contentssdiwc.net/ijcsdf/files/ijcsdf_vol3no4.pdf · 2017. 3. 3. · zte in q3 2013 and followed by...

CONTENTS

ORIGINAL ARTICLES Advances of Mobile Forensic Procedures in Firefox OS…………………………………………….. 183 Author/s: Mohd Najwadi Yusoff, Ramlan Mahmod, Ali Dehghantanha, Mohd Taufik Abdullah Alarming! Security Aspects of the Wireless Vehicle: Review……………………………………… 200 Author/s: Sabarathinam Chockalingam, Harjinder Singh Lallie A Survey on Digital Forensics Trends…………………………………………………………….…………… 209 Author/s: Ali Dehghantanha, Mohsen Damshenas, Ramlan Mahmoud e-Fraud Forensics Investigation Techniques with Formal Concept Analysis………………. 235 Author/s: WAZIRI Victor Onomza, Abdullahi Umar, MORUFU Olalere Security Breaches, Network Exploits and Vulnerabilities: A Conundrum and an Analysis……………………………………………………………………………………………………….. 246 Author/s: Oredola A. Soluade, Emmanuel U Opara

ISSN: 2305-0012 (online)

International Journal of Cyber-Security and Digital Forensics

Vol. 3, No. 4

Advances of Mobile Forensic Procedures in Firefox OS

Mohd Najwadi Yusoff, Ramlan Mahmod, Ali Dehghantanha, Mohd Taufik Abdullah Faculty of Computer Science & Information Technology,

Universiti Putra Malaysia, Serdang, Selangor, Malaysia.

[email protected],{ramlan,alid,taufik}@upm.edu.my

ABSTRACT The advancement of smartphone technology has attracted many companies in developing mobile operating system (OS). Mozilla Corporation recently released Linux-based open source mobile OS, named Firefox OS. The emergence of Firefox OS has created new challenges, concentrations and opportunities for digital investigators. In general, Firefox OS is designed to allow smartphones to communicate directly with HTML5 applications using JavaScript and newly introduced WebAPI. However, the used of JavaScript in HTML5 applications and solely no OS restriction might lead to security issues and potential exploits. Therefore, forensic analysis for Firefox OS is urgently needed in order to investigate any criminal intentions. This paper will present an overview and methodology of mobile forensic procedures in forensically sound manner for Firefox OS. KEYWORDS Forensic framework, mobile forensic, forensic investigation, forensic methodology, forensic procedures, Firefox OS. 1 INTRODUCTION Mobile devices are relatively small, portable and widely used by all ages of people in their daily life, business, entertainment, medical, as well as education. Mobile devices consist of mobile phones, smartphones, tablets, and personal digital assistant (PDA). The usage of mobile devices are gradually increase over the time especially smartphones and tablets. This increasing trends are due to its useful capability, numerous function and allowed many tasks which required personal computers as well as high processing power to be executed in mobile devices. Figure 1 shows the

World-Wide Smartphone Sales (Thousands of Units) classified by mobile OS from Q1 2007 to Q4 2013 [1]. The number of sales are not limited to the smartphone, but also included other mobile devices such as tablets and PDAs. It is because tablets and PDAs using the same mobile OS by smartphone.

Figure 1. World-Wide Smartphone Sales Latest analysis by Gartner shows that the total numbers of smartphone sold in Q4 2013 is about 282 million units, while the total numbers of smartphone sold in Q1 2007 is about 24 million units [2-3]. In just 7 years, the total numbers of smartphone sold in Q4 2013 is about 12 times more than the total numbers of smartphone sold in Q1 2007. The highest sales growth goes to Android while the second highest goes to Apple iOS, a huge gap between first and second place. On the other hand, the remaining mobile OS shows inconsistent sale and sales growth. Figure 2 shows World-Wide Smartphone Sales by percentage [1].

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)

183

Figure 2. World-Wide Smartphone Sales Percentage The growth of mobile devices has led to numerous companies to join in the market shares. In Q1 2007, smartphone sales was dominated by Symbian OS, followed by Windows Mobile and Research in Motion (RIM). However, with the coming of Apple iOS in Q2 2007 and Android in Q3 2008, domination by Symbian OS was slowly reduce. At present, there are no more Windows Mobile as it was replaced by Windows Phone in Q4 2010 and Samsung Bada join the race in Q2 2010. In 2014, mobile OS market share is dominated by Android, followed by Apple iOS, Windows Phone, RIM, Symbian OS, and Bada respectively. In Q1 2012, Mozilla Corporation joined the battle by releasing their own mobile OS, named as Firefox OS [4]. The OS is able to run on selected Android-compatible smartphones. The first ever Firefox OS phone was released by ZTE in Q3 2013 and followed by Alcatel, LG and Geeksphone [5-6]. Firefox OS is an open source mobile OS which is purely based on Linux-Kernel and Mozilla’s

Gecko technology [7]. Firefox OS boots into a Gecko-based runtime engine and thus allow users to run applications developed exclusively using HTML5, JavaScript, and other open web application APIs. According to Mozilla Developer Network, Firefox OS is free from proprietary technology but still a powerful platform; it offers application developers an opportunity to create tremendous products [7]. Mozilla introduced WebAPI by bridging the capability gap between

native frameworks and web applications. WebAPI will enable developers to build applications, and run it in any standards compliant browser without the need to rewrite their application for each platform. In addition, since the software stack is entirely HTML5, a large number of developers were already established, and users can embrace the freedom of pure HTML5 [8]. Unlike Apple iOS, Windows Phone, RIM and Android which full of manufacturer restriction, Firefox OS is based solely on HTML5, JavaScript as well as CSS, and those are totally open sources. By not having any restriction, security issues and potential exploit might come into question. According to Mozilla Developer Network, Firefox OS has designed and implemented multi-layered security model which deliver the best protection against security exploits [9]. In general, Firefox OS is using four layers security model, which are the mobile device itself, Gonk, Gecko and Gaia layers, in order to mitigate exploitation risks at every level. The mobile device is the phone running Firefox OS, while Gonk consists of the Linux-Kernel, system libraries, firmware, and device drivers. Gonk delivers features of the underlying mobile phone hardware directly to the Gecko layer. Gecko is the application runtime layer that delivers the framework for application execution, and implements the WebAPIs to access features in the mobile device. Gecko is operating as a gatekeeper that enforces security policies which designed to protect the mobile device from exploitation. Gecko also enforces permissions and preventing access of unauthorized requests. Last but not least, Gaia is the suite of web applications that delivers user experience [9]. The objective of this paper is to present an overview and methodology of mobile forensic procedures for forensic investigation in Firefox OS. This paper is organized as follows; Section (2) will explain about related work to-date. Section (3) will present the proposed methodology and detail steps in forensic procedure. Section (4) will give a brief conclusion and the future work to be considered. Acknowledgement and references are also presented at the end of this paper.


184

2 RELATED WORKS 2.1 SIM Cards Investigation In the earliest mobile forensic investigation, most of the digital evidences in mobile phone were stored in SIM cards. Research by Goode stated that, it is vital to acquire the data such as contacts and SMSs stored in SIM cards [10]. In addition, mobile phone memory and SIM cards also hold phone contacts which may contain critical evidences for an investigators. According to Goode, there are three evidence locations in mobile phone which are from SIM cards, identification information from a mobile phone (IMEI) and core network provider information. Similar work carried out by Willassen was by exploring SIM card and core network data in GSM phones [11]. According to Willassen, the SIM cards can provide information of network provider name with a unique identification number. The subscriber's name, phone number and address usually associated with the SIM cards. Consequently, phone records also can be retrieved from network providers. Furthermore, the contents of a SIM cards are binary data that can be taken, provided that the user has authentication either with a PIN or a PUK code. Programs or tools such as Cards4Labs and SIM-Surf Profi were used to decode the binary format into readable form. In addition, Willasen also able to recover the evidence such as phone logs, phone contacts, SMS, and phone IMEI obtained from both SIM cards and mobile phones. On the other hand, Casadei was used open source tools, both in Windows and Linux for digital extraction from SIM cards [12]. As the result, Casadei was able to acquire the raw data in Binary format from the SIM cards. Casadei also presented an interpretation of binary raw data at a higher level of abstraction and used an open source tool named SIMbrush to examine the raw data. SIMbrush was designed to acquire digital evidence from any SIM cards in GSM network but have not tested for any modules under D-AMPS, CDMA and PDC. Additionally, SIMbrush focus more towards GSM network because GSM is the biggest mobile network in the world at that time

and penetration in this network is rapidly increased. Marturana was extended the acquisition process in SIM cards by comparing data in SIM cards and smartphones [13]. According to Marturana, acquisition in the smartphone is much more complicated; this is due to the possibility of evidences are also stored in many places such as internal and flash memory. 2.2 Windows Mobile With the arrival of smartphones, focuses are more on the Windows Mobile OS due to its similarity in nature with desktop environment. Windows Mobile OS is a simplified version of Windows OS developed by Microsoft; mainly for mobile devices. Research by Chen was able to extract SMS, phone contacts, call recording, scheduling, and documents from Windows Mobile OS via Bluetooth, Infrared and USB mode using Microsoft ActiveSync [14]. Microsoft ActiveSync used Remote API (RAPI) to manage, control, and interact with the connection equipment from the desktop computer. The acquired data were came from mobile phone internal memory, SIM card as well as removable memory. Similar research was continued by Irwin and Hunt by extracting evidences over wireless connections. They used their own developed forensic tools called as DataGrabber, CTASms and SDCap. DataGrabber was used to retrieve information from both the internal memory and any external storage card, CTASms to extract information from the mobile device’s Personal Information Manager (PIM) while SDCap was used to extract all information from external storage card. They were successfully mapping internal and external phone’s memory and transfer all files and folder to

desktop computers [15]. By using RAPI function, acquisition process only capable to capture active data and capturing deleted data is not possible using this method. According to Klaver, physical acquisition method will be able to obtain non-active data in Windows Mobile OS [16]. Klaver was proposed a versatile method to investigate isolated volume of Windows Mobile OS database files for both active and deleted data. Klaver was used freely available


185

tools of forensic application and explained the known methods of physical acquisition. Deleted data can be recovered by using advanced acquisition methods like chip extraction and this method was able to bypass password protection. Casey was extended the finding by describing various methods of acquiring and examining data on Windows Mobile devices. Casey was also able to capture text messages, multimedia, e-mail, web browsing, and registry entries [17]. Some of the captured data by Casey were locked by the OS itself, and require XACT from Micro Systemation and ItsUtils to work together with Microsoft ActiveSync. These tools will help to unlock certain files and convert the ASCII format in cemail.vol structure to a readable SMS. This research was also focused on potentially useful sources of evidences in Windows Mobile OS and addressed the potential evidences found in \temp folder. In the recent work, Kaart made an investigation by reverse-engineering the pim.vol volume files in Windows Mobile OS [18]. pim.vol is a Microsoft’s Embedded Database (EDB) volume that consists of information related to phone contacts, calendars, appointments, call history, speed-dial settings and tasks [18]. Kaart was successfully reverse-engineering important parts of EDB volume format which allow them to recover unallocated records. Kaart was also delivered the mapping from internal column identifiers into readable format for some familiar databases in pim.vol volumes and created a parser that can automatically extract all allocated records exist in a volume. Microsoft ActiveSync in Windows Mobile OS placing an agent into mobile devices. This action may alter the stored data in mobile devices such as the last synchronization date and time; or the name of the last computer synchronize with the devices. For this reason, Rehault was proposed a method of using boot-loader concept; which is non-rewritable and able to protect the evidences from being altered [19]. Rehault was also proposed an analysis method to process specific files with specific format. The main focus in this research was to obtain registry hives and the cemail.vol which contain deleted data. By reconstructing

back registry hives, digital evidence such as SMS, MMS as well as email can be obtained and retrieved from cemail.vol. On the other hand, Research by Grispos make a comparison of forensic tools using different approaches for acquisition and decode process [20]. According to Grispos, there are strengths and weaknesses of each types of acquisition. Grispos stated that, logical acquisition is more efficient for recovering user data, whereas physical acquisition can retrieve deleted files [20]; but this procedure can damage the device while it is being dismantled. Besides that, Kumar was proposed an agent based tool developed for forensically acquiring and analyzing in Windows Mobile OS [21]. This tool is develop based on client server approach, whereby client is installed on desktop PC and server agent is inject into mobile devices before acquisition process. As for analyzing process, this tool was able to display and decode the image created during acquisition. This research also make a comparison between Paraben's Device Seizure, Oxygen's Forensics Tool as well as Cellebrite UFED and claimed to perform better in Windows Mobile OS. On the other hand, Canlar was proposed LiveSD Forensics to obtain digital evidence from both the Random-Access Memory (RAM) and the Electronically Erasable Programmable Read Only Memory (EEPROM) of Windows Mobile OS. This research was claimed to generate the smallest memory alteration, thus the integrity of evidences is well preserved [22]. 2.3 Symbian OS Symbian OS is one of the famous mobile OS in the golden age of smartphone. Forensic work by Mokhonoana and Olivier was discussed about the development of an on-phone forensic logical acquisition tool for the Symbian OS [23]. Mokhonoana and Olivier was performed UNIX dd command to acquire the image from the phone. They also discussed different methods of retrieving data from a Symbian OS consists of manual acquisition, using forensic tools, logical acquisition, physical acquisition and data acquired from service providers. Additionally, Breeuwsma was proposed a low level approach for the forensic examination of flash memories and describes three


186

low-level data acquisition methods for making full memory copies of flash memory devices [24]. Their work has been identified as pioneer in physical acquisition techniques using chip-off, JTAG and pseudo-physical. The work has been tested on Symbian OS devices. On the other hand, Rossi and Me was proposed a new methodology and a tool to obtain the data by using the removable memory [25]. A tool to obtain the data is stored in a removable memory and the acquisition process is performed locally. In addition, this tool not only performs acquisition process, but also compiles log and marks the data with some one-way hash algorithm to provide data integrity. Test result is divided into three condition of mobile devices and result obtained are different. Therefore, Rossi and Me suggest to maintain the device in the most possible original status. Besides that, Dellutri was proposed a novel methodology by applying data reverse-engineering on Symbian devices [26]. The proposed methodology also shows full potential when running on mobile operating systems which data formats are not open or not public. The investigation used Mobile Internal Acquisition Tool (MIAT) and run into more than 50 Symbian OS devices. Deluttri was able to capture personal data, Symbian OS personal data files format, obsolete data and hidden information during forensic process. Moreover, Yu was proposed a process model for forensic analysis in Symbian OS. The process model consists of five stages which are Preparation and Version Identification; Remote Evidence Acquisition; Internal Evidence Acquisition; Analysis and Presentation; and Review. According to Yu, this model can overcome some problems of forensic investigation in Symbian OS [27]. Savoldi and Gubain was presented an assessment about specifically forensic acquisition focusing on security features in Symbian OS [28]. They gave an overview about OS and file system architecture. According to Savoldi and Gubain, only physical acquisition was able to recover a bitwise copy of the flash memory without bypassing any security mechanisms. On the other hand, Pooters was created a forensic tool called Symbian Memory Imaging Tool (SMIT) to

be executed on the Symbian OS and created linear bitwise copies of the internal flash memory [29]. SMIT able to acquire the image of the internal flash memory and copies the images to a removable memory. SMIT has been tested on a Nokia E65, E70 and N78 model. Thing and Tan was proposed a method to acquire privacy-protected data from smartphones running the latest Symbian OS v9.4 and smartphones running the prior Symbian OS v9.3 [30]. They also presented reverse-engineering analysis work on the active and deleted SMS recovery from the on-phone memory of Symbian OS. In addition, Thing and Chua was proposed a forensics evidentiary acquisition tool for Symbian OS [31]. Their acquisition tool was built to support a low-level bit-by-bit acquisition of the phone’s internal flash

memory, including the unallocated space. They also conducted an analysis to perform a detail of the fragmentation scenarios in Symbian OS. Apart from that, Savoldi made a brief survey and comparison between mobile forensic investigation in Windows Mobile OS and Symbian S60 [32]. In his work, Savoldi acquired the evidences using both logical and physical methods. Savoldi was also illustrated the differences and identified possible common methodology for future forensic exploration. Conversely, Mohtasebi was studied four mobile forensic tools; namely Paraben Device Seizure, Oxygen Forensic Suite, MIAT, and MOBILedit! to extract evidences from Nokia E5-00 Symbian OS phone [33]. The comparison was to check the ability to extract evidence and to examine information types such as call logs, map history, and user data files. 2.4 Apple iOS Forensic investigation and examination in Apple iOS was practically started by Bader and Baggili. They performed investigation and examination on logical backup of the iPhone 3GS by using the Apple iTunes backup utility [34]. Significant forensic evidences such as e-mail messages, SMS, MMS, calendar events, browsing history, locations services, phone contacts, call history as well as voicemail recording was found and can be retrieved using this iPhone acquisition method.


