Shahzad Saleem

Evaluation of some tools for extracting e-evidence from mobile devices

In a digital world, even illegal behaviour and/or crimes may be termed as digital. This world is increasing becoming mobile, where the basic computation and communication entities are Small Scale Digital Devices (SSDDs or S2D2s) such as ordinary mobile phones, personal digital assistants, smart phones and tablets. The need to recover data, which might refer to unlawful and unethical activities gave rise to the discipline of mobile forensics, which has become an integral part of digital forensics. Consequently, in the last few years there is an abundance of mobile forensics tools, both commercial and open-source ones, whose vendors and developers make various assertions about the capabilities and the performance of their tools. The complexity and the diversity of both mobile devices and mobile forensics tools, coupled with the volatile nature of the digital evidence and the legal requirements of admissibility makes it difficult for forensics investigators to select the right tool. Hence, we have evaluated UFED Physical Pro 1.1.3.8 and XRY 5.0 following “Smartphone Tool Specifications Standard” developed by NIST, in order to start developing a framework for evaluating and referencing the “goodness” of the mobile forensic tools. The experiments and the results of the research against the core smart phone tool specifications and their associated test findings are presented in such a way that it should make it easier for the prospective mobile forensic examiner select the most adequate tool for a specific case.

Evaluation of security methods for ensuring the integrity of digital evidence

The omnipresence of e-services running on various instances of pervasive e-infrastructures that are fundamental to the contemporary information society generates an abundance of digital evidence. The evidence in a digital form stems from a myriad of sources ranging from stand alone computers and their volatile and non-volatile storages, to mobile small scale digital devices, network traffic, ever-present applications comprising social networks, ISP records, logs, Web pages, databases and both global and local information systems. The acquisition and the analysis of this evidence is crucial to understanding and functioning of the digital world, regardless of the positive or negative implications of the actions and the activities that generated the evidence. In the case of the later, when the evidence comes from illegal, illicit and malicious activities, the protection of digital evidence is of major concern for the law enforcement and legal institutions, namely for investigators and prosecutors. To protect the integrity of the digital evidence, a number of security methods are used. These methods differ in terms of performance, accuracy, security levels, computational complexity, potential errors and the statistical admissibility of the produced results, as well as the vulnerabilities to accidental or malicious modifications. The work presented deals with the evaluation of these security methods in order to study and understand their “goodness” and suitability to protect the integrity of the digital evidence. The immediate outcome of the evaluation is a set of recommendations to be considered for selecting the right algorithm to protect integrity of the digital evidence in general.

Evaluating and Comparing Tools for Mobile Device Forensics Using Quantitative Analysis

In this paper we have presented quantitative analysis technique to measure and compare the quality of mobile device forensics tools while evaluating them. For examiners, it will provide a formal mathematical base and an obvious way to select the best tool, especially for a particular type of digital evidence in a specific case. This type of comparative study was absent in both NIST’s evaluation process and our previous work (Evaluation of Some Tools for Extracting e-Evidence from Mobile Devices). We have evaluated UFED Physical Pro 1.1.3.8 and XRY 5.0. To compare the tools we have calculated Margin of Error and Confidence Interval (CI) based on the proportion of successful extractions from our samples in different scenarios. It is followed by hypothesis testing to further strengthen the CI results and to formally compare the accuracy of the tools with a certain level of confidence.

Quantifying Relevance of Mobile Digital Evidence As They Relate to Case Types: A Survey and a Guide for Best Practices

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as ...

Extended abstract digital forensics model with preservation and protection as umbrella principles

Abstract In this research, a literature review was conducted where twenty (n=20) frameworks and models highlighting preservation of the integrity of digital evidence and protection of basic human rights during digital forensic investigations were studied. The models not discussing the process at an abstract level were excluded. Therefore, thirteen (n=13) of the studied models were included in our analysis. The results indicated that published abstract models lack preserving the integrity of digital evidence and protecting the basic human rights as explicit overarching umbrella principles. To overcome this problem, we proposed an extension to Reiths abstract digital forensics model explicating preservation of integrity and protection of human rights as the two necessary umbrella principles.

