Funding: Supported by the Scientific and Technological Bureau of the Ministry of Public Security of P.R. China; the Project of the Network Supervising Bureau (2005yycxhbst117); the Project of the 15th Overall Plan of the Education Department of Hubei Province (2004d349); and the Project of the 15th Overall Plan of the Social Science Fund of Hubei Province ([2005]073).
Abstract: According to the requirements of computer forensics and network forensics, a novel forensic computing model is presented, which exploits the XML/OEM/RM data model, data fusion technology, a forensic knowledge base, the inference mechanism of an expert system and an evidence mining engine. This model takes advantage of flexibility and openness, so it can be widely used in mining evidence.
Funding: the National Key Basic Research and Development (973) Program of China (Nos. 2012CB315801 and 2011CB302805); the National Natural Science Foundation of China (Nos. 61161140320 and 61233016); Intel Research Council, with the title "Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture".
Abstract: With the explosive increase in mobile apps, more and more threats migrate from the traditional PC client to the mobile device. Compared with the traditional Win+Intel alliance on the PC, the Android+ARM alliance dominates the Mobile Internet, and apps replace PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on a cloud computing platform and data mining. We also present a prototype system named MobSafe to identify a mobile app's virulence or benignancy. Compared with traditional methods, such as the permission-pattern-based method, MobSafe combines dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt the Android Security Evaluation Framework (ASEF) and the Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on a real trace from a commercial mobile app market called AppChina, we collect statistics on the number of active Android apps, the average number of apps installed on one Android device, and the expansion ratio of mobile apps. As the mobile app market serves as the main line of defence against mobile malware, our evaluation results show that it is practical to use a cloud computing platform and data mining to verify all stored apps routinely and filter malware apps out of mobile app markets. As future work, MobSafe can extensively use machine learning to conduct automated forensic analysis of mobile apps based on the multifaceted data generated in this stage.
Funding: the National Key Basic Research and Development (973) Program of China (Nos. 2012CB315801 and 2011CB302805); the National Natural Science Foundation of China A3 Program (No. 61161140320) and the National Natural Science Foundation of China (No. 61233016); the Intel Research Councils UPO program, with the title "Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture".
Abstract: The archiving of Internet traffic is an essential function for retrospective network event analysis and forensic analysis of computer communication. The state-of-the-art approach to network monitoring and analysis involves the storage and analysis of network flow statistics. However, this approach loses much valuable information contained in the Internet traffic. With the advancement of commodity hardware, in particular the capacity of storage devices and the speed of the interconnect technologies used in network adapter cards and multi-core processors, it is now possible to capture real-time network traffic at 10 Gbps and beyond using a commodity computer, as n2disk does. Also, with the advancement of distributed file systems (such as Hadoop, ZFS, etc.) and open cloud computing platforms (such as OpenStack, CloudStack, Eucalyptus, etc.), it is practical to store such large volumes of traffic data and analyse the communication inside them in full depth within an acceptable latency. In this paper, based on the well-known TimeMachine, we present TIFAflow, the design and implementation of a novel system for archiving and querying network flows. Firstly, we enhance the traffic archiving system named TImemachine+FAstbit (TIFA) with flow granularity, i.e., we supply the system with a flow table and a flow module. Secondly, based on real network traces, we conduct performance comparison experiments of TIFAflow against other implementations, such as a common database solution, TimeMachine and the TIFA system. Finally, based on the comparison results, we demonstrate that TIFAflow outperforms TimeMachine and TIFA in both storing and querying, in both time and space metrics.
Abstract: Autopsy reports play a pivotal role in forensic science. Medical examiners (MEs) and diagnostic radiologists (DRs) cross-reference autopsy results in the form of autopsy reports, while judicial personnel derive legal documents from final autopsy reports. In our prior study, we presented a visual analysis system called the forensic autopsy system for e-court instruments (FORSETI) with an extended legal medicine markup language (x-LMML) that enables MEs and DRs to author and review e-autopsy reports. In this paper, we present our extended work to incorporate provenance infrastructure with authority management into FORSETI for forensic data accountability, which contains two features. The first is a novel provenance management mechanism that combines the forensic autopsy workflow management system (FAWfMS) and a version control system called lmmlgit for x-LMML files. This management mechanism allows a large amount of provenance data on e-autopsy reports and their documented autopsy processes to be individually parsed. The second is provenance-supported immersive analytics, which is intended to ensure that the DRs' and MEs' autopsy provenances can be viewed, listed, and analyzed so that a principal ME can author their own report through accountable autopsy referencing in an augmented reality setting. A fictitious case with a synthetic wounded body is used to demonstrate the effectiveness of the provenance-aware FORSETI system in terms of data accountability through the experience of experts in legal medicine.