187

Husain later extended the finding by proposed a simple and cost effective framework for iPhone forensic analysis [35]. Followed the same approached by Bader and Baggili, iTunes was used to force backup the iPhone and logical copy of backup data can be found in computer hard drive. This method can captured the entire data from iPhone without Jailbreak the devices. Jailbreak is a method to release the security features of the iDevice and permits a direct connect to the data inside. Husain was used MobileSyncBrowser to analyse the backup file which is in binary format; converting them into lists and databases. Furthermore, SQLite Database Browser was used to analyse database file and Plist Editor was used to analyse Apple Property List file. In the contrary, Husain and Sridhar was focused on Instant Messaging (IM) data in Apple iOS [36]. This research made an analysis to forecast the potential use of IMs that can lead to cyber bully and cyber stalking. Once the data captured, Paraben Device Seizure, Aesco Radio Tactics and Wolf Sixth Legion were used to analyse the data. The output of this analysis were included username, password, buddy list, last login time and conversation together with timestamp. Similarly, Jung was reviewed the types of Social Network Services (SNS) that available in Apple iPhone and made further studied on acquisition process in Apple iOS platform [37]. Jung made an analysis on eight SNS in Apple iOS which are Cyworld, Me2Day, Daum Yozm, Twitter, Facebook, NateOn UC., KakaoTalk and MyPeople. However, this method required root access to the devices. Therefore, Jung Jailbreak the device to get full access permission. The examination and analysis of SNS continued by Tso [38]. Tso was discussed five most popular mobile SNS applications in Apple iOS usages such as Facebook, WhatsApp Messenger, Skype, Windows Live Messenger and Viber. Tso was followed methods by Husain by forcing Apple iTunes to make a logical copy of backup data. Tso ran two experiment, the first data acquisition was after applications installation, while the second data acquisition was after applications deletion.

Moreover, Said was carried a research by comparing Facebook and Twitter in Apple iOS, Windows Mobile OS and RIM BlackBerry [39]. The aim of this research is to investigate the different types of logical backup and encryption techniques used in three mobile OS. In the same way, Mutawa later on made SNS comparison between Facebook, Twitter and MySpace in three different OS which are Apple iOS, Android and RIM BlackBerry [40]. The examination and analysis was started by uploading picture and post a comment from mobile devices using each SNS from different platform. The aimed of this analysis is to determine whether activities performed earlier are stored and can be captured from internal mobile devices memory. Similar research was published by Lee and Park by capturing the SNS data using different forensic tools [41]. On the other hand, Levinson explore an investigation for third party applications in iOS platform [42]. According to Levinson, most mobile forensic work emphasis on typical mobile telephony data such as contact information, SMS, and voicemail messages. However, there are heaps of third party application might leave forensically relevant artifacts in mobile devices. For investigation purpose, Levinson acquired data from 8 third party application in Apple iOS platform. As a result, Levinson found information about user accounts, timestamps, geo-locational references, additional contact information, native files, and various media files. All these data typically stored in plaintext format and can provide relevant information to a forensic investigators. Additionally, in order to create Apple iOS image, we need to install SSH server and transfer the Apple iOS internal storage via Wi-Fi into desktop computer. However, this approach may require up to 20 hours. Therefore, Gómez-Miralles and Arnedo-Moreno were presented a novel approach by using an iPad’s camera connection kit attached

via USB connection [43]. This approach was greatly reduces acquisition time. On the bad side, Jailbreak is required in order to gain full access and it is not considered as a forensically sound manner for forensic investigation. For that reason, Iqbal made a research to obtain an Apple iOS image without Jailbreak the device and run the


188

acquisition process on the RAM level [44]. Apple iOS devices need to reboot and enter the recovery mode before connected to their own developed tools. The imaging process was less than 30 minutes and they were successfully developed an acquisition method that protects the integrity of the collected evidences. Recently, Ariffin was proposed an operational technique that allows digital forensic investigators to recover deleted image files by referring to Apple iOS journaling file system [45]. The proposed method was implemented on an iDevice that has been Jailbreak and used a customized RAM disk that was loaded into the device RAM. This technique was successfully recover deleted image files from the journal file and was tested on iPhone 3GS and iPhone 4. 2.5 Google Android Android becomes a new mobile forensic investigation emphasis due to its strong hold in the market share and currently have the biggest active user using Android platform. Android was built based on Linux-Kernel and user has the ability to rewrite the firmware, boot-loader and other root activities. Research by Lessard and Kessler were among the first in Android platform [46]. They performed logical acquisition on HTC Hero to acquire physical image. UNIX dd command was performed to get an image from \dev\mtd directory. The examination was done on flash memory and removable memory by AccessData Forensic Toolkit (FTK) Imager v2.5.1. Apart from that, Anti-forensic among the major consideration in Android investigation. Research by Distefano was preserved the data from being damaged by using anti-forensics approach through a local paradigm [47]. This approach was exported some critical data which need to be identified in XML format and save it into private directory and it is unreachable from any other applications. Albano also worked on anti-forensics to modify and erase, securely and selectively, the digital evidence in Android [48]. This technique do not use any cryptographic primitives or make any changes to the file system. Moreover, Azadegan introduce the design and implementation of three novel anti-

forensic approaches for data deletion and manipulation on three forensics tools [49]. This research also identify the limitation of current forensic tools flow design. Quick and Alzaabi was performed logical and physical acquisition on Sony Xperia 10i [50]. Logical acquisition was not able to acquire the full size of the file system, while physical acquisition achieved a bitwise acquisition of the flash memory. They also claimed that they has successfully generated a complete copy of the internal NAND memory. On the other hand, Sylve was presented the first methodology and toolset for acquisition of volatile physical memory from Android devices [51]. This method was created a new kernel module for dumping memory and Sylve has further develop a tool to acquire and analyse the data. Sylve was also presented an analysis of kernel structures using newly developed volatility functionality. On the contrary, Vidas was proposed a general method of acquiring process for Android by using boot modes [52]. This technique reconstructed the recovery partition and associated recovery mode of an Android for acquisition purposes. The acquired data has to be in recovery image format. Custom boot-loader method has become popular in Android because the user is able to get root permission; and able to acquire an image of the flash memory. Another research using boot-loader method was conducted by Park [53]. This research was mainly focused on fragmented flash memory due to the increase of flash memory deployment in mobile phones. In addition, Son was conducted an evaluation on Android Recovery Mode method in terms of data integrity preservation [54]. Son developed an Android Extractor to ensure the integrity of acquired data and presented a case study to test their tool’s ability. The test was conducted on seven Samsung smartphones with rooted Android capability and emphasis on YAFFS2 and Ext4 files. The results from the use of JTAG method was served as a comparison vector to the Recovery Mode. In the different research perspective, Racioppo and Murthy made a case study about physical and logical forensic acquisition in HTC Incredible


189

[55]. AccessData Forensic Toolkit (FTK) Imager v3.0.1 was used to make an image from removable SD memory. After that, they root the device and gaining access to the root directory. They were able to create a bitwise copy of the seven MTDs presented in \dev\mtd directory. Examination was done using Ubuntu’s scalpel and claimed that the physical acquisition much more effective to discover corrupted or destroyed files. Moreover, Andriotis was proposed a method for acquiring forensic evidences from Android smartphones using open source tools [56]. The investigation was able to obtain information regarding the use of the Bluetooth technology and Wi-Fi networks on four Android running devices. They specified the files and folders to be targeted and highlighted some security problems that might occur by exposing user’s passwords in certain cases by the

Android system. In addition, Mylonas was extended the acquisition work and focusing on phone’s sensors as critical evidence sources [57]. They studied the involvement of sensor like accelerometer, proximity sensor, GPS, compasses, etc in forensic investigation procedures which can be used to infer the user’s context. However, they found that the sensor data are volatile and not available in post-mortem analysis. For that reason, they developed the tool named Themis to collect suspect’s data. Themis consists of two major parts, workstation version and the mobile agent in Android. They presented promising result but yet to prove its effectiveness in practice due to the need of bypass Android security mechanism and need to place mobile agent in each phone. The newly acquisition method is the live acquisition. Thing was proposed an automated system in acquiring evidences and claimed that this method consistently achieved 100% evidence acquisition rate for outgoing message and 75.6% to 100% evidence acquisition rate for incoming message [58]. Thing was used Android as the test platform and Message Script Generator, UI/Application Exerciser Monkey, Chat Bot, memgrab and Memory Dump Analyzer (MDA) as the forensic tools. Although the acquisition rate is high, this method was only tested by using their own developed chat bot and yet to be tested using

commercial IM. Another live acquisition research is by Lai. Lai was proposed data acquisition in Android; and deliver the data to the Google cloud server in real time [59]. This method really can delivered the intended data, but the integrity of the data is questionable. As for monitoring, Guido used live forensic to remotely monitor and audit malware activity on Android devices [60]. It consists of five elements, each one detecting changes in specific parts of the OS such as boot-loader, recovery, file system, deleted files and APK files. Even many successful detections, they discovered some malware false positive result and inability to detect some deleted entries. 2.6 RIM BlackBerry Another major player in mobile market share is BlackBerry. As for the BlackBerry, Fairbanks was presented a framework for an open source BlackBerry IPD file forensics tool [61]. Fairbanks was executed a python tool that parses the IPD file upon user request for specific resources. That tool is able to capture the messages, contacts, SMS records, memos, call logs, and the task list from an IPD file. This work was tested on BlackBerry 7290. The result was good but they did not provide enough data to the potential readers. On the other work, Sasidharan and Thomas generated BlackBerry image from Blackberry Acquisition and Analysis Tool (BAAT), which is injected on the device before acquisition process [62]. The tool also analyse the forensic image and shows phone contents in different file viewers. However, they unable to read and parse the SMS databases because the version of the BlackBerry JDE at that time does not supports API to access SMS databases from the device. In the recent BlackBerry research, Marzougy was presented the logical acquisition of the .bbb file produced by a Blackberry Playbook tablet [63]. They used the BlackBerry Desktop Management (BDM) software to perform the logical acquisition. The extracted information were varying from system information and user data and also failed to retrieve deleted entries. For future work, they plan to run more tests on a wide range of BlackBerry models.


190

3 PROPOSED WORK

In order to run forensic investigation and analysis,

we are proposing this methodology to be

conducted during the investigation process. It is

based on Smith and Petreski approach [64]. Our

methodology and approach consist of three

procedures. This methodology is a basic approach

and purely designed for Firefox OS. There will be

many type of files and analysis, thus it is designed

to have specific targeted data checklist. The use of

this checklist is to identify relevant data align with

specific analysis. This data checklist can be

updated from time to time.

3.1 Preparation and Preservation Procedure

START

Sufficient information to

start ?

Create system configuration. Setup forensic software and

hardware

Yes

START Acquisition

Firefox OS knowledge preparation

No

Knowledge ready

Firefox OS smartphone

Phone connectivity

Define forensic tools

Prepared relevant and non-relevant data list

Verify data and device integrity

Yes

Return package to requestor

No

Figure 3. Preparation and preservation procedure The first procedure is the Preparation and Preservation. This procedure starts with knowledge and information check. If the

knowledge about Firefox OS is not sufficient, knowledge gathering is required. It is vital to understand Firefox OS architecture before forensic investigation started. In general, Firefox OS architecture consist of 3 layers [65]. The first layer is an application layer called Gaia and work as user interface for smartphones. The second layer is open web platform interface. The second layer used Gecko engine and provide all support for HTML5, JavaScript as well as CSS. All the targeted evidence are stored in this layer. The third layer called Gonk is infrastructure layer and consist of Linux-Kernel. There are two types of storage in Firefox OS running phone which are internal SD storage and additional micro-SD card. Figure 4 shows an illustration version of Firefox OS architecture.

Figure 4. Firefox OS Architecture [65] The second step is to create a system configuration and setup forensic software as well as related hardware. In this step, we need to have a smartphone preinstalled with Firefox OS, forensic tools, physical and logical connectivity. We will


191

use Geeksphone Peak as our test Firefox OS phone as per shows below

Figure 5. Geeksphone Peak Geeksphone Peak is among the first Firefox running OS phone released and was marketed under developer preview model. It was released in April 2013. This phone is equipped with Firefox OS version 1.1.1 as shows in Figure 6.

Figure 6. Geeksphone Peak information detail

Mozilla released an update for their OS regularly and any stable build can be update via over-the-air. Table 1 below shows the specification detail for this phone.

Table 1. Geeksphone Peak specification Hardware Detail

Processor 1.2 GHz Qualcomm Snapdragon S4 8225 processor (ARMv7)

Memory 512 MB Ram

Storage -Internal 4GB -Micro SD up to 16GB

Battery - 1800 mAh - micro-USB charging

Data Inputs Capacitive multi-touch IPS display

Display 540 × 960 px (qHD) capacitive touchscreen, 4.3"

Sensor -Ambient light sensor -Proximity sensor -Accelerometer

Camera 8 MP (Rear), 2 MP (Front)

Connectivity

-WLAN IEEE 802.11 a/b/g/n -Bluetooth 2.1 +EDR -micro-USB 2.0 -GPS -mini-SIM card -FM receiver

Compatible Network

- GSM 850 / 900 / 1800 / 1900 - HSPA (Tri-band) - HSPA/UMTS 850 / 1900 / 2100

Dimension -Width: 133.6 millimetres (5.26 in) -Height: 66 millimetres (2.6 in) -Thickness: 8.9 millimetres (0.35 in)

As for the phone connectivity, we are using micro-USB 2.0 port. Subsequently, we need to make a connection between the phone and the host machine. Firefox OS is based on Linux-Kernel and the design more or less are similar with Android. For that reason, we can easily access the phone using Android Debug Bridge (ADB). The ADB is a toolkit integrated in the Android SDK package and consists of both client and server-side codes. The codes are able to communicate with one another. We will run UNIX dd command from the ADB to acquire the phone image. After that, we will use AccessData Forensic Toolkit and HxD Hex Editor to further examine the acquired image during examination and analysis procedure.


192

Next we need to prepare a list of relevant and non-relevant data. This list is very important to identify relevant data to be captured later. For example, if we conduct log analysis, relevant data will be chat log, call log, system log and other related information. The next step is to verify the integrity of data and device. Only if the integrity of data and device is confirmed, then we can proceed to Acquisition procedure. Else, the package need to be returned to requestor. 3.2 Acquisition Procedure

START

Acquisition Process

Mark data in the list

Is there unprocessed

data ?

What type of data ?

