Publication


Featured research published by Ewa Huebner.


Digital Investigation | 2006

Data hiding in the NTFS file system

Ewa Huebner; Derek Bem; Cheong Kai Wee

In this paper we examine the methods of hiding data in the NTFS file system. Further we discuss the analysis techniques which can be applied to detect and recover data hidden using each of these methods. We focus on sophisticated data hiding where the goal is to prevent detection by forensic analysis. Obvious data hiding techniques, for example setting the hidden attribute of a file, will not be included. Hidden data can be further obfuscated by file system independent approaches like data encryption and steganography. This paper is only concerned with the methods which are made possible by the structure of the NTFS file system, and with the recovery of hidden data, not its interpretation.


Digital Investigation | 2007

User data persistence in physical memory

Jason Solomon; Ewa Huebner; Derek Bem; Magdalena Szeynska

In this paper we present the results of experiments we conducted on Suse Linux and Windows XP systems to determine the age of user process data in physical memory. To be able to measure the age of pages we used an artificial load program which time-stamps data segment and block device cache pages. Our goal was to compare the behaviour of both systems and to determine whether the rate of decay for user data depends on the demand for physical memory. Our findings show that Windows and Linux systems preserve almost the same number of pages with user data, and the age distribution of these pages does not change significantly with the level of demand.


Digital Investigation | 2007

Persistent systems techniques in forensic acquisition of memory

Ewa Huebner; Derek Bem; Frans Henskens; Mark Wallis

In this paper we discuss how operating system design and implementation influence the methodology for computer forensics investigations, with the focus on forensic acquisition of memory. In theory the operating system could support such investigations both in terms of tools for analysis of data and by making the system data readily accessible for analysis. Conventional operating systems such as Windows and UNIX derivatives offer some memory-related tools that are geared towards the analysis of system crashes, rather than forensic investigations. In this paper we demonstrate how techniques developed for persistent operating systems, where lifetime of data is independent of the method of its creation and storage, could support computer forensics investigations delivering higher efficiency and accuracy. It is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. We further propose a new technique for forensically sound acquisition of memory based on the persistence paradigm.


Journal of Digital Forensic Practice | 2008

Forensic Extraction of EFS-Encrypted Files in Live System Investigation

Ewa Huebner; Derek Bem

Encrypted files captured by acquiring a bit-by-bit image in the process of conventional forensic investigation are practically impossible to decrypt without knowing the key and the method of encryption. The Windows operating system provides the option to encrypt files using an encryption driver bundled with the New Technology File System (NTFS) file system, the so-called encrypting file system (EFS). EFS files can be manipulated transparently by the owner and the system administrator as long as they reside in an NTFS file system. In this article we demonstrate the methodology of extracting EFS-decrypted files from a live system. The method of extraction is built around a software utility, Robocopy, which does not modify any metadata of the file system during extraction. The hash value for the encrypted data calculated before and after the extraction is identical, so this approach can be considered to be forensically sound. We present a scenario that shows that live system investigation is indispensable in obtaining complete information about the system being examined. This information would be lost if conventional methods were applied, even when supplemented by the capture and analysis of physical memory.


information systems technology and its applications | 2009

Formalizing Computer Forensics Process with UML

Chun Ruan; Ewa Huebner

This paper introduces modeling methodologies to computer forensics to provide formalism and a structured approach to computer forensics activities. It studies how to use UML diagrams to model and visualize various aspects of a computer forensics system. It first applies UML to model the basic components of a computer forensic process and their relationships. It then uses UML to further visualize the activities carried out for each component. The formal graphical model provides a well-defined and straightforward semantics to the computer forensics process making it easier to understand by various parties involved.


computer science and software engineering | 2008

Computer Forensics Tertiary Education in Australia

Ewa Huebner; Derek Bem; Chun Ruan

The number of computer forensics related courses in Australian universities tripled in the last three years. This unprecedented growth is fuelled by the growth of the discipline itself and the increase in demand for specialists by both law enforcement agencies and business organisations. This paper presents an overview of current computer forensics education in Australian tertiary institutions. We also discuss the position of computer forensics in the body of knowledge and the issues of curriculum development, including the involvement of professional societies.


information security and assurance | 2009

Methodology and Tools of IS Audit and Computer Forensics – The Common Denominator

Magdalena Szeżyńska; Ewa Huebner; Derek Bem; Chun Ruan

Information system audit and computer forensics each developed its own set of standards based on a separate discipline of knowledge. In this paper we analyse the tools and methodology used by IS auditors and computer forensic experts in the contemporary world, with the focus on emerging similarities between their needs and goals. We demonstrate the benefits which could be derived from the increased convergence of tools and methodology used in both areas, and we discuss possible modifications to existing tools and methodology to fulfill this goal.


Archive | 2010

Computer Forensics Education – the Open Source Approach

Ewa Huebner; Derek Bem; Hon Cheung

In this chapter we discuss the application of the open source software tools in computer forensics education at tertiary level. We argue that open source tools are more suitable than commercial tools, as they provide the opportunity for students to gain in-depth understanding and appreciation of the computer forensic process as opposed to familiarity with one software product, however complex and multi-functional. With the access to all source programs the students become more than just the consumers of the tools as future forensic investigators. They can also examine the code, understand the relationship between the binary images and relevant data structures, and in the process gain necessary background to become the future creators of new and improved forensic software tools. As a case study we present an advanced subject, Computer Forensics Workshop, which we designed for the Bachelor’s degree in computer science at the University of Western Sydney. We based all laboratory work and the main take-home project in this subject on open source software tools. We found that without exception more than one suitable tool can be found to cover each topic in the curriculum adequately. We argue that this approach prepares students better for forensic field work, as they gain confidence to use a variety of tools, not just a single product they are familiar with.


conference on computer graphics and interactive techniques in australasia and southeast asia | 2006

A global hierarchical Z space algorithm for cluster parallel graphics architectures

Abram Santilli; Ewa Huebner

In this paper we present a new global hierarchical Z-space sort-last algorithm for cluster parallel graphics architectures that improves upon algorithms used so far for high performance super-graphics. The new algorithm bypasses limitations of sort-last tile based parallelization paradigms, and solves some known Z-space parallelization inefficiencies. The algorithm is implemented as a global hierarchical-Z system which allows GPUs to perform high frequency global intra-frame Z-culling and distributed final frame Z-determination. The new algorithm allows for full one-to-one process-GPU coupling with minimal inter-process and inter-GPU communications. This enables maximal input bandwidth, maximum GPU utilization levels, near optimal load balances and improved efficiency when scaled to larger configurations.


International Journal of Digital Evidence | 2007

Computer Forensic Analysis in a Virtual Environment

Derek Bem; Ewa Huebner

Collaboration


Dive into Ewa Huebner's collaboration.

Top Co-Authors

Derek Bem

University of Western Sydney

Chun Ruan

University of Western Sydney

Hon Cheung

University of Western Sydney

Magdalena Szeynska

Warsaw University of Technology

Magdalena Szeżyńska

Warsaw University of Technology

Abram Santilli

University of Western Sydney

Francine Feld

University of Western Sydney

Jason Solomon

University of Western Sydney
