International Journal of Electronic Security and Digital Forensics (14 papers in press)
VolNet: A Framework for Analyzing Network based Artifacts From Volatile Memory
by Nilay Mistry, Mohindersinh Dahiya
Abstract: Volatile memory contains a wealth of information regarding the current state of the running system. Memory forensics techniques inspect RAM to extract information such as credentials, encryption keys, network activity and logs, malware, MFT records, the set of processes currently executed by the operating system, open file descriptors, etc. To preserve the retrievability of potential artifacts, a memory dump should be taken prior to shutting down the system; this is the most vital step for carving information residing in volatile memory. The volatile memory dump is then used for offline investigation of volatile data, and the analysis provides information regarding the activities being performed on the running system. This research focuses on our developed framework, called VolNet, through which an investigator can extract and analyze artifacts related to network communication, social chats, cloud-based artifacts, private browsing and anonymous surfing, and other potential artifacts that can be obtained from RAM dumps of live systems.
Keywords: Digital Forensics; Anonymous Surfing; Volatile; Random Access Memory; Credentials; Communication; Private Browsing.
Phishing URL Detection Based on Feature Selection for Classifiers
by S. Carolin Jeeva, Elijah Blessing Rajsingh
Abstract: Phishing is an online scandalous act that occurs when a malevolent webpage impersonates a legitimate webpage with the intention of exploiting the user's confidential information. Phishing attacks continue to pose a serious risk to web users and an annoying threat in the field of electronic commerce. Feature selection is the process of removing unrelated features and thus reducing the dimensionality of the feature space. This paper focuses on identifying the foremost features that distinguish legitimate websites from phishing websites based on feature selection. In the real world, identifying phishing URLs with low computational time and high accuracy is very important, and thus feature selection is considered in this work. A comparative study is carried out on different data mining classifiers before and after feature selection, and their performance is evaluated in terms of accuracy and computational rate. The results indicate that the proposed approach detects phishing websites with considerable accuracy.
Keywords: Web security; Cyber-crime; Phishing; Attribute selection; classification and machine learning.
Model for Digital Evidence Preservation in Criminal Research Institutions PREDECI
by Fernando T. Molina Granja, Glen Dario Rodriguez Rafael
Abstract: This paper presents a model for the preservation of digital evidence in criminal research institutions. The objective of the model is to include features for the admissibility of evidence in court and to provide support for fulfilling the legal requirements and performance of this sector. The model is based on 14 preservation requirements for digital evidence and its admissibility, which were extracted from the literature review, and on a series of performance indicators to assess the fulfilment of the proposed goals. In addition to the model, there is an implementation guide based on the OAIS approach, consisting of NESTOR with three levels and eight frameworks, which includes an implementation plan, a development plan, and an evaluation plan. It is intended for criminal research institutions and can be used as a basis and reference for the preservation of digital evidence, enabling them to align with business strategies and meet the needs of the institution. A preliminary assessment is presented for 74 players involved in the process of preservation and admissibility of evidence. This research proposes a framework for continued preservation of digital evidence, which ensures better integrity and increases the admissibility of the evidence, supported by long-term preservation techniques based on the OAIS preservation model.
Keywords: Digital Preservation; Digital Evidence; Digital Repositories; OAIS; Admissibility; Digital Evidence Preservation.
An improved authenticated key agreement with anonymity for session initiation protocol
by Haoran Chen, Jianhua Chen, Han Shen
Abstract: As a lightweight and flexible signaling protocol, the session initiation protocol (SIP) has been widely used for establishing, modifying and terminating sessions in multimedia environments. Increasing concerns about the security of communication sessions that run over the public Internet have made authentication protocols for SIP more desirable. Recently, Lu et al. proposed an authentication scheme for SIP and claimed that their scheme is secure against various known attacks while maintaining efficiency. However, in this paper we show that their protocol suffers from server spoofing attacks and fails to provide mutual authentication as claimed. Further, we present an improved authentication protocol for SIP and prove its security using BAN logic. Through the security and performance analysis, we illustrate that the proposed scheme is more secure and flexible.
Keywords: mutual authentication; session initiation protocol; elliptic curve; key agreement; communication security.
Forensic Artifacts Associated with Intentionally Deleted User Accounts
by Mohammed Al-Saleh, Mona Al-Shamaileh
Abstract: Digital forensics is an evolving discipline that looks for evidence in electronic devices. It is utilized in investigating attacks and accusing cyber criminals. As in physical crimes, a cyber criminal might try every possible technique to hide responsibility for a crime. This can be done by manipulating all kinds of traces that could lead investigators to resolve cases. For example, a criminal can delete files, images, network traces, operating system log files, or browsing history.