Yes

Document this data and attributes to Relevant data

list

Data relevant

Acquiring and imaging forensic data

Data not relevant

Consider advising requester of initial

finding

Targeted data acquired

START Analysis

No

Figure 7. Acquisition Procedure The second procedure in our proposed methodology is Acquisition Procedure. This procedure is mainly for acquiring and imaging the targeted data. Here, we will use several forensic tools; physical or logical depending on the targeted data to obtain. The process starts with acquiring and imaging targeted forensic data which falls under relevant list. From our observation, we found that the evidences can be captured from internal SD storage, micro-SD and other user partitions. Acquiring data from some part of the internal SD storage and micro-SD card are relatively easy; the phone only need to be

connected to the host machine and internal SD storage as well as micro-SD card can be mounted as removable drive. However, acquiring data from other user partitions in internal storage is quite a challenging tasks. An additional driver for Geeksphone Peak need to be installed into the host machine. We will use Windows 8 as an operating system in the host machine. Once connected using the micro-USB 2.0 port, Windows 8 will ask for the driver. The supported USB driver can be downloaded from Geeksphone web. Once the installation finished, Geeksphone Peak will appear in the Device Manager as shows in Figure 8 and internal SD storage as well as micro-SD card will be mounted into the host machine as Linux File-CD Gadget USB Device.

Figure 8. Mounted phone storage In order to access the storage from the host machine, we need to enable USB storage in the phone setting. To enable the storage, we need to go to phone Settings > Storage and enable USB storage as shows in Figure 9.


193

Figure 9. Enable USB storage After that, we need to go to Media storage > Internal Storage and enable Share using USB as shows in Figure 10. This option will make an internal SD storage to be appear in the host machine

Figure 10. Share internal storage using USB To access the micro-SD card, repeat the same process by go to Media storage > SD Card Storage and enable it as shows in Figure 11.

Figure 11. Share micro-SD card storage using USB Now we can see both internal SD storage and micro-SD appear in the host machine as shows in Figure 12.

Figure 12. Phone storage mounted as removable storage From this way, we can access both internal SD storage and micro-SD card. However, only around 1GB storage can be access for internal storage, while the remaining 3GB internal storage still cannot be access. Figure 13 shows all the files in the internal SD storage.


194

Figure 13. Phone storage At the time we were conducting this experiment, there is no single file was stored in the micro-SD card. As for the internal SD storage, we can simply copy all these files into the host machine and analyse it. For remaining part of the internal storage, we need to run UNIX dd command to acquire the whole image of the internal storage. In order to acquire the phone image, we will use UNIX dd command in ADB environment. Before we start the ADB, we must disable the USB storage support and unmounts micro-SD card from the host machine. After that, we run command prompt (CMD) and pointing the command start to %AndroidSDK%\sdk\platform-tools folder. To start ADB, type the following

adb shell

Figure 14. Root Access

This command will establish the connection between the phone and the host machine and root@android:/ # access will appear in the CMD. After that, we type the following to run dd command;

dd if=/dev/block/mmcblk0 of=/mnt/emmc/evidence.img

The image is pointing into the micro SD card and we does not put any block size, by default it is 512KB. The process will take up until 10 minutes depending the block size chosen and the acquired image is around 3.64GB (internal storage size). This acquired image will cover all partitions in the internal storage and also cover unallocated partition. In order to transfer the acquired image into the host machine, we need to mount back the micro SD card and follow the previous step in Figure 9 which is phone Settings > Storage and enable back the phone storage. The host machine will again detecting the removable drive and acquired image will be appear as shows in the Figure 15.

Figure 15. Acquired image from the Firefox OS running phone


195

After the image is obtained, the relevant data list will be marked and updated. This step only involve specific files in the relevant data list. For example, if we want to run log analysis, only log file will be acquired. The second step is to verify the remaining data, if the remaining data in the smartphone is still relevant, the first process is repeated, and it will write down the details into relevant data list. After all relevant data is obtained, we will gather all initial finding and present it to the requester. Analysis procedure will start after all targeted data acquired. 3.3 Examination and Analysis Procedure

START

Examination and analysis using forensic tools

What application created, edited, modified, sent, received the file to be ?

Where was it found and where it come from ?

When it was created, accessed, modified, received, sent, viewed, deleted and launch ?

How was it created, transmitted, modified and used ?

Check registry entry and system log

Identify any other relevant information

Is there any data left for analysis ?

Yes

Documenting the result

No

Figure 16. Examination and Analysis procedure The last procedure in our methodology is Examination and Analysis Procedure. This procedure will focus on deeper attributes of acquired data. All the information will be analysed using additional tools such as SQL viewer to open the database file, HxD Hex Editor to open

unspecified format files or AccessData Forensic Toolkit to examine the image file. In this procedure, the acquired data will be examined and analysed to find the application involved in creating, editing, modifying, sending and receiving targeted file. Later, we will investigate the data origin; and the directory it came from. The third sub step is to find when the file was created, accessed, modified, received, sent, viewed, deleted and launched. The fourth sub step is to analyze how it was created, transmitted, modified and used. Registry entry and system log need to be checked and relevant information will be identified and rectified again. Last but not least, we need to repeat all the step, to ensure that there is no missing data during the analysis. Once completed, we can start documenting the result. As for this testing purposes, we try to find the tree directory of the files in the internal SD storage. Table 2 shows tree directory in internal SD storage.

Table 2. Tree directory in internal SD storage Evidence Tree Directory

Thumbnail in photo %Internal%\.gallery\previews\DCIM\100MZLLA

Alarms setting %Internal%\Alarms

Installed apps %Internal%\ Android\data

Photo gallery %Internal%\ DCIM\100MZLLA

Downloads %Internal%\ Download

Third party apps %Internal%\ external_sd\Android\data

Event logs %Internal%\ logs

Recovery folder %Internal%\ LOST.DIR

Video files %Internal%\ Movies

Audio files %Internal%\Music

Notifications log %Internal%\Notifications

Received picture %Internal%\Picture

Podcasts info %Internal%\Podcasts

Ringtones %Internal%\Ringtones

Screenshots %Internal%\screenshots

Temp folder %Internal%\tmp

Downloaded updates %Internal%\updates


196

This file analysis only covered for internal SD storage only. For remaining part of the internal storage, we need to further examine the phone image. For that reason, we use AccessData Forensic Toolkit to open the captured image. Once we open it, we can see the image consists of 21 partitions as shows in the Figure 17.

Figure 17. The list of the partition in the phone image The internal SD storage belongs to partition no 18, named Internal SD-FAT32. Other than partition no 3 which is NONAME-FAT16 and partition no 18, remaining partitions were detected as unknown by AccessData Forensic Toolkit. From our observation, we believe that these partition will covers the recovery image, boot partition, system files, local files, cache, user’s data and other useful information for forensic investigators. 4 CONCLUSION AND FUTURE WORK This paper explains about an overview and methodology of mobile forensic procedures in Firefox OS. To our concern, there will be no restriction in Firefox OS and it is design to have the freedom of HTML5. Therefore, we will not include any step for rooting the devices; hence the integrity of the data can be preserved. This new approach might be applicable with other mobile

platform but it is purely design for Firefox OS. Checklist will be used to classify targeted data during acquisition. Later on, we will work on file, log, system, memory and full data analysis, therefore checklist is very important during each procedures. In this paper we only demonstrated certain steps to show our approach are working perfectly for Firefox OS. Every steps in each procedure has been explained properly to show how we can conduct further experiments. Acknowledgments. Special thanks to academic staff of Universiti Putra Malaysia for providing continuous guide and support, and also to Ministry of Education Malaysia and Universiti Sains Malaysia for granting the scholarship to me. 5 REFERENCES 1. Mobile Operating System Market Share,

http://en.wikipedia.org/wiki/Mobile_operating_system#Market_share

2. Gartner says worldwide smartphone sales reached its lowest growth rate with 3.7 per cent increase in fourth quarter of 2008, http://www.gartner.com/it/page.jsp?id=910112

3. Gartner Says Annual Smartphone Sales Surpassed Sales of Feature Phones for the First Time in 2013, http://www.gartner.com/newsroom/id/2665715

4. First Look at Mozilla’s Web Platform for Phones: Boot to Gecko, TechHive, http://www.techhive.com/article/250879/first_look_at_mozilla_s_web_platform_for_phones_boot_to_gecko.html

5. First Firefox OS Smartphone Has Arrived: Telefonica Prices ZTE Open At $90 In Spain, Latin American Markets Coming Soon, TechCrunch, http://techcrunch.com/2013/07/01/first-firefox-os-phone/

6. Mozilla Corporation, Mozilla Announces Global Expansion for Firefox OS, http://blog.mozilla.org/press/2013/02/firefox-os-expansion/

7. Mozilla Developer Network, Firefox OS, https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS

8. Mozilla’s Boot 2 Gecko and why it could change the

world, http://www.knowyourmobile.com/products/16409/mozillas-boot-2-gecko-and-why-it-could-change-world

9. Mozilla Developer Network, Firefox OS security overview, https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Security_model

10. Goode, A. J.: Forensic extraction of electronic evidence from GSM mobile phones, In: IEE Seminar on Secure


197

GSM and Beyond: End to End Security for Mobile Communications, pp. 9/1--9/6 (2003)

11. Willassen, S. Y.: Forensics and the GSM mobile telephone system, In: Int. J. Digit. Evid., vol. 2, no. 1, pp. 1--17, (2003)

12. Casadei, F., Savoldi, A., Gubian, P.: SIMbrush: an open source tool for GSM and UMTS forensics analysis, In: First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), pp. 105--119 (2005)

13. Marturana, P., Me, G., Berte, R., Tacconi, S.: A Quantitative Approach to Triaging in Mobile Forensics, In: 10th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 582--588 (2011)

14. Chen, S., Hao, X., Luo, M.: Research of Mobile Forensic Software System Based on Windows Mobile, In: 2009 International Conference on Wireless Networks and Information Systems, pp. 366--369 (2009)

15. Irwin, D., Hunt, R.: Forensic information acquisition in mobile networks, In: 2009 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, pp. 163--168 (2009)

16. Klaver, C.: Windows Mobile advanced forensics, In: Digit. Investig., vol. 6, no. 3--4, pp. 147--167, May (2010)

17. Casey, E., Bann, M., Doyle, J.: Introduction to Windows Mobile Forensics, In: Digit. Investig., vol. 6, no. 3--4, pp. 136--146, May (2010)

18 Kaart, M., Klaver, C., van Baar, R. B.: Forensic access to Windows Mobile pim.vol and other Embedded Database (EDB) volumes, In: Digit. Investig., vol. 9, no. 3--4, pp. 170--192, Feb. (2013)

19. Rehault, F.: Windows mobile advanced forensics: An alternative to existing tools, In: Digit. Investig., vol. 7, no. 1--2, pp. 38--47, Oct. (2010)

20. Grispos, G., Storer, T., Glisson, W. B.: A comparison of forensic evidence recovery techniques for a windows mobile smart phone, In: Digit. Investig., vol. 8, no. 1, pp. 23--36, Jul. (2011)

21. Kumar, S. S., Thomas, B., Thomas, K. L.: An Agent Based Tool for Windows Mobile Forensics, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng., vol. 88, pp. 77--88 (2012)

22. Canlar, E. S., Conti, M., Crispo, B., Di Pietro, R.: Windows Mobile LiveSD Forensics, In: J. Netw. Comput. Appl., vol. 36, no. 2, pp. 677--684, Mar. (2013)

23. Mokhonoana, P. M., Olivier, M. S.: Acquisition of a Symbian Smart phone’s Content with an On-Phone Forensic Tool, In: Southern African telecommunication networks and applications conference pp. 1--7, (2007)

24. Breeuwsma, M., Jongh, M. De, Klaver, C., Knijff, R. Van Der, Roeloffs, M.: Forensic Data Recovery from Flash Memory, In: Small Scale Digit. Device Forensics J., vol. 1, no. 1, pp. 1--7, (2007)

25. Rossi, M., Me, G.: Internal forensic acquisition for mobile equipments, In: 2008 IEEE International Symposium on Parallel and Distributed Processing, pp. 1–7, (2008)

26. Dellutri, F., Ottaviani, V., Bocci, D., Italiano, G. F., Me, G.: Data reverse engineering on a smartphone, In: 2009 International Conference on Ultra Modern Telecommunications & Workshops, pp. 1–8, (2009)

27. Yu, X., Jiang, L., Shu, H., Yin, Q., Liu, T.: A Process Model for Forensic Analysis of Symbian, In: Commun. Comput. Inf. Sci. - Adv. Softw. Eng., vol. 59, pp. 86--93, (2009)

28. Savoldi, P. G. Antonio: Issues in Symbian S60 platform forensics, In: J. Commun. Comput., vol. 6, no. 3, (2009)

29. Pooters, I.: Full user data acquisition from Symbian smart phones, In: Digit. Investig., vol. 6, no. 3--4, pp. 125--135, (2010)

30. Thing, V. L. L., Tan, D. J. J.: Symbian Smartphone Forensics and Security: Recovery of Privacy-Protected Deleted Data, In: Lect. Notes Comput. Sci. - Inf. Commun. Secur., vol. 7618, pp. 240--251, (2012)

31. Thing, V. L. L., Chua, T.: Symbian Smartphone Forensics: Linear Bitwise Data Acquisition and Fragmentation Analysis, In: Commun. Comput. Inf. Sci. - Comput. Appl. Secur. Control Syst. Eng., vol. 339, pp. 62--69, (2012)

32. Savoldi, A., Gubian, P., Echizen, I.: A Comparison between Windows Mobile and Symbian S60 Embedded Forensics, In: Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, pp. 546--550 (2009)

33. Mohtasebi, S., Dehghantanha, A., Broujerdi, H. G.: Smartphone Forensics : A Case Study with Nokia E5-00 Mobile Phone, In: Int. J. Digit. Inf. Wirel. Commun., vol. 1, no. 3, pp. 651--655 (2012)

34. Bader, M., Baggili, I.: iPhone 3GS Forensics : Logical

Analysis Using Apple iTunes Backup Utility, In: Small Scale Digit. Device Forensics J., vol. 4, no. 1, pp. 1--15, (2010)

35. Husain, M. I., Baggili, I., Sridhar, R.: A Simple Cost-Effective Framework for iPhone, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng. - Digit. Forensics Cyber Crime, vol. 53, pp. 27--37 (2011)

36. Husain, M. I. Sridhar, R.: iForensics : Forensic Analysis of Instant Messaging on, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng. - Digit. Forensics Cyber Crime, vol. 31, pp. 9--18, (2010)

37. Jung, J., Jeong, C., Byun, K., Lee, S.: Sensitive Privacy Data Acquisition in the iPhone for Digital Forensic Analysis, In: Commun. Comput. Inf. Sci. - Secur. Trust Comput. Data Manag. Appl., vol. 186, pp. 172--186, (2011)

38. Tso, Y.-C., Wang, S.-J., Huang, C.-T., Wang, W.-J.: iPhone social networking for evidence investigations using iTunes forensics, In: Proceedings of the 6th International Conference on Ubiquitous Information Management & Communication - ICUIMC ’12, (2012)


198

39. Said, H., Yousif, A., Humaid, H.: IPhone forensics techniques and crime investigation, In: The 2011 International Conference and Workshop on Current Trends in Information Technology (CTIT 11), pp. 120--125 (2011)

40. Mutawa, N. Al , Baggili, I., Marrington, A.: Forensic analysis of social networking applications on mobile devices, In: Digit. Investig., vol. 9, pp. S24--S33, Aug. (2012)

41. Lee, J., Park, D.: A Study on Evidence Data Collection through iPhone Forensic, In: Commun. Comput. Inf. Sci. - Converg. Hybrid Inf. Technol., vol. 310, pp. 268--276, (2012)

42. Levinson, A., Stackpole, B., Johnson, D.: Third Party Application Forensics on Apple Mobile Devices, 44th Hawaii Int. Conf. Syst. Sci., pp. 1--9, Jan. (2011)

43. Gómez-Miralles L., Arnedo-Moreno, J.: Versatile iPad forensic acquisition using the Apple Camera Connection Kit, In: Comput. Math. with Appl., vol. 63, no. 2, pp. 544--553, Jan. (2012)

44. Iqbal, B., Iqbal, A., Al Obaidli, H.: A novel method of iDevice (iPhone, iPad, iPod) forensics without jailbreaking, In: 2012 International Conference on Innovations in Information Technology (IIT), pp. 238--243 (2012)

