Joshua I James

Hallym University, Chuncheon, South Korea · Digital Forensic Investigation Research (DFIRE) Laboratory

PhD

About

58 Publications
32,659 Reads
508 Citations
Introduction
My focus area is digital forensic investigations and specifically automation of human inference in investigations. I also work a lot on digital evidence exchange (MLA), Cyber Peacekeeping, technical and policy issues. I'm very open to collaboration. Feel free to contact me if you would like to work together.
Additional affiliations
March 2015 - December 2015
Hallym University
Position
  • Lecturer
March 2015 - May 2016
Hallym University, Chuncheon, South Korea
Position
  • Visiting Professor, Researcher
August 2013 - December 2015
Soonchunhyang University
Position
  • Lecturer

Publications (58)
Conference Paper
Full-text available
Until now, many works have focused on attempting to define cyber warfare, as well as appropriate response leading to conflict escalation. Instead, this paper proposes a comprehensive definition of Cyber Peacekeeping motivated by prior research on peacekeeping, cyber conflict and warfare, and international relations in cyberspace. Cyber Peacekeeping...
Article
International cooperation is becoming more important in digital investigations, yet methods of exchanging and requesting digital evidence across borders continue to use traditional protocols. This work provides a comprehensive study about Mutual Legal Assistance in relation to digital evidence. First, we survey available information related to ma...
Preprint
Full-text available
Many artificial intelligence (AI) speakers have recently come to market. Beginning with Amazon Echo, many companies are producing their own speaker technologies. Due to the limitations of technology, most speakers have similar functions, but the way each speaker handles data is different. In the case of Amazon Echo, the API of the cloud is o...
Preprint
Full-text available
Fundamental processes in digital forensic investigation, such as disk imaging, were developed when digital investigation was relatively young. As digital forensic processes and procedures matured, these fundamental tools, which are the pillars of the rest of the data processing and analysis phases of an investigation, largely stayed the same. This...
Article
Full-text available
With so much information collected from so many places and stored in so many others, the forensic value of digital evidence has exploded globally. This ranges from evidence relating to traditional crimes to that for new cybercrimes. The ability to use digital forensics, computational policing analytics and electronic evidence of all types, and the...
Article
Full-text available
The explosive growth of information and communications technologies (ICTs) as manifested in Smart Cities and the Internet of Things (IoT) creates more and more computable data with myriad benefits. They also produce ever more digital evidence of people's lives in all contexts, with commensurately greater potential risks to the safety and rights of...
Article
Full-text available
In October 2016 the South Korean cyber military unit was the victim of a successful cyber attack that allowed access to internal networks. As usual with large-scale attacks against South Korean entities, the hack was immediately attributed to North Korea. Also, as with other large-scale cyber security incidents, the same types of 'evidence' were used...
Article
Full-text available
Prior works, such as the Tallinn manual on the international law applicable to cyber warfare, focus on the circumstances of cyber warfare. Many organizations are considering how to conduct cyber warfare, but few have discussed methods to reduce, or even prevent, cyber conflict. A recent series of publications started developing the framework of Cyb...
Article
This work focuses on near-future, User-Centric IoT systems used in smart homes. Our goal is to anticipate cyber threats to these systems and suggest points of focus for digital investigators. IoT smart homes have multi-featured, connected devices such as home appliances, monitoring devices and security devices. The envisioned near-future system is...
Article
Inspired by the work of the AAAS Science and Human Rights Coalition (AAAS is the publisher of Science), we asked young scientists this question: Describe how applications of knowledge in your field (information, methodologies, services, and/or products) could support civil, political, economic, social, or cultural rights. We received responses fro...
Article
Full-text available
This article explores a novel approach to file carving by viewing it as a decision problem. This allows us to design algorithms that produce best-effort results under given resource constraints. Resource-constrained carving is important for digital forensic triage, as well as for e-discovery, where a reduction in carving time may be preferred to co...
Article
Full-text available
Prior works on digital investigations focus on the detection of known actions. Many methods, such as signatures, are used to describe a causal relation between a known action and the resulting traces. However, some knowledge of the occurrence of actions in a system may be determined if the particular action, and therefore specific traces, are unkno...
Article
Full-text available
AAAS (the publisher of Science) recently launched www.forceforscience.org, a new website to facilitate science advocacy. The site offers news, resources, and information about upcoming events for both scientists and the public. By way of introduction, we asked these questions: Why is science
Article
Full-text available
Many systems rely on reliable timestamps to determine the time of a particular action or event. This is especially true in digital investigations where investigators are attempting to determine when a suspect actually committed an action. The challenge, however, is that objects are not updated at the exact moment that an event occurs, but within so...
Article
Full-text available
