Umit Karabiyik

User characterization for online social networks

Online social network analysis has attracted great attention with a vast number of users sharing information and availability of APIs that help to crawl online social network data. In this paper, we study the research studies that are helpful for user characterization as online users may not always reveal their true identity or attributes. We especially focused on user attribute determination such as gender and age; user behavior analysis such as motives for deception; mental models that are indicators of user behavior; user categorization such as bots versus humans; and entity matching on different social networks. We believe our summary of analysis of user characterization will provide important insights into researchers and better services to online users.

AUDIT: AUTOMATED DISK INVESTIGATION TOOLKIT

Software tools designed for disk analysis play a critical role today in forensics investigations. However, these digital forensics tools are often difficult to use, usually task specific, and generally require professionally trained users with IT backgrounds. The relevant tools are also often open source requiring additional technical knowledge and proper configuration. This makes it difficult for investigators without some computer science background to easily conduct the needed disk analysis. In this paper, we present AUDIT, a novel automated disk investigation toolkit that supports investigations conducted by non-expert (in IT and disk technology) and expert investigators. Our proof of concept design and implementation of AUDIT intelligently integrates open source tools and guides non-IT professionals while requiring minimal technical knowledge about the disk structures and file systems of the target disk image.

Advanced Automated Disk Investigation Toolkit

Open source software tools designed for disk analysis play a critical role in digital forensic investigations. The tools typically are onerous to use and rely on expertise in investigative techniques and disk structures. Previous research presented the design and initial development of a toolkit that can be used as an automated assistant in forensic investigations. This chapter builds on the previous work and presents an advanced automated disk investigation toolkit (AUDIT) that leverages a dynamic knowledge base and database. AUDIT has new reporting and inference functionality. It facilitates the investigative process by handling core information technology expertise, including the choice and operational sequence of tools and their configurations. The ability of AUDIT to serve as an intelligent digital assistant is evaluated using a series of tests that compare it against standard benchmark disk images and examine the support it provides to human investigators.

Pokémon GO Forensics: An Android Application Analysis

As the geolocation capabilities of smartphones continue to improve, developers have continued to create more innovative applications that rely on this location information for their primary function. This can be seen with Niantic’s release of Pokemon GO, which is a massively multiplayer online role playing and augmented reality game. This game became immensely popular within just a few days of its release. However, it also had the propensity to be a distraction to drivers, resulting in numerous accidents, and was used as a tool by armed robbers to lure unsuspecting users into secluded areas. This facilitates the need for forensic investigators to be able to analyze the data within the application in order to determine if it may have been involved in these incidents. Because this application is new, limited research has been conducted regarding the artifacts that can be recovered from the application. In this paper, we aim to fill the gaps within the current research by assessing what forensically-relevant information may be recovered from the application and understanding the circumstances behind the creation of this information. Our research focuses primarily on the artifacts generated by the Upsight analytics platform, those contained within the bundles directory and the Pokemon Go Plus accessory. Moreover, we present our new application-specific analysis tool that is capable of extracting forensic artifacts from a backup of the Android application and presenting them to an investigator in an easily-readable format. This analysis tool exceeds the capabilities of the well known mobile forensic tool Cellebrite’s UFED (Universal Forensic Extraction Device) Physical Analyzer in processing Pokemon GO application data.

The forensic effectiveness of virtual disk sanitization

It is a very likely situation for a digital forensics investigator to encounter a virtual machine during an investigation. The evidence found in a vmdk disk may not necessarily belong to the virtual machine. It is possible that a vmdk disk could contain previously deleted data from the host machine. In this paper we investigate the possibility of type 1 and type 2 hypervisor virtual disks to contain previously deleted data from the host machine. We specifically tested VMware Workstation 11 and ESXi vSphere 6.0 products for each type respectively. We also attempt to identify the disk sanitization strategies employed by these products, and locations within a virtual disk that could potentially contain unallocated host data.

Model of hierarchical disk investigation

Digital forensics investigators need specialized tools in order to retrieve evidence on hard disks. When using automated tools, only conventional areas of the disk are often analyzed and as a result potential evidence in hidden areas may be missed. One reason for this is the lack of a universal standard or approach with regards to the systematic disk investigation of the total disk area. In this paper, we present a new hierarchical disk investigation model that can be used to support automated digital forensics tools in systematically examining the disk in its totality, based on the disks physical and logical structures. We have implemented our proposed model in an open source tool called Automated Disk Investigation Toolkit for illustration.

IDENTIFYING PASSWORDS STORED ON DISK

This chapter presents a solution to the problem of identifying passwords on storage media. Because of the proliferation of websites for finance, commerce and entertainment, the typical user today often has to store passwords on a computer hard drive. The identification problem is to find strings on the disk that are likely to be passwords. Automated identification is very useful to digital forensic investigators who need to recover potential passwords when working on cases. The problem is nontrivial because a hard disk typically contains numerous strings. The chapter describes a novel approach that determines a good set of candidate strings in which stored passwords are very likely to be found. This is accomplished by first examining the disk for tokens (potential password strings) and applying filtering algorithms to winnow down the tokens to a more manageable set. Next, a probabilistic context-free grammar is used to assign probabilities to the remaining tokens. The context-free grammar is derived via training with a set of revealed passwords. Three algorithms are used to rank the tokens after filtering. Experiments reveal that one of the algorithms, the one-by-one algorithm, returns a password-rich set of 2,000 tokens culled from more than 49 million tokens on a large-capacity drive. Thus, a forensic investigator would only have to test a small set of tokens that would likely contain many of the stored passwords.