45. Ariffin, A., Orazio, C. D., Choo, K. R., Slay, J.: iOS Forensics : How can we recover deleted image files with

timestamp in a forensically sound manner ?, In: Eighth International Conference on Availability, Reliability and Security (ARES), pp. 375–382, (2013)

46. Lessard, J., Kessler, G. C.: Android Forensics :

Simplifying Cell Phone Examinations, In: Small Scale Digit. Device Forensics J., vol. 4, no. 1, pp. 1--12, (2010)

47. Distefano, A., Me, G., Pace, F.: Android anti-forensics through a local paradigm, In: Digit. Investig., vol. 7, pp. S83--S94, Aug. (2010)

48. Albano, P., Castiglione, A., Cattaneo, G., Santis, A. De: A Novel Anti-forensics Technique for the Android OS, In: 2011 International Conference on Broadband and Wireless Computing, Communication and Applications, pp. 380–385, (2011)

49. Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S.: Novel Anti-forensics Approaches for Smart Phones, In: 45th Hawaii International Conference on System Sciences, pp. 5424–5431, (2012)

50. Quick, D., Alzaabi, M.: Forensic analysis of the android file system YAFFS2, In: Proceedings of the 9th Australian Digital Forensics Conference, pp. 100–109, (2011)

51. Sylve, J., Case, A., Marziale, L., Richard, G. G.: Acquisition and analysis of volatile memory from android devices, In: Digit. Investig., vol. 8, no. 3--4, pp. 175--184, Feb. (2012)

52. Vidas, T., Zhang, C., Christin, N.: Toward a general collection methodology for Android devices, In: Digit. Investig., vol. 8, pp. S14--S24, Aug. (2011)

53. Park, J., Chung, H., Lee, S.: Forensic analysis techniques for fragmented flash memory pages in smartphones, In: Digit. Investig., vol. 9, no. 2, pp. 109--118, Nov. (2012)

54. Son, N., Lee, Y., Kim, D., James, J. I., Lee, S., Lee, K.: A study of user data integrity during acquisition of Android devices, In: Digit. Investig., vol. 10, pp. S3--S11, Aug. (2013)

55. Racioppo, C., Murthy, N.: Android Forensics : A Case

Study of the ‘ HTC Incredible ’ Phone, In: Proceedings of Student-Faculty Research Day, pp. 1--8, (2012)

56. Andriotis, P., Oikonomou, G., Tryfonas, T.: Forensic analysis of wireless networking evidence of Android smartphones, In: 2012 IEEE Int. Work. Inf. Forensics Secur., pp. 109--114, Dec. (2012)

57. Mylonas, A., Meletiadis, V., Mitrou, L., Gritzalis, D.: Smartphone sensor data as digital evidence, In: Comput. Secur., vol. 38, no. 2012, pp. 51--75, Oct. (2013)

58. Thing, V. L. L., Ng, K.-Y., Chang, E.-C.: Live memory forensics of mobile phones, In: Digit. Investig., vol. 7, pp. S74--S82, Aug. (2010)

59. Lai, Y., Yang, C., Lin, C., Ahn, T.: Design and Implementation of Mobile Forensic Tool for Android Smart Phone through Cloud Computing, In: Commun. Comput. Inf. Sci. - Converg. Hybrid Inf. Technol., vol. 206, pp. 196--203 (2011)

60. Guido, M., Ondricek, J., Grover, J., Wilburn, D., Nguyen, T., Hunt, A.: Automated identification of installed malicious Android applications, In: Digit. Investig., vol. 10, pp. S96--S104, Aug. (2013)

61. Fairbanks, K., Atreya, K., Owen, H.: BlackBerry IPD parsing for open source forensics, In: IEEE Southeastcon 2009, vol. 01, pp. 195--199, (2009)

62. Sasidharan, S. K., Thomas, K. L.: BlackBerry Forensics : An Agent Based Approach for Database Acquisition, In: Commun. Comput. Inf. Sci. - Adv. Comput. Commun., vol. 190, pp. 552--561, (2011)

63. Marzougy, M. Al, Baggili, I., Marrington, A.: LNICST 114 - BlackBerry PlayBook Backup Forensic Analysis, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng. - Digit. Forensics Cyber Crime, vol. 114, pp. 239--252, (2013)

64. Smith, D. C., Petreski, S.: A New Approach to Digital Forensic Methodology, In: DEFCON, 2007 https://www.defcon.org/images/defcon-18/dc-18-presentations/DSmith/DEFCON-18-Smith-SPM-Digital-Forensic-Methodlogy.pdf

65. Mozilla Developer Network, Firefox OS architecture, https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Platform/Architecture


199

Alarming! Security Aspects of the Wireless Vehicle: Review

Sabarathinam Chockalingam 1, Kailash Nagar, First Street, Near Police Colony, Karaikudi – 630002, India.

[email protected]

Harjinder Singh Lallie University of Warwick, WMG, Coventry, United Kingdom, CV4 7AL.

[email protected]

ABSTRACT

The auto-mobile industry has grown to become an integral part of our day – to – day life. The introduction of wireless vehicles definitely have to pass through the analysis of potential security threats and vulnerabilities, and robust security architecture should be designed that are able to cope with these threats and vulnerabilities. In this work, we have identified various categories of research in 'Cyber Security of a wireless vehicle' and mainly focused on 'In – Vehicle Network' to identify various potential security threats and vulnerabilities as well as the suitable security solutions. In addition to providing a survey of related academic efforts, we have also outlined several key issues and open research questions.

KEYWORDS

In-Vehicle Network, Security, Threats, Vulnerabilities, Wireless Vehicle.

1 INTRODUCTION

Vehicle manufacturers started incorporating a lot of technological advancements which helps to replace mechanical solutions for vehicle control by software and electronic solutions ([1] and [2]). Nowadays people started demanding wireless internet access even in auto-mobile. They prefer toaccess internet even while driving on the highway. They also expect high data bit rates to surf the internet, to download files and to have a real time video conference calls through wireless communication similar to the wired communication's data bit rate [1]. Most

importantly manufacturers had implemented Vehicular Ad – Hoc Network (VANET) technology which creates mobile network by usingmoving vehicles as nodes in a network [1]. Importantly, these technological advancements in wireless vehicles brings in a lot of possibility for Cyber Attacks. So, we mainly focus on 'Cyber Security of a wireless vehicle' in this work.

2 LITERATURE REVIEW

In recent times, wires are being replaced by wireless technology in auto-mobile. There are a lotof benefits in removing all the wires within a vehicle and implementing wireless communicationin a vehicle. Some of which are,

1. It helps to avoid collision in the vehicle network by issuing an automatic warning which ensures safety ([1] and [2]).2. It enables users to know about directions, weather reports. Users could also check e-mails, social media, and download files thereby increasing the comfort level of passengers even while travelling ([1] and [2]).3. Installation cost of wireless technology in auto-mobile is cheaper compared to wired technology.4. Rapid Deployment, and Mobility [3].

Replacing wires with wireless communication in auto-mobile also brings in a lot of security challenges. 'Cyber security of a wireless vehicle' is the major concern in recent times which would be discussed in this section by reviewing various research conducted.

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208

200

The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)

mailto:[email protected]


2.1 Firmware updates Over The Air (FOTA) and Wireless Diagnostics

Over the past decade there are a lot of research conducted with regard to FOTA and Wireless Diagnostics. FOTA help to save consumers' time and to reduce the labour costs of the manufacturers in service stations. This makes it simpler for manufacturers to fix the bug in a short time.

In 2005, Mahmud et al proposed an architecture for uploading software in vehicle after making a few assumptions such as all the vehicles would be equipped with wireless interface units, company would need to upload software in the vehicle they manufactured, set of keys would be installed in the vehicle at the time of manufacturing [4]. Those keys would ensure the authentic communication between manufacturer and/or software supplier with the vehicle. They had also recommended software suppliers to send at-least two copies of software with a message digest to the vehicle in-order to improve security [4]. But their work is limited as it help to upload software in only one vehicle at a time which means it could be used only for wireless diagnostics where manufacturer would need to fix a particular vehicle which have problems and also their work did not cover the aspects of key management.

In 2008, Nilsson et al proposed a protocol for FOTA which ensured data integrity, authentication, confidentiality, and data freshness [5]. They analysed the security aspects by conducting various experiments. But their work did not address a few major issues like privacy, key management.

In 2008, Nilsson et al assessed the risks that involved with wireless infrastructure and derived a set of guidelines for creating secured infrastructure to do wireless diagnostics and software updates [6]. They identified portal security risks such as Impersonation and Intrusion, communication link security risks such as Traffic Manipulation, and vehicle security risks such as Impersonation and Intrusion, and the consequences of these risks such

as Execution of Arbitrary Code, Disclosure of Information, and Denial of Service [6].But they did not analyse the risks involved with the Engine Control Unit (ECU). They suggested to explore the use of Intrusion Detection System (IDS) and Firewall in wireless vehicles to improve the security [6].

In 2011, Idrees et al proposed a protocol which guaranteed a secured FOTA in wireless vehicles [7]. They mainly focussed on hardware security mechanism. This helped to improve the standard of security compared to the other systems. Key issue still need to be addressed in FOTA is key management and uploading software in multiple vehicles at the same time securely.

2.2 Digital Forensic Investigation

Digital Forensic Investigation is important in-order to identify the criminal in-case of successful cyber attacks but till now there are only a few research conducted with regard to digital forensic investigation in wireless vehicles.

In 2004, Carrier et al proposed an event – based digital forensic investigation framework [8]. This is used by Nilsson et al as the base for their work. Nilsson et al derived a list of requirements for detection, data collection, and event reconstruction based on the attacker model and digital forensic investigation principles [9]. They have also recommended to use event data recorder which would play a major role in digital forensic investigation, a method to detect events in vehicle, and to trigger an alert about security violation which would help the investigators to initiate the investigation [9]. Storing current state vehicle information in a secured location prove to be one of the important information during digital forensic investigation [9]. Major limitation of this work would be that they did not explore detection techniques which would help digital forensic investigation.


201


2.3 In – Vehicle Network

In – Vehicle Network play an important role in wireless vehicles. There are a lot of research conducted in this area over the years. In 2003, Mahmud et al analysed blue-tooth and their security issues in wireless vehicles [10]. In 2008, Larsson et al proposed specification based attack detection techniques within the In-Vehicle network [11]. In 2008, Verendel et al proposed a system that make use of honeypot in-order to gather attackers' information [12]. In 2008, Nilsson et al categorised ECUs based on the safety and security characteristics [13]. In 2009, Nilsson, et al analysed FlexRay protocol by simulating attacks [14]. In 2010, Rouf et al evaluated security and privacy of wireless tire pressure monitoring systems [15]. In 2010, Koscher et al summarised the potential risks involved with wireless vehicles after conducting various experiments [16]. In 2011, Kleberger et al categorised the research areas with regard to security aspects of the In- Vehicle Network in wireless vehicles [17]. In 2012, Schweppe et al proposed an architecture that incorporates data flow tracking into In – Vehicle Network which would ensure security and privacy [18]. In 2012, Onishi analysed new risks in the wireless vehicles caused by Carry-In Devices and suggested suitable countermeasures [19]. Detailed analysis of these research would be carried out in Section 3.

2.4 Vehicle – Vehicle Communication

There were many research conducted in Vehicle – Vehicle communication which is one of the important aspects of wireless vehicle. In 2004, Mahmud et al proposed a technique to exchange messages between vehicles securely. They have also analysed about creating secure communication links between vehicles. After analysing, they concluded that this would be possible with the present technology [20]. This technique ensured authentication, authorisation, and data integrity. But they did not focus on the privacy aspect which is one of the important aspects in vehicle – vehicle communication [20].

In 2004, Hu et al analysed the wormhole attacks and they proposed how to detect the wormhole attacks using directional antennas [21].

In 2006, Raya et al analysed the vulnerabilities that exist in vehicular communication such as jamming, forgery, in – transit traffic tampering, impersonation, privacy violation, and on board tampering [22]. After analysing the hardware modules, they have recommended to use Event Data Recorder (EDR), and Tamper Proof Device (TPD) which would improve security. They concluded their work by listing open research problems in vehicular communication such as secure positioning, data verification, and Denial of Service (DOS) resilience [22].

In 2006, Moustafa et al proposed Authentication, Authorization, and Accounting (AAA) mechanism to authenticate vehicles on highways which would ensure secure data transfer between wireless vehicles. They considered Optimized Link State Routing (OLSR) protocol as the base to propose their reliable routing approach [23].

In 2007, Gerlach et al proposed a security architecture for vehicular communication using functional layer, organizational/component, reference model, and information centric views [24]. They suggested that this architecture could be used as a base for prototype implementation. Security level could be also analysed by conducting various practical experiments [24].

In 2008, Larson et al analysed the security issues of vehicle – vehicle communication. They used anti intrusion taxonomy introduced by Halme et al [25] as the base for discussing layers of defence – in – depth paradigm. They have also suggested vehicle manufacturers to adopt Defence – in – Depth approach in the future to improve security level in the wireless vehicles [26].

In 2008, Anurag et al introduced collision avoidance system using Global Positioning System (GPS). This system would ensure safety in wireless vehicles [27].


202


In 2010, Tripathi analysed problems that exist in Vehicular Ad-Hoc Networks which mainly focused on basic attacks such as cheating with sensor information, ID disclosure of other vehicles in order to track their location, Denial of Service (DoS), masquerading and also other sophisticated attacks such as hidden vehicles, tunnel, wormhole, and bush telegraph [28]. This work lacks practical analysis.

In 2010, Amirtahmasebi et al discussed about various attacks such as sybil attack, bogus information, Denial of Service, impersonation, alteration attack, replay attack, and illusion attack in vehicular communication as well as various securing techniques such as digital signatures, tamper proof device, data correlation, and WAVE (Wireless Access in Vehicular Environments - IEEE 1609.2) [29].

After reviewing various research conducted in 'Cyber Security of a Wireless Vehicle', we have identified four important categories of research in this area.

They are:

1. Firmware updates Over The Air (FOTA) and Wireless Diagnostics2. Digital Forensic Investigation3. In – Vehicle Network4. Vehicle – Vehicle Communication

3 IN-VEHICLE NETWORK

In–Vehicle Network is the combination of Engine Control Units (ECUs), and buses. Most common networks are Controller Area Network (CAN), Local Interconnect Network (LIN), Media Oriented Systems Transport (MOST), and Flex Ray ([9], [11], and [13]). CAN play a vital role in communication of safety – critical applications like Anti-lock braking system, and Engine management systems [11]. LIN play a major role in communication of non – safety critical sensors, and actuator systems [13]. MOST is the high speed technology which is used to carry audio, and

video data [13]. CAN is being replaced by FlexRay in the recent years. Data is transferred from one network to another using wireless gateways ([9], [11] and [13]). In – Vehicle Network is illustrated in Figure 1 [12].

Figure 1. In – Vehicle Network [12]

As discussed earlier in Section 2, there are a lot of research conducted with regard to 'In – Vehicle Network'. In 2003, Mahmud et al proposed a technique which would help to secure wireless In – Vehicle Blue-tooth networks. Short range communication between closer vehicles would help to avoid collision. This could be achieved using blue-tooth technology. Blue-tooth technology covers 10-100 metres in wireless communication [10]. They have also proposed a security architecture which make use of password protected Network Device Monitor (NDM) [10]. NDM help to activate devices which would want to take part in the wireless communication. It would make use of two different PINs: one for secured communication which should be changed after each session to encounter brute – force attack, and the another one for non – secured communication which is not necessary to change after each session [10]. NDM plays a major role in distributing PINs to devices which would be the suitable countermeasure against Man – in – the – Middle Attack [10]. This architecture could also be implemented at a very low cost. They concluded their work by addressing one of the important question “what happens if the activated

Wireless Communication

ECUs

In – Vehicle Network

Wireless Gateway

Wireless Vehicle


203


device got stolen or lost”?. They suggested in that case the owner would be able to deactivate that device manually using NDM [10]. But they failed to address “what happens if NDM malfunctions?” in their work. As there is no alternate solution, the entire system would be compromised in that case.

