Gianluigi Me

A Case Study on Digital Forensics in the Cloud

Cloud computing and cloud forensics are probably the two most popular and debated IT topics in recent years, implying relevant technological and economic opportunities, the former, and open issues such as the ability to perform digital investigations in the cloud, the latter. In cloud forensics, the distributed nature of data processing in the cloud and the lack of physical access to digital artifacts on the server side represent, indeed, a serious concern for investigators and stakeholders, as traditional approaches to evidence collection and recovery may be no longer applicable. In this paper we discuss technical aspects of digital forensics in cloud computing environments and present results of a case study about user-cloud interaction, aimed at assessing whether existing digital forensics techniques are still applicable to cloud investigations. We conclude proposing a new methodology for automatic cloud-based artifact categorization as a future work.

A mobile based approach to strong authentication on Web

The rapid increase of the phishing phenomenon states that the Web authentication systems not based on one time password (OTP) are definitively ineffective in providing financial services. Existent Web authentication systems have been developed on the classic username/password mechanism using a single channel, either mobile or Web, generating an expensive or inadequate authentication system. The proposed solution is a combined Web/mobile authentication system. The basic authentication mechanism is integrated with a challenge/response process and an OTP. The challenge is issued from an authentication server and has to authenticate a mobile device, typically a cell phone. This device can communicate with any other involved parts through a fixed terminal, typically a personal computer, via a Bluetooth connection. The mobile device, once accepted, performs the authentication with the web site or application. This final step is accomplished using a temporary one-time password

Transaction Oriented Text Messaging with Trusted-SMS

The exponential growth of the Short Message Service(SMS) use has led this service to a widespread tool for social, marketing and advertising messaging. The mobile devices are quickly becoming Personal Trust Devices (PTD), embedding personal data, which allow sending/receiving private information from/to the PTD. This paper introduces our Trusted-SMS system, which allows users to exchange non-repudiable SMSs, digitally signed with the Elliptic Curve Digital Signature Algorithm (ECDSA). This system can fit in many scenarios, such as commercial transaction, bureaucratic delegation etc.. In fact, the few bytes signature is embedded into a single SMS, leaving many bytes, depending on the choice of the elliptic curve, for the SMS payload.

Local Authentication with Bluetooth enabled Mobile Devices

As the processing power of mobile devices such as PDAs and smartphones increase they constitute the target platforms for new value-added services and applications and excellent candidates for personal trusted devices (PTDs). Furthermore, handheld devices are increasingly networked and thus provide a natural and ubiquitous token for authentication purposes. This paper presents a framework and prototype system for exploiting these facts. A Bluetooth-enabled smartphone is used to protect a laptop from unauthorised access with an approach that improves convenience and usability from the users perspective. The main building blocks are a Diffie-Hellmann based two-party key agreement protocol with authentication mechanisms based on Java midlets and low-entropy human memorable passwords. The results are readily extended to other environments such as payment transactions, remote control of appliances and services, transactions on unattended dispensers of goods such as parking meters, petrol stations, etc

Fast User Classifying to Establish Forensic Analysis Priorities

In computer and common crimes, important evidence or clues are increasingly stored in the computers hard disks. The huge and increasing penetration of computers in the daily life together with a considerable increase of storage capacity in mass-market computers, pose, currently, new challenges to forensic operators. Usually a digital forensic investigator has to spend a lot of time in order to find documents, clues or evidence related to the investigation among the huge amount of data extracted from one or more sized hard drive. In particular, the seized material could be very huge, and, very often, only few devices are considered relevant for the investigation. In this paper we propose a methodology and a tool to support a fast computer user profiling via a classification into investigator-defined categories in order to quickly classify the seized computer user. The main purpose of the methodology discussed is to define the class of the user in order to establish an effective schedule with priorities based on the computer user content.

Triage-based automated analysis of evidence in court cases of copyright infringement

Over the past few years, the number of crimes related to the worldwide diffusion of digital devices with large storage and broadband network connections has increased dramatically. In order to better address the problem, law enforcement specialists have developed new ideas and methods for retrieving evidence more effectively. In accordance with this trend, our research aims to add new pieces of information to the automated analysis of evidence according to Machine Learning-based “post mortem” triage. The scope consists of some copyright infringement court cases coming from the Italian Cybercrime Police Unit database. We draw our inspiration from this “low level” crime which is normally sat at the bottom of the forensic analysts queue, behind higher priority cases and dealt with the lowest priority. The present work aims to bring order back in the analysts queue by providing a method to rank each queued item, e.g. a seized device, before being analyzed in detail. The paper draws the guidelines for drive-under-triage classification (e.g. hard disk drive, thumb drive, solid state drive etc.), according to a list of crime-dependent features such as installed software, file statistics and browser history. The model, inspired by the theory of Data Mining and Machine Learning, is able to classify each exhibit by predicting the problem dependent variable (i.e. the class) according to the aforementioned crime-dependent features. In our research context the “class” variable identifies with the likelihood that a drive image may contain evidence concerning the crime and, thus, the associated item must receive an high (or low) ranking in the list.

Searching the Web for illegal content: the anatomy of a semantic search engine

In this paper, we describe the challenges in the realization of a semantic search engine, suited to help law enforcements in the fight against the online drug marketplaces, where new psychoactive substances are sold. This search engine has been developed under the Semantic Illegal Content Hunter (SICH) Project, with the financial support of the Prevention of and Fight Against Crime Programme ISEC 2012 European Commission. The SICH Project-specific objective is to develop new strategic tools and assessment techniques, based on semantic analysis on texts, to support the dynamic mapping and the automatic identification of illegal content over the Net. In particular, a Web search engine can be roughly divided into three main components: (a) the crawler that is in charge of collecting the Web pages to be indexed, (b) the indexer that parses and stores the collected data and (c) the query processor that interacts with the user parsing a query and returning the relevant document; in this paper, we detail each of these components of the SICH search engine, highlighting the differences from a traditional Web search engine.

Fast smartphones forensic analysis results through mobile internal acquisition tool and forensic farm

Market penetration of smartphones and the enriched capabilities of new devices lead to the storage of lot of data in their internal memory, providing a silent witness of digital crimes and private facts as well. This article proposes a new methodology and a tool for data acquisition by using the removable memory cards (e.g. SD, mini SD, MMC, etc.) to execute in crime scene situ. The presented methodology relies on a forensic farm where Symbian and Windows Mobile devices file system images, acquired via the tool and sent through the forensic operator mobile device, are automatically processed by a piece of software, in order to provide quick and standard results. The purpose of this quick (and general, not ad-hoc) response is to provide essential investigative information to the crime scene operator in the lowest time, in order to collect further evidences, related to the content of the sized smartphone.

Searching the Web for Illegal Content: The Anatomy of a Semantic Search Engine

In this paper we describe the challenges in the realization of a semantic search engine, suited to help law enforcements in the fight against the online drug marketplaces, where New Psychoactive Substances (NPS) are sold. This search engine has been developed under the Semantic Illegal Content Hunter (SICH) Project, with the financial support of the Prevention of and Fight Against Crime Programme ISEC 2012 European Commission. The SICH Project specific objective is to develop new strategic tools and assessment techniques, based on semantic analysis on texts, to support the dynamic mapping and the automatic identification of illegal content over the Net.

Data reverse engineering on a smartphone

In this paper we propose a novel methodology which applies data reverse engineering on a smartphone, which aims at helping the operator to identify in which files the personal information are contained and how to decode them, in order to be converted in a more suitable format. The proposed methodology shows its full potential when applied to mobile operating systems for which data formats are not open or not public. The work in this paper follows the MIAT (Mobile Internal Acquisition Tool) open source tool to support investigation from the data acquisition to the data analysis, but the decoded information can be used to serve other areas beyond mobile forensics.