Benjamin Turnbull

Towards a Formalization of Digital Forensics

While some individuals have referred to digital forensics as an art, the literature of the discipline suggests a trend toward the formalization of digital forensics as a forensic science. Questions about the quality of digital evidence and forensic soundness continue to be raised by researchers and practitioners in order to ensure the trustworthiness of digital evidence and its value to the courts. This paper reviews the development of digital forensic models, procedures and standards to lay a foundation for the discipline. It also points to new work that provides validation models through a complete mapping of the discipline.

Wi-Fi Network Signals as a Source of Digital Evidence: Wireless Network Forensics

802.11-based wireless networking has significantly altered the networking means and topology for cities, offices, homes and coffee shops over the last five years. A second generation of wireless devices has extended what was once a computer-to-computer protocol into the area of embedded functional devices. Accompanying this widespread usage is the presence of crime; the more popular technology, the more opportunity exists for its misuse. This work studies the 802.11-based wireless networking environment from a forensic computing perspective. It seeks to understand the current state of wireless misuse: present misuses; potential forms of misuse involving 802.11-based wireless networks; and current tools and techniques used in its identification, containment and analysis. The research highlights the lack of current tools and procedures for forensic computing investigations that are able to effectively handle the presence of wireless devices and networks, and that there are forms of misuse that may escape detection by forensic investigation teams.

Wireless Forensic Analysis Tools for Use in the Electronic Evidence Collection Process

This paper discusses the need for both a series of electronic tools and procedural changes to the evidence collection process to accommodate the possibilities of wireless technologies. 802.11-based wireless technologies in particular pose an issue to the collection of electronic evidence, as devices that appear isolated may be tirelessly accessed during the collection phase, leading to after-seizure communications and a tampering of evidence in custody. Whilst forensic acquisition and analysis procedural guides are yet to discuss the acquisition of wireless devices, one of the core issues in collecting wireless devices is that there is no indication for the number or type of devices connected to a wireless network, should one exist in an area of interest. It is proposed that a series of forensic software tools be developed to aid in the detection, analysis and control of wireless networks that are in the process of being seized for forensic analysis. Through control of the wireless medium, information regarding connected devices may be gathered and methods to prevent communication between devices during and after evidence seizure are also examined

The Anatomy of Electronic Evidence Quantitative Analysis of Police E-Crime Data

By understanding the past and present, the future can be predicted. This work seeks to understand how an Australian policing agency is currently receiving and analyzing sources of electronic evidence in the investigation of criminal activity. It shows how many devices are received, what kinds of device make up each analysis job, and for investigation into which crimes. From this, trends and workloads may be understood and future investments in equipment and research direction can be decided. The outcomes of this work may also allow for strategies to maximize training to non-technical staff and highlight investigative areas that may benefit from more use of electronic evidence. Finally, charting the trends in how commonly different electronic devices are analysed may allow for better handling of crime scenes and expand what is collected for different crime types. This work seeks to understand which types of crime are making most use of electronic evidence sources, to prepare for future changes in the discipline.

The Need for a Technical Approach to Digital Forensic Evidence Collection for Wireless Technologies

Whilst 802.11a/b/g wireless security is well documented by academic literature, there is little work discussing the forensic issues associated with the technology. This paper aims to discuss how 802.11-based wireless technologies may be misused compared with current electronic evidence collection and analysis techniques. The lack of procedural guides in the identification of wireless networks is noted, and the need for a technological solution in the evidence collection process of potential electronic evidence

Enhancing Computer Forensics Investigation through Visualisation and Data Exploitation

This paper focuses on establishing the need for new architectures on which to build visualisation systems that enhance computer forensic investigation of digital evidence. The issues surrounding processing of large quantities of digital evidence are established. In addition, the current state of visualisation and data analysis techniques for computer forensics are highlighted. This paper suggests need for new visualisation techniques in order to display data in familiar visual forms that facilitate efficient insight gaining into digital evidence. Visualisations techniques also require a source of processed data that contains context relevant information to present to an investigator. To this end this paper introduces the notion of data exploitation as a way to describe techniques that provide opportunistic data analysis across multiple sources of digital evidence. Data exploitation techniques provide normalisation techniques, event correlation, relationship extraction and investigative domain knowledge processing to occur across a set of evidence. This enables a visual representation of digital evidence to highlight relationships and events across many data sources, support an investigator throughout the entire data analysis process and enable an investigator to focus on the context of the current crime.

The 802.11 Technology Gap - Case Studies in Crime

Much has been written discussing the security vulnerabilities with 802.11 based networks, and what constitutes legal and illegal activity within the area. However, there is little academic literature available discussing whether this technology is being exploited for criminal purposes, and if it is, for what purposes. This paper investigates all public prosecutions where the accused have misused 802.11 wireless networks and the consequent outcomes. From this, it can be observed how similar crimes are being investigated, and possible future crimes may be examined.

The "Explore, Investigate and Correlate' (EIC) Conceptual Framework for Digital Forensics Information Visualisation

Establishing effective and novel techniques that are able to represent digital evidence in an efficient and understandable manner to investigators is a significant challenge within the digital forensics domain. Current tools and techniques do not scale well with the increasing volumes of evidence required for analysis. This paper defines a high-level conceptual framework to address issues surrounding scalability and comprehension of digital evidence. The aim of the Explore, Investigate and Correlate (EIC) framework is to provide a set of streamlined processes and tasks that enable digital evidence to be presented in a manner that can be rapidly understood, easily focused and to minimize the overall workload of a forensic analyst.

Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling

Prior to deploying any intrusion detection system, it is essential to obtain a realistic evaluation of its performance. However, the major problems currently faced by the research community is the lack of availability of any realistic evaluation dataset and systematic metric for assessing the quantified quality of realism of any intrusion detection system dataset. It is difficult to access and collect data from real-world enterprise networks due to business continuity and integrity issues. In response to this, in this paper, firstly, a metric using a fuzzy logic system based on the Sugeno fuzzy inference model for evaluating the quality of the realism of existing intrusion detection system datasets is proposed. Secondly, based on the proposed metric results, a synthetically realistic next generation intrusion detection systems dataset is designed and generated, and a preliminary analysis conducted to assist in the design of future intrusion detection systems. This generated dataset consists of both normal and abnormal reflections of current network activities occurring at critical cyber infrastructure levels in various enterprises. Finally, using the proposed metric, the generated dataset is analyzed to assess the quality of its realism, with its comparison with publicly available intrusion detection system datasets for verifying its superiority. HighlightsA fuzzy qualitative modeling based metric is proposed for evaluating the quality of an IDS dataset.A new IDS dataset is generated over multimillion scale Cyberrange testbed and provided publically.The proposed fuzzy qualitative modeling based metric is applied to proposed and existing major public IDS datasets to assess their quality of realism and to demonstrate the capability of proposed metric in examining the quality of an IDS dataset.

Development of InfoVis Software for Digital Forensics

Information Visualisation techniques are one method that may be used to combat the growing complexity and data sizes associated with digital forensic investigations. This work outlines the processes, challenges, trials and tribulations of developing proof-of-concept forensic software designed to create interactive Information Visualisations from digital evidence sources.