Matthew Simon

Recovery of Skype Application Activity Data from Physical Memory

The use of Internet based communication technologies has become more prevalent in recent years. Technologies such as Skype provide a highly secure and decentralised method of communication. These technologies may also leave little evidence on static media causing conventional digital forensic processes to be ineffective. This research looks at exploiting physical memory to recover evidence from Internet based communication technologies where conventional methods cannot. The paper first proposes a set of generic target artefacts that defines information that may be targeted for recovery and the meaning that can be inferred from this. A controlled test was then undertaken where Skype was executed and the memory from the target machine collected. The analysis showed that it is feasible to recover the target data as applied to Skype, which would not be otherwise available. As this is the first set of tests of a series, the future direction is also discussed.

Enhancement of Forensic Computing Investigations through Memory Forensic Techniques

The use of memory forensic techniques has the potential to enhance computer forensic investigations. The analysis of digital evidence is facing several key challenges; an increase in electronic devices, network connections and bandwidth, the use of anti-forensic technologies and the development of network centric applications and technologies has lead to less potential evidence stored on static media and increased amounts of data stored off-system. Memory forensic techniques have the potential to overcome these issues in forensic analysis. While much of the current research in memory forensics has been focussed on low-level data, there is a need for research to extract high-level data from physical memory as a means of providing forensic investigators with greater insight into a target system. This paper outlines the need for further research into memory forensic techniques. In particular it stresses the need for methods and techniques for understanding context on a system and also as a means of augmenting other data sources to provide a more complete and efficient searching of investigations.

Recovery of Pidgin Chat Communication Artefacts from Physical Memory: A Pilot Test to Determine Feasibility

This research describes a study that looks at the feasibility of extracting remnant information about an instant message client from physical memory. The research goal was to gather information about the target application in order to assess the viability of creating methods to recover specific data about its use. The study consists of a formal experiment where the application is used and the physical memory collected at various points. The memory image was then interrogated to assess whether remnant data could be recovered. The study shows that it is feasible to recover data about the target application.

Legal and Technical Implications of Collecting Wireless Data as an Evidence Source

The collection of digital devices for forensic analysis is an area that requires constant revision. New technologies and connectivity options change what devices are able to hold electronic evidence and also the methods needed to secure it. This work focuses on the development of an 802.11-based wireless networking (Wi-Fi) forensic analysis tool that can aid in the identification and collection of evidence by identifying the presence of wireless networks and the devices to which they are attached. Specifically, this paper seeks to discuss the potential legal and technical challenges faced in the development of a wireless forensic tool.

Voice Over IP: Privacy and Forensic Implications

With the tremendous growth in popularity and bandwidth of the Internet, VoIP technology has emerged that allows phone calls to be routed over Internet infrastructure rather than the traditional Public Switched Telephone Network (PSTN) infrastructure. The issues faced by law enforcement authorities concerning VoIP are very different from that of traditional telephony. Wiretapping is not applicable to VoIP calls and packet capturing is negated by encryption. This article discusses experimental work carried out to explore methods by which electronic evidence may be collected from systems where VoIP conversations play an important role in suspected criminal activity or communications. It also considers the privacy issues associated with the growing use of VoIP.

Investigating Modern Communication Technologies: The effect of Internet-based Communication Technologies on the Investigation Process

Communication technologies are commonplace in modern society. For many years there were only a handful of communication technologies provided by large companies, namely the Public Switched Telephone Network (PSTN) and mobile telephony; these can be referred to as traditional communication technologies . Over the lifetime of traditional communication technologies has been little technological evolution and as such, law enforcement developed sound methods for investigating targets using them. With the advent of communication technologies that use the Internet – I nternet-based or contemporary communication technologies – law enforcement are faced with many challenges. This paper discusses these challenges and their potential impact. It first looks at what defines the two technologies then explores the laws and methods used for their investigation. It then looks at the issues of applying the current methodologies to the newer and fundamentally different technology. The paper concludes that law enforcement will be required to update their methods in order to remain effective against the current technology trends.

Forensic Computing Training, Certification and Accreditation: An Australian Overview

Training, certification and accreditation are concepts that are used in almost all aspects of professional life. This paper reviews current initiatives in Forensic Computing training and certification in Australia and the effect of this on National Accreditation processes.