Marcus K. Rogers

The future of computer forensics: a needs analysis survey

The current study was a pilot study and attempted to add to the growing body of knowledge regarding inherent issues in computer forensics. The study consisted of an Internet-based survey that asked respondents to identify the top five issues in computer forensics. Sixty respondents answered the survey using a free form text field. The results indicated that education/training and certification were the most reported issue (18%) and lack of funding was the least reported (4%). These findings are consistent with a similar law enforcement community study (Stambaugh, Beaupre, Icove, Cassaday, Williams. State and local law enforcement needs to combat electronic crime. National Institute of Justice Research in Brief (2001)). The findings emphasize the fragmented nature of the computer forensics discipline. Currently there is a lack of a national framework for curricula and training development, and no gold standard for professional certification. The findings further support the criticism that there is a disproportional focus on the applied aspects of computer forensics, at the expense of the development of fundamental theories. Further implications of the findings are discussed and suggestions for future research in the area are presented.

Computer Forensics Field Triage Process Model

With the proliferation of digital based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time - measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not negate the ability that once the initial field triage is concluded, the system(s)/storage media be transported back to a lab environment for a more thorough examination and analysis. The CFFTPM has been successfully used in various real world cases, and its investigative importance and pragmatic approach has been amply demonstrated. Furthermore, the derived evidence from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, discusses the model’s forensic soundness, investigative support capabilities and practical considerations.

A cyber forensics ontology: Creating a new approach to studying cyber forensics

The field of cyber forensics, still in its infancy, possesses a strong need for direction and definition. Areas of specialty within a professional environment, certifications, and/or curriculum development are still questioned. With the continued need to standardize parts of the field, methodologies need to be created that will allow for uniformity and direction. This paper focuses on creating an ontological for the purpose of finding the correct layers for specialization, certification, and education within the cyber forensics domain. There is very little information available on this topic and what is present, seems to be somewhat varied. This underscores the importance of creating a method for defining the correct levels of education, certification and specialization. This ontology can also be used to develop curriculum and educational materials. This paper is meant to spark discussion and further research into the topic.

Self-reported computer criminal behavior: A psychological analysis

The current research study replicated a study by Rogers et al. (Rogers M, Smoak ND, Liu J. Self-reported criminal computer behavior: a big-5, moral choice and manipulative exploitive behavior analysis. Deviant Behavior 2006;27:1-24) and examined the psychological characteristics, moral choice, and exploitive manipulative behaviors of self-reported computer criminals and non-computer criminals. Seventy-seven students enrolled in an information technology program participated in the web-based study. The results of the study indicated that the only significant variable for predicting criminal/deviant computer behavior was extraversion. Those individuals self-reporting criminal computer behavior were significantly more introverted than those reporting no criminal/deviant computer behavior. This finding is contrary to the findings of the previous study. The current study confirmed that the four psychometric instruments were reliable for conducting research in the field of criminal/deviant computer behavior. The impact of the findings on the field of digital forensic investigations is discussed as well as possible reasons for the apparent contradiction between the two studies.

A two-dimensional circumplex approach to the development of a hacker taxonomy

The current paper extends the earlier taxonomy framework of the author [Rogers M. Psychology of hackers: steps toward a new taxonomy. Retrieved October 15, 2001 from ; 1999], and provides a preliminary two-dimensional classification model. While there is no one generic profile of a hacker, studies indicate that there are at least eight primary classification variables: Novices (NV), Cyber-Punks (CP), Internals (IN), Petty Thieves (PT), Virus Writers (VW), Old Guard hackers (OG), Professional Criminals (PC), and Information Warriors (IW), and two principal components, skill and motivation. Due to the complex nature and interactions of these variables and principal components, the traditional one-dimensional continuum is inadequate for model testing. A modified circular order circumplex is presented as an alternative method for developing a preliminary hacker taxonomy. The paper discusses the importance of developing an understanding of the hacker community and the various sub-groups. Suggestions for future research are also discussed.

Forensic Analysis of Volatile Instant Messaging

Older instant messaging programs typically require some form of installation on the client machine, enabling forensic investigators to find a wealth of evidentiary artifacts. However, this paradigm is shifting as web-based instant messaging becomes more popular. Many traditional messaging clients (e.g., AOL Messenger, Yahoo! and MSN), can now be accessed using only a web browser. This presents new challenges for forensic examiners due to the volatile nature of the data and artifacts created by web-based instant messaging programs. These web-based programs do not write to registry keys or leave configuration files on the client machine. Investigators are, therefore, required to look for remnants of whole or partial conversations that may be dumped to page files and unallocated space on the hard disk. This paper examines the artifacts that can be recovered from web-based instant messaging programs and the challenges faced by forensic examiners during evidence recovery. An investigative framework for dealing with volatile instant messaging is also presented.

Does deviant pornography use follow a Guttman-like progression?

Abstract This study investigated whether deviant pornography use followed a Guttman-like progression in that a person transitions from being a nondeviant to deviant pornography user. In order to observe this progression, 630 respondents from Survey Sampling International’s (SSI) panel Internet sample completed an online survey assessing adult-only, bestiality, and child pornography consumption. Respondents’ “age of onset” for adult pornography use was measured to determine if desensitization occurred in that individuals who engaged in adult pornography at a younger age were more likely to transition into deviant pornography use. Two hundred and 54 respondents reported the use of nondeviant adult pornography, 54 reported using animal pornography, and 33 reported using child pornography. The child pornography users were more likely to consume both adult and animal pornography, rather than just solely consuming child pornography. Results suggested deviant pornography use followed a Guttman-like progression in that individuals with a younger “age of onset” for adult pornography use were more likely to engage in deviant pornography (bestiality or child) compared to those with a later “age of onset”. Limitations and future research suggestions are discussed.

DETECTING SOCIAL ENGINEERING

This paper focuses on detecting social engineering attacks perpetrated over phone lines. Current methods for dealing with social engineering attacks rely on security policies and employee training, which fail because the root of the problem, people, are still involved. Our solution relies on computer systems to analyze phone conversations in real time and determine if the caller is deceiving the receiver. The technologies employed in the proposed Social Engineering Defense Architecture (SEDA) are in the proof-of-concept phase but are, nevertheless, tractable. An important byproduct of this work is the generation of real-time signatures, which can be used in forensic investigations.

Digital Forensics: Meeting the Challenges of Scientific Evidence

This paper explores three admissibility considerations for scientific evidence currently engaged in U.S. courts: reliability, peer review and acceptance within the relevant community. Any tool used in a computer forensic investigation may be compared against these considerations, and if found wanting, evidence derived using the tool may be restricted. The ability to demonstrate the reliability and validity of computer forensic tools based on scientific theory is an important requirement for digital evidence to be admissible. A trusted third party certification model is discussed as an approach for addressing this issue.

Low neuroticism and high hedonistic traits for female internet child pornography consumers

Limited research has attempted to identify and understand the personality characteristics of female consumers of Internet child pornography (ICP). In the current study, female respondents (N = 162) from the Seigfried et al. study were analyzed to determine if personality characteristics differed between female users (n = 10, 6.2%) and female non-users (n = 152, 93.8%) of ICP. An exploratory backward stepwise (Wald) logistic regression revealed a predictive model, with female ICP consumers scoring: low on neuroticism, high on moral choice hedonism, and self-reporting a non-white racial identity. The relationship between female ICP consumption, neuroticism, hedonism, and race are discussed, along with the studys limitations and future research suggestions in the area of computer deviance.