In 2008, Larson et al proposed a technique that help to detect cyber-attacks within the in – vehicle network. They have also suggested the location where the attack detector could be placed. Their work mainly focussed on CAN protocol version 2.0 and CANopen draft standard 3.01 which is used to create protocol – level security specifications [11]. They have also mentioned that the abnormal messages could be detected with the help of communication protocol security specifications and Illegal attempts to transmit or receive messages could be detected with the help of ECU communication parameters [11]. They recommended to place a detector on each ECU because if a detector is placed in CAN it is impossible to detect the source and destination of the message as it would not support unique ECU identifiers [11]. But if we place the detector on each ECU, this would be helpful as the object directory of ECU knows which one to transmit and to receive. They evaluated the attack detector using different attacker actions such as Flood, Read, Replay, Spoof, and Modify [11]. They concluded that still there are some attacks which would be possible even if the attack detector is placed. In-order to make this system effective and complete, they have suggested to implement alternate approach like firewalls to complement the attack detector [11].

In 2008, Verendel et al proposed a technique to gather attackers' information using honeypot which is simulated In – Vehicle network as shown in Figure 2 [12]. This would allow us to analyse the attackers' behaviour thereby we could prevent cyber-attacks. They suggested that honeypot should be placed in the vehicle and gathered information should be processed at the central location. Larson et al have identified the major attacks in the In – Vehicle network. Verendel et al

used it as the base to detect the attacks early which would help to ensure safety. But they did not focus on the security of gathered data which would be analysed at the processing centre. This data could be tampered.

Figure 2. Vehicle Honeypot [12]

In 2008, Nilsson et al classified ECUs into five categories based on the safety and security characteristics. They were Powertrain, Vehicle Safety, Comfort, Infotainment, and Telematics [13]. After analysing the attacker model, they concluded that communication link is the main target for the attackers where cyber-attacks such as eavesdropping, intercepting, modifying, and injecting messages would be possible [13]. They discussed the process of assigning Safety Integrity Levels (SIL) ranging from highest level 4 to lowest level 1 based on their controllability after failure. They assigned highest SIL 4 for powertrain and vehicle safety ECUs. Powertrain category consists of brake system which is highly important to ensure safety. In case of failure, driver would not be able to control the vehicle. Vehicle Safety category consists of tire pressure monitoring, air bag, collision avoidance system which are also highly safety critical. They have

SimulatedIn – Vehicle

Network

Wireless Communication

ECUs

Honeypot

Wireless Gateway

Wireless Vehicle


204


also assigned highest safety integrity level as in the case of failure, driver would not be able to control the vehicle [13]. They have assigned level 2 for comfort category as it would not affect the safety immediately. They have assigned level 1 for both infotainment and telematics. Infotainment category consists of audio and video systems, mobile communication is provided by the ECUs of telematics category which were not highly safety critical [13]. This work would help to prioritise the categories which need more protection to ensure safety in the wireless vehicles.

In 2009, Nilsson et al focused on FlexRay protocol. Their work answered the question 'why CAN is being replaced gradually by FlexRay over the years?'. FlexRay is different and effective in various aspects compared to CAN. Some of which were: FlexRay support different topologies, higher data rates, and continuous communication [14]. They also considered security properties such as data confidentiality, data integrity, data availability, data authentication, and data freshness to evaluate the security of FlexRay protocol [14]. They used Nilsson – Larson attacker model as their base and focussed on attacker actions such as read, and spoof. Read attack is possible due to lack of confidentiality, and Spoof attack is possible due to lack of authentication in FlexRay. They concluded their work by simulating these attacker actions. The major limitation of this work was that they did not provide any prevention techniques for these attacks [14]. This work could be further expanded by identifying a few more attacker actions, providing detection, and prevention techniques for these attacks which would guarantee secured FlexRay protocol [14].

In 2010, Rouf et al evaluated wireless Tire Pressure Monitoring System (TPMS). Air pressureinside the tires could be measured using TPMS continuously which would help to alert driver in-case of under inflated tires [15]. They have discussed about the security risks involved such as tracking auto-mobiles, and spoofing. They have also analysed TPMS experimentally and found out that the messages could be received up to 40m

away from the car with the help of low noise amplifier [15].

They have also discussed about TPMS architecture as shown in Figure 3 [15] which consists of TPM sensors fitted in each tire, TPM ECU/receiver, a TPM warning light at the dashboard, one or four antennas, and receiver is connected to the antennas. They have recommended to follow reliable software design for the software that run in the TPMS ECU which would help to prevent displaying false readings, to encrypt packets. Packet format should be improved in-order to limit eavesdropping, and spoofing attacks [15]. Eavesdropping is the major issue which need to be addressed in the future research to make this system effective. In future, this system could also be shielded to ensure that there is no chance of eavesdropping, and spoofing attacks.

Figure 3. TPMS Architecture [15]

In 2010, Koscher et al used two wireless vehicles of same make and model which was manufactured in 2009 to evaluate the issues of wireless vehicle by conducting various experiments [16]. They have conducted experiments in three different settings [16].

1. They extracted the hardware components and analysed them in lab [16].2. They elevated the car on jack stand and conducted various experiments to ensure safety [16].3. They drove the wireless vehicle on decommissioned airport runway and conducted various experiments to ensure safety [16].


205


They have also summarised the results of various experiments. Also they have discussed about the key security challenges in CAN such as broadcast nature, fragility to Denial of Service, no authenticator fields, and weak access controls [16]. In future, this work could be used as the base to design prevention techniques that would help to improve the security of wireless vehicles.

In 2011, Kleberger et al have reviewed various research related to 'in – vehicle network' and identified five categories of research. They were problems in the In – Vehicle network, architectural security features, Intrusion Detection Systems (IDS), Honeypots, and Threats and attacks [17]. They identified problems in the In – Vehicle network such as lack of sufficient bus protection, weak authentication, misuse of protocols, poor protocol implementation, and information leakage. They suggested to investigate IDS for FlexRay because both specification based and anomaly based IDS have been suggested for CAN [17]. This research did not provide any security solutions but this could be used as the base for designing security solutions for the In – Vehicle network.

In 2012, Schweppe, and Roudier proposed a system with taint tracking tools that would help to monitor data that flows between ECUs in the In – Vehicle network. Using taint tracking tools in auto-mobile guarantees privacy and security [18]. This system could be used with Rouf et al wireless Tire Pressure Monitoring System (TPMS) to prevent spoof attacks thereby ensuring security, and safety of that system.

In 2012, Onishi focussed on potential risks involved with wireless vehicles and assessed their severity using Common Vulnerability Scoring System (CVSS) [19]. They have identified that Carry – In – Devices (CID) creates major risks in wireless vehicles because virus, and malware could invade the system [19]. They have suggested to use certification - authority which would help to verify the content of CID and issue certificates for CID without any malicious contents [19]. They

have summarised the limitations of ECU such as low computational power, low memory, and online software update issues. They suggested that it is difficult to monitor CID always due to low computational power. But a few years back Nilsson et al prioritized ECU categories based on their Safety Integrity Level (SIL) which could be used with this research. Protecting powertrain and vehicle safety ECUs from virus, malware ensures vehicle to be in controllable state even if virus, malware invades infotainment ECUs. Onishi suggested to send warning alerts to driver if virus, malware invades highly safety critical ECUs which would help to prevent major accidents [19].We have identified several key issues by exploring various research conducted in 'In – Vehicle Network'. They are:

'Securing Gateway ECU' as it is the entry ➔ point for attackers. Successful attacks would give an opportunity for attackers to gain full control of the vehicle.

'Securing Communication Links' which ➔ could help us to prevent attacks like eavesdropping, interception, and modifying messages.

'Ensuring confidentiality, and privacy' in ➔ the system.

'Securing attackers' information at the➔ processing centre' as the information gathered using honeypot to be analysed at the processing centre lacks security.

'Monitoring Carry – In – Devices always' ➔ to ensure safety and security of the wireless vehicle.

We have also identified several open research questions. They are:

'How to configure firewall in the wireless➔ gateway?'

'How to improve the security of CAN,➔ FlexRay?'

'How to implement Intrusion Detection ➔ System in the In – Vehicle Network?'

'How to monitor Carry – In – Devices ➔ always in wireless vehicle?'

'How to shield the communication link from➔ attacks?'


206


4 CONCLUSION

After reviewing various research conducted in 'Cyber security of a Wireless Vehicle', we have identified four categories such as 'Firmware updates Over The Air (FOTA) and Wireless Diagnostics, Digital Forensic Investigation, In – Vehicle Network, and Vehicle – Vehicle Communication'. We focussed on 'In -Vehicle Network' and identified several key issues by reviewing various research conducted. It is evidentthat security lacks in the 'In – Vehicle network' from this work. We have also identified various research problems that have not been adequately addressed. This work could be used as a starting point in the future to address the identified open research questions and improve security in the 'In –Vehicle Network' as it highlights various security problems.

5 REFERENCES

1. C. Ribeiro, “Bringing Wireless Access to the Automobile: A Comparison of Wi-Fi, WiMAX, MBWA, and 3G”, 21st Computer Science Seminar, pp. 1–7, 2005.

2. A. Gandhi, and B.T. Jadhav, “Role of Wireless Technology for Vehicular Network,” International Journal of Computer Science & Information Technologies (IJCSIT), Vol. 3, No. 4, pp. 4823–4828, 2012.

3. P. Parikh, M.G. Kanabar, and T.S. Sidhu, “Opportunities and Challenges of Wireless Communication Technologies for Smart Grid Applications,” IEEE Power and Energy Society General Meeting, pp. 1-7, July 2010.

4. S.M. Mahmud, S. Shanker, and I. Hossain, “Secure Software Upload in an Intelligent Vehicle via Wireless Communication Links,” Proceedings of the IEEE Intelligent Vehicles Symposium, pp. 588–593, 2005.

5. D.K. Nilsson, and U.E. Larson, “Secure Firmware Updates over the Air in Intelligent Vehicles,” Communications Workshops, 2008. IEEE International Conference on, pp. 380–384, May 2008.

6. D.K. Nilsson, U.E. Larson, and E. Jonsson, “Creating a Secure Infrastructure for Wireless Diagnostics and Software Updates in Vehicles,” Proceedings of the 27th international conference on Computer Safety, Reliability, and Security, Vol. 5219/2008, pp. 207–220, 2008.

7. M.S. Idrees, H. Schweppe, Y. Roudier, M. Wolf, D. Scheuermann, and O. Henniger, “Secure Automotive On- Board Protocols : A Case of Over-the-Air Firmware Updates,” Proceedings of the third International Workshop on Communication Technologies for Vehicles,Vol. 6596, pp. 224–238, 2011.

8. B.D. Carrier and E.H. Spafford, “An Event-Based Digital Forensic Investigation Framework*,” Digital Forensic Research Workshop, pp. 1–12, 2004.

9. D.K. Nilsson and U.E. Larson, “Conducting Forensic Investigations of Cyber Attacks on Automobile In-Vehicle Networks,” International Journal of Digital Crime and Forensics, vol. 1, no. 2, pp. 28–41, 2009.

10. S.M. Mahmud and S. Shanker, “Security of Wireless Networks in Intelligent Vehicle Systems,” Proceedings of 3rd Annual Intelligent Vehicle Systems Symposium, NDIA, pp. 83–86, 2003.

11. U.E. Larson, D.K. Nilsson, and E. Jonsson, “An approach to specification-based attack detection for invehicle networks,” IEEE Intelligent Vehicles Symposium, pp. 220–225, June 2008.

12. V. Verendel, D.K. Nilsson, U.E. Larson, and E. Jonsson, “An Approach to using Honeypots in In-Vehicle Networks,” 68th IEEE Vehicular Technology Conference, pp. 1207–1211, 2008.

13. D.K. Nilsson, P.H. Phung, and U.E. Larson, “Vehicle ECU Classification Based on Safety – Security Characteristics,” Proceedings of 13th International Conference on Road Transport and Information Control (RTIC), pp. 1–7, 2008.

14. D.K. Nilsson, U.E. Larson, F. Picasso, and E. Jonsson, “A First Simulation of Attacks in the Automotive Network Communication Protocol FlexRay,” Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems (CISIS'08), Vol. 53, pp. 84-91, 2009.

15. I. Rouf, R. Miller, H. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar, “Security and Privacy Vulnerabilities of In-Car Wireless Networks : A Tire Pressure Monitoring System Case Study,” Proceedings of 19th USENIX Security Symposium, pp. 323 – 338, 2010.

16. K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, “Experimental Security Analysis of a Modern Automobile,” IEEE Symposium on Security and Privacy, pp. 447–462, 2010.


207


17. P. Kleberger, T. Olovsson, and E. Jonsson, “Security aspects of the in-vehicle network in the connected car,” IEEE Intelligent Vehicles Symposium (IV), pp. 528–533, June 2011.

18. H. Schweppe and Y. Roudier, “Security and privacy for in-vehicle networks,” 1st IEEE International Workshop on Vehicular Communications, Sensing, and Computing (VCSC), pp. 12–17, June 2012.

19. H. Onishi, “Paradigm Change of Vehicle Cyber Security,” Proceedings of 4th International Conference on Cyber Conflict (CYCON), pp. 1-11, 2012.

20. S.M. Mahmud, S. Shanker, and S.R. Mosra, “Secure Inter-Vehicle Communications,” Proceedings of SAE World Congress, pp. 8-11, 2004.

21. L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole Attacks,” Proceedings of Network and Distributed System Security Symposium (NDSS), pp. 1 - 11, 2004.

22. M. Raya, P. Papadimitratos, and J. Hubaux, “Intervehicular Communications – Securing Vehicular Communications,” IEEE Wireless Communications, Vol. 13, No. 5, pp. 8–15, 2006.

23. H. Moustafa, G. Bourdon, and Y. Gourhant, “Providing Authentication and Access Control in Vehicular Network Environment,” Proceedings of IFIP TC-11 21st International Information Security Conference (SEC), Vol.201, pp. 62–73, 2006.

24. M. Gerlach, A. Festag, T. Leinmuller, G. Goldacker, and C. Harsch, “Security Architecture for Vehicular Communication,” Proceedings of International Workshop on Intelligent Transportation (WIT), pp. 1 – 6, 2007.

25. L.R. Halme, and K.R. Bauer. “AINT Misbehaving: A taxonomy of anti-intrusion techniques,” Proceedings of 18th

National Information Systems Security Conference, pp. 163– 172, 1995.

26. U.E. Larson, and D.K. Nilsson, “Securing vehicles against cyber-attacks,” Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead – CSIIRW, pp. 1 – 3, 2008.

27. D. Anurag, S. Ghosh, S. Bandyopadhyay, "GPS based vehicular collision warning system using IEEE 802.15.4 MAC/PHY standard," 8th International Conference on ITS Telecommunications (ITST), pp.154-159, 2008.

28. K.P. Tripathi, “An Essential of Security in Vehicular Ad hoc Network,” International Journal of Computer Applications, Vol. 10, No. 2, pp. 11-16, 2010.

29. K. Amirtahmasebi and R.S. Jalalinia, “Vehicular Networks – Security , Vulnerabilities and Countermeasures,” Master of Science Thesis in the program Networks and Distributed Systems, Chalmers University of Technology, pp. 1–55, June 2010.


