Abstract: In all phases of a forensic investigation, digital evidence is exposed to external influences and comes into contact with many factors. Legal admissibility of digital evidence is the ability of that evidence to be accepted as evidence in a court of law. The life cycle of digital evidence is very complex. In each stage there are more impacts that can violate the chain of custody and its integrity. Contact with different variables occurs throughout the life cycle of digital evidence and can disrupt its integrity. In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept, i.e. it must be known who exactly came into contact with the evidence in each stage of the investigation. This paper presents the dynamics and life cycle of digital evidence. Petri nets are proposed and used for modeling and simulation of this process.
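As an added illustration of the modeling approach this abstract describes (example code written for this page, not the authors' Petri net or implementation), the block below models a digital-evidence life cycle as a small Petri net: places are custody stages, transitions are hand-overs, and a transition can only fire when its input place holds a token and a named person is recorded as responsible. The stage names, transition names, actors and the hash-chained custody log are all assumptions added here for illustration; the abstract itself does not describe a log format.

```python
"""Petri-net model of a digital-evidence life cycle with a custody log.
Added example, not code from the paper; stage names, actors and the
net layout (and the hash-chained log) are assumptions for illustration."""
from dataclasses import dataclass, field
import hashlib

# Places are custody stages; transitions map input tokens to output tokens.
PLACES = ("seized", "in_transit", "in_lab", "analysed", "archived")
TRANSITIONS = {
    "transport": ({"seized": 1}, {"in_transit": 1}),
    "receive":   ({"in_transit": 1}, {"in_lab": 1}),
    "analyse":   ({"in_lab": 1}, {"analysed": 1}),
    "archive":   ({"analysed": 1}, {"archived": 1}),
}


@dataclass
class CustodyEntry:
    step: int
    transition: str
    actor: str
    marking: dict
    prev_digest: str
    digest: str = ""


@dataclass
class EvidenceNet:
    marking: dict = field(default_factory=lambda: {p: 0 for p in PLACES})
    log: list = field(default_factory=list)

    def enabled(self, t):
        inputs, _ = TRANSITIONS[t]
        return all(self.marking[p] >= n for p, n in inputs.items())

    def fire(self, t, actor):
        """Move the evidence token one stage and record who did it."""
        if not actor:
            raise ValueError("every hand-over must name the person responsible")
        if not self.enabled(t):
            raise ValueError(f"{t} is not enabled in marking {self.marking}")
        inputs, outputs = TRANSITIONS[t]
        for p, n in inputs.items():
            self.marking[p] -= n
        for p, n in outputs.items():
            self.marking[p] += n
        prev = self.log[-1].digest if self.log else "0" * 64
        entry = CustodyEntry(len(self.log) + 1, t, actor, dict(self.marking), prev)
        # Each entry commits to the previous one, so a later edit of any
        # actor, stage or order is detectable on replay.
        entry.digest = hashlib.sha256(
            f"{prev}|{entry.step}|{t}|{actor}|{sorted(entry.marking.items())}".encode()
        ).hexdigest()
        self.log.append(entry)
        return entry


def verify_log(log):
    """Replay the net from the initial marking and re-derive every digest."""
    net = EvidenceNet()
    net.marking["seized"] = 1
    prev = "0" * 64
    for i, e in enumerate(log, start=1):
        if e.step != i or e.prev_digest != prev or not net.enabled(e.transition):
            return False
        replay = net.fire(e.transition, e.actor)
        if replay.digest != e.digest or replay.marking != e.marking:
            return False
        prev = e.digest
    return True


def run_custody_demo():
    """Walk one item of evidence through all stages with a named actor each."""
    net = EvidenceNet()
    net.marking["seized"] = 1
    for t, who in [("transport", "officer A"), ("receive", "lab clerk B"),
                   ("analyse", "examiner C"), ("archive", "custodian D")]:
        net.fire(t, who)
    return net
```

Because firing is gated on the marking, a skipped stage (analysing evidence that was never received by the lab) is rejected at the moment it is attempted rather than discovered later, and `verify_log` reproduces the whole sequence to check that no entry was altered or reordered after the fact.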
Funding: Supported by the National Natural Science Foundation of China under Grant No. 60903166; the National High Technology Research and Development Program of China (863 Program) under Grants No. 2012AA012506, No. 2012AA012901 and No. 2012AA012903; the Specialized Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20121103120032; the Humanity and Social Science Youth Foundation of the Ministry of Education of China under Grant No. 13YJCZH065; the Opening Project of the Key Lab of Information Network Security of the Ministry of Public Security (The Third Research Institute of Ministry of Public Security) under Grant No. C13613; the China Postdoctoral Science Foundation; the General Program of Science and Technology Development Project of Beijing Municipal Education Commission of China under Grant No. km201410005012; the Research on Education and Teaching of Beijing University of Technology under Grant No. ER2013C24; the Beijing Municipal Natural Science Foundation; the Hunan Postdoctoral Scientific Program; the Open Research Fund of the Beijing Key Laboratory of Trusted Computing; and the Funds for the Central Universities, Contract No. 2012JBM030.
Abstract: Network intrusion forensics is an important extension of the present security infrastructure, and is becoming the focus of the forensics research field. However, compared with sophisticated multi-stage attacks and the volume of sensor data, current practice in network forensic analysis is manual examination, an error-prone, labor-intensive and time-consuming process. To solve these problems, in this paper we propose a digital evidence fusion method for network forensics with Dempster-Shafer theory that can efficiently detect computer crime in networked environments, and automatically fuse digital evidence from different sources such as hosts and sub-networks. In the end, we evaluate the method on the well-known KDD Cup 1999 dataset. The results prove our method is very effective for real-time network forensics, and can provide comprehensible messages for forensic investigators.
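As an added illustration of the fusion step this abstract refers to (example code written for this page, not the authors' method or their sensor model), the following block applies Dempster's rule of combination to two constructed basic probability assignments over the frame {attack, normal}, one standing in for a host sensor and one for a sub-network sensor. The sensor names and mass values are assumptions; the rule itself, the conflict term K and the belief/plausibility bounds are the standard Dempster-Shafer definitions.

```python
"""Dempster's rule of combination over the frame {attack, normal}.
Added example; sensor names and mass values are constructed, not from the paper."""
from itertools import product

ATTACK, NORMAL = "attack", "normal"
THETA = frozenset({ATTACK, NORMAL})   # frame of discernment; mass here = ignorance


def combine(m1, m2):
    """Dempster's rule: m(C) = sum over A∩B=C of m1(A)·m2(B), divided by 1-K,
    where K is the total mass landing on empty (conflicting) intersections."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        c = a & b
        if not c:
            conflict += ma * mb
        else:
            fused[c] = fused.get(c, 0.0) + ma * mb
    if conflict >= 1.0 - 1e-12:
        # Total conflict: the sources flatly contradict each other and the
        # normalisation would divide by zero; refuse rather than guess.
        raise ValueError("total conflict: sources cannot be combined")
    return {c: v / (1.0 - conflict) for c, v in fused.items()}, conflict


def fuse_all(sources):
    """Fold the rule over any number of sources, starting from total ignorance."""
    acc, conflicts = {THETA: 1.0}, []
    for m in sources:
        acc, k = combine(acc, m)
        conflicts.append(k)
    return acc, conflicts


def belief(m, hypothesis):
    """Bel(H): mass committed to subsets of H (lower bound on support)."""
    return sum(v for s, v in m.items() if s <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): mass not contradicting H (upper bound on support)."""
    return sum(v for s, v in m.items() if s & hypothesis)


def mass(attack, normal):
    """Build a basic probability assignment; what is not committed is ignorance."""
    if min(attack, normal) < 0 or attack + normal > 1.0 + 1e-12:
        raise ValueError("masses must be non-negative and sum to at most 1")
    return {frozenset({ATTACK}): attack,
            frozenset({NORMAL}): normal,
            THETA: 1.0 - attack - normal}


# Constructed sensor outputs (assumed values, for illustration only).
HOST_IDS = mass(0.6, 0.1)        # host says "probably attack", 30% unsure
SUBNET_SENSOR = mass(0.5, 0.2)   # sub-network sensor, weaker and less sure


def fuse_host_and_subnet():
    """Combine the two constructed sources; returns (fused masses, conflict K)."""
    return combine(HOST_IDS, SUBNET_SENSOR)
```

For the constructed inputs the conflict K is 0.17, so the fused mass on {attack} is 0.63/0.83 (about 0.76) while belief and plausibility bracket the attack hypothesis at 0.63/0.83 and 0.72/0.83. The gap between them is the remaining ignorance, which is the quantity a practitioner should report to an investigator rather than a single collapsed score.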
Abstract: This summary paper will discuss the concept of forensic evidence and evidence collection methods. Emphasis will be placed on the techniques used to collect forensically sound digital evidence, by way of an introduction to digital forensics. This discussion will then identify and categorize the different types of digital forensic evidence and set out a clear procedure for how to collect forensically sound digital evidence. This paper will further discuss the creation of awareness and promote the idea that competent practice of computer forensic collection is important for admissibility in court.
Funding: This work is supported by the National Key Research and Development Program of China under Grant No. 2017YFB0802500; the National Natural Science Foundation of China under Grant Nos. 61772538, 61672083, 61370190, 61532021, 61472429 and 61402029; and the National Cryptography Development Fund of China under Grant No. MMJJ20170106.
Abstract: An effective and secure system used for evidence preservation must possess the properties of anti-loss, anti-forgery, anti-tamper and perfect verifiability. Traditional architecture which relies on centralized cloud storage is depressingly beset by security problems such as incomplete confidence and unreliable regulation. Moreover, an expensive, inefficient and incompatible design impedes the effort of evidence preservation. In contrast, the decentralized blockchain network is qualified as a perfect replacement for its secure anonymity, irrevocable commitment, and transparent traceability. Combining this with subliminal channels in the blockchain, we have woven the transaction network together with a newly designed evidence audit network. In this paper, we present and implement a lightweight digital evidence-preservation architecture which possesses the features of privacy-anonymity, audit-transparency, function-scalability and operation-lightweight. The anonymity arises naturally from the cryptographic design, since the ciphered evidence under the encryption cryptosystem and hash-based functions leaks nothing to the public. Covert channels are efficiently excavated to optimize the cost, connectivity and security of the framework, transforming the great computation power of the Bitcoin network into the value of credit. The transparency used for audit, which relates to proof of existence, comes from instant timestamps and irreversible hash functions in a mature blockchain network. The scalability is represented by the evidence chain interacting with the original blockchain, and the extended chains on top of the main chain will cover most of the auditors in different institutions. And the lightweight property, which equals low cost, is derived from our fine-grained hierarchical services. Finally, analyses of efficiency, security, and availability have shown the complete accomplishment of our system.
Abstract: Digital evidence can be obtained from computers and various kinds of digital devices, such as telephones, mp3/mp4 players, printers, cameras, etc. Telephone Call Detail Records (CDRs) are one important source of digital evidence that can identify suspects and their partners. Law enforcement authorities may intercept and record specific conversations with a court order, and CDRs can be obtained from telephone service providers. However, the CDRs of a suspect over a period of time are often fairly large in volume. Obtaining useful information and making appropriate decisions automatically from such a large amount of CDRs becomes more and more difficult. Current analysis tools are designed to present only numerical results rather than help us make useful decisions. In this paper, an algorithm based on a Fuzzy Decision Tree (FDT) for analyzing CDRs is proposed. We conducted an experimental evaluation to verify the proposed algorithm, and the result is very promising.
Funding: Supported by the National Natural Science Foundation of China under Grant Nos. 60903166 and 61170262; the National High-Tech Research and Development Plan of China under Grant No. 2012AA012506; the Specialized Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20121103120032; the Humanity and Social Science Youth Foundation of the Ministry of Education of China under Grant No. 13YJCZH065; the General Program of Science and Technology Development Project of Beijing Municipal Education Commission of China under Grant No. km201410005012; the Research on Education and Teaching of Beijing University of Technology under Grant No. ER2013C24; and the Open Research Fund of the Beijing Key Laboratory of Trusted Computing.
Abstract: Network forensics is a security infrastructure, and is becoming the research focus of forensic investigation. However, many challenges still exist in conducting network forensics: the network produces large amounts of data; the comprehensibility of evidence extracted from collected data; the efficiency of evidence analysis methods; etc. To solve these problems, in this paper we develop a network intrusion forensics system based on a transductive scheme that can efficiently detect and analyze computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method in a series of experiments on the KDD Cup 1999 dataset. The results demonstrate that our methods are indeed effective for real-time network forensics, and can provide comprehensible aid to a forensic expert.
Funding: Sponsored by the National Natural Science Foundation of China (Grant No. 61373006); the Foundation of Nanjing University of Posts and Telecommunications (Grant No. NY212059); and the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD).
Abstract: Given the features of semantic web technology, it is very suitable for solving the security issue of the current social network environment. Firstly, this paper extends the existing ontology model of the social network with some relevant classes, and introduces a brand new ontology used to represent malicious information. After introducing these models, a method of identifying malicious messages is proposed. Finally, experiments and simulations analyze the feasibility of the whole system. The results validate that malicious users can be automatically filtered, and that worthwhile digital evidence can be effectively provided to forensic investigators.
Abstract: With the development of the Internet and information technology, digital crimes are also on the rise. Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help detect these crimes and gather digital evidence suitable for presentation in court. This paper provides the foundational concepts of computer forensics, outlines various principles of computer forensics, discusses the model of computer forensics and presents a proposed model.
Funding: The authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through research group no. (RG-1441-531).
Abstract: Privacy preservation (PP) in digital forensics (DF) is a conflicted and non-trivial issue. Existing solutions use the searchable encryption concept and, as a result, are not efficient and support only a keyword search. Moreover, the collected forensic data cannot be analyzed using existing well-known digital tools. This research paper first investigates the lawful requirements for PP in DF based on the Organisation for Economic Co-operation and Development (OECD) privacy guidelines. To have an efficient investigation process and meet the increased volume of data, the presented framework is designed based on the selective imaging concept and the Advanced Encryption Standard (AES). The proposed framework has two main modules, namely the Selective Imaging Module (SIM) and the Selective Analysis Module (SAM). The SIM and SAM modules are implemented based on the Advanced Forensic Format 4 (AFF4) and SleuthKit open source forensics frameworks, respectively, and, accordingly, the proposed framework is evaluated in a forensically sound manner. The evaluation result is compared with other relevant works and, as a result, the proposed solution provides a privacy-preserving, efficient forensic imaging and analysis process while also having sufficient methods. Moreover, the AFF4 forensic image produced by the SIM module can be analyzed not only by SAM, but also by other well-known analysis tools available on the market.
Abstract: Computer forensics is the science of obtaining, preserving, and documenting evidence from computers, mobile devices and other digital electronic storage devices. All of this must be done in a manner designed to preserve the probative value of the evidence and to assure its admissibility in a legal proceeding. However, computer forensics is continually evolving as existing technologies progress and new technologies are introduced. For example, digital investigators are required to investigate content on mobile devices or data stored on cloud servers. With the popularity of computers in everyday life and the acceleration of cybercrime rates in recent years, computer forensics is becoming an essential element of modern IT security. This paper will cover the development of computer forensics in law enforcement and discuss developments in the latest live forensics skill sets. A number of areas of interest in computer forensics will also be highlighted to explain how it can support IT security and civil/criminal investigation.
Abstract: The Enhanced Complexity Model (ECM) developed previously has been further extended to produce a Motivationally Enhanced Complexity Model (MECM), which enables the degree of motivation, capability and opportunity of a hypothetical Trojan Horse author to be included in quantifying the relative plausibility of competing explanations for the existence of uncontested digital evidence. This new model has been applied to the case of the Trojan Horse defence (THD) against the possession of child pornography. Our results demonstrate that the THD in this case cannot be plausibly sustained unless it can be shown that an 'off-the-shelf' (OTS) Trojan Horse for this task is available and is not detectable by the target computer at the material time.
Funding: Project supported by the Research Grants Council of Hong Kong SAR, China (No. RGC GRF HKU 713009E); the NSFC/RGC Joint Research Scheme (No. N_HKU 722/09); and HKU Seed Fundings for Basic Research (Nos. 200811159155 and 200911159149).
Abstract: Verifying the integrity of a hard disk is an important concern in computer forensics, as the law enforcement party needs to confirm that the data inside the hard disk have not been modified during the investigation. A typical approach is to compute a single chained hash value of all sectors in a specific order. However, this technique loses the integrity of all other sectors even if only one of the sectors occasionally becomes a bad sector or is modified intentionally. In this paper we propose a k-dimensional hashing scheme, kD for short, to distribute sectors into a kD space and to calculate multiple hash values for sectors in k dimensions as integrity evidence. Since the integrity of the sectors can be verified from any hash value calculated over those sectors, the probability of verifying the integrity of unchanged sectors can be high even with bad/modified sectors in the hard disk. We show how to implement this kD hashing scheme efficiently such that the storage of hash values can be reduced while increasing the chance that an unaffected sector is verified successfully. Experimental results of a 3D scheme show that both the time for computing the hash values and the storage for the hash values are reasonable.
Abstract: The relevance of the study is that forensic expert activity, in terms of forensic examinations, has been so transformed that existing theoretical provisions no longer solve traditional problems in some fields; their solution requires new approaches of both a theoretical and practical nature. In this regard, the purpose of this study is to analyze the content of new innovative directions in forensic examinations, including criminalistic ones, and the possibility of their effective application in forensic expert activity. The methodological basis of the study is the dialectical method of scientific knowledge, which allowed the authors to consider the theoretical, scientific and practical foundations of modern trends in forensic examinations, including criminalistic ones. It also helped to identify promising fields of examination necessary for crime prevention. Therefore, the authors singled out the following advanced fields: biometric and computer forensic analyses, polygraph, and odor and trace evidence analyses. The materials of the article are of practical value for forensic experts, criminologists and law enforcement agencies.