Digital Forensics - Science topic

Explore the latest questions and answers in Digital Forensics, and find Digital Forensics experts.
Questions related to Digital Forensics
  • asked a question related to Digital Forensics
Question
2 answers
For the past few months, I have been receiving strange review invitations from the famous "Susan Lee" at the HSPI Open Access Journal.
The most surprising aspect of these requests is that they all concern subjects far removed from my area of expertise (for example, one for a publication in the Journal of Forensic Science and Research and another in the Journal of Pulmonology and Respiratory Research). Moreover, the corresponding manuscripts were directly attached to the message ... I imagine a great manner to maintain the confidentiality.😕
Since my expertise lies more in organic chemistry, spectroscopy, and quantum calculations, you can imagine that I am not the right person to assess the quality of papers like "Risk Factors for Respiratory Diseases: A Comparison Between South Asia and Central Asia" or "Digital Forensics and Media Offenses – Investigating Synergy in the Cyber Age"...
Despite politely declining these invitations, I continue to receive requests from "Susan," which leads me to conclude that these journals are not serious.
Has anyone else had a similar experience, or am I the only lucky one here?
Relevant answer
Answer
thanks Rob for your prompt answer ... I assure you that Susan's email has been added to my list of unwanted senders ;).
Cordially
  • asked a question related to Digital Forensics
Question
3 answers
Hello everyone, I’m planning to publish a research paper on the intersection of Artificial Intelligence and Blockchain in Digital Forensics. Can anyone guide me on where to begin with the literature review and the best practices for structuring my research? Any recommendations for key areas or resources to focus on would be greatly appreciated. Thank you!
Relevant answer
Answer
Intersecting the areas of Artificial Intelligence and Blockchain within Digital Forensics really presents an area filled with the prospects for new research but meaningful contributions can only take place when key challenges facing current literature are at least partially solved. An immutable, decentralized ledger by blockchain and predictive/pattern recognition capacities of AI present an unseen transformative potential, but there remain major gaps, mostly regarding scalability, legal compliance, and integration into existing forensic methodology. When blockchain technology is claimed to enhance the integrity of digital forensic evidence by being inherently distributed and tamper-proof, what is yet inadequately explored is how blockchain technology can really function under real-world forensic environments burdened with significant volumes of data and stringent chain-of-custody controls. Most notably, there is a serious gap in the area of scalability; it causes painstaking waits during transaction verification that is completely unacceptable for real-time evidence handling. Optimizations of the consensus algorithm, or layer-two solutions like state channels, could mitigate these latencies, but would make blockchain technology feasible to rapidly track forensic data. Doing more with the integration into forensic workflows than only keeping a record of data shall push the blockchain technology in ensuring data not only comes with proof of authenticity but also each transformation, as well as each access point, with strict compliance by forensic standards. AI in general has traditionally played a role of automating labor-intensive aspects in evidence analysis. Deep learning does an outstanding job of anomalies in vast datasets, although it significantly suffers in this field by being non-transparency and non-explainable which are important areas in judicial application. 
For experts in this domain, a contribution would be exploring how one can implement Explainable AI (XAI) in forensic context using blockchain as mechanisms for maintaining auditability, for example, XAI models can be used in deriving human-readable explanations for an output of a model, meanwhile blockchain ensures an immutable log of these decision pathways, strengthens the evidentiary basis upon which forensic findings are relied. This dual approach not only promotes transparency but also lifts the credibility of AI-based insights, so they are appropriate for court standards that require evidence to be clear and reproducible. This interplay between AI and blockchain within socio-technical frameworks of current research areas is a relatively untouched area. From purely technical exercises to socio-technological practice, digital forensics involves keeping in mind human behaviors alongside the technological tools for their implementation. AI-driven behavioral analysis such as understanding attacker patterns or identifying insider threats can be enhanced with blockchain's immutable records to give a comprehensive view of how an incident unfolded, and practitioners may connect dots between individual behaviors and data artifacts. It is challenging, however because one needs to move from the descriptive insight to causal understanding-through advanced techniques like causal inference models- to reconstruct events with precision and accountability. Then, research may extend into multi-party computation including stakeholders such as corporate entities, law enforcement and forensic labs that, under shared but privacy-preserving blockchain-backed data, collectively gather insights without compromising of research with considerable significance is the ethical and regulatory implications of embedding AI and blockchain in digital forensics. 
Blockchain's immutability conflicts with privacy standards such as GDPR's "right to be forgotten," posing a basic challenge to forensic data management. The directions in which mechanisms regarding selective mutability or time-limited evidence hashing can be evolved are such that they allow compliance with data privacy requirements while maintaining a verified chain-of-custody for admissibility in legal settings. Furthermore, ethical concerns about bias in the training data and even model accountability are legitimate in AI and should be addressed in a manner that ensures fairness where such biases can lead to wrongful incriminations. Building checks for fairness into the models of AI, and logging their outcomes on the blockchain, would help ensure that the integrity and trustworthiness demanded in high-stakes investigations cannot be compromised. Real-life application is also another dimension. This potential must be validated, however, by real-world cases in forensics to have any meaning. Consider, for instance, the Colonial Pipeline ransomware incident or the SolarWinds attack, two prime examples where blockchain could strengthen a chain of evidence and AI could accelerate analysis of attack vectors. Even based on these actual events, case studies can be elaborated not only to weigh how blockchain and AI might have helped in the process of investigation theoretically but also under the constraints that came at that point - be it computational, logistical, or even ethical. It would serve to bring the discussion along a track of speculative value into actual applied worth. Federated learning with blockchain-based security opens a pathway to applying AI models to forensic analysis without compromising privacy. In federated learning, for instance, AI models could be trained across decentralized data without the sharing of raw data, vital in forensic cases where sensitive information may be involved. 
This would record immutably data provenance and model iterations when coupled with blockchain. The use of homomorphic encryption within this setup would further allow for the processing of encrypted data with confidentiality maintained throughout the pipeline of investigation. Finally, any consideration of these technologies must include their broader societal impact. The eventual end of blockchain and AI integration in digital forensics would be to add to the speed, reliability, and transparency of forensic investigations. A blockchain-backed AI solution could demystify forensic evidence to make it understandable and verifiable not only for legal professionals but to the general public. Consider a situation where cybercrime victims can independently verify that the evidence has not been tampered with. Transparency implies ethical considerations regarding privacy and the features of sensitive information being far too readily accessible. There is a fine balance that must be reached between transparency and privacy, and the possibility that your research would recommend multi-layered controls using smart contracts to apply differing access levels to forensic analysts, legal entities, or the affected individuals, among others, to different degrees. Thank you Sachin Gupta .
  • asked a question related to Digital Forensics
Question
1 answer
We are excited to announce that the 13th International Symposium on Digital Forensics and Security (ISDFS 2025) will take place both online and in person at Wentworth Institute of Technology, Boston, Massachusetts, USA, on April 24-25, 2025. Since 2016, the IEEE has been a proud supporter of this symposium. Accepted papers will be submitted for inclusion into IEEE Xplore subject to meeting IEEE Xplore’s scope and quality requirements.
ISDFS offers a platform for researchers and professionals from academia, industry, and government to exchange ideas and recent advancements in Digital Forensics, Cybersecurity, and Computer Science more broadly. Building on the success of the 12th event, the 13th ISDFS conference will continue to promote and share knowledge on various topics and technologies related to Digital Forensics and Cybersecurity. The symposium will feature a diverse program including special sessions, workshops, tutorials, keynote speeches, panel discussions, posters, and oral presentations.
Submissions will be reviewed by a minimum of two members of the Scientific Program Committee. Accepted papers will be submitted for inclusion in IEEE Xplore, provided they meet IEEE Xplore’s scope and quality standards. Papers must be written in English and formatted according to the IEEE guidelines. Submissions that do not adhere to the required format will be rejected, regardless of content quality.
Relevant answer
Answer
Please let your conference rank at the CORE conference portal as per https://docs.google.com/document/d/11lyr_N7rnyhpvTnGJRVvrFIp73REt3lwTCmy0k8geJo!
  • asked a question related to Digital Forensics
Question
2 answers
Explore cutting-edge digital forensics research trends, focusing on tech impact, challenges, and innovative responses to evolving cyber threats.
Relevant answer
Answer
Hi. Expect the next edition of this conference in May.
  • asked a question related to Digital Forensics
Question
7 answers
Hello,
I'm presently running my master's degree programme in cybersecurity and I am looking at Digital Forensics and Information security management. I really need good topics and materials on it. Can anyone help please with topics along that path and materials also?
Thanks
Relevant answer
Answer
  1. Advanced Digital Forensic Techniques in the Era of Cloud Computing: Investigate new methodologies for digital forensics in cloud environments. This could include forensic data acquisition, analysis of cloud storage and services, and legal challenges associated with cloud forensics.
  2. The Role of Artificial Intelligence in Enhancing Digital Forensic Investigations: Explore how AI and machine learning can be used to improve the efficiency and accuracy of digital forensic investigations. This topic can cover automated analysis of large datasets, pattern recognition, and anomaly detection in forensic data.
  3. Cyber Incident Response and Forensic Readiness in Organizations: Assess the current state of incident response and forensic readiness in various organizations. This could involve studying best practices, tools, and strategies for preparing and responding to cybersecurity incidents, and the role of forensics in post-incident analysis.
  4. Forensic Analysis of IoT Devices in Cybersecurity Breaches: Focus on the challenges and techniques in forensic investigations involving Internet of Things (IoT) devices. This can include the collection and analysis of data from various IoT devices and addressing the unique security and privacy challenges they present.
  5. Evaluating the Effectiveness of Information Security Management Systems (ISMS): Analyze the effectiveness of current ISMS in organizations, focusing on their ability to protect against contemporary cyber threats. You could also explore the impact of various security frameworks and standards on the efficacy of these systems.
  6. Blockchain Technology in Digital Forensics and Information Security: Investigate the potential applications of blockchain technology in enhancing digital forensic practices and information security management. This might include blockchain for ensuring data integrity in forensic investigations or for secure logging and tracking of digital evidence.
  7. Privacy Issues in Digital Forensics and Information Security: Examine the privacy concerns that arise in digital forensic investigations and information security practices, focusing on the balance between privacy rights and the need for security.
  • asked a question related to Digital Forensics
Question
3 answers
Hi
I am conducting research in digital forensics where I need to identify key subjects (witnesses or perpetrators) of an incident. Therefore, I am in need of Twitter event datasets to test my algorithm. The dataset could be an event of any type, e.g. crime, natural disaster, terrorism etc.
Additionally, if anyone could recommend any recent works within the domain of digital forensics and machine learning that could be of benefit to my work, that would be equally appreciated.
Many thanks
  • asked a question related to Digital Forensics
Question
3 answers
The field of cyber security is open and has multiple fields (network security, information security, and digital forensics), so I need help in suggesting some recent topics in which I can register for my Ph.D. and improve them. Thank you.
Relevant answer
Answer
Here are some recommendations for major recent cybersecurity topics to register for a Ph.D. in 2023:
  • Quantum computing and cybersecurity
  • Artificial intelligence (AI) and cybersecurity
  • Internet of Things (IoT) security
  • Cloud security
  • 5G security
  • Software-defined cybersecurity
  • Cyber insurance
  • Cyberpsychology
  • Blockchain technology for cybersecurity
  • Machine learning for cybersecurity
  • Cybersecurity for smart systems
  • Decentralized cybersecurity
  • Data provenance and evidence collection in the cloud
  • Data structures for IoT security
These topics are all important and timely, and they offer the potential to make significant contributions to the field of cybersecurity.
Here are some specific examples of PhD research projects in these areas:
  • Quantum computing and cybersecurity: developing new cryptographic algorithms that are resistant to attack by quantum computers; designing new quantum-safe security protocols
  • AI and cybersecurity: developing AI-based malware detection and prevention systems; using AI to improve the security of critical infrastructure; investigating the ethical implications of using AI in cybersecurity
  • IoT security: developing new security solutions for IoT devices and networks; protecting IoT data from unauthorized access and use; securing IoT systems against cyberattacks
  • Cloud security: developing new security solutions for cloud computing environments; protecting cloud data and applications from cyberattacks; ensuring compliance with cloud security regulations
  • 5G security: developing new security solutions for 5G networks and applications; protecting 5G data and services from cyberattacks; ensuring the resilience of 5G networks to cyberattacks
When choosing a PhD research topic, it is important to consider your own interests and expertise, as well as the availability of supervisors and funding. It is also important to choose a topic that is both challenging and feasible.
If you are interested in pursuing a PhD in cybersecurity, I encourage you to explore the topics listed above and to contact potential supervisors to discuss your research ideas.
  • asked a question related to Digital Forensics
Question
1 answer
Digital evidence can be encrypted during a forensic investigation to ensure privacy, so what other type of operation can be performed on the encrypted digital evidence apart from keyword search?
Relevant answer
Answer
I do not know how to give you an answer that incorporates all the solutions to your problem. However, in the article below (particularly the authors referenced) you will find people who are also working on this or similar problems.
  • asked a question related to Digital Forensics
Question
4 answers
Do you have any suggestions on using digital forensic software for research purposes?
Could data extracted through phone forensic methods give a never-before-seen insight into children's social networks?
Is data extracted through phone forensic methods more reliable than self-report methods?
Relevant answer
Answer
Mr. Wali Mohd Dar, thank you for these enlightening questions. I will try to answer them in my upcoming articles. I will send you an invite. Sincere regards
  • asked a question related to Digital Forensics
Question
4 answers
Any ideas on digital forensics in cloud computing, such as using tools or types of monitoring and diagnosis of attacks using features in Kali Linux, for example, or anything that can help?
Relevant answer
Answer
Digital forensics in cloud computing is an important area of study, as more and more organizations move their data and operations to the cloud. There are several tools, techniques, and best practices you can consider when performing digital forensics in a cloud environment.
Forensic data acquisition: Acquiring data from the cloud can be challenging due to the distributed nature of cloud environments. Tools such as Fast & Secure Protocol (FASP) can help transfer data quickly and securely. Additionally, cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offer native tools to capture virtual machine (VM) snapshots, which can be valuable for forensic investigations.
Log analysis: Cloud platforms often provide extensive logging, which can be useful for investigating security incidents. Tools like Elastic Stack (Elasticsearch, Logstash, Kibana) or Splunk can help you analyze logs from various cloud sources.
Network forensics: Monitoring and analyzing network traffic is essential for detecting and investigating attacks. In a cloud environment, you can use tools like Wireshark and tcpdump to capture and analyze network packets. You can also use cloud-native tools like AWS VPC Flow Logs, Azure Network Watcher, and GCP VPC Flow Logs to monitor network traffic in your cloud infrastructure.
Memory forensics: Memory analysis can help you uncover hidden malware and other artifacts that may not be present on disk. Tools like Volatility and Rekall can be used to analyze memory dumps from cloud VMs.
Endpoint security: Monitoring endpoints for signs of compromise is important in cloud environments. Tools like OSSEC, Wazuh, and Sysmon can be used to monitor and log system events on cloud-based servers.
Incident response and automation: Automating incident response in the cloud is crucial due to the dynamic nature of cloud environments. You can use tools like AWS Security Hub, Azure Security Center, or GCP Security Command Center to centralize security alerts and automate response actions.
Integrating Kali Linux: Kali Linux comes with various forensic and penetration testing tools that can be useful in a cloud environment. Some of these tools include Autopsy (for disk forensics), Bulk Extractor (for data extraction), and John the Ripper (for password cracking).
Legal and regulatory compliance: In a cloud environment, it's important to ensure compliance with relevant laws and regulations, like GDPR, HIPAA, or PCI DSS. You can use tools like AWS Artifact, Azure Compliance Manager, or GCP Security Health Analytics to help you manage compliance in your cloud infrastructure.
Remember, when conducting digital forensics in a cloud environment, you need to consider various factors, such as data privacy, legal requirements, and collaboration with cloud providers. Make sure to familiarize yourself with the specific features and tools offered by your cloud provider and stay up-to-date with the latest developments in the field of cloud forensics.
  • asked a question related to Digital Forensics
Question
2 answers
Any research update on Mobile (Android) Deduplication from forensic perspective?
  • asked a question related to Digital Forensics
Question
8 answers
I am looking for research papers on challenges to digital forensics.
Relevant answer
Answer
See the following useful RG link: https://onlinelibrary.wiley.com/journal/15564029
  • asked a question related to Digital Forensics
Question
4 answers
Dear Research Gate Community,
I'm finally able to publish my dissertation paper and I'm keen to find the right place to publish it. My old university has just given me permission to publish it online.
First I looked at arXiv however it requires you to have someone who can endorse you for your subject area (My supervisor has now left the University that I originally did my studies at so I'm not expecting to be able to get the endorsement.)
Ideally I'm looking for an open access journal for Digital Forensics and one that accepts submissions in a PDF format.
Another part of me has considered just posting the paper up on my own website however it would be nice to have it in an open journal.
Any tips, tricks or information will be greatly appreciated.
Thank you for your time!
Oliver
Relevant answer
Answer
By "dissertation paper", do you mean your entire thesis as submitted for your degree? For most journals, it would be too long to submit as is, and would most likely require significant reformatting and rewriting. Also, papers in your field have a short lifespan so "old" may be too old. Tong Wu's preprint archiving suggestion is best if you don't want to rework the thesis.
  • asked a question related to Digital Forensics
Question
3 answers
Please, I am looking for a document listing technical artefacts used as evidence in digital forensics, classified according to their evidential strength. For example, an IP address could be spoofed, so it is weak evidence; malware code similarity is strong evidence, etc.
Relevant answer
Answer
The strength of digital evidence is based on the ability to demonstrate the legal authorisation to obtain it, its authenticity, relevancy, reliability and integrity. Even when there is a reasonable doubt regarding the reliability of digital evidence, this does not necessarily make it inadmissible, but will reduce the amount of weight it is given by the court.
Case in point, United States v. Tank, although the defendant argued that the authenticity and relevance of the digital evidence was not adequately established, the prosecution used a number of witnesses to establish that the logs were authentic. Once a digital evidence is admitted, its reliability is assessed to determine its probative value. "In several cases, attorneys have argued that digital evidence was untrustworthy simply because there was a theoretical possibility that it could have been altered or fabricated. However, as judges become more familiar with digital evidence, they are requiring evidence to support claims of untrustworthiness."
Notes:
i) Albert Antwi-Boasiako, Hein Venter. A Model for Digital Evidence Admissibility Assessment. 13th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2017, Orlando, FL, United States. pp. 23-38, ⟨10.1007/978-3-319-67208-3_2⟩. ⟨hal-01716394⟩
ii) Digital Evidence and Computer Crime, Second Edition, 7.2 Authenticity and Reliability
  • asked a question related to Digital Forensics
Question
11 answers
recent hot area of research in the field of cyber forensics
Relevant answer
Answer
Below I briefly described the issues related to cybercrime and cybersecurity, which I researched and described in scientific publications that are available on the Research Gate portal. Over the past few years, the scale of cybercrime attacks on the IT systems of various institutions, including government institutions, on the databases of social media portals, on the ICT systems of banks, on electronic banking systems has been growing. Cybercriminals are increasingly attacking mobile online banking systems made available to Internet users and bank customers through mobile devices, mainly via smartphones. Research shows that the scale of cybercrime attacks on the IT systems of banks, institutions, etc. using social engineering combined with perfidiously created malicious software such as ransomware, i.e. encrypting access to data on disks or redirecting users to fake websites of banks and institutions on the Internet to phishing personal data, access passwords to electronic banking accounts and, as a result, to steal money. For several years, many mailbox users have appeared strange emails of unknown origin, which are sent as spam from private other email accounts or others with false information. Attachments containing false information are attached to many of these suspicious emails, usually sent by cybercriminals and hackers. Attachments are usually of the WORD * .doc document type, the Acrobat Reader * .pdf format, image files or other formats, and often contain Ransomware-type viruses. These are very dangerous viruses that encrypt access to a computer's disk. In addition, cyber criminals are increasingly using mailboxes set up on the e-mail portal to send infected e-mails to subsequent Internet users by generating fake emails so that they look like a specific user of the mailbox would send e-mails prepared by cybercriminals to their friends. These types of cybercrime techniques are becoming more common. 
Why are Internet technology companies that dominate the market and offer e-mail services do not improve the security of e-mail communication systems using e-mail boxes to significantly reduce cybercriminals' activity harmful to citizens? This question is still valid. On the other hand, internet banks and technology internet companies, technology fintechs are constantly improving cyber security techniques. The development of Business Intelligence business intelligence, Blockchain technology, data analysis in Big Data database systems, artificial intelligence to track movements and attacks made by cybercriminals, for prognostic analyzes, etc. can be helpful in the process of improving IT systems risk management. Therefore, the skilful and efficient use of data science technology can be helpful in combating cybercrime, but it all depends on how these technologies will be used and, as a consequence, who will win in the following years in this IT, information "arms race". I conduct research in this area. Conclusions from the research I published in scientific publications that are available on the Research Gate website. I invite you to scientific cooperation.
Greetings,
Dariusz Prokopowicz
  • asked a question related to Digital Forensics
Question
5 answers
Smartphones are fast becoming a ubiquitous device used throughout the day to undertake a variety of activities which may have been traditionally completed using a PC. What are the implications of the rise of smartphones for forensic practitioners?
Relevant answer
Answer
Hi Osama, I am also working on this topic as you did before. I just want to know what the implications of the rise of smartphones can be.
  • asked a question related to Digital Forensics
Question
6 answers
What are the current hot topics for research in digital forensics for a PhD?
  • asked a question related to Digital Forensics
Question
3 answers
I need to extract some features from the temporal domain for digital video analysis.
Relevant answer
Answer
Derivatives, moments, or polynomial coefficients?
  • asked a question related to Digital Forensics
Question
4 answers
Can reversible data hiding in encrypted images be carried out in digital forensics? What future research can be done on reversible data hiding to increase the embedding capacity?
Relevant answer
Answer
Yes, you can. Much of the literature does it.
[1] Abboud, George, Jeffrey Marean, and Roman V. Yampolskiy. "Steganography and visual cryptography in computer forensics." 2010 Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering. IEEE, 2010.
  • asked a question related to Digital Forensics
Question
2 answers
Because mobile device forensics has become a significant part of digital forensics, I am looking for the important parts of a device which are used in digital forensics.
Relevant answer
Answer
The most important is the eMMC memory chip. Often the data is also stored in external media, usually microSD. Mobile devices are often also doors that allow access to user's cloud resources. Familiarize yourself with the materials on the websites: https://rusolut.com/ https://www.cellebrite.com/en/products/ufed-ultimate/ There is a lot of marketing in it, but do not expect that you can find a lot of technical data, especially those related to data security on these devices in open access.
  • asked a question related to Digital Forensics
Question
5 answers
Possibly on some techniques or methodologies in analysis of forensic sources of data
Relevant answer
Answer
One author recommended in this area is Eoghan Casey. Other authors are Dan Farmer and Wietse Venema. They talk about various aspects of computer forensics.
  • asked a question related to Digital Forensics
Question
5 answers
Talking about a multi-platform digital forensic software that supports computer and smartphones, including tablets.
Relevant answer
Answer
It depends on what you are looking for, commercial or open source. However, here is a wiki list that contains both categories with a brief description for each software/tool.
  • asked a question related to Digital Forensics
Question
3 answers
I need the database of digital crimes committed especially for cases already established may be in a court of law.
Relevant answer
Answer
You might be also interested in the IoT Forensics Challenge provided by DFRWS. Have a look here.
  • asked a question related to Digital Forensics
Question
7 answers
What are the various forensic tool kits? I want to generate reports from them; is there any which works effectively? Or how can I know more about forensic tool kits: are they freeware, and how reliable are they?
Relevant answer
Answer
Dibakar,
This is not a definitional issue but an operational and practical one. In my experience courts are skeptical of network traces and give more weight to dead system forensics (electronic discovery and malware forensics have different requirements, and in my case the focus is on electronic discovery).
In my view more emphasis is needed on procedures for VM image acquisitions, such as novel procedures on hashing temporal variations of the VM, validating integrity of the host against escaping/jailbreaking (without access to the underlying machine), minimization of the impact of image acquisition through the VM OS, etc. Each provider and service provides different levels of access to the platform, and procedures should be flexible enough to provide the necessary information and integrity to stand up to scrutiny.
Network forensics is very lacking in integrity procedures such as built-in hashing of network traces, cross-validation procedures against spoofing, etc. Tying the trace to the machine to the user is extremely difficult to show in court without additional evidence that lies outside network forensics, and this should be the focus in my view.
  • asked a question related to Digital Forensics
Question
15 answers
Relevant answer
Answer
There are many tools available, especially for ransomware viruses.
Trend Micro has released a Ransomware File Decryptor tool to attempt to decrypt files encrypted by the various ransomware families.
TeslaCrypt V1
AutoLocky
BadBlock
Stampado
Kaspersky's RakhniDecryptor tool is also designed to decrypt such files.
  • asked a question related to Digital Forensics
Question
4 answers
We need documentation about the EXT4 file system in Android mobiles for digital forensics.
Relevant answer
Answer
Try this method: https://www.cyberciti.biz/tips/linux-ext3-ext4-deleted-files-recovery-howto.html
A straight hex editor is just going to be hard work, as you need to parse the journal to locate the file fragments post-deletion.
  • asked a question related to Digital Forensics
Question
4 answers
Is the topic a future topic? What are the resources from where one can get updated information about cloud forensics, and what is the current research going on in it?
Relevant answer
Answer
It's a fantastic work, Dr. Min, especially for the freshers into CLOUD. CONGRATULATIONS
  • asked a question related to Digital Forensics
Question
7 answers
resources and tools
Relevant answer
Answer
Hi Khaja
Start by doing a Google Book search on cloud forensics. You will be able to access many books, some of which you will be able to read for free. Check also the major cloud forensic conferences for suitable cloud forensic papers.
I have added a list of papers from a broad range of disciplines that you can get access to, to see how forensics are viewed across disciplines.
Digital forensics are challenging, but cloud brings much more difficulty to forensic investigations, introducing special technical complexities to the equation.
I hope that will get you started.
Regards
Bob
  • asked a question related to Digital Forensics
Question
3 answers
We all, or some of us, have an idea of the capabilities of Zeus, which is still commercial as we speak. Zeus has managed to steal a lot of millions of $$ and a pretty good amount of personal information through the herders. Why is the pace of stopping Zeus or taking it down so slow? I know the binaries keep changing each day. Nevertheless, can we attribute this to the anti-forensics techniques still being far ahead of the available digital forensic tools? Other than EnCase and other major FTKs, what can stop this mess once and for all?
Relevant answer
Answer
The problem with takedowns of botnet command and control servers is partially a legal issue, since some internet service providers in some countries do not respond to such requests. Some of these may even profit from being a safe haven for cyber crime. It is also very much harder to stop the growth of a botnet than to grow one, since it is opportunistic and may only need one exploitable vulnerability to successfully infect new hosts, whereas to protect against such attacks all vulnerabilities must be covered. I do not think the sophistication of the attack tools is to blame; it is more the opportunity from huge amounts of poorly implemented or nonexistent cyber security.
  • asked a question related to Digital Forensics
Question
3 answers
In the case of file digital evidence resulting from the acquisition and imaging of an electronic device, is there any metadata standard that is applied to digital evidence? Is there any similar research that discusses metadata (standard / specification / schema / element) for digital evidence?
Relevant answer
Answer
ACPO guideline. ISO, NIST, etc. guidelines show metadata forensics is important, but it depends upon case requirements...
  • asked a question related to Digital Forensics
Question
4 answers
If we employ a forensic agent/multi-agent to gather "potential" digital forensic data across diverse platforms, we all know that this data will be streaming from different platforms. So if this is true, how can we solve the problem of time synchronization across the different platforms if all agents in the machines are synchronized within the same time zone?
*Take note: If we have to normalize based on attributes.
Relevant answer
Answer
Hello Victor,
In addition to NTP, you shall also make the systems sync the date with Google servers. This is also applicable if your application is distributed in different geographical locations.
  • asked a question related to Digital Forensics
Question
8 answers
If we are only collecting logs, content may be gone by the time someone initiates an investigation. On the same note, if we are collecting all content/data on the system and the logs, this becomes an impossible proposition, since you need more storage than all of the content on the system to contain content and logs. Whenever I see analysis being addressed (although MapReduce is now on the way as other, more effective analysis methods have been brought to bear). Whenever we experience storage problems, is it an advantage if you have effective data computation mechanisms, or would the suspect still have erased the traces? From an expert opinion: you might be removing what you are looking for WRT analysis. What is what in this context?
Relevant answer
Answer
You could look at application of Provenance for forensic/compliance (I think a lot of work left to be done in that area). The following papers are not necessarily directly relevant but may give you a good intuition.
  • asked a question related to Digital Forensics
Question
6 answers
I am working on data hiding at edges. In my contribution I am getting PSNR values greater than 100 for some images.
Relevant answer
Answer
That is what I expected: 8 bit gray scale makes max. 48 dB from the pixel values (20 * log(MaxI)). (Less, if you have images not reaching the 0xFF white level.)
Anything beyond that comes from very small MSE-Values. MSE 0.01 would add 11.6 dB, but I guess you have much lower values in some images. Could be from a lack of edges at all, could be from "soft edges".
So, everything is according to the theory. When looking at an explanation, splitting the PSNR into terms for image content and MSE contribution should help assessing the "meaning" of PSNR values below/above 100 dB.
Good luck and have fun
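The split into a peak term and an MSE term that this answer describes, as an added Python example that is not part of the original thread. The 512x512 ramp image, the function names and the model of embedding as isolated ±1 pixel changes are assumptions made for the illustration.

```python
import math

WIDTH = HEIGHT = 512  # constructed 8-bit grayscale cover, row-major

def make_cover():
    # Constructed test image: horizontal ramp with values 0..255
    return [x // 2 for _ in range(HEIGHT) for x in range(WIDTH)]

def flip_lsbs(cover, k):
    """Copy of cover with the LSB of k evenly spaced pixels flipped (+/-1 each)."""
    stego = list(cover)
    step = len(cover) // k
    for i in range(k):
        stego[i * step] ^= 1
    return stego

def psnr_terms(cover, stego, max_i=255):
    """Return (peak_term_dB, mse_term_dB, psnr_dB); PSNR is the sum of both terms."""
    if len(cover) != len(stego):
        raise ValueError("images must have the same number of pixels")
    mse = sum((a - b) ** 2 for a, b in zip(cover, stego)) / len(cover)
    peak_term = 20 * math.log10(max_i)      # about 48.13 dB for 8-bit data
    if mse == 0:                            # identical images: PSNR is unbounded
        return peak_term, math.inf, math.inf
    mse_term = -10 * math.log10(mse)        # grows as fewer pixels change
    return peak_term, mse_term, peak_term + mse_term

def max_unit_changes(n_pixels, target_db, max_i=255):
    """Largest number of +/-1 pixel changes that keeps PSNR >= target_db."""
    mse_limit = max_i ** 2 / 10 ** (target_db / 10)  # k changes give MSE = k / n
    return math.floor(mse_limit * n_pixels)

if __name__ == "__main__":
    cover = make_cover()
    for k in (1, 2, 1000):
        peak, mse_db, total = psnr_terms(cover, flip_lsbs(cover, k))
        print(f"{k:5d} changed pixels: {peak:.2f} + {mse_db:.2f} = {total:.2f} dB")
    print("changes allowed at 100 dB:", max_unit_changes(WIDTH * HEIGHT, 100))
```

On an image of this size, a PSNR above 100 dB leaves room for a single ±1 change, so such a value is worth checking against the number of pixels the embedding actually modified.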
  • asked a question related to Digital Forensics
Question
6 answers
digital forensic investigations in the cloud
Relevant answer
Answer
Mr John Kingathia, thanks for your input. What you mentioned is the problem that I was asking about, but you forgot something small. My focus in this is not the generic aspect of forensics. While the domain is literally enormous, I am inclined towards digital forensics/computer forensics. Well, while I concur with what you suggest about the standards, it is worth noting that currently we do not have any acceptable digital forensic standards that can spearhead the process. I am currently working alongside a recently published ISO standard that my research group proposed and it was seconded worldwide, but its focus is on the proactive side. Now the reason why professional bodies might be void in this context is because the legal considerations regarding "digital forensic evidence" will always vary; you cannot impose on a jurisdiction to accept what they feel is not supported by their law. Something else that I mentioned again was the aspect of the cloud: the servers that hold some objects might reside in a different jurisdiction while the crime might occur in a totally different jurisdiction. How would you provide the provenance? As Arturo Geigel quoted up there, we should try and look into that important aspect per se: "comprehensive global risk assessment guidelines for cloud services that include risks incurred when doing a forensic data acquisition. Once consensus is reached on the risks, then proper mitigation through legislation or forensic guidelines/ technology can be developed". How will the rule of evidence apply? What tools will be novel in this case? How will you prove evidential data is what it should be? What are the evidential requirements with respect to the cloud? How will you perform segregation? What will be different from what exists now? What is the current state of the art? That is why I introduce the cloud forensic architectures.
  • asked a question related to Digital Forensics
Question
2 answers
How do these impact current digital forensic techniques? Any suggestions on alternative forensic analysis technique?
Relevant answer
Answer
Thanks Sergio, ...... looking into the book contents.....
  • asked a question related to Digital Forensics
Question
7 answers
I am interested in buying forensic software; please suggest some along with vendors and prices. Thank you.
Relevant answer
Answer
We use AccessData FTK 5, EnCase 7, and X-Ways. Additionally, OS Forensics is also a good and cheap tool. For smartphone forensics we use Oxygen Forensic Suite.
  • asked a question related to Digital Forensics
Question
2 answers
Recent technological advances in mobile phones and the development of smart phones have led to increased use of and dependence on the mobile phone.
Relevant answer
Answer
Smart devices are complex devices for forensic investigations: different operating systems, various hardware combinations, and no standard tools which support the whole smart device base. So mobile forensics is a big challenge to us. Technically speaking, each phone needs a separate investigation tool. There is no standard procedure to follow for evidence analysis.
  • asked a question related to Digital Forensics
Question
1 answer
It is possible to use shot boundaries to counter the problem of synchronization (time shift) in video systems fingerprinting, and also what is the extent of this timing shift in the accuracy of results. Thanks and best regards.
Relevant answer
Answer
Dear Aissa Boukhari, Read the article accessible at link given below. Check how much it is useful for you. With best wishes, Good Luck!
  • asked a question related to Digital Forensics
Question
3 answers
I need the vendor details and approximate cost of the software in INR.
Relevant answer
Answer
I am assuming that your question is directed at dead system forensic analysis and will answer based on this assumption.
I have used:
* FTK (do not know current price, but when I bought it was about the same as Encase) http://www.accessdata.com/products/digital-forensics/ftk
* X-ways forensics (~94313.11) http://www.x-ways.net/order.html
These are costly to maintain and if you can sit down for a while and read the code you can in principle testify on the validity of open source tools such as:
* dd, md5sum, sha512sum, Autopsy and the Sleuthkit which are already available to install on most Linux distributions. Another alternative is that you can download Backtrack or its more recent incarnation of Kali (which I have not personally used but is the rewrite of Backtrack) which already comes with the software to use on external media.
An additional benefit from Linux distribution in external media is that the applications will not run using your computer hard drive and that is a plus in case it is requested as evidence.
Note: Most of the investigations I have carried out I do first on open source tools and validate with commercial ones.
Hope this helps.
  • asked a question related to Digital Forensics
Question
14 answers
Given that a piece of malware generally has escalated privileges when it has infected a host, it should be plausible to change/fake the MAC address for traffic coming from the infected host. Has anyone come across any malware that does this?
Relevant answer
Answer
"MAC address filtering for wireless networking isn't real 'security'"
"You can spoof a MAC address when using Nmap with nothing more than a --spoof-mac command line option for Nmap itself to hide the true source of Nmap probes. If you give it a MAC address argument of '0', it will even generate a random MAC address for you."
  • asked a question related to Digital Forensics
Question
1 answer
Here are the steps that I am successful with so far:
1. Apply 3 levels of DWT to the host image
2. Apply SVD to one of the subbands
3. Convert the subband and SVs to semi-binary using my own algorithm, which will convert a number such as 205.36 to a semi-binary form like:
1.36 0 1 1 0 0 1 1
4. Insert my watermark inside the first and second LSB of the semi-binary form
5. Apply the reverse SVD
6. Apply the IDWT
Until here my watermark remains intact. But when I am going to write the image like
% convert back to uint8
WImg8=uint8(WImg);
imwrite(WImg8,'dwt_watermarked.bmp','bmp');
After extracting the watermark, the watermark is something else. I was wondering if I am doing something wrong? Do I have to convert the whole thing to uint8? Because otherwise the written image is one blank image if I don't convert it to uint8.
Relevant answer
Answer
I think you are not paying attention to the fact that the image representation in the spatial (color) domain contains only integer numbers, so if your watermarking is sensitive to the fractional part, it will be discarded.
In most practical methods, parameters are set in a way that the method becomes robust against this quantization error.
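The quantization effect this answer describes, as an added Python example that is not the poster's MATLAB code. It is reduced to a one-level Haar DWT on constructed 2x2 blocks with no SVD step; the function names, the sample blocks and the choice of quantization index modulation with step `delta` as the robust variant are assumptions made for the illustration.

```python
import math

def haar2x2(a, b, c, d):
    """One-level 2-D Haar transform of a 2x2 block: (LL, LH, HL, HH)."""
    return ((a + b + c + d) / 2, (a - b + c - d) / 2,
            (a + b - c - d) / 2, (a - b - c + d) / 2)

def ihaar2x2(ll, lh, hl, hh):
    """Inverse of haar2x2; the result is generally not integer-valued."""
    return ((ll + lh + hl + hh) / 2, (ll - lh + hl - hh) / 2,
            (ll + lh - hl - hh) / 2, (ll - lh - hl + hh) / 2)

def to_uint8(x):
    # Round to nearest and clip, as the uint8 conversion before saving does
    return min(255, max(0, math.floor(x + 0.5)))

def embed(block, bit, delta):
    """Move LL to a multiple of delta whose index parity equals the bit."""
    ll, lh, hl, hh = haar2x2(*block)
    q = math.floor(ll / delta + 0.5)
    if q % 2 != bit:
        q += 1 if ll >= q * delta else -1
    return ihaar2x2(q * delta, lh, hl, hh)

def extract(block, delta):
    return math.floor(haar2x2(*block)[0] / delta + 0.5) % 2

def bit_errors(blocks, bits, delta, save_as_uint8):
    """Count watermark bits that differ after the optional uint8 round trip."""
    errors = 0
    for block, bit in zip(blocks, bits):
        marked = embed(block, bit, delta)
        if save_as_uint8:
            marked = tuple(to_uint8(p) for p in marked)
        errors += extract(marked, delta) != bit
    return errors

# Constructed sample data: four 2x2 pixel blocks and one bit per block
BLOCKS = [(100, 102, 101, 104), (57, 60, 59, 61),
          (200, 198, 199, 197), (30, 33, 31, 35)]
BITS = [1, 0, 1, 0]

if __name__ == "__main__":
    # delta=1 is LSB-scale embedding in the coefficient; delta=8 leaves margin
    print("delta=1, kept as float:", bit_errors(BLOCKS, BITS, 1, False))
    print("delta=1, saved as uint8:", bit_errors(BLOCKS, BITS, 1, True))
    print("delta=8, saved as uint8:", bit_errors(BLOCKS, BITS, 8, True))
```

Rounding moves each pixel by at most 0.5, which moves LL by at most 1 in this transform, so a step whose half-width exceeds 1 survives the save while LSB-scale changes in the coefficient do not.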