outside that top user list. What kind of information can be used to prioritize cases differently? Is it possible to disturb the network by sending warning messages and sharing fake material? Although the past years have seen many successful CAM cases in several countries, little is still known about the Ares network. Although the Ares client is open source, the protocol is not documented and the program does not come with serious documentation or support. In this paper, we first present a forensic analysis of the use of the Ares network in relation to the distribution of CAM. We then describe forensic artefacts found on an Ares computer involved in CAM.
  • Publication
    Electronic Evidence Discovery, Identification and Preservation: Role of the First Responder and related capacity building challenges
    The integrity of electronic evidence is essential for judicial proceedings. In this context, the role of the First Responder in discovery, identification and preservation is considered one of the most critical short-term challenges. While in the past the number of devices to be collected was reasonably small and the items were easily identifiable, this is no longer the case. Many initiatives aim at harmonising technical and legal standards to facilitate the exchange of electronic evidence, although a consistent approach to the basic equipment and training of the field police officer is still missing. Hence, in this paper, we study how synergies between different international organisations create and deploy an innovative and sustainable approach to address the capacity building challenges related to the tasks assigned to the First Responder.
  • Publication
    Leveraging Decentralisation to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync
    (Association of Digital Forensics, Security and Law, 2014)
  • Publication
    Leveraging Decentralization to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync
    (Association of Digital Forensics, Security and Law, 2014-09-20)
  • Publication
    Smartphone Forensic Analysis: A Case Study for Obtaining Root Access of an Android Samsung S3 Device and Analyse the Image without an Expensive Commercial Tool
    (Scientific Research Publishing, 2014)
    A smartphone is a very useful and compact device that fits in a person's pocket, but at the same time it can be used as a tool for criminal activities. In this day and age, people increasingly rely on smartphones rather than desktop computers or laptops to exchange messages, share videos and audio messages. A smartphone is almost equivalent in its application to a PC, hence there are security risks associated with its use, such as carrying out a digital crime or becoming a victim of one. Criminals can use smartphones for a number of activities, namely committing fraud over e-mail, harassment via text messages, drug trafficking, child pornography, communications related to narcotics, etc. It is a great challenge for forensic experts to extract data from a smartphone for forensic purposes that can be used as evidence in a court of law. In this case study, I show how to obtain root access on a Samsung S3 phone, how to create a DD image and then how to examine the DD image via a commercial tool like the UFED Physical Analyzer trial version, which doesn't support Android devices. I will extract the messages for Viber on the trial version of UFED Physical Analyzer.
  • Publication
    A New Distributed Chinese Wall Security Policy Model
    (Association of Digital Forensics, Security and Law, 2016)
    The application of the Chinese Wall Security Policy Model (CWSPM) to control the information flows between two or more competing and/or conflicting companies in cloud computing (multi-tenancy) or in social networks is a very interesting solution. The main goal of the Chinese Wall Security Policy is to build a wall between the datasets of competing companies and among the system subjects. This is done by applying mandatory rules to the subjects in order to control the information flow between them. This problem is one of the hottest topics in the area of cloud computing (as a distributed system) and has been attempted in the past; however, the proposed solutions cannot deal with the composite information flow problem (e.g., the malicious Trojan horse problem) caused by the write access rule imposed on the subject over the objects. In this article, we propose a new CWSP model based on the type of access query made by the subject to the objects, using the concepts of the CWSP. We have two types of wall placement: the first type consists of walls built around the subject, and the second of walls built around the object. Inside any one wall, data from two competing objects cannot be found. We show that this mechanism is a good alternative for dealing with the limitations of some previous models. The model is easy to implement in a distributed system (such as cloud computing). It is based on the techniques of object-oriented programming (and can be used in cloud computing Software as a Service, SaaS) or on the use of capabilities as an access control in a real distributed system.
  • Publication
    Forensic Analysis of exFAT Artefacts
    (University College Dublin, 2018-05-23)
    Although it keeps some basic concepts inherited from FAT32, the exFAT file system introduces many differences, such as the new mapping scheme for directory entries. The combination of the exFAT mapping scheme with the allocation bitmap file and the use of the FAT leads to new forensic possibilities. The recovery of deleted files, including fragmented ones, and carving become more accurate compared with former forensic processes. Nowadays, accurate and sound forensic analysis is needed more than ever, as there is a high risk of erroneous interpretation. Indeed, most of the related work in the literature on exFAT structure and forensics is mainly based on reverse engineering research, and only a few works cover the forensic interpretation. In this paper, we propose a new methodology that uses exFAT file system features to improve the interpretation of inactive entries through allocation bitmap analysis and to recover file system metadata for carved files. Experimental results show how our approach improves the accuracy of forensic interpretation.
  • Publication
    A Cloud Forensic Readiness Model for Service Level Agreements Management
    (Academic Conferences and Publishing International Limited, 2015-07-03)
    Cloud computing is increasingly becoming a target of cyber-criminal attacks. Often the committed crimes violate the Service Level Agreement (SLA) contracts, which must be respected by all the involved parties. Cloud Forensics is a branch of the Digital Forensics discipline dealing with crimes involving the Cloud. One way of leveraging some of these attacks is the provisioning of a Forensic Readiness capability, by performing some activities before the crimes happen. In this paper we introduce a model aimed at representing the management of SLAs through a cloud system.