An easy procedure a criminal might follow to conceal crime activities is: (1) create a new user account, (2) commit a crime through the just-created account, and (3) delete the account along with all files and directories that belong to it. To counter this kind of anti-forensic action, this paper collects evidence from deleted user accounts. We seek artifacts in Windows Event Logs, Registry hives, RAM, the Pagefile, and the hard drive. Interestingly, this paper shows that several clues about deleted accounts can be harvested. To the best of our knowledge, we are the first to tackle such a problem.
Keywords: Digital forensics; Deleted accounts; account recovery.
An Improved Multi-signature Scheme for a Specified Group of Verifiers
by Manoj Kumar Chande, Te-Yu Chen, Cheng-Chi Lee
Abstract: Zhang and Xiao presented a multi-signature scheme for a specified group of verifiers and showed that forging their signature is mathematically equivalent to forging Harn's signature. However, Zhang and Xiao's scheme is not secure against the rogue-key attack. In this paper, we show how to mount a rogue-key attack on Zhang and Xiao's scheme and propose an improved multi-signature scheme for a specified group of verifiers. Our new scheme not only inherits the advantages of Zhang and Xiao's scheme, but also resists known attacks including the rogue-key attack.
Keywords: Public Key Cryptography; Digital Signature; Discrete Logarithm Problem; Multi-signature Scheme.
Identifying Artifact on Microsoft OneDrive Client to Support Android Forensics
by Gandeva Bayu Satrya, A.A. Nasrullah, Soo Young Shin
Abstract: Microsoft software is perhaps the most widely used around the world. As computing technology has evolved, Microsoft has been at the cutting edge and has developed a number of groundbreaking and useful applications. Microsoft OneDrive is one such application. OneDrive is a cloud storage service offering 7GB of free storage to users. This technology can be misused, and through it the laws governing the cyber world can be violated. The current solution to this is to perform digital forensics when cybercrime has occurred. This research used two different vendors of Android smartphones as experimental objects. A model has been developed in this research which provides instructions for digital mobile forensics analysis in finding artifacts related to the client's activities on the OneDrive cloud storage application. These artifacts can be used as digital evidence by digital forensics investigators, and the research increases the knowledge of cyberlaw practitioners.
Keywords: artifacts; cybercrime; cloud storage; digital forensics; Android forensics; OneDrive analysis.
Security awareness and the use of location based services, technologies and games
by Jacques Barnard, Magda Huisman, Gunther Drevin
Abstract: Rapid expansion and development in the modern mobile technology market has created an opportunity for the use of location-based technologies and games. Because of this fast-expanding market and new technology, it is important to be aware of the implications this expansive technology could have on computer security. This paper endeavours to measure the impact of location-based technologies and games on the security awareness of first- to fourth-year computer science university students. A questionnaire, posted on the web and completed by computer science students from different year groups, was used to collect the data for this study. The major results of this study are the following: there is a difference in the security awareness of students who use and play location-based services, technologies and games and those who do not. This study also determined that the computer science students are cautious about security implications, although they do not take preventative measures.
Keywords: Technology use; mobile location-based games; mobile location-based service; security awareness.
An Improved LSB Based RDH Technique with Better Reversibility
by Jayanta Mondal, Debabala Swain
Abstract: Lossless image recovery has significant importance in image transmission and security. In this respect, many Reversible Data Hiding (RDH) techniques are available in the literature. Still, ample measures can be taken to achieve better reversibility. This paper presents an improved reversible RDH technique and performs a quantitative study to evaluate the recovery of the sent image without any distortion. In Reversible Data Hiding, the original image has to go through the encryption and embedding processes before being transmitted to the receiver. In the proposed RDH technique, a series of computations is done on the three LSBs to embed secret bits in the encrypted image. Similarly, the reverse computations are performed on the LSBs to extract the original image content from the decrypted image. Experimental analysis demonstrates the achievement of the proposed technique using parameters such as PSNR and SSIM.
Keywords: Reversible Data Hiding; LSB Based Encryption; Data Embedding; Lossless Recovery.
An Automobile Security Protocol: Side-channel Security against Timing and Relay Attacks
by Mohd Anuar Mat Isa
Abstract: Keyless Go, automotive keyless systems (AKS) and passive keyless entry and start (PKES) are names given to smart systems that allow a driver to unlock a car without pressing any key, and to drive the car without inserting a smart key to start or stop the car engine. It is one of the debutant IoT applications in the automotive sector. This work presents a lightweight 128-bit pairing security protocol (PSP 128) as an authentication protocol between owner and car. The security of PSP 128 against timing and relay attacks by an adversary is discussed and its resilience is proved using a theoretical security reduction method. The theoretical security reduction results are supported by findings from an experimental test bed using a RaspberryPi board and radio frequency (RF) communication. Based on the experimental results, PSP 128 can support up to 56 thousand authentication sessions between owner and car per typical usage. It is estimated that a standard automotive battery running the device can have a lifespan of up to 7 years with typical use.