Testing Framework for Mobile Device Forensics Tools

The proliferation of mobile communication and computing devices, in particular smart mobile phones, is almost paralleled with the increasing number of mobile device forensics tools in the market. Each mobile forensics tool vendor, on one hand claims to have a tool that is best in terms of performance, while on the other hand each tool vendor seems to be using different standards for testing their tools and thereby defining what support means differently. To overcome this problem, a testing framework based on a series of tests ranging from basic forensics tasks such as file system reconstruction up to more complex ones countering antiforensic techniques is proposed. The framework, which is an extension of an existing effort done in 2010, prescribes a method to clearly circumscribe the term support into precise levels. It also gives an idea of the standard to be developed and accepted by the forensic community that will make it easier for forensics investigators to quickly select the most appropriate tool for a particular mobile device.

Forensic analysis of three social media apps in windows 10

Social media facilitates communication and provides easy way of reaching out to people. However, it also poses a risk of disclosure of personal details which, if exploited, can lead to privacy issues and also crimes such as blackmailing, identity theft etc. In this regard, it is essential to study social media from a forensics point of view. In this paper we have explored the remnants of Facebook, Viber and Skype. All work is carried out for Windows 10 technical preview. The potential locations are explored and examined to find artifact locations and their details. An effort has also been made to recover the items from unallocated space, which also includes those that were permanently deleted from Windows.

Protecting Digital Evidence Integrity by Using Smart Cards

RFC 3227 provides general guidelines for digital evidence collection and archiving, while the International Organization on Computer Evidence offers guidelines for best practice in the digital forensic examination. In the light of these guidelines we will analyze integrity protection mechanism provided by EnCase and FTK which is mainly based on Message Digest Codes (MDCs). MDCs for integrity protection are not tamper proof, hence they can be forged. With the proposed model for protecting digital evidence integrity by using smart cards (PIDESC) that establishes a secure platform for digitally signing the MDC (in general for a whole range of cryptographic services) in combination with Public Key Cryptography (PKC), one can show that this weakness might be overcome.

Forensic Investigation of Smartphone Cloud Storage Applications

Advancement in technology allows people to access the data through smartphones regardless of the time and place. Because of widespread applications of users’ interest, the dependency on the mobile devices has increased. Cloud storage applications are attracting user’s attention rapidly and will continue enjoying this ever increasing popularity in the near future as well. This makes them an important potential container of evidence during the investigation. So, it is important for forensic practitioners to match their pace with technological advancements. This paper has addressed the above-mentioned problem as per NIST methodology; bit-by-bit image(s) of android phone is analyzed for exploring the containers for retrieving important artifacts of user activities. The study aims to possibly help the investigative process by scrutinizing cloud storage applications namely: Cubby and IDrive. As a result, interesting locations were identified from where security vulnerabilities and other short comings were exposed. Overall the study concludes that security of Cubby is far better than IDrive.

Comments on “A method and a case study for the selection of the best available tool for mobile device forensics using decision analysis” [Digit Investig 16S, S55–S64]

1. Our research is a case study where specific forensics tools and mobile devices were only used to illustrate the utility of a formal method called decision analysis. To the best of our knowledge such a technique for tool testing has not been published in a peer-reviewed journal in the past. 2. Decision theory and analysis draw on a very serious body of work from probability, utility, and epistemic and doxastic reasoning about uncertainty theories. Indeed, decisions analysis have been applied, inter alia, in various situations such as for instance (a) devising national strategies to deal with different types of natural disasters, and (b) conflict resolution in policy matters where diverse and opposing stakeholders have been involved. 3. The results in the paper are not intended to be conclusive, but rather to illustrate the applicability and the rationale of using a formal method paradigm. 4. The numbers generated by the application of the formal method and after mathematically balancing the requirements for both performance and relevance using DecideIT (a decision support system, developed at the DSV, Stockholm University) are published for both the alternatives. The test datasets generated on older phone models were only used for the purpose of demonstrating how the formal method can be utilised in testing digital forensic tools. 5. The forensic tools and the mobile devices as posited in (4) were old. It is worthy to note that with regards to newer versions of