208


A Survey on Digital Forensics Trends

1Mohsen Damshenas,

2*Ali Dehghantanha,

3Ramlan Mahmoud

1, 2, 3 Faculty of Computer Science and Information Technology, University Putra Malaysia

*Corresponding Author

[email protected], {alid, ramlan}@upm.edu.my

1. ABSTRACT Digital forensic has evolved from addressing

minor computer crimes to investigation of

complex international cases with massive effect

on the world. This paper studies the evolution of

the digital forensic; its origins, its current

position and its future directions. This paper sets

the scene with exploring past literature on digital

forensic approaches followed by the assessment

and analysis of current state of art in both

industrial and academic digital forensics

research. The obtained results are compared and

analyzed to provide a comprehensive view of the

current digital forensics landscape. Furthermore,

this paper highlights critical digital forensic

issues that are being overlooked and not being

addressed as deserved. The paper finally

concludes with offering future research

directions in this area.

Keywords Digital Forensic, Mobile Device Forensic,

Forensic Framework, Network Forensic, String

Analysis

2. INTRODUCTION The term computer crime, first used in 1976 in a

book by Donn Parker titled “crime in computer”

[1],[2] stepped into the legal system by Florida

Computer Crimes Act 1978 dealing with

unauthorized deletion or modification of data in

a computer system [3]. However, the first actual

computer analysis and response team was

established by FBI in 1984 to conduct advanced

digital forensic investigation of the crime scenes

[4].

One of the first complicated digital forensic

investigation cases was performed in 1986,

pursuing a hacker named Markus Hess [5]. Hess

had gained unauthorized access to Lawrence

Berkeley National Laboratory (LBL) and was

detected and investigated by Mr. Clifford Stoll.

At the time of the incident, there was not any

standard digital forensic investigation

framework in place so Clifford had to do the

investigation on his own. As Clifford’s objective

was discovering the identity of the hacker, he

did not change anything in the system and only

collect the possible traces. By tracking the

hacker for months using so called alarms which

send notification when the attacker was active,

he finally managed to discover the identity and

location of the attacker by cooperation with the

FBI and the Telco Company. Since the case was

involved different military, academic and

individual bodies in U.S and Germany the

jurisdiction of the case became a big issue [6].

The day by day improvement of digital devices

makes digital crime way more complicated than

it was back in 1986. Nowadays crimes are

happening over cloud which mandates cross

national forensic investigation. It is therefore an

essential demand for the security experts to

realize their strengths in investigation of

complex digital crimes via studying the history

and current trends in the field. Specialists need

to understand that digital forensics is not about

looking at the past because of having an attack

history; neither looking at the present in fear of

being attacked; nor about looking at the future

with uncertainty about what might befall us but

about to being ready all the times for the moving

target.

This survey offers a critical review and

investigation over:

Origins of digital forensics

its evolvement to its current the current

position

And its future trends and directions

Vividly, using a map without knowing the

current position is difficult; realizing the future

can only be possible if the current and the past

are clear. Hence, section 2 of this paper rectifies

history of events and researches in the field in


209


the period of 2002 to 2007 while section 3

concentrates only on recent research works in

the period of 2008 and 2013 and offers

categorization of major fields and a statistical

comparison between industrial and academic in

the field. Finally, we look into overlooked issues

and offer several future research directions in the

field.

3. DIGITAL FORENSICS: THEN The formal beginning of academic community

research in the area of digital forensic

investigation was in 2002 with an article called

“Network Forensics Analysis” authored by

Corey et al. [7] who studied Network Forensic

Analysis Tool (NFAT) and highlighted its

benefits in regard to traffic capture, traffic

analysis and security issues.

In 2004, Stevens [8] illuminated the issue of

comparing and correlating time stamps between

different time sources and proposed a clock

model to address these timing issues by

simulating the behavior of each independent

time stamp (A.K.A independent clock). This

model can be used to remove the expected clock

errors from time stamps and develop a more

accurate timeline analysis of the events. Forte

[9] studied tools and techniques which were

widely used for digital forensic investigation

namely “GLIMPSE” and “GREP” and explained

their syntax and applications. GREP as one of

the most popular text search tool was covered

comprehensively in this article. Carrier and

Grand [10] studied the essential requirements for

volatile memory acquisition and proposed a

hardware based method to acquire memory data

with the least possible changes. This method

employed a hardware expansion card (PCI slot

card) to create a forensic image of volatile

memory with the push of a button. However,

this technique required pre-installation of the

card on the victim machine. Mocas [11]

identified basic properties and abstractions of

digital forensic investigation process and

proposed a comprehensive framework for

unifying all characteristics of digital forensic.

Vaughan [12] presented a methodology for

evaluating the evidential value of an Xbox game

console system. Moreover, he proposed a

methodology for evidence extraction and

examination from a suspect Xbox system.

Nikkel [13] outlined the forensic investigation

analysis of IP networks and domain names. This

article defined point of concerns of a presence

which automatically collects evidences related to

the Internet presences, time-stamped these

evidences, store the evidences in a neat manner,

generate the integrity hash checksum of the

evidence and finally produced an official report

of the discovered information. Buchholz and

Spafford [14] studied the effects of metadata on

digital forensics to find out which information

can be useful in a computer forensic

investigation. Moreover, they demonstrated

potentials of metadata in computer forensic

investigation and analyzed issues in obtaining

and storing these data.

In 2005, Francia and Clinton [15] outlined the

required resources and procedures to establish a

forensic lab and presented a cost efficient

Computer Security and Forensic Analysis

(CSFA) experimental lab design and

implementation. Nikkel [16] discussed forensic

investigation challenges in file and contents

recovery of magnetic tape data acquisition and

analysis and proposed a methodology for

determination of tapes content. Jansen and Ayers

[17] provided an overview of the available

forensic investigation tools for Personal Digital

Assistants (PDA) devices and PDAs software

and hardware. They utilized some basic

scenarios to evaluate those tools in a simulated

environment using simulated evidentiary

situations and offered a snapshot of how these

tools work under provided situations. Bedford

[18] explained the forensic investigation

challenges of Host Protected Area (HPA) in IDE

drives. The HPA is a part of a hard drive that is

hidden from the operating system and the user

whichis often used to hide sensitive data and as

such is a good source of evidence.

In 2006, Harrison [19] described a project for

explaining real-life issues in digital forensic

investigation and utilized a group-based project

for practicing computer investigation in

academic environments. Laurie [20] studied

well-known Bluetooth security flaws and

available techniques and tools to exploit those

flaws; and then discussed the effects of these

attacks on common digital forensic investigation

practices. Nikkel [21] described concepts of

distributed network-based evidences, forensic


210


techniques of evidence acquisition over the

network and the weaknesses of these techniques.

In addition, he suggested some improvements to

conquer challenges in network data collection.

Ieong [22] highlighted major principles of

digital forensic investigation and outlined eight

roles with their responsibilities in common

digital investigation frameworks. The paper

proposed a framework named FORZA which is

based on Zachman’s framework [23]. Harris

[24] studied and analyzed several anti-forensic

techniques and classified them to achieve a

standard method for addressing anti-forensics

issues and then outlined general strategies to

preserve forensic integrity during investigation.

Garfinkel [25] proposed Forensic Feature

Extraction (FFE) and Cross Drive Analysis

(CDA) techniques to analyze large data sets of

disk images and other types of forensic data.

These two methods were used for prioritizing

and systematically identifying social networks

usage in the suspect’s system. Schuster [26]

explored the structure of memory containing

processes’ data and then proposed a search

pattern to scan the whole memory dump for

traces of physical memory objects independent

of kernel’s list of memory objects. As a proof of

concept, an implementation of the technique

successfully revealed some hidden and

terminated processes and threads even after

rebooting the system. Jeyaraman and Atallah

[27] proposed an approach to examine the

accuracy and effectiveness of automated event

reconstruction techniques based on their

capabilities to identify relations between case

entities. They then quantified the rate of false

positives and false negatives and scalability in

terms of both computational burden and

memory-usage. Alink et. al., [28] introduced a

novel XML based approach for storing and

retrieving forensic traces derived from digital

evidences which was implemented in a

prototype system called XIRAF. This system

runs the available forensic analysis tools against

the evidence file and then exports the result in an

XML database. Johnston and Reust [29] outlined

procedures for investigation of an attack which

includes compromising of several systems with

sensitive data and discussed challenges involved

in this process. Mead [30] studied the National

Software Reference Library (NSRL) repository

of known software, file profiles, and file

signatures by examining the uniqueness of the

signatures produced in NSLR repository. This

repository is essentially vital for digital forensic

investigators to improve the speed of data

analysis by omitting the file analysis of trusted

files according to the retrieved hash checksum

from NSRL. Nikkel [31] presented a forensic

evidence collector tool using promiscuous

packet capture on an embedded hardware using

open source software. This tool operates as a

standalone tool in different modesandcan be pre-

configured by the investigator.

In 2007, Wang et al. [32] analyzed methods and

applications of cryptography in digital forensic

investigation, and highlighted differences

between these methods. Afterwards, the authors

discussed the weaknesses of SHA-1 and

approaches to crack SHA-1 in order to highlight

the issue of potential clashes in checksum

verification and possible effects on related

applications. Peisert et al. [33] presented the

importance of examining the order of function

calls for forensic analysis and showed its

usefulness in isolating the causes and effects of

the attack through intrusion detection systems.

This analysis, not only detects unexpected

events in the order of function calls, but also

detects absence of expected events. Castiglione

et al. [34] investigated the issues of hidden

metadata in compound documents that use

opaque format and could be exploited by any

third party. The authors proposed a

steganography system for Microsoft Office

documentsand introduced FTA and StegOle as

tools to improve the forensic analysis of

Microsoft Office documents. Murphey [35]

proposed a method to automatically recover,

repair and analyze Windows NT5 (XP and 2003)

events logs. Authors implemented a proof of

concept code to repair common corruptions of

multiple event logs in one simple step without

any manual user intervention. Spruill and Pavan

[36] studied the U3 technology for portable

applications and illustrated different artifacts left

behind from a committed crime through a

portable application. This research also

investigated some of the common applications

used on U3 drives. Turner [37] questioned

usefulness of the common digital forensic

investigation approaches in live incident


211


investigation and demonstrated the applications

of Digital Evidence Bag (DEB) storage format

in dynamic environments. Richard et al. [38]

explained Data Evidence Container (DEC)

format to bundle arbitrary metadata associated

with evidence along with the actual evidences.

Authors then explored the challenges of utilizing

this container and proposed Forensic Discovery

Auditing Module (FDAM) as a complementary

mechanism Nikkel [39] demonstrated digital

forensic investigation principles for IPv6

networks and discussed about IPv6 addressing,

packet structure, supported protocols and

information collection from public registrars

such as WHOIS. They finally presented some

IPv6 tools for collection and analysis of network

traffic and investigation of remote IPv6 nodes.

Masters and Turner [40] demonstrated

techniques of magnetic swipe card data

manipulation in different types of devices and

proposed the application of Digital Evidence

Bag (DEB) as a suitable format for bulking the

evidences obtained from a magnetic swipe card.

Lyle and Wozar [41] studied challenges in

making a forensic image of a hard disk and

addressed practical problems like resolving

some faulty sectors causing difficulties in

imaging process. Arasteh et al. [42] proposed a

formal model checking technique for forensic

analysis of system logs and provided a proof of

concept system using tableau-based proof

checking algorithm. Arasteh and Debbabi [43]

presented a forensic analysis method to extract

threads history by using threads stack. The

technique used a process model to retrieve data

from a thread stack and then compared against

an assembly model to verify extracted

properties. Schatz [44] proposed a technique for

obtaining volatile memory from arbitrary

operating systems and provide a “point in time”

snapshot of the volatile memory. Body Snatcher,

an implementation of this method was used for

presenting the proof of concept of the proposed

technique. Barik et al. [45] studied the issues of

Ex2 file system in terms of authenticity of the

OS created timestamps andproposed a solution

to preserve authentic date and time stamp for the

studied issues using Loadable Kernel Modules

(LKMs).

An overview of the above mentioned researches,

as indicated in Figure 1, shows a smooth growth

in the number of digital forensic investigation

research articles published in main relevant

journals namely "Digital Investigation",

"Information Forensics and Security, IEEE

Transactions on", "Computers & Security",

"Computer Law & Security Review",

"Multimedia Tools and Applications",

"Computer Standards & Interfaces", "Computers

& Mathematics with Applications",

"Information Sciences", "Selected Areas in

Communications, IEEE Journal on".

Figure 1: number of articles in digital forensics in the period of 2002 – 2008

(No articles matched our search criteria in 2003)


212


All the studied articles are extracted by

searching the term “forensic” in the abstract of 4

main computer science indexing services known

as Science Direct, Springer, IEEE and ACM;

though the search was limited only to articles

published in computer science during the period

of 2002 – 2008.

4. NOW From the very first days of digital forensic

investigation’s life up to now, there were vast

improvements in digital forensics techniques

ranging from recovering deleted evidences and

searching the megabytes storage devices to deal

with petabytes storage devices [46], cloud based

investigations [47], mobile device examinations

[48], wireless network investigations [49], and

database forensics [50]. Generally, the current

perspective of digital forensic investigation can

be categorized into four main types namely

Computer Forensic, Smart Device Forensic,

Network Forensic and Database Forensic.

Among mentioned categories, computer

forensics has attracted the most attention of

academicians and professionals. On the other

hand, digital criminals and intruders are trying to

minimize footprints of their actions utilizing

anti-forensic techniques. Some of the common

approaches of anti-forensics are using

cryptography [51], steganography [52], meta-

data tempering [53], program packing [54],

generic data-hiding [52], and even disk

sanitizing [55], [56].

In spite of all studies in the field of digital

forensic investigation we are yet to have a

comprehensive reliable study which offers

analysis of related scientific research trends in

the field. To address the aforementioned issue,

we started this survey with searching in

computer science research journals indexed by

four main scientific database namely Science

Direct, Springer, IEEE and ACM for papers

published in the period of Jan 2008- Mar 2013

that include “forensic” as an author keyword or

in the paper abstract. The result of the search

contained articles published in main journals in

the field namely "Digital Investigation",

"Information Forensics and Security, IEEE

Transactions on", "Computers & Security",

"Computer Law & Security Review",

"Multimedia Tools and Applications",

"Computer Standards & Interfaces", "Computers

& Mathematics with Applications",

"Information Sciences", "Selected Areas in

Communications, IEEE Journal on".

After several brainstorming sessions to identify

main journals in the field, it was decided to keep

our focus only on journals which published 2 or

more papers in our searching period as shown in

Table 1.

Table 1 – Final result of participated Journals with number of related papers in each

Journal Name Number of Related Papers

Digital Investigation 117

IEEE Transactions on Information Forensics and Security 20

Computers & Security 9

Computer Law & Security Review 4

Multimedia Tools and Applications 3

ACM Computing Surveys 2

Computer Standards & Interfaces 2

Computers & Mathematics with Applications 2

Information Sciences 2

Personal and Ubiquitous Computing 2

IEEE Journal on Selected Areas in Communications 2


213


Figure 2 – Number of forensics relevant papers from Jan2008 –to Mar2013

Figure 2 offers a ratio of the position; “Digital

Investigation” journal (indexed in “Science

Direct”) with 117 published articles (66% of

total articles in the studied period) has the

highest number of published articles followed by

“IEEE Transactions on Information Forensics

and Security” journal (indexed in “IEEE”) with

20 published articles (12% of total articles in the

studied period) and “Computers & Security”

journal (indexed in “Science Direct”) with 9

articles (5% of total articles in the studied

period).

Not being an exception, this research faced some

limitations. The main limitation of this study

was to include all perspectives of digital forensic

using trust worthy sources. The most important

selection factor for us was creditability of our

sources so we can provide a trustable review of

current forensics landscape. As such, we just

selected papers from reputable sources which

indirectly implicates that we ignored possibly

relevant papers which were not published in

reputable sources. Selecting journals was not

only based on the mere number of articles they

published (2 or more) in a specific period (2008-

2013), but to make sure only papers of very

relevant journals which are reflecting realistic

view of the field are selected. Moreover, to

improve the reliability of the given perspective

in addition to reputable academic sources some

articles from the SANS reading room were

included as the representative of the industrial

research.