Keywords: keyless; automotive; relay attack; side-channel attack; iot; lightweight; cryptography; rf security; raspberrypi.
A Proposal for Curriculum Development for Educating and Training Brazilian Police Officers in Digital Forensics Investigation and Cybercrime Prosecution
by Ilane Cunha, Jefferson Cavalcante, Ahmed Patel
Abstract: The Internet and computer systems are infested by cybercrimes. Like any other crime, they need investigation and analysis to prosecute the criminal. It is against this backdrop that it is important to have educated and trained staff, not only to fight cybercrimes but to comprehensively and objectively investigate them for the purpose of prosecution. This article presents a proposal for the curriculum development, education, training and certified qualification of Brazilian police officers, preparing them to be as knowledgeable, reliable, efficient and effective as possible. The proposal presents two types of training and qualification: police officers as first responders who are likely to encounter cybercrime activities, and police officers as cybercrime investigators and analysts, that is, highly skilled, world-class investigation specialists. To meet this target, the proposal, after presenting the background concepts and requirements, presents the syllabus and laboratory practical sessions for each level of training needed to develop specialist investigators.
Keywords: Cybercrime training; cybercrime investigators; cybercrime prosecutors; computer and digital investigations; digital forensic; computer forensics; security; security threats; privacy; curriculum development; syllabus development; accreditation; qualification.
A review of Video Falsifying Techniques and Video Forgery Detection Techniques
by Mei Choo Ang, Manar A. Mizher, Ahmad A. Mazhar, Manal A. Mizher
Abstract: The term video attack has gained attention under the name video forgery. The simplest type of video forgery is copy-move tampering, which can be detected by the human eye. The complex type of video forgery is video falsifying, which is more professional than copy-move, as highly improved techniques are needed to detect a falsified video. Detecting a video falsifying attack is difficult because it changes the semantic meaning of the original video by creating a fake video; this can be done by editing, combining or generating new video content. In this paper, several types of video falsifying techniques and video forgery detection techniques are studied and classified, challenges with existing forgery detection techniques are given, and a conclusion with recommended suggestions is presented. The recommendations focus on advanced forgeries, such as object motion interpolation forgeries and dynamic texture inpainting, to increase security against these types of tampering on key frames.
Keywords: video falsifying; forgery detection; spatio-temporal attacks; secure system; fingerprint framework; keyframes extraction.
An Investigation into the Forensic Implications of the Windows 10 Operating System: Recoverable Artefacts and Significant Changes from Windows 8.1
by Diana Hintea, Robert Bird, Michael Green
Abstract: With the release of Microsoft's latest operating system, Windows 10, forensic investigators must examine it in order to determine the changes implemented since Windows 8.1 and the addition of new artefacts. This study is an analysis of Windows 10 and its new features in order to identify these artefacts. The tools used include VMware Fusion, FTK Imager, Process Monitor, Process Explorer, ESEDatabaseView and Registry Explorer. The paper also determines whether artefacts have changed in Windows 10 in comparison with the previous version of Windows, Windows 8.1. When comparing the two, it was found that many of the pre-existing artefacts found within Windows 8.1 are still present in Windows 10. Slight differences are noted in the way Prefetch files are compressed and in the Thumbnail databases. Significant artefacts related to the new features in Windows 10 are also reported.
Keywords: Windows 10; Forensic Analysis; Digital Forensic Acquisition.
An Evidence Collection and Analysis of Windows Registry
by Dinesh Patil, Bandu Meshram
Abstract: Cyber crimes are committed internally or externally. Malware and remote access are the means of committing cyber crimes externally, whereas a trusted insider in an organization causes industrial espionage internally. On a Windows system, the Registry is a source of evidence against the cyber criminal, as it maintains the details of activity on the system. Digital forensic investigation of the Windows Registry helps in collecting forensic information relevant to the case. The Registry maintains a very large amount of system- and user-related information. In order to gather potential evidence about the malicious activities of a user, the forensic investigator needs to search the entire Registry, wasting time and effort. This raises the need for an evidence collection and analysis methodology to identify, extract and analyze the evidence specifically related to user activities on the system. After considering the existing research, this paper suggests a framework with an improved evidence collection and analysis methodology to aid in the digital forensic investigation of the Registry for identifying a potential malicious insider.
Keywords: Registry; Registry Key; Hives; Integrated Analysis; Timeline.