Cyberattacks against organizations are extremely common. Simple automated attacks or organized, targeted efforts can compromise an organization even if that organization takes cybersecurity seriously. Once an organization is compromised, law enforcement might need to be involved, especially if suspects or evidence is hosted in foreign jurisdictions...
Article
Full-text available
As investigations dealing with digital evidence increase, so too does the need for skilled first responders and improved investigation process models. Recently the concept of digital forensic triage and preliminary analysis has been gaining popularity in investigation laboratories. At the same time, however, there has been little focus on specific t...
Research
Science magazine #NextGenSci Six word stories.
Article
Full-text available
Cryptocurrency, and its underlying technologies, has been gaining popularity for transaction management beyond financial transactions. Transaction information is maintained in the block-chain, which can be used to audit the integrity of the transaction. The focus of this paper is the potential availability of block-chain technology for other transac...
Article
We asked young scientists from a variety of fields this question: According to the United Nations (http://esa.un.org/unpd/wup/), more than two-thirds of the human population will live in cities by 2050. How can scientists in your field help society prepare for an increasingly urbanized world? Excerpts of our panel’s proposed contributions follow, c...
Conference Paper
Full-text available
International cooperation is becoming more important in digital investigations. This work provides a comprehensive study about Mutual Legal Assistance in relation to digital evidence. A survey of available information related to making a Mutual Legal Assistance Request is given, followed by a quantitative analysis of practitioner survey results rel...
Conference Paper
Full-text available
Imagine the following scenario: an inexperienced law enforcement officer enters a crime scene and – on finding a USB key on a potential suspect – inserts it into a nearby Windows desktop computer hoping to find some information which may help an ongoing investigation. The desktop crashes and all data on the USB key and on the Windows desktop has no...
Article
Full-text available
We now live in a new space of information density, evolving with the Internet of Things and the Smart City. This global information space is shared with powerful analytics that can give an organization, private or public, massive surveillance powers. As Justice Sotomayor commented in United States of America v. Jones (2012), this may change the rel...
Article
Full-text available
This work addresses the definition and identification of key elements of robustness and resilience in the context of sustainable digital investigation capacity. After a review of prior work, we describe the results of a structured questionnaire that was sent to 72 law enforcement agencies and subject-matter experts in both online and oral formats (...
Conference Paper
Full-text available
This work presents a method for the measurement of the accuracy of evidential artifact extraction and categorization tasks in digital forensic investigations. Instead of focusing on the measurement of accuracy and errors in the functions of digital forensic tools, this work proposes the application of information retrieval measurement techniques th...
Conference Paper
Full-text available
As more businesses and users adopt cloud computing services, security vulnerabilities will be increasingly found and exploited. There are many technological and political challenges where investigation of potentially criminal incidents in the cloud are concerned. Security experts, however, must still be able to acquire and analyze data in a methodi...
Article
Full-text available
An area presenting new opportunities for both legitimate business, as well as criminal organizations, is Cloud computing. This work gives a strong background in current digital forensic science, as well as a basic understanding of the goal of Law Enforcement when conducting digital forensic investigations. These concepts are then applied to digital...
Chapter
Full-text available
This chapter aims to be a high-level introduction into the fundamental concepts of both digital forensic investigations and cloud computing for non-experts in one or both areas. Once fundamental concepts are established, this work begins to examine cloud computing security-related questions, specifically how past security challenges are inherited o...
Book
This book constitutes the refereed proceedings of the 7th International Conference on Digital Forensics and Cyber Crime, ICDF2C 2015, held in Seoul, South Korea, in October 2015. The 14 papers and 3 abstracts were selected from 40 submissions and cover diverse topics ranging from tactics of cyber crime investigations to digital forensic education,...
Poster
Full-text available
Timestamps are commonly used in digital investigations to show the time that specific events occurred. These timestamps, however, may not accurately reflect the time of the action due to delays in the system as well as delays in the process chain that occurs when the action takes place. This poster demonstrates a more accurate calculation of when t...
Presentation
Full-text available
Digital investigations often seek to establish the times and actions that occurred on a device. While investigators tend to focus on data sources that directly relate to actions, many data sources, such as collections of system files, are not analyzed. This work demonstrates that it is possible to infer various indirect actions through the analysis of...
Article
Full-text available
This work examines the problem of case prioritization in digital investigations for better utilization of limited criminal investigation resources. Current methods of case prioritization, as well as observed prioritization methods used in digital forensic investigation laboratories are examined. After, a multi-stakeholder approach to case prioritiz...