4.1. Results Obtained The data collection process began with

brainstorming among authors to identify major

types of digital forensic investigation to classify

and rank research papers appropriately. For

example, all topics related to smartphone

investigation, iPad data acquisition, GPS data

analysis and similar subjects were categorized

under mobile forensics. ISO9660 analysis, meta-

data analysis, cluster and all investigations

relevant to the science of file systems grouped as

file system forensics. The same approach was

taken for all other categories as well as shown in

Figure 3. Finally, papers in topics like digital

audio forensics, malware forensics [57],

database forensic and cloud forensic which were

not fall in previously mentioned categories and

there were 5 or lesser papers in those topics were

grouped as “Others” as shown in Figure 4.

Identification of general categories was more

difficult than it was expected as there were

difficulties in categorizing inter-disciplinary

papers or papers with wide range of focus. For

example, papers under collecting volatile


214


memory of mobile phones could be categorized

in both volatile memory acquisition and in

mobile phones investigation category.

Obviously, we could not count a paper multiple

times and in such cases, the team carefully read

the paper thoroughly to find out the major focus

of the paper with specific attention to the paper

abstract, keywords and conclusion. Afterwards,

we categorized the paper in the most relevant

category. It is notable that, the classification of

this study is exclusively the opinion of the

authors and although all relevant scientific and

statistical techniques were employed to ensure

correctness and comprehensiveness of the study

but all conclusions are subjective to author’s

view-points only. Moreover, there were several

publications contain news section or discussion

that cannot be qualified to be called full article.

Each of these papers were analyzed carefully

and included in this survey if they offer valuable

knowledge or results about the current state of

the art in digital forensic.

When investigating each of the journals

separately, it is interesting to note different

topics emphasized in each journal. Table 2 lists

the number of publications in each journal in

each topic. Outstanding result indicates that the

“Digital Image Forensic” topic took the lead

with 20 articles, followed by “Mobile Device

Forensic” with 14 articles, “forensic framework”

at 12, “forensic tools” and “file system forensic”

both at 9 that constitute the top six topics. In

“IEEE Transactions on Information Forensics

and Security”, articles on anti-forensics were

more than all other categories (3 articles),

followed by “digital image forensic”, “forensic

tools” and “string analysis” with only 1.

Figure 3 – Digital forensic investigation categories in period of 2008 - 2013


215


Figure 4 – Digital forensic investigation topics with less than 5 papers (“Other” category)

Table 2 – List of journals and number of published articles grouped by the category


216


4.1.1. Topics covered by SANS This subsection of the study analyzes articles

published in the SANS reading room as a well-

established organization known as a pioneer in

non-academic digital forensic investigation

research. SANS papers are considered as a

reliable source for studying industrial digital

forensic research trends. However, the quantitiy

of SANS forensics articles is just a few in

compare to the academic journals as publication

is not included in the main duties of the

forensics practitioners.

We have identified 24 papers in SANS reading

room and categorize them similar to the

academic papers. The outcome includes “File

Forensic”, “File System investigation”,

“Forensic Framework Development”, “Forensic

Tools Investigation”, “Legal Aspects of Digital

Forensics”, “Mobile Device Investigation”,

“Operation System Investigation”, “Database

Investigation”, “Network Investigation”,

“Steganography” and “String Analysis”

categories as shown in Figure 5.

Figure 5 – Categories of SANS articles

The further analysis of the SANS articles

indicates the differences between academic and

industrial research trends. The results show that

the share of forensic framework, network

forensic and forensic tools from overall SANS

articles is %21, %17 and %17; while they have

only %8, %5 and %8 of academic journals. On

the other hand, in academic environment, digital

image forensic, mobile device forensic and

forensic tools were the leading topics.

Figure 6 is the result of comparing the common

topics between SANS and academic journals

while the SANS topics lacks some of the topics

covered in academic environments. Figure 7

clearly indicate the results by providing the

share of each topic in SANS and academic

journals.


217


Figure 6 – Comparison of common categories in academic and SANS publications in term of number of

articles

Figure 7 – SANS vs. Academic Journals (the “Other” in academic journals indicates the topics which

were not covered in SANS articles)


218


4.2. Discussion and Analysis In this section, we offer detailed analysis of

each of 10 most categories identified in the

previous sections namely digital image forensic,

mobile device forensic, forensic tools, volatile

memory forensics, network forensics, anti-

forensic, data recovery, application forensics,

file system forensics and forensic frameworks.

We critically analyze trends and current state of

the art in each category and rectify possible

future trends.

4.2.1. Digital Image Forensics Since the wild increase in usage of digital

images, the crimes involving digital images such

as image forgery are increased consequently and

detection of the image tampering brought many

difficulties to forensic investigators and forensic

researchers. The major detectable research

topics in digital image forensics are image

authenticity, image correction, steganography,

image processing and source detection.

Image authenticity as the most popular topic in

Digital Image Forensic category concerns about

the reliability of the evidence. Amerini et al.

[58] proposed a SIFT based algorithm to detect

multiple copy-move attacks on an image. This

technique extracts and matches the image

features to identify similar local region on the

image and then makes a hierarchical cluster of

the extracted features to identify the cloned

areas. In case the image is classified as

unauthentic, the geometrical transformation will

be identified to discover the original area and the

copy-moved area. Gou et al. [59] introduced a

source identification technique with the ability

of recognizing various post-processing

operations on scanned image. Utilizing the noise

analyses through wavelet analysis, neighborhood

detection and image de-noising, made this

approach capable of detecting the model of

scanner used to scan the image and type of the

image source (scanner, digital camera or

computer generated). Chen et al. [60] introduced

a source digital camera identification technique

with integrity verification capability based on

Photo Response Non-uniformity Noise (PRNU)

imaging sensor fingerprint. The PRNU is

generated through the maximum likelihood

principle derived from normalized model of the

sensor output and then compare to a pre-

generated experimental dataset. Yuan [61]

introduced a novel method for detection of

median filtering in digital images. The key

points of this method were the capability of

median filtering detection for low resolution,

JPEG compressed images, and tampering

detection in case a median-filtered part is

inserted in a non-median-filtered image and vice

versa. Mahdian and Saic [62] studied the

addition of locally random noise to tampered

image regions for anti-forensic purposes and

introduced a segmentation technique for

dividing the digital image into various partitions

based on homogenous noise levels. Their novel

approach utilized tiling the high pass wavelet

coefficients at the highest resolution with non-

overlapping blocks, to estimate the local noise

level and median based method to estimate the

standard noise level of the image. Farid and

Bravo [63] introduced a novel methodology for

computer aided differentiation of photorealistic

computer generated images and photographic

image of people using images with different

resolution, JPEG compression, and color

mixture of the image. Kornblum [64] studied the

quantization tables in JPEG compression and

explained how quantization tables can be used

for differentiating between images processed by

software and intact images. Authors utilized

other factors such as the presence or absence of

EXIF data, signatures of known programs, and

color signatures of real skin to increase the

success rate of the detections. Mahalakshmi et

al. [65] proposed an approach for detection of

image manipulations through available

interpolation related spectral signature method.

This method could detect common forgeries like

re-sampling (rotation, rescaling), contrast

enhancement and histogram equalization.

Moreover, a set of techniques were introduced

for detection of global and local contrast

enhancement and histogram equalization.

Source detection explicitly tries to identify the

source device with which the image is taken or

edited. Tsai et al. [66], the author employed

support vector machines and decision fusion to

identify the camera source model of an image.

The evaluation result of the proposed model

indicates 91.66% accuracy for images take by 26

cameras. Choi et al. [67] proposed a new

approach for color laser printer identification of


219


an unknown printed image, based on the noisy

texture analysis and support vector machine.

This method identifies the invisible noises of the

schema according to wiener-filter and the 2D

Discrete Wavelet Transform (DWT) filter and

then the texture of the noise is analyzed via gray

level co-occurrence matrix (GLCM).

Image processing involves the analysis of the

image to find specific patterns for variety of

purposes. Islam et al. [68] proposed a framework

for detection of children skin in images which

utilized a novel vision model based on the

Markov Random Fields (MRF) prior by

employing a skin model and human affine-

invariant geometric descriptor to identify skin

regions containing pornographic. Steel and Lu

[69] proposed a system called Automated

Impersonator Image Identification System

(AIIIS), which tracks the used image in

impersonation attack back to the original source

by employing digital watermarking technique.

This technique it encoded access details of the

image (like IP address, server and the download

date-time) and download them to the image. In

[70], the author utilized demosaicing artifacts to

identify the digital camera model. The process

includes estimating demosaicing parameters,

extracting periodicity features of the image for

the purpose of detecting simple forms of

demosaicing and finally defining a set of image

characteristics as features to be used for

designing classifiers that distinguish between

digital cameras.

Image correction as another hot topic in image

forensic, mainly intends to ease the analysis of

the image. Tang et al. [71] developed a

Knowledge Based (KB) approach to remove

JPEG blocking artifacts in skin images. The

approach utilized a Markov model based

algorithm and a one-pass algorithm to

implement the inference; plus a block synthesis

algorithm for handling the cases with no prior

record in dataset. Moreover, in order to reduce

the search time in the dataset, the author

proposed a multi-dimension indexing algorithm.

Lin et al. [72] introduced a method for detecting

the image source encoder alongside the

estimation of all coding parameters based on the

intrinsic fingerprints of the image source

encoder. The evaluation of this approach

indicated the success rate of more than 90% for

transform-based encoders, sub-band encoders,

and DPCM encoders when PSNR is higher than

36dB.

Steganography as one of anti-forensic

techniques in digital images plays a significant

role for identification of the evidence. Huang

[73] provided a solution for detection of double

JPEG compression using the “proper” randomly

perturbed ratio. This approach is highly

dependent on finding the correct ratio; thus a

novel random perturbation strategy is utilized on

the JPEG coefficients of the recompressed

image. Kirchner and Bohme [74] challenged the

current image tampering detection techniques by

presenting types of image transformation

operation that cannot be detected using the

available resampling detection tools. Among

these attacks, resampling with edge-modulated

geometric distortion and the dual-path approach

are nearly impossible to be detected.

4.2.2. Mobile Device Forensics Due to the wild incline in usage of mobile

devices such as smart phones, tablets and GPS

devices, investigation of such devices is

significantly vital; thus obtaining and analyzing

the evidence from mobile devices has a great

value. In continue Mobile live memory, Mobile

forensic framework, Mobile forensic tools and

Mobile on-scene triage topics are discussed.

Mobile live memory concerns about imaging

and analyzing mobile devices volatile memory.

In [75] the authors presented a novel approach to

obtain forensic image of an Apple iPad device

through iPad camera connection kit and a USB

storage device. The results of the evaluation

indicated that this method can obtain image up

to 30 times faster than acquiring image through

the usual method utilizing Wi-Fi channel. Thing

et al. [76] proposed a system for real-time digital

forensic analysis of mobile memory with

focusing on dynamic properties of memory. The

system evaluation consists of investigation of

different communication variables (i.e. message

length, message interval, dump interval, key-

press interval) which resulted in 95.6% and

97.8% for dump intervals of 40 and 60 seconds.

Sylve et al. [77] illustrated the process of live

memory collection of the android devices, the

new memory dump module (named DMD or

LiME (Linux Memory Extractor)) and the

challenges of device independent memory


220


acquisition; it then proposed a memory

collection method which can dump memory to

SD card or network storage. The proposed

method operates via “rooting” the android

device with methods like “Rage against the

Cage” and other privilege escalation techniques.

Depends on the type of device, utilizing the right

mobile forensic tool always plays a noteworthy

role. In [78] authors enriched their previously

published methodology for smartphone evidence

acquisition (Mobile Internal Acquisition Tool) in

term of improvements and assessments. The

MIAT can be executed from a memory card like

MMC and explores recursively the file system

tree and copy each entry to a backup volume.

The behavior of MIAT is also evaluated by

comparing to Paraben Device Seizure as a well-

known tool. Vidas et al. [79] illustrated the

digital forensics collection method of Android

device via a modified boot loader from recovery

bootimg. The advantage of this method is

mainly because it only slightly changes the

recovery partition and no user or system

partition is affected during the collection stage

of the investigation unlike normal approaches

which “root” the android device for image

acquisition.

Mobile forensic framework discusses different

procedures and frameworks for mobile device

forensics. In [80], the authors investigated the

use of mobile phone flash boxes in a forensic

framework and proposed a validation procedure

to ensure the integrity of the acquired evidence

in this new method. Unfortunately using mobile

phone flash boxes do not provide forensically

sound evidence; even though this proposed

method increased the percentage of the

reliability of the evidence, it still lacks the

sufficient evidence integrity proof and demand

to be lifted up by further research. Owen and

Thomas [81] studied the available framework

for mobile forensic investigations and

highlighted the lacks and strength of each in

comparison with the common digital forensic

investigation practices of hard disk drives.

Grispos et al. [82] compared the available

mobile forensic toolkit for discovering to what

extend these tools can operate and how much

they are reliable. The result of this comparison

indicated the limitations of using file carvers for

information recovery, conflicts of diverse

methods of information recovery, several

differences between the documented capabilities

of the CUFED and its actual performance, and

the fragility of existing mobile forensic toolkits

when recovering data from partially corrupted

file system images.

Mobile on-scene triage determines the priority

of evidence collection in mobile devices. In [48],

the author presented a methodology for

obtaining and analyzing evidences in webOS

system partition; the article provides solution for

obtaining different types of evidence (i.e. Call

logs, contacts, calendar events and etc.). The

article also provided approaches for recovering

deleted files from a webOS operating system.

Eijk and Roeloffs [83] discussed the challenges

of obtaining evidence from TomTom GPS

device and approaches to acquire volatile

memory of the device via either JTAG signals or

loading a small Linux distribution to the GPS

memory. The article described the structure of

data on GPS device and technique for analyzing

the obtained data. In [84] the author studied the

available framework for forensic investigation of

windows mobile equipped mobile phones and

showed the similarities of windows mobile

investigation with normal windows investigation

on PC systems. This work demonstrated that

Windows mobile phone investigation obeys the

common digital forensic investigation

framework and the analysis of collected data is

very much similar to windows operating system.

Mislan et al. [85] studied the on-scene triage of

mobile devices and compare its requirements

with common digital forensic investigation

requirements; it formalized the on-scene triage

process and provides guidelines for

standardization of the process. At the end, it

defined the basic requirements of an automated

on-scene triage.

4.2.3. Forensic Tools Employing different tools in the process of

digital forensic is inevitable for the investigator,

yet choosing the most suitable tool can affect the

result of the investigation. The identified

research topics of this category would be as

forensic formats, new forensic tools, and

forensic tools examination.

This topic, new forensic tools, reviews novel

tools discussed in forensic articles. In [86]

authors presented a forensic investigation tool


221


named Cyber Forensic Time Lab which help the

investigator to sort all evidences according to

their time variables for generating Temporal

analysis of the crime. Klaver [87] introduced the

forensic application of available tools on

Windows CE (Windows Mobile) after studying

the typical hardware information and software

components. The author explained the usage of

current tools for forensic investigation of

Windows CE mobile phones. Joyce et al. [88]

discussed the Mac OS x forensic investigation

approaches and introduced MEGA, a

comprehensive tool for analyzing Mac OS x

files from an image. MEGA offers ease of

access to Spotlight metadata, content search and

FileVault encrypted home directories. In [89],

authors described their novel techniques to

develop a memory analysis tool for variety of

operating systems. Inoue et al. [90] provided a

new tool for volatile memory imaging of the

Mac OS x and then compared it using four

metrics of completeness, correctness, speed and

interference. Moreover, a visualization method

called the density plot is introduced for

indicating the density of repeated pages in an

image.

There is always a demand for testing approaches

to examine the performance and accuracy of the

tools. In [91] the first generation of computer

forensic tools is challenged by the authors as

they have limitations and flaws in processing

speed, data design, auditability, task analysis,

automation and data abstraction; and then the

second generation tools requirements is

discussed and some available tools is suggested

for handling each deficiency. Pan and Batten

[92] presented a performance testing approach

for digital forensic tools offering testing with

good quality via a limited number of

observations. The proposed method is specially

designed for forensic tool testing and claimed of

being the best available software among forensic

tool performance testers.

