SADFE 2015 Proceedings


The proceedings of SADFE 2015 conference are published by Safe Society Labs as open access, and
licensed under a Creative Commons Attribution- NonCommercial 4.0 International License.
Creative Commons License

© Copyright remains with authors of each publication. Authors retain the right to reproduce,
distribute, display, adapt and perform their own work for any purpose.

Accepted Papers

  • By Arnim Eijkhoudt, Sijmen Vos, Adrie Stander

    Abstract. With the current growth of data in digital investigations, one solution for forensic investigators is to visualise the data for the detection of suspicious activity. However, this process can be complex and difficult to achieve, as there few tools available that are simple and can handle a wide variety of data types. This paper describes the development of a flexible platform, capable of visualising many different types of related data. The platform’s back and front end can efficiently deal with large datasets, and support a wide range of MIME types that can be easily extended. The paper also describes the development of the visualisation front end, which offers flexible, easily understandable visualisations of many different kinds of data and data relationships. 

    Keywords: Cyber-forensics, e-discovery, visualisation, cyber-security, computer forensics, digital forensics, big data, data mining

    Full Paper in PDF

  • By Paulo R. Nunes de Souza, Pavel Gladyshev

    Abstract. This paper describes a technique to acquire statistical information on the type of data object that goes into volatile memory. The technique was designed to run in Android devices and it was tested in an emulated Android environment. It consists in inserting code in the Dalvik interpreter forcing that, in execution time, every data that goes into memory is logged alongside with its type. At the end of our tests we produced Probability Distribution information that allowed us to collect important statistical information that made us distinguish memory values between references (Class, Exception, Object, String), Float and Integer types. The result showed this technique could be used to identify data objects of interest, in a emulated environment, assisting in interpretation of volatile memory evidence extracted from real devices.

    Keywords: Android, Dalvik, memory analysis.

    Full Paper in PDF

  • By David Billard, Paul Vidonne

    Abstract. This work introduces an unpublished technique for extracting data from flash memory chips, especially from Ball Grid Array (BGA) components. This technique does not need any heating of the chip component, as opposed to infrared or hot air de-soldering. In addition, it avoids the need of re-balling BGA in case of missing balls at the wrong place. Thus it enhances the quality and integrity of the data extraction. However, this technique is destructive for the device motherboard and has limitations when memory chip content is encrypted. The technique works by subtracting matter by micro-milling, without heating. The technique has been extensively used in about fifty real cases for more than one year. It is named frigida via, compared to the calda via of infrared heating.

    Keywords: Chip-off forensics, data extraction, BGA, data integrity preservation, micro-milling, infrared heating.

    Full Paper in PDF

  • By Maria Angela Biasiotti, Mattia Epifani, Fabrizio Turchi

    Abstract. Based upon the assumption that the very nature of data and information held in electronic form makes it easier to manipulate than traditional forms of data, that all legal proceedings rely on the production of evidence in order to take place and that electronic evidence is no different from traditional evidence in that is necessary for the party introducing it into legal proceedings, to be able to demonstrate that it is no more and no less than it was, when it came into their possession the EVIDENCE Project aims at providing a road map (guidelines, recommendations, technical standards) for realising the missing Common European Framework for the systematic and uniform application of new technologies in the collection, use and exchange of evidence. This road map incorporating standardized solutions aims at enabling all involved stakeholders to rely on an efficient regulation, treatment and exchange of digital evidence, having at their disposal as legal/technological background a Common European Framework allowing them to gather, use and exchange digital evidences according to common standards, rules, practises and guidelines. EVIDENCE activities will also aim at enabling the implementation of a stable network of experts in digital forensics communicating and exchanging their opinions and contributing as well to the building up of a stable communication channel between the public and the private sectors dealing with electronic evidence.

    Keywords: Digital evidence, digital evidence exchange, metadata, formal languages.

    Full Paper in PDF

  • By Donghoon Chang, Somitra Kr. Sanadhya, Monika Singh, Robin Verma

    AbstractDigital forensic investigators can take advantage of tools and techniques that have the capability of finding similar files out of thousands of files up for investigation in a particular case. Finding similar files could significantly reduce the volume of data that needs to be investigated. Sdhash is a well-known fuzzy hashing scheme used for finding similarity among files. This digest produces a ‘score of similarity’ on a scale of 0 to 100. In a prior analysis of sdhash, Breitinger et al. claimed that 20% contents of a file can be modified without influencing the final sdhash digest of that file. They suggested that the file can be modified in certain regions, termed ‘gaps’, and yet the sdhash digest will remain unchanged. In this work, we show that their claim is not entirely correct. In particular, we show that even if 2% of the file contents in the gaps are changed randomly, then the sdhash gets changed with probability close to 1. We then provide an algorithm to modify the file contents within the gaps such that the sdhash remains unchanged even when the modifications are about 12% of the gap size. On the attack side, the proposed algorithm can deterministically produce collisions by generating many di↵erent files corresponding to a given file with maximal similarity score of 100.

    KeywordsFuzzy hashing, similarity digest, collision, anti-forensics.

    Full Paper in PDF

  • By Stefan Nagy, Imani Palmer, Sathya Chandran Sundaramurthy, Xinming Ou, Roy Campbell

    AbstractThe forensic process relies on the scientific method to scrutinize recovered evidence that either supports or negates an investigative hypothesis. Currently, analysis of digital evidence remains highly subjective to the forensic practitioner. Digital forensics is in need of a deterministic approach to obtain the most judicious conclusions from evidence. The objective of this paper is to examine current methods of digital evidence analysis. It describes the mechanisms for which these processes may be carried out, and discusses the key obstacles presented by each. Lastly, it concludes with suggestions for further improvement of the digital forensic process as a whole.

    Keywords: Digital evidence, forensic reasoning, evidence reliability, digital forensics.

    Full Paper in PDF

  • By Joe Kong

    Abstract. In conducting criminal investigations it is quite common that forensic examiners need to recover evidentiary data from smartphones used by offenders. However, examiners encountered difficulties in acquiring complete memory dump from MTK Android phones, a popular brand of smartphones, due to a lack of technical knowledge on the phone architecture and that system manuals are not always available. This research will perform tests to capture data from MTK Android phone by applying selected forensic tools and compare their effectiveness by analyzing the extracted results. It is anticipated that a generic extraction tool, once identified, can be used on different brands of smartphones equipped with the same CPU chipset.

    Keywords: Mobile forensics, MTK Android phones, Android forensics, physical extraction, flash memory, MT6582.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Lee Tobin, Pavel Gladyshev

    Abstract. Cybercrime has been a growing concern for the past two decades. What used to be the responsibility of specialist national police has become routine work for regional and district police. Unfortunately, funding for law enforcement agencies is not growing as fast as the amount of digital evidence.

    In this paper, we present a forensic platform that is tailored for cost effectiveness, extensibility, and ease of use. The software for this platform is open source and can be deployed on practically all commercially available hardware devices such as standard desktop motherboards or embedded systems such as Raspberry Pi and Gizmosphere’s Gizmo board. A novel user interface was designed and implemented, based on Morphological Analysis.

    Keywords: Forensic device, open source, write-blocker, forensic imaging, morphological analysis, user interface design.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Alperen Şahin, Hüsrev T. Sencar

    Abstract. Recovery of fragmented files relies on the ability to accurately evaluate the adjacency of two fragments. Text-based files typically organize data in a very weakly structured manner; therefore, fragment re- assembly remains a challenging task. In this work, we evaluate existing adjacency measures that can be used for assembling fragmented test files. Our results show that individual performances of existing measures are far from adequately addressing this need. We then introduce a new approach that attempts to exploit the limited structural characteristics of text files which utilize constructs for description, presentation, and processing of file data. Our approach builds a statistical model of the ordering of file-type specific constructs and incorporates this information into adjacency measures for more reliable fragment reassembly. Results show that reassembly accuracy increases significantly with this approach.

    Keywords: File carving, text files, fragmentation, file reassembly.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Yanbin Tang, Zheng Tan, K.P. Chow, S.M. Yiu

    Abstract. Voice chat of instant message (IM) apps are getting popular. Huge amount of manpower is required to listen, analyze, and identify relevant chat files of IM apps in a forensic investigation. This paper proposes a semi-automatic integrated framework to deal with audio forensic investigation for IM apps by applying modern technologies. The main objective is to reduce the amount of manpower in the investigation. This is the first work that applies speech to text technology in voice chat of IM apps forensic. Both text and audio features are extracted to reconstruct the dialog conversation. Experiments with real case data show that the framework is promising. The framework is able to translate dialog into readable text and improve the efficiency during investigation with reconstructed conversation.

    Keywords: Audio, voice chat, instant message, smartphone, digital forensics.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Jason Farina, M-Tahar Kechadi, Mark Scanlon

    Abstract. In April 2015, BitTorrent Inc. released their distributed peer-to-peer powered browser Project Maelstrom into public beta. The browser facilitates a new alternative website distribution paradigm to the traditional HTTP based, client-server model. This decentralised web is powered by each of the users accessing each Maelstrom hosted website. Each user shares their copy of the website with other new visitors to the website. As a result, a Maelstrom hosted website cannot be taken offline by law enforcement or any other parties. Due to this open distribution model, a number of interesting censorship, security and privacy considerations are raised. This paper explores the application, its protocol, sharing Maelstrom content and its new visitor powered “web-hosting” paradigm.

    Keywords: Project Maelstrom, BitTorrent, decentralised Web, alternative Web, browser forensics.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Ibtesam Al Awadhi, Janet C Read, Andrew Marrington, Virginia N. L. Franqueira

    Abstract. In Digital Forensics, person-hours spent on investigation is a key factor which needs to be kept to a minimum whilst also paying close attention to the authenticity of the evidence. The literature describes challenges behind increasing person-hours and identifies several factors which contribute to this phenomenon. This paper reviews these factors and demonstrates that they do not wholly account for increases in investigation time. Using real case records from the Dubai Police, an extensive study explains the contribution of other factors to the increase in person-hours. We conclude this work by emphasizing on several factors affecting the person-hours in contrast to what most of the literature in this area proposes.

    Keywords: Cyber forensics, digital forensics, empirical data, forensic investigation, Dubai Police.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Ken Yau, Kam-Pui Chow

    Abstract. Supervisory Control and Data Acquisition (SCADA) system is an industrial control automated system. It is built with multiple Programmable Logic Controllers (PLCs). PLC is a special form of microprocessor-based controller with proprietary operating system. Due to the unique architecture of PLC, traditional digital forensic tools are difficult to be applied. In this paper, we propose a program called Control Program Logic Change Detector (CPLCD), it works with a set of Detection Rules (DRs) to detect and record undesired incidents on interfering normal operations of PLC. In order to prove the feasibility of our solution, we set up two experiments for detecting two common PLC attacks. Moreover, we illustrate how CPLCD and network analyzer Wireshark could work together for performing digital forensic investigation on PLC.

    Keywords: PLC forensics, SCADA security, Ladder Logic Programming.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Robert van Voorst, M-Tahar Kechadi, Nhien-An Le-Khac

    Abstract. There are many applications available for personal computers and mobile devices that facilitate users in meeting potential partners. There is, however, a risk associated with the level of anonymity on using instant message applications, because there exists the potential for predators to attract and lure vulnerable users. Today Instant Messaging within a Virtual Universe (IMVU) combines custom avatars, chat or instant message (IM), community, content creation, commerce, and anonymity. IMVU is also being exploited by criminals to commit a wide variety of offenses. However, there are very few researches on digital forensic acquisition of IMVU applications. In this paper, we discuss first of all on challenges of IMVU forensics. We present a forensic acquisition of an IMVU 3D application as a case study. We also describe and analyse our experiments with this application.

    Keywords: Instant Messaging, forensic acquisition, virtual universe 3D, forensic process, forensic case study.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Michael Losavio, Pavel Pastukov, Svetlana Polyakova

    Abstract. With ubiquitous computing and the growth of the Internet of Things, there is vast expansion in the deployment and use of event data recording systems in a variety of environments. From the ships’ logs of antiquity through the evolution of personal devices for recording personal and environmental activities, these devices offer rich forensic and evidentiary opportunities that smash against rights of privacy and personality. The technical configurations of these devices provide for greater scope of sensing, interconnection options for local, near, and cloud storage of data, and the possibility of powerful analytics. This creates the unique situation of near-total data profiles on the lives of others. We examine legal and ethical issues of such in the American and transnational environment.

    Keywords: Event, data, recorder, legal, ethical, privacy.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Xiao-Xi Fan, Kam-Pui Chow

    Abstract. The growing popularity of cyberlocker service has led to significant impact on the Internet that it is considered as one of the biggest contributors to the global Internet traffic estimated to be illegally traded content. Due to the anonymity property of cyberlocker, it is difficult for investigators to track user identity directly on cyberlocker site. In order to find the potential relationships between cyberlocker users, we propose a framework to collect cyberlocker related data from public forums where cyberlocker users usually distribute cyberlocker links for others to download and identity information can be gathered easily. Different kinds of sharing behaviors of forum user are extracted to build the profile, which is then analyzed with statistical techniques. The experiment results demonstrate that the framework can effectively detect profiles with similar behaviors for identity tracking and produce a taxonomy of forum users to provide insights for investigating cyberlocker-based piracy.

    Keywords: Identity tracking, taxonomy, user profiling, behavior analysis, cyberlocker, piracy.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Tina Wu, Jason R.C. Nurse

    Abstract. The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker’s intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the “Snapshot” function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker’s intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger’s suitability as a forensic tool to analyse and acquire the program code. Based on the experiment’s results, this hypothesis was rejected as PLC Logger had failed half of the tests. This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.

    Keywords: PLC debugging, program code, SCADA, digital forensics, NIST, PLCs, attackers.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.

  • By Mohammed Alzaabi, Thomas Martin, Kamal Taha, Andy Jones

    Abstract. Digital forensics investigators face a constant challenge in keeping track with evolving technologies such as smartphones. Analyzing the contents of these devices to infer useful information is becoming more time consuming as the volume and complexity of data are increasing. Typically, such analysis is undertaken by a human, which makes it dependent on the experience of the investigator. To overcome such impediments, an automated technique can be utilized in order to aid the investigator to quickly and efficiently analyze the data. In this paper, we propose F-DOS; a set of ontologies that models the smartphone content for the purpose of forensic analysis. F-DOS can form a knowledge management component in a forensic analysis system. Its importance lies in its ability to encode the semantics of the smartphone content using concepts and their relationships that are modeled by F-DOS.

    Keywords: Digital forensics, forensic analysis, ontology.

    Full version of this paper is published in the Journal of Digital Forensics, Security and Law.