Paula Thomas

An analysis of digital forensic examinations: Mobile devices versus hard disk drives utilising ACPO & NIST guidelines

Abstract The aims of this paper are to compare and contrast the current guidelines involved in the forensic examinations of mobile devices and hard disk drives. The paper then identifies areas of mobile device examinations where current guidelines are different and could be lacking strength and solidity. Guidelines and research into the forensic examination of hard disk drives is much more established when compared to that of mobile devices. Both the United Kingdom and the United States of America have published guidelines for the forensic analysis of mobile devices; these guidelines are examined throughout this paper. In the United Kingdom they are issued by ACPO (Association of Chief Police Officers) Good Practice Guide for Computer-Based Electronic Evidence. In the United States of America these are issued by NIST (National Institute of Standards and Technology). Special Publication 800-101, Guidelines on Cell Phone Forensics.

An Investigation into the Development of an Anti-forensic Tool to Obscure USB Flash Drive Device Information on a Windows XP Platform

When a USB flash drive is plugged into a Windows XP computer, a number of registry settings and log files are automatically updated that reflect the use of the USB flash drive. This information is often important in criminal proceedings where the use of a USB flash drive can be shown to have copied data to and from the computer. The aim of this work was to evaluate the information that can identify USB flash drive usage on a Windows XP computer and to understand how that information could be used by a computer forensics investigator. A tool was produced to perform a function that allowed the amendment of the information concerned with USB flash device usage. This amendment of data will be intentional and deliberate and can therefore be defined as being an anti forensics tool.

An Analysis of the Digital Forensic Examination of Mobile Phones

Digital evidence is proving increasingly pivotal in criminal investigations whether it is an arrest for a minor offence or a more serious activity. As people rely on mobile phones and their many functions, the digital trail of evidence continues to grow. The forensic examination of mobile phones is a relatively new discipline and research activity into the forensic analysis of these types of phones, and the information they may contain, is limited when compared to the exponential increase in ownership of these types of phones. The amount of ubiquitous information stored on mobile phones will continue to grow as their processing power and storage capacity increases and the phones incorporate more functionality and applications. Guidelines, publications and research into the more traditional digital forensic examination of computer hard disks are well documented, whereas for mobile phones, the publications and research are not that established. The aim of this paper is to examine the current methods involved in the forensic examination of mobile phones and to identify those areas of mobile phone examination where the current United Kingdom ACPO guidelines and the United States of America NIST guidelines are unclear or insubstantial.

Online ID theft techniques, investigation and response

ID theft, especially in its online form, is currently one of the most prevalent types of computer crime. The limited end-user awareness as well as the retention and business processing of large amounts of personal data in a manner that does not meet security and regulatory requirements provide plenty of opportunities to fraudsters. A number of organisations have produced guidelines of good practice targeted to individuals and organisations; however the matter is still on the rise. In this paper, we review computer-based techniques employed by fraudsters in order to steal IDs and refer to published guidelines and the documented good practice against those. We discuss the issues related to the investigation of such incidents and provide the grounds for the development of a framework to assist in their forensic examination.

An XML‐based architecture for data integration in vulnerability assessments

Purpose – One of the problems facing systems administrators and security auditors is that a security test/audit can generate a vast quantity of information that needs to be stored, analysed and cross referenced for later use. The current state‐of‐the‐art in security audit tools does not allow for information from multiple different tools to be shared and integrated. This paper aims to develop an Extensible Markup Language (XML)‐based architecture that is capable of encoding information from a variety of disparate heterogeneous sources and then unifying and integrating them into a single SQL database schema.Design/methodology/approach – The paper demonstrates how, through the application of the architecture, large quantities of security related information can be captured within a single database schema. This database can then be used to ensure that systems are conforming to an organisations network security policy.Findings – This type of data integration and data unification within a vulnerability assess...

Hard-drive disposal and identity fraud

A personal computer is often used to store personal information about the user. This information may be intentionally kept by the user or information maybe automatically stored as the result of the user’s activities. In this paper we investigate whether it is possible for identity fraud to occur as a result of post-disposal access to the residual data stored on a personal computer’s hard drive. We provide indicative types of information required to commit an identify fraud and examine the personal information contained in a series of second-hand personal computer hard disk drives, purchased as part of a wider research study.

Performing real-time threat assessment of security incidents using data fusion of IDS logs

The vulnerability of network infrastructure was illustrated in 1996 when the Internet Domain Name entry for East Timor was removed from various DNS servers. The net effect of this attack was that to all intents and purposes East Timor was removed from the Internet. Now imagine a time a few years in the further when the USA and Europe are all doing business online and imagine what would happen if all .com entries vanished from the Internet. Modern IDS systems simply log events, they do very little else with the data. In this paper, I will demonstrate how network traffic can be analysed to produce a system that is capable of performing real-time (or near-real time) threat analysis of an attack as it happens. This type of analysis offers us the ability to eventually deploy countermeasures thus stopping, or limiting, an attack.

An Analysis of the Curriculum Components of Computer Forensics Undergraduate Courses in the United Kingdom

Abstract A typical undergraduate curriculum of study in Computing contains a broad range of modules. Computer Forensics is a specialised area of Computing and if specialised modules are being introduced into a typical Computing subject curriculum then one or more of the more traditional subject modules must be removed or modified to provide space to accommodate the new material. This paper investigates the opinions of academic members of staff from several UK institutions on which Computing subject areas should be included in specialised curricula in Computer Forensics. It builds on work done during the third Annual HE Academy Workshop on Teaching Computer Forensics, where delegates were asked to contribute to an undergraduate curriculum design exercise. The delegates were mostly academic lecturing staff from HE institutions around the UK and they were primarily involved in the delivery of Computer Forensic courses at undergraduate and postgraduate levels. They were asked to design an undergraduate BSc (Hons) course in the subject area of Computer Forensics by selecting six modules for each level of a three year undergraduate BSc (Hons) course. There were no constraints on module selection apart from having to select six modules at each level from a list of module titles based on current modules used in UK universities. The paper summarises the results and comments upon principles of design for curricula in this particular subject area.