Choosing the forensic format of the evidence has

an important role in the forensic investigation

process; in continue four novel forensic formats

are proposed by different authors. In [46], the

author introduced a redesign of the Advanced

Forensic Format (AFF) based on the ZIP file

format specification. This file format support

full compatibility with previous versions of AFF

while it offers the capability of storing multiple

type of evidence from various devices in one

archive and an improved separation between the

underlying storage mechanism and forensic

software. Garfinkel [93] studied the Digital

Forensic XML (DFXML) language and

discussed motivations, design and utilization of

this language in processing forensic

investigation information. Levine and Liberatore

[94] introduced DEX, an XML format for

recording digital evidence provenance, which

enable investigators to use the raw image file

and reproduced the evidence by other tools with

same functionality. Conti et al. [95] studied

automated tools of mapping large binary objects

like physical memory, disk image and

hibernation files via classifying of regions using

a multi-dimensional, information-theoretic

technique.

4.2.4. Volatile Memory Forensics Extracting potential evidences from volatile

memories is another challenge for forensic

investigators as the basic requirements of

knowing the structure of memory is not

satisfied. The detectable volatile memory

forensic topics are data extraction from volatile

memory, volatile memory mapping and forensic

imaging of volatile memory.

Data extraction from volatile memory involves

utilizing different tools and techniques to

analyze and obtain available evidences. In [96],

authors studied the tools and techniques of

extracting Windows registry data directly from

physical memory dump and then presented an

attack against on-disk registry analysis

techniques by modifying the cashed registry

values in physical memory. Maartmann-Moe et

al. [51] proposed a novel technique for

identification of cryptographic keys stored in

volatile memory and support the method by a

proof of concept, Interrogate, which can identify

AES, Serpent and Twofish cryptography keys.

Baar et al. [97] described a novel approach for

identifying and recovering files mapped in

physical memory to recognize the source of the

data and the usage of them via three different

algorithms (carving allocated file-mapping

structures, unallocated file-mapping structures

and unidentified file pages). Schuster [98]

studied nonpaged pool area of the physical

memory and its potential in containing massive


222


amount of information about the cunning and

even closed processes. In continue the author

demonstrated the Microsoft Windows operating

system pool allocation technique.

Volatile memory mapping is an essential

research area as it is the primary requirement for

volatile memory analysis and data extraction. In

[99], the author described an algorithm for

detecting paging structure of processes in

physical memory dump; this method is based on

hardware layer and works on both Windows and

Linux with minor tweaking. Stevens and Casey

[100] introduced a methodology for recognizing

and extracting user command line history in

Microsoft Windows operating system after

studying the structure of command line data on

physical memory dumps. At the end authors

provided a proof of concept tool for Microsoft

Windows XP. Hejazi et al. [101] introduced a

unique technique for collecting case-sensitive

information from extracted memory content

based on analyzing the call stack and security

sensitive APIs. The method is limited to

Microsoft Windows XP (SP1, SP2). In [102],

authors explained the debugging structures in

physical memory and Microsoft Program’s

Database (PDB) to extract configurations,

network activities and processes information

from any Windows NT family operating system.

J. Okolica and Peterson [103] demonstrated the

significance of the clipboard information in

digital forensic investigation and described the

structure and the procedure of retrieving

copy/paste information from Microsoft

Windows XP, Vista, and 7. This technique can

obtain information from the software which the

data have copied from (i.e. Notepad or

WordPad). J. Okolica and Peterson [104]

proposed a novel efficient methodology for

reverse engineering the Windows drivers and

dynamic link libraries. In addition, the authors

have revealed the network connection

information structure on physical memory which

eases the analysis part of the investigation.

Even though there is a lack of scientific forensic

imaging technique for volatile memories, there

is only one research found in the scope of this

survey. Rabaiotti and Hargreaves [105]

presented a novel method for obtaining forensic

image of an embedded device by exploiting a

buffer overflow vulnerability and execute

customized code for creating the image of the

console memory. The current work only covered

Microsoft Xbox gaming console while the idea

is applicable to any type of embedded device.

4.2.5. Network Forensics Obtaining evidences from network traffics is a

great challenge for investigators mainly due to

the live characteristic of network packets.

Beverly et al. [106] showed that IP packets,

Ethernet frames and other network related data

is available in physical memory and these data

can be retrieved from hibernation files or

memory images. Additionally, the authors

proposed the network carving algorithm,

techniques and essential tools to identify and

extract the information. Thonnard and Dacier

[107] presented an analysis framework for

extracting known attack patterns from massive

amount of honeynet data sets. This method

allows the analyst to select different feature

vectors and appropriate similarity metrics for

creating clusters. Shebaro and Crandall [108]

described the privacy related challenges of

network flow recording for different purposes

and then introduced a network flow recording

technique by utilizing identity based

cryptography and privacy preserving semantics.

Zhu [109] introduced an iterative algorithm to

discover network based attack patterns via

network traffic logs; this method used a unique

feedback mechanism to propagate the chance of

being under attack or suspicious score and then

pass it to the next iteration without any

dependency to human supervision (i.e. defining

threshold).

Tracking the source of traffic in networks is

another challenge when network address

translation and other types of network services

interfere in the communication. In [110], the

author studied the forensic investigation

challenges of Network Address Translation

(NAT) service enabled networks and proposed a

model and algorithm for discovering of observed

traffic into the source behind the NAT; the

model used specific correlation of NAT gateway

artifacts left overs to identify the source.

Takahashi et al. [49] focused on reviewing IEEE

802.11 wireless network characteristics based on

the traffic pattern of nodes; in order to recognize

user fingerprints, rogue access points and media

access control protocol missuses. Hsu et al.


223


[111] proposed a forensic approach for

identifying the voice over IP (VoIP) call source

via network operators (NWO) and service

providers (SvP) without depending on routers

logs.

4.2.6. Anti-Forensic The procedure of forensic investigation can be

affected by the criminals via anti-forensic

action; researchers challenge the integrity of

forensic process by demonstrating new types of

anti-forensic method. Evidence collection and

common attacks are two identified topics in this

area. Distefano et al. [112] analyzed anti-

forensic attacks on mobile devices and presented

some fully automated examples of these attacks.

The authors then examined the effectiveness and

strength of the implementations, by using them

against cursory examination of the device and

tools for obtaining the internal memory image.

Sun et al. [113] proposed two anti-forensic

steganography approaches based on exploiting

modification direction (EMD) technique for

storing and extracting data in image. The

highlight of EMD (HoEMD) and the adaptive

EMD (AdEMD) are high efficient and high

quality methods introduced in this work. Stamm

and Liu [114] introduced anti-forensic

approaches for removing forensically important

indicators of compression such as image

compression history from an image. This

technique utilized a novel approach to identify

and omit the compression fingerprints of an

image’s transform coefficients. Khan et al. [115]

presented a novel approach to hide data in a

deniable way (to use plausible deniability) by

storing sensitive data on a cluster based

filesystem; to do so, a covert channel encodes

the data via altering the fragmentation pattern in

the cluster distribution of the secret file.

Rekhis and Boudriga [116] studied the digital

forensic investigation techniques of anti-forensic

attacks and then characterized secure evidence,

provable and non-provable attacks. As the main

contribution of this research, the authors

developed an anti-forensic attack aware forensic

approach using a state-based logic. Casey et al.

[117] explained the challenges of full disk

encryption (FDE) for digital forensic

investigators and provided a guidance to take

necessary items from the crime scene, to ease

the access to encrypted data or live forensic

acquisition of the running system. The provided

measures can help obtaining evidences in an

unencrypted state or finding the encryption key

or passphrase.

4.2.7. Data Recovery As one of the most essential stage of evidence

identification and collection, data recovery can

be affected by different variables like file system

type; below some of the data recovery

techniques are reviewed. In [118], the author

analyzed the main properties of the Firefox

SQLite database and its use in forensic

investigation. Moreover, a novel algorithm is

proposed to recover deleted records from

unallocated space based on the fact that Firefox

utilizes temporary transaction files. Jang et al.

(Jang et al., 2012) described the integrity issue

of forensic image corruption after acquisition

and provided a novel algorithm for recovering

and protecting the evidence image using

recovery blocks. The recovery process is

applicable when data blocks (generate by

recovery blocks) are damaged. Yoo et al. [119]

highlighted the challenges of multimedia file

carving and NTFS compressed file carving; and

proposed solutions for these challenges. The

solution for multimedia file carvings is based on

the characteristics of AVI, WAV and MP3 files.

In [120], the author discussed the structure of

Windows registry data and the behavior of

Windows in deleting the registry records. In

continue a technique is developed for identifying

the deleted Windows registry records and

recovery of deleted keys, values and other

attributes of records. Garfinkel et al. [121]

studied the usage of cryptographic hashes of

data blocks for finding data in sectors and

introduced the concept of “distinct disk sector”.

Moreover it provided some approaches for better

detection of JPEG, MPEG and other compressed

data files. Chivers and Hargreaves [122]

explored the structure of Windows search

database and the challenge of recovering the

deleted records after the file is deleted; it then

proposed a novel record carving approach for

identifying and recovering the deleted database

records from database unused space or

filesystem. King and Vidas [123] compared the

solid state disk (SSD) with normal HDD and

proved the TRIM command can affect the

investigation process. The analysis from 16


224


different disks shows that TRIM enabled disks

has almost 0% recoverable data while the SSDs

with disabled TRIM has the average of %100

success rate.

4.2.8. Application Forensics The forensic investigation of applications is

quite advantageous as these applications usually

store specific evidences. Identifying and

collecting these evidences demands for prior

research on the application behavior. In [124],

the authors studied Internet Download Manager

(IDM) activities recorded and effects on

different files such as log files, Windows

registry and history from artifacts point of view.

This study demonstrated approaches and told to

detect different attributes of download requests

like URL, download time and login credentials.

Garfinkel (Garfinkel, 2012b) shared the

experience of construction a Korean Reference

Data Set (KRDS) based on National Software

Reference Library RDS (NSRL RDS) and

developed a model for both effective importing

of NSRL data sets and adding Korean specific

data sets. Lallie and Briggs [125] explored three

well-known peer-to-peer network clients

(BitTorrent, µTorrent and Vuze) and analyzed

their artifacts on Windows registry using the

effects created by installation and working with

these clients.

In [126], the authors outlined the significance of

web browsers in forensic investigation and

proposed a methodology for evidence collection

and analysis from web browsers log files.

Lewthwaite and Smith [127] looked into the

Limewire artifacts remained in Windows

registry and other log files. It also has developed

a tool, AScan, to identify and recover evidences

from unallocated spaces and slack spaces of hard

disk drives. Fellows [128] described the

significance of recovering the WinRAR

temporary files and studied the behavior of

WinRAR in creating these temporary files. The

results of this research indicated that there is a

chance to detect and recover the evidence file

from deleted temporary folders while the

original file is protected by cryptographic

solutions.

4.2.9. File System Forensics Conducting research on file systems structures

and attributes is extremely important mainly due

to the need to extract evidence from these file

system which can be failed in case of unknown

file systems. In [53], the authors studied the

structure of file time attributes in the NTFS file

system and analyzed the modifications in access,

modification and creation time attributes of

files/folders by the user under different

operating system. Grier [129] proposed a

methodology for examining filesystems and

detecting emergent patterns unique to copying

via stochastically modeling filesystem behavior

through routine activity and emergent patterns in

MAC timestamps. Beebe et al. [130] explained

the functionality, architecture and disk layout of

ZFS file system and then discussed the forensic

investigation methods available for ZFS. This

work also brought some of the forensic

challenges of ZFS to light. Carrier [131]

investigated the credibility of ISO9660 file

system in forensic investigation and the fact that

this file system can be used for data hiding. The

details of data hiding process is studied and then

used to create an image with hidden data for

examining the available forensic toolkits.

In [132], authors presented a novel approach to

identify the disk cluster size without relying on

meta data of file system; instead, by detecting

the difference between the entropy difference

distributions of the non-cluster boundaries and

cluster boundaries. Kavallaris and Katos [133]

introduced a technique for identification of past

pod slurping type of attacks using information

stored in filesystem time stamp. This technique

infers a file’s transfer rate from access time

attribute and correlate it to the common rate of

the suspicious USB (obtained from Windows

registry) to identify the victim USB device.

4.2.10. Forensic Frameworks Obviously, the forensic frameworks are the basis

of the forensic process and developing new

frameworks can guarantee the adaptation of

forensic science with new technologies. In

[134], authors made an extensive survey of

available network forensic framework

implementations and proposed a generic digital

forensic investigation model with comparison to

the available models. Finally, the

implementation techniques of the proposed

model are discussed. Beckett and Slay [135]

highlighted the demand for adapting the new

technologies with the science of forensic

investigation so the digital forensics becomes a


225


true forensic science. This article examined the

roots of scientific methods to establish principles

of digital forensic as a science.

In [136], authors discussed the lack of

standardized data sets, corpora, as a necessary

requirement of forensic research; and presented

a taxonomy for defining several available

corpora. Guo et al. [137] studied the scientific

description of computer forensic characteristics

via identifying the basic functionalities of

computer forensic investigation procedure; and

introduced a functionality oriented validation

and verification framework for digital forensic

tools by using function mapping approach.

Shields et al. [138] proposed PROOFS, a

continuous forensic evidence collection tool,

which utilizes data retrieval methods on file

system forensic. PROOFS generate and save

signature for files that are copied, deleted or

altered6 over the network.

In [139], the authors analyzed the possible

effects of a fictitious P2P model on committing

a copyright violation crime while dealing with

the illegal distribution of digital contents. Cohen

et al. [140] introduced an open-source enterprise

forensic investigation tool that provides remote

access to memory and raw disk on multiple

platforms. In continue, it described the

architecture of the tool and how it performs

enterprise forensic investigation regularly.

Kahvedžić and Kechadi [141] presented a novel

digital investigation ontology (DIALOG) for the

management, reuse and analysis of digital

investigation knowledge via creating a general

vocabulary capable of describing the

investigation at any level. Case et al. [142]

explained the issue of correlation between

digital investigation tools and then proposed a

framework for automatic evidence identification

with support of different targets. The

implemented prototype presents the integrated

analysis of configuration log file, memory

image, disk image and network traffic captures.

In [143], the author shared the experience of

forensic investigation of a commercial closed

circuit television digital video recorder by using

raw disk analysis of the storage disk. The result

of investigation showed that with extra effort on

processing the raw video data, it might be

possible to extract the evidence in cases where

the recording device is not functional. Kao et al.

[144] proposed three analytical tools for

clarifying forensic investigation issues of

cybercrime using three strategies: Multi-faceted

Digital Forensics Analysis (MDFA), Ideal Log

and M-N model; in same order, they covered the

basic elements of cyber-crime using new

definitions of the forensic investigation,

traceable elements of the evidence, and finally

the ISP log records. Serrano et al. [145]

designed a multi-agent system (MAS)

debugging framework for developing a forensic

analysis (in cases where MASs indicate complex

tissues of connection among agents) by utilizing

the pathfinder networks (PFNETs).

4.3. Critical overlooked issues Privacy issues caused by digital forensic

investigation is one of the topics which deserves

more research in future as the issue rises where

the investigation can threat the secrecy of

unrelated data. The same challenge became even

more complicated when the cloud computing

and massive shared resources get involved.

Neglect in conducting effective researches may

lead to a direct conflict with citizens` right of

privacy can cause the digital forensic face a

deadlock where the law enforcers cannot

differentiate between potential evidences and

other private data. Studying the available works

in users right of privacy shows that the solution

can be in successful identification of related

evidence objects based on existing privacy

policies. The current feasible solution is using

formal method to tag pieces if data according to

the privacy policy and only then start collecting

evidences [146], [147].

Thanks to cloud computing concