Proceedings of the 5 Australian Digital Forensics Conference

Proceedings of the 5 Australian Digital Forensics Conference

Proceedings of The 5th Australian Digital Forensics Conference 3rd December 2007 Edith Cowan University Mount Lawley Campus Published By School of Computer and Information Science Edith Cowan University Perth, Western Australia Edited by Dr. Craig Valli and Dr. Andrew Woodward School of Computer and Information Science Edith Cowan University Perth, Western Australia Copyright 2007, All Rights Reserved ISBN 0-7298-0646-4 Table of Contents 1. Anti-Forensics and the Digital Investigator.............................................................................................. 1 2. An approach in identifying and tracing back spoofed IP packets to their sources ................................... 8 3. The effectiveness of investigative tools for Secure Digital (SD) Memory Card forensics..................... 22 4. An overview and examination of digital PDA devices under forensics toolkits .................................... 34 5. Profiling Through a Digital Mobile Device............................................................................................ 52 6. Forensic Analysis Avoidance Techniques of Malware .......................................................................... 59 7. ID Theft: A Computer Forensics’ Investigation Framework.................................................................. 67 8. Extracting Inter-arrival Time Based Behaviour from Honeypot Traffic using Cliques ......................... 79 9. Multi-Step Scenario Matching Based on Unification............................................................................. 88 10. Steganalysis in Computer Forensics....................................................................................................... 98 11. Managing Digital Forensic Knowledge An Applied Approach ........................................................... 109 12. ADSL Router Forensics Part 1: An introduction to a new source of electronic evidence.................... 119 13. An examination of the Asus WL-HDD 2.5 as a Nepenthes malware collector.................................... 128 14. A Proof-of-Concept Project for Utilizing U3 Technology in Incident Response................................. 136 15. Introduction to Mobile Phone Flasher Devices and Considerations for their Use in Mobile Phone Forensics............................................................................................................................................... 143 16. Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment ...... 154 17. Can SDV Technology be Utilised in a Smartphone to Prevent Forensic Analysis?............................. 164 18. A forensically tested tool for identification of notebook computers to aid recovery: LIARS phase I proof of concept.................................................................................................................................... 179 19. Mood 300 IPTV decoder forensics....................................................................................................... 185 20. A Methodology for the Forensic Acquisition of the TomTom One Satellite Navigation System – A Research in Progress............................................................................................................................. 195 21. BLOGS: ANTI-FORENSICS and COUNTER ANTI-FORENSICS................................................... 199 22. An Overview of ADSL Homed Nepenthes Honeypots In Western Australia...................................... 204 23. Tracing USB Device artefacts on Windows XP operating system for forensic purpose...................... 210 24. Oops they did it again: The 2007 Australian study of remnant data contained on 2nd hand hard disks 219 Conference Foreword This year has seen the conference grow in size and magnitude yet again. There are several definite strands of established research and interest within the subject of computer based forensics these include disk sanitisation, honeypots and discovery techniques. We are seeing emergent papers in the areas of mobile device forensics including PDAs, mobile phones and GPS devices. The papers authors are drawn from a cross section of the forensics community from practitioners to academics. All papers were subject to a double blind peer review process and of the 42 papers submitted only 24 were accepted for final publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, helping with the planning, organisation and execution of the conferences. To our sponsors also a vote of thanks for both the financial and moral support provided to the conference. Finally, to the administrative and technical staff of the School of Computer and Information Science for their contributions to the running of the conference. Dr Craig Valli Conference Chair Conference Organising Committee Dr Craig Valli Conference Chair & Co – Editor Edith Cowan University Dr Andrew Woodward Conference Editor Edith Cowan University Chris Bolan Committee Member Edith Cowan University Dr Trish Williams Committee Member Edith Cowan University Professor Bill Hutchinson Committee Member Edith Cowan University Lisa McCormack Committee Member Edith Cowan University Rebecca Treloar-Cook Committee Member Edith Cowan University Sponsors Secure Systems Best Paper Award Cengage Best Presentation Award Research Network for Secure Australia Proceedings of The 5th Australian Digital Forensics Conference Anti-Forensics and the Digital Investigator Gary C. Kessler Champlain College Burlington, VT, USA [email protected] Edith Cowan University Mount Lawley, WA, Australia Abstract Viewed generically, anti-forensics (AF) is that set of tactics and measures taken by someone who wants to thwart the digital investigation process. This paper describes some of the many AF tools and methods, under the broad classifications of data hiding, artefact wiping, trail obfuscation, and attacks on the forensics tools themselves. The concept of AF is neither new nor solely intended to be used by the criminal class; it also has legitimate use by those who wish to protect their privacy. This paper also introduces the concept of time-sensitive anti- forensics, noting that AF procedures might be employed for the sole purpose of delaying rather than totally preventing the discovery of digital information. Keywords Anti-forensics, data hiding, artefact wiping, trail obfuscation, attacks on computer forensics tools, privacy INTRODUCING ANTI-FORENSICS The term anti-forensics (AF) has recently entered into the vernacular of digital investigators. Although conceptually not new, it is instructive to observe that there is no clear industry definition (Harris, 2006). Rogers (2006), a practicing digital forensics educator and investigator, defines AF as "attempts to negatively affect the existence, amount, and/or quality of evidence from a crime scene, or make the examination of evidence difficult or impossible to conduct." Liu and Brown (2006), practicing creators of AF methods and tools, offer a slightly darker definition: "application of the scientific method to digital media in order to invalidate factual information for judicial review." The term forensics is significant and quite specific -- whatever AF is pertains to the scientific analysis of evidence for court. Anti-forensics, then, is that set of tools, methods, and processes that hinder such analysis. It is difficult to think of any legitimate uses of AF processes and tools. Indeed, most -- if not all -- digital investigators find AF to be the bane of their existence and only used by someone who has something to hide. But AF might also be employed by the person who just wants to be left alone. An early text about computer forensics devoted significant time to the examination process as well as ways to thwart that process, all in the name of privacy (Caloyannides, 2001). One can argue that it is a fine line between protecting one's privacy and preventing a court-sanctioned search, but that line has existed for centuries -- only with digital devices does a letter that the writer burned well in the past continue to hang around on a hard drive or backup tape. And there are those that will argue that AF techniques can protect a Good Person from a Bad Government. Of course, those same tools can block a Good Government from investigating a Bad Person and that, of course, is the rub. Laws, traditions, mores, and culture affect a society's view of privacy. Many nations purport to value people's privacy on the one hand but also recognize that the "right to privacy" -- should that right exist in a particular jurisdiction -- is not absolute. CATEGORIES OF ANTI-FORENSICS METHODS Much of the recent discussion in articles, conferences, and blogs seems to suggest that AF tools and methods have appeared suddenly (Harris, 2006; Liu & Brown, 2006; Rogers, 2006). While this is certainly true in some cases, it is also important to note that many forms of AF -- although not created to hinder the detection of evidence, per se -- have been around for quite some time. Page 1 Proceedings of The 5th Australian Digital Forensics Conference Rogers (2006) suggests that there are four basic categories of AF: data hiding, artefact wiping, trail obfuscation, and

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    227 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us