Fig 4 - uploaded by Xiaolu Zhang
Convert the sample JSON file from a tree to a table.

Source publication
Preprint
Full-text available
It is challenging for digital forensic practitioners to maintain skillset currency, for example knowing where and how to extract digital artifacts relevant to investigations from newer, emerging devices (e.g. due to the increased variety of data storage schemas across manufacturers and constantly changing models). This research presents a knowledge...

Contexts in source publication

Context 1
... naturally structured as a tree: there is only one root node in the tree, and data is stored only on the leaf nodes. In terms of the JSON grammar, 1) each string before ':' is a node of the tree, 2) everything between '{' and '}' are child nodes, and 3) if neither '{' nor '[' appears after ':', then the string/value following the ':' is the node's data. Fig. 4 is the tree structure of the parsed sample JSON file in Fig. ...
Context 2
... and the name of its furthest node is n_l (l refers to the level of the node), then the unique name of a leaf node can be created as an ordered tuple (n_0, ..., n_{l-1}, n_l, n), where n_0 is the root node. Note that the root node is a non-existent node of the JSON file, and the name of the root node is always 'null' (e.g. node 'manufacturer' in Fig. 4 is n_1 rather than n_0 if node 'motion' is n). The empty table is created from the set of tuples (n_0, ..., n_{l-1}, n_l, n). Also, c = (n_0, ..., n_{l-1}, n_l, ...
Context 3
... Leaf nodes that have the same depth are known as 'brothers' if they have the same furthest node. For leaf nodes with different depths, the shallower node is the 'uncle' of the deeper node, and the deeper node is the 'nephew' of the shallower node, if the deeper node's father has the same furthest node as the shallower node. The right-hand side of Fig. 4 shows the tabulated table of the sample JSON ...
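As an added example (not the paper's own code), the following Python implements the leaf-tuple naming, tabulation and kinship rules described in Contexts 1 to 3 on a constructed sample document. Treating JSON lists as interior nodes named by element index, and the `relation` classifier, are this example's own assumptions about how the scheme generalizes.

```python
"""Added example: flatten a JSON tree into the paper's leaf-tuple table."""
import json

ROOT = "null"  # the implicit root node n_0 is named 'null' in the paper

# Constructed sample document for this example (not the paper's Fig. 4 data).
SAMPLE_JSON = """
{
  "manufacturer": {"name": "ExampleCo", "model": "X1"},
  "sensor": {"motion": true, "temperature": 21.5},
  "firmware": "1.2.3"
}
"""


def leaf_paths(node, path=(ROOT,)):
    """Yield (tuple_name, value) for every leaf of the parsed JSON tree.

    tuple_name is the ordered tuple (n_0, ..., n_l, n) from the root n_0
    down to the leaf n; only leaves carry data. Objects are interior nodes.
    Lists are treated as interior nodes too (an assumption of this example),
    with the element index used as the child's name.
    """
    if isinstance(node, dict):
        for key, child in node.items():
            yield from leaf_paths(child, path + (key,))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from leaf_paths(child, path + (str(idx),))
    else:
        yield path, node


def tabulate(text):
    """Return (columns, row): one column per leaf tuple, one row of leaf data."""
    pairs = list(leaf_paths(json.loads(text)))
    return [p for p, _ in pairs], [v for _, v in pairs]


def relation(a, b):
    """Classify what leaf tuple `a` is to leaf tuple `b` in the paper's terms.

    brother: same depth and the same furthest (parent) node.
    uncle/nephew: different depths, where the deeper node's father shares the
    shallower node's furthest node. Anything else is 'unrelated'.
    """
    if len(a) == len(b):
        return "brother" if a[:-1] == b[:-1] else "unrelated"
    shallow, deep = (a, b) if len(a) < len(b) else (b, a)
    father = deep[:-1]
    if father[:-1] == shallow[:-1]:
        return "uncle" if shallow is a else "nephew"
    return "unrelated"


if __name__ == "__main__":
    cols, row = tabulate(SAMPLE_JSON)
    for col, val in zip(cols, row):
        print("/".join(col), "=", repr(val))
```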

Citations

... activities, assets, actors, resources, goals, and motive) and cyber and physical components and their interactions, which may be exploited during an incident. Applying a semantic approach, Zhang et al. [31] proposed an automated knowledge sharing forensic platform, to share knowledge about Internet of Things (IoT) forensic artefacts through a schema generated from another investigation of a similar IoT device. ...
Conference Paper
Enabling a forensically ready environment in an organization may include sharing the knowledge of digital forensics tools, procedures, and guidelines between practitioners. This paper presents an M-health Digital Evidence Taxonomy System (MDETS) as a proof of concept that facilitates forensic readiness in terms of people, process and technology through a knowledge sharing approach. Using mobile health (m-health) applications as a case study, MDETS comprises a knowledge warehouse of forensic artefacts from 34 m-health apps. We adopted four knowledge sharing criteria: articulation, awareness, access, and guidelines. The effectiveness of MDETS was evaluated using people, process, and technology elements. Interviews were conducted with 7 digital forensics practitioners in Malaysia to examine respondents' perception of the effectiveness of integrating the digital evidence taxonomy with a knowledge sharing approach. Interview findings indicated that sharing the knowledge of digital evidence taxonomy significantly enables digital forensics readiness practices in the people, process, and technology elements. Furthermore, the use of MDETS could be beneficial in providing training for new digital forensics investigators.
... Results showed that members of the test group did not have to wait to access the test data, and accuracy rates were relatively equivalent between the groups. X. Zhang et al. [63] proposed an automated knowledge-sharing forensic platform by applying the ontology-based approach. The proposed method involved five layers: collection, extraction, analysis, visualization, and abstraction. ...
... Therefore, there is a need for benchmarking evaluation methods in this research area. [56], [59], [60], [61], [63] User testing to evaluate tool functionality and performance [64], [51], [62], [66] Focus group to solve forensic challenges [57], [58], [65] In relation to the automated forensic tools metrics proposed by Ayers [32], speed (absolute and relative), reliability, accuracy, and completeness are the evaluation metrics used in existing studies. This is in line with our finding from automated IM forensic analysis tools, which show that performance and functionality are the most applied metrics. ...
... On the other hand, the shortfall of adequate large scale IoT malware artifacts collection scheme introduces a new set of challenges to the IoT security field; impeding by its turn security researchers in identifying the prevailing IoT malware threats, the origin of the IoT threats, and the current deficits pertained to the security posture of the IoT ecosystem. While different research works [13,29,32,48,57,58] provided a detailed description and analysis on IoT devices and IoT malware and its inner botnet functionalities, none of these works is accentuating on the large collection of IoT artifacts to support large scale IoT malware evidence identification, acquisition, and analysis, as well as attacks and deficit related to the security of the IoT paradigm. ...
Conference Paper
Full-text available
The chronic proliferation of Internet of Things (IoT) botnet malware activities coupled with an unprecedented rise in security vulnerabilities convene a new world of opportunities for perpetrators and unveil a new set of hurdles in deriving relevant IoT malware intelligence. Such a shortfall within the IoT paradigm exacerbates the capabilities for largely identifying the prevailing IoT malware threats, the origin of the IoT attacks, as well as the security deficit associated with the IoT paradigm. Previous work has vastly studied IoT malware activities in the wild but has not profiled malicious activities at a large scale to collect in near real-time the central IoT artifacts much needed to understand and eventually elevate the security posture of the IoT ecosystem. To this end, we propose in this work a near real-time collection scheme to collect and analyze at large IoT malware artifacts essential for understanding the prevalent cyber security risks. We leverage in this work a large network telescope comprising 16.7 million IPs as one extensive honeypot to examine evidence of malicious IoT probes in the wild. Subsequently, we employ a deception technique to respond to these probes and eventually establish bogus connections to collect IoT malware artifacts. In only 120 hours of near real-time measurements, our proposed scheme collected 80,569,070 interactions originating from 30,190 malware-infected IoT devices. Accordingly, we derive pivotal IoT malware intelligence which includes system commands, file-less attack evidence, payload URLs, Executable and Linkable Format (ELF) binaries, log-in credentials, malicious LDAP servers, and unique insights on the abuse of the recent Log4shell security vulnerability in distributing IoT malware binaries.
... While several IoT forensic approaches have been presented in the literature [14,15,25], there is limited discussion on how one can identify and leverage correlation(s) between artifacts acquired from different IoT devices and systems to provide a more complete picture of the incident. There have also been a number of studies focusing on the use of logs in IoT forensics [10,26], IoT network forensics [4], and ML-based approaches to classify and detect security threats from encrypted IoT network traffic [8,22]. ...
Article
Full-text available
In an Internet of Things (IoT) environment, IoT devices are typically connected through different network media types such as mobile, wireless and wired networks. Due to the pervasive nature of such devices, they are a potential evidence source in both civil litigation and criminal investigations. It is, however, challenging to identify and acquire forensic artefacts from a broad range of devices, which have varying storage and communication capabilities. Hence, in this paper, we first propose an IoT network architecture for the forensic purpose that uses machine learning algorithms to autonomously detect IoT devices. Then we posit the importance of focusing on the links between different IoT devices (e.g. whether one device is controlled or can be accessed from another device in the system), and design an approach to do so. Specifically, our approach adopts a graph for modelling IoT communications’ message flows to facilitate the identification of correlated network traffic based on the direction of the network and the associated attributes. To demonstrate how such an approach can be deployed in practice, we provide a proof of concept using two IoT controllers to generate 480 commands for controlling two IoT devices in a smart home environment and achieve an accuracy rate of 98.3% for detecting the links between devices. We also evaluate the proposed autonomous discovering of IoT devices and their activities in a TCP network by using real-world measurements from a public dataset of a popular off-the-shelf smart home deployed in two different locations. We selected 39 out of 81 different IoT devices for this evaluation.
... A solution that can help to discover how and where drone misuse is carried on is to employ scientific investigation processes. Device-level forensics [4][5][6], which mainly focuses on conducting forensic investigations of connected and sensor-based devices is presented as a more suitable approach that can be used to forensically investigate UAVs. This is because drones have sensing capabilities and tracking their movements may require amalgamating the two. ...
Article
Full-text available
The emergence of unmanned aerial vehicles (also referred to as drones) has transformed the digital landscape of surveillance and supply chain logistics, especially in terrains where such was previously deemed unattainable. Moreover, the adoption of drones has further led to the proliferation of diverse drone types and drone-related criminality, which has introduced a myriad of security and forensics-related concerns. As a step towards understanding the state-of-the-art research into these challenges and potential approaches to mitigation, this study provides a detailed review of existing digital forensic models using the Design Science Research method. The outcome of this study generated in-depth knowledge of the research challenges and opportunities through which an effective investigation can be carried out on drone-related incidents. Furthermore, a potential generic investigation model has been proposed. The findings presented in this study are essentially relevant to forensic researchers and practitioners towards a guided methodology for drone-related event investigation. Ultimately, it is important to mention that this study presents a background for the development of international standardization for drone forensics.
... The ISO/IEC 27050: 2018 is a cybersecurity catalog that highlights standards and codes of practice for electronic discovery, i.e., eDiscovery, which aims at protecting electronically stored information (ESI) including recorded data by any involved parties in the investigation process. Similarly, the digital forensic research workshop (DFRWS) model is set to protect the digital forensic process, and has six stages that start with the identification phase during an incident/event, then preservation, collection, examination, analysis, and lastly the collected evidence report is set as part of the presentation phase [17,44]. ...
Article
Full-text available
With the increasing number of cybercrimes, the digital forensics team has no choice but to implement more robust and resilient evidence-handling mechanisms. The capturing of digital evidence, which is a tangible and probative piece of information that can be presented in court and used in trial, is very challenging due to its volatility and improper handling procedures. When computer systems get compromised, digital forensics comes into play to analyze, discover, extract, and preserve all relevant evidence. Therefore, it is imperative to maintain efficient evidence management to guarantee the credibility and admissibility of digital evidence in a court of law. A critical component of this process is to utilize an adequate chain of custody (CoC) approach to preserve the evidence in its original state from compromise and/or contamination. In this paper, a practical and secure CustodyBlock (CB) model using private blockchain protocol and smart contracts to support the control, transfer, analysis, and preservation monitoring is proposed. The smart contracts in CB are utilized to enhance the model automation process for better and more secure evidence preservation and handling. A further research direction in terms of implementing blockchain-based evidence management ecosystems, and the implications on other different areas, are discussed.
... Such an approach complements existing approaches such as those proposed by Zhang, Choo and Beebe [9]. Specifically in the latter, they proposed an IoT forensic knowledge sharing platform, where the forensic community can learn from the prior experience of their peers in the form of a shared digital forensic artifact schema. DFRIR is designed to be technology-neutral, in order to cater for the fast advances in consumer technologies and threat landscape (e.g., adversarial techniques), without affecting the capability to support attack attribution, etc. ...
... [8] There is also a need to integrate forensic-by-design principles in the design of such systems, so that they can be readily used (analogous to secure-by-design and privacy-by-design concepts) [1,2,7,9]. For example, Rowlingson [12] identified key activities in implementing a forensic readiness programme, such as identifying available sources and different types of potential evidence and the establishment of a policy for secure storage and handling of potential evidence. Similarly, researchers in References 1, 2, 7, 9 have also identified several key building blocks in a forensic-by-design process. ...
Article
Full-text available
It may not always be possible to conduct a digital (forensic) investigation post-event if there is no process in place to preserve potential digital evidence. This study posits the importance of digital forensic readiness, or forensic-by-design, and presents an approach that can be used to construct a Digital Forensic Readiness Intelligence Repository (DFRIR). Based on the concept of knowledge sharing, the authors leverage this premise to suggest an intelligence repository. Such a repository can be used to cross-reference potential digital evidence (PDE) sources that may help digital investigators during the process. This approach employs a technique of capturing PDE from different sources and creating a DFR repository that can be shared across diverse jurisdictions among digital forensic experts and law enforcement agencies (LEAs), in the form of intelligence. To validate the approach, the study has employed a qualitative approach based on a number of metrics, and an analysis of experts' opinion has been incorporated. The DFRIR seeks to maximize the collection of PDE and to reduce the time needed to conduct a forensic investigation (e.g., by reducing the time for learning). This study then explains how such an approach can be employed in conjunction with ISO/IEC 27043:2015.
... While several IoT forensic approaches have been presented in the literature [10,11,19], there is limited discussion on how one can identify and leverage correlation(s) between artifacts acquired from different IoT devices and systems to provide a more complete picture of the incident. There have also been a number of studies focusing on the use of logs in IoT forensics [6,20], IoT network forensics [3], and machine learning-based approaches to classify and detect security threats from encrypted IoT network traffic [5,17]. ...
Chapter
In an Internet of Things (IoT) environment, IoT devices are typically connected through different network media types such as mobile, WiFi and wired networks. Due to the pervasive nature of such devices, they are a potential evidence source in both civil litigation and criminal investigations. It is, however, challenging to identify and acquire forensic artifacts from the broad range of devices, which have varying storage and communication capabilities. We posit the importance of focusing on the hidden links between different IoT devices (e.g. whether one device is controlled or can be accessed from another device in the system), and design an approach to do so. Specifically, our approach adopts a graph to model the message flows of IoT communications, with the aim of facilitating the identification of correlated network traffic, based on the direction of the network and the associated attributes. To demonstrate how such an approach can be deployed in practice, we evaluate our approach using IoT devices in a smart home environment and achieve an accuracy rate of 98.3% for detecting hidden links between devices.
... As noted in the paper, the main focus of City Pulse is the use of open traffic events with timestamps and location data to form a bigger picture of incidents that take place in Aarhus. A formatting standard for use in sharing evidence artefacts that originate from IoT devices was introduced in [13]. Their data format was presented as a means by which law enforcement could share their findings and experiences from working with IoT devices. ...
... Law enforcement lacks the ability to efficiently share evidence and experiences from working with IoT devices. Therefore, [13] developed this format for the sole purpose of allowing Law Enforcement Agencies (LEAs) to share this information in a manner that does not reveal sensitive information and also allows for an easier way of reading the accumulated sensor data. ...
Article
Full-text available
Information Technology (IT) has become an essential part of our lives and, due to the emergence of the Internet-of-Things (IoT), technology has encompassed a majority of the things that humans rely on in their daily lives. Furthermore, as IT becomes more relevant in daily life, the need for IT to serve public emergency services has become more important. However, due to the infancy status of IoT, there is a need for a data consortium that would prove to be best used in servicing policing in a technologically driven society. This paper will discuss the plausibility of creating a universal format for use in carrying out public services, such as emergency response by the police and regular law maintenance. In this research we will discuss what the police require in their line of duty and how smart devices can be used to satisfy those needs. A data formatting framework is developed and demonstrated, with the goal of showing what can be done to unify data from smart city sensors.
... The shift in conventional digital forensics to cloud forensics, network forensics, device-level forensics and live forensics across the IoT ecosystems has compounded the challenges in performing digital investigations, for example in terms of data size and the rapidly changing technological landscape [23][24][25][26]. Hence, there is a need to ensure that digital forensic capabilities keep pace with emerging technologies [27], as well as designing AI-based approaches to facilitate digital forensics and real-time incident detection and incident response for ECOs [28,29]. This necessitates the understanding of the composition of ECOs, for example in terms of process and architecture [30]. ...
Article
Full-text available
Machine learning has been shown to be a promising approach to mine larger datasets, such as those that comprise data from a broad range of Internet of Things devices, across complex environment(s) to solve different problems. This paper surveys existing literature on the potential of using supervised classical machine learning techniques, such as K-Nearest Neighbour, Support Vector Machines, Naive Bayes and Random Forest algorithms, in performing live digital forensics for different IoT configurations. There are also a number of challenges associated with the use of machine learning techniques, as discussed in this paper.