Antonio Savoldi
University of Brescia
Publication
Featured research published by Antonio Savoldi.
ACM Symposium on Applied Computing | 2007
Antonio Savoldi; Paolo Gubian
The main purpose of this paper is to describe the real filesystem of SIM and USIM cards, enlightening what the official standard reference does not say. By analyzing the full filesystem of such embedded devices, it is possible to find a lot of undocumented files usable to conceal sensitive and arbitrary information that is unrecoverable with the standard tools normally used in a forensic field. In order to understand how it is possible to use a SIM/USIM for data hiding purposes, the paper will present a tool capable of extracting the entire observable memory of these devices together with the effective filesystem structure. Further, some practical examples regarding the data hiding procedure as a proof of concept will be analyzed and discussed.
International Conference on Future Generation Communication and Networking | 2007
Seokhee Lee; Antonio Savoldi; Sangjin Lee; Jongin Lim
The aim of this paper is to present a new tool, the Page-file Collection Tool (PCT), which can be used to obtain a pagefile on a live Windows based system. It is a known fact that a pagefile on a live system is protected by the operating system, which uses it in the virtual memory context. By using the NTFS filesystem specifications we were able to reconstruct the full pagefile, which can be used by a forensics expert to carve out further and precious information in the memory analysis field.
Intelligent Information Hiding and Multimedia Signal Processing | 2007
Antonio Savoldi; Paolo Gubian
The aim of this paper is to present an effective multi-class steganalysis system, based on high-order wavelet statistics, capable of attributing stego images to four popular steganographic algorithms, namely F5 [15], Outguess [11], JP Hide&Seek [9], and Steghide [6]. The proposed method, based on a clustering approach, provides significantly reliable results.
Intelligent Information Hiding and Multimedia Signal Processing | 2009
Antonio Savoldi; Paolo Gubian; Isao Echizen
Privacy in business processes for providing personalized services is currently a matter of trust. Business processes require the disclosure of personal data to third parties and users are not able to control their usage and so their further disclosure. Existing privacy-enhancing technologies consider access control but not usage control of personal data. The current work on usage control mainly considers formalization of usage rules, i.e. obligations, and their enforcement by using the mechanisms of digital rights management, secure logging of access requests for ex post enforcement, and non-linkable delegation of access rights to personal data. However, either these enforcement mechanisms do not consider a disclosure of personal data to third parties or they assume trustworthy data consumers or data providers. We investigated digital watermarking as a way of enforcing obligations for further disclosure of personal data without mandatory trust in service providers.
International Conference on Information Security | 2009
Antonio Savoldi; Paolo Gubian
The Live Forensics discipline aims at answering basic questions related to a digital crime, which usually involves a computer-based system. The investigation should be carried out with the very goal to establish which processes were running, when they were started and by whom, what specific activities those processes were doing and the state of active network connections. Besides, a set of tools needs to be launched on the running system by altering, as a consequence of the Locard’s exchange principle [2], the system’s memory. All the methodologies for the live forensics field proposed until now have a basic, albeit important, weakness, which is the inability to quantify the perturbation, or blurriness, of the system’s memory of the investigated computer. This is the very last goal of this paper: to provide a set of guidelines which can be effectively used for measuring the uncertainty of the collected volatile memory on a live system being investigated.
International Journal of Digital Crime and Forensics | 2009
Antonio Savoldi; Paolo Gubian
Most enterprises rely on the continuity of service guaranteed by means of a computer system infrastructure, which can often be based on the Windows operating system family. For such a category of systems, which might be referred to as mission-critical for the relevance of the service supplied, it is indeed fundamental to be able to define which approach could be better to apply when a digital investigation needs to be performed. This is the very goal of this paper: the definition of a forensically sound methodology which can be used to collect the full state of the machine being investigated by avoiding service interruptions. It will be pointed out why the entire volatile memory dump, with the necessary extension which is nowadays missing, is required with the purpose of being able to gather much more evidential data, by illustrating also, at the same time, the limitations and disadvantages of current state-of-the-art approaches in performing the collection phase.
2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering | 2008
Antonio Savoldi; Paolo Gubian
The aim of this paper is to demonstrate the usefulness of the pagefile in a live forensic context. The forensic science is striving to find new methodologies to analyze the massive quantity of data normally present in a medium-sized workstation, which can have up to several terabytes of storage devices. As a result, the live forensic approach seems to be the only one which can guarantee promptness in obtaining evidential data to be used in the investigative process. The current approach of volatile forensic analysis does not consider the pagefile as an important element to be used in the analysis. Therefore, we have developed a solution which permits the correlation of evidential data within the pagefile to the relative process located in the RAM dump. This work can be considered a natural extension of our previous work on this topic.
Mathematical and Computer Modelling | 2012
Kyung Soo Lim; Antonio Savoldi; Changhoon Lee; Sangjin Lee
The ever growing capacity of hard drives poses a severe problem to forensic practitioners who strive to deal with digital investigations in a timely manner. Therefore, the on-the-spot digital investigation paradigm is emerging as a new standard to select only that evidence which is important for the case being investigated. In the light of this issue, we propose an incident response tool which is able to speed up the investigation by finding crime-related evidence in a faster way compared with the traditional state-of-the-art post-mortem analysis tools. The tool we have implemented is called Live Data Forensic System (LDFS). LDFS is an on-the-spot live forensic toolkit, which can be used to collect and analyze relevant data in a timely manner and to perform a triage of a Microsoft Windows-based system. Particularly, LDFS demonstrates the ability of the tool to automatically gather evidence according to general categories, such as live data, Windows Registry, file system metadata, instant messaging services clients, web browser artifacts, memory dump and page file. In addition, unified analysis tools of ELF provide a fast and effective way to obtain a picture of the system at the time the analysis is done. The result of the analysis from different categories can be easily correlated to provide useful clues for the sake of the investigation.
Digital Investigation | 2012
Antonio Savoldi; Mario Piccinelli; Paolo Gubian
Data-wiping tools are meant to securely erase data. Malicious users may resort to such tools to eliminate traces of a crime they have committed. State-of-the-art wiping detection techniques rely on artifacts left by the use of such tools. However, in certain cases such artifacts can be obfuscated and the investigator is left with almost no clues that could point to a digital crime. Indeed, in this paper we would like to present a scenario involving an ideal data-wiping case (i.e. a method that does not leave any usual exploitable artifacts). In addition, we demonstrate an efficient statistical technique which allows the detection of on-disk wiped areas, both filled with random and periodic data. The performance and usability of the proposed techniques are discussed as well.
International Conference on Digital Forensics | 2010
Antonio Savoldi; Paolo Gubian; Isao Echizen
The goal of live digital forensics is to collect crucial evidence that cannot be acquired under the well-known paradigm of post-mortem analysis. Volatile information in computer memory is ephemeral by definition and can be altered as a consequence of the live forensic approach. Every running tool on an investigated system leaves artifacts and changes the system state. This paper focuses on the understanding and measurement of the uncertainty related to the important and emerging paradigm of live forensic investigations. It also presents some practical examples related to the evaluation of uncertainty.