Article
Full-text available
As the amount of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user...
Article
Full-text available
This work proposes a method for the measurement of a country's digital investigation capacity and saturation for the assessment of future capacity expansion. The focus is on external, or international, partners being a factor that could negatively affect the return on investment when attempting to expand investigation capacity nationally. This work...
Article
Full-text available
Digital technologies are constantly changing, and with them criminals are finding new ways to abuse these technologies. Cybercrime investigators, then, must also keep their skills and knowledge up to date. This work proposes a holistic training development model - specifically focused on cybercrime investigation - that is based on improving investiga...
Article
Full-text available
The United States government, via the “We the People” portal (petitions.whitehouse.gov), was petitioned by Dylan K. [1] to “Make, distributed denial-of-service (DDoS), a legal form of protest”. The petition states that: With the advance in [Internet technology], comes new grounds for protesting. Distributed denial-of-service (DDoS), is not any for...
Article
Full-text available
The use of automation in digital forensic investigations is not only a technological issue, but also has political and social implications. This work discusses some challenges with the implementation and acceptance of automation in digital forensic investigation, and possible implications for current digital forensic investigators. Current attitude...
Conference Paper
Full-text available
Digital forensic investigators commonly use dynamic malware analysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead the investigators to ambiguous conclusions. In...
Article
Full-text available
Online social media has changed the way many people, businesses and even governments interact with each other. Because of Twitter's popularity and its ability to broadcast small pieces of information to a large number of people, it is an effective form of mass communication. However, ease in communication that allows the public to freely communicat...
Conference Paper
Full-text available
A call for formalizing digital forensic investigations has been proposed by academics and practitioners alike [1, 2]. Many currently proposed methods of malware analysis for forensic investigation purposes, however, are derived based on the investigators’ practical experience. This paper presents a formal approach for reconstructing the activities...
Conference Paper
Full-text available
As cloud adoption grows, the importance of preparing for forensic investigations in cloud environments also grows. A recent survey of digital forensic professionals identified that missing terms and conditions regarding forensic activities in service level agreements between cloud providers and cloud consumers is a significant challenge for cloud f...
Conference Paper
Full-text available
After an intrusion has propagated between hosts, or even between networks, determining the propagation path is critical to assess exploited network vulnerabilities, and also to determine the vector and intent of the initial intrusion. This work proposes a novel method for malware intrusion attack path reconstruction that extends post-mortem system...
Conference Paper
This presentation will cover the Automated Network Triage and Rapid Evidence Acquisition Project. This project is focused on easy to use, low cost digital forensic investigation tools that allow for the automation of each phase of the digital investigation process. The project’s philosophy and goals concerning process automation in digital forensic...
Conference Paper
Full-text available
This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an inv...
Conference Paper
Full-text available
This paper proposes a novel method for checking the consistency of forensic registry artifacts by gathering event information from the artifacts and analyzing the event sequences based on the associated timestamps. The method helps detect the use of counter-forensic techniques without focusing on one particular counter-forensic tool at a time. Seve...
Article
Full-text available
This paper describes a methodology for the reconstruction of digital events by comparing states captured in time. Microsoft Windows Restore Point data is used to illustrate how to organize captured state information into a useful timeline of user and system events. It is shown that by comparing consecutive states, events can be uncovered that would...
Article
Full-text available
Built into Microsoft Windows is the ability for the operating system to track user window viewing preferences specific to Windows Explorer. This information, which is called “ShellBag” information, is stored in several locations within the Windows Registry in the Windows Operating System. This paper introduces a novel method to examine ShellBag inf...
Conference Paper
Full-text available
The Microsoft Windows registry is an important resource in digital forensic investigations. It contains information about operating system configuration, installed software and user activity. Several researchers have focused on the forensic analysis of the Windows registry, but a robust method for associating past events with registry data values e...
Conference Paper
Full-text available
This paper expands upon the finite state machine approach for the formal analysis of digital evidence. The proposed method may be used to support the feasibility of a given statement by testing it against a relevant system model. To achieve this, a novel method for modeling the system and evidential statements is given. The method is then examined...

Projects

Projects (3)
Project
A study on the effectiveness of the exchange of digital evidence using mutual legal assistance requests.
Project
Investigatory study of IoT networks and application of current digital forensic techniques.
Project
Application of Peacekeeping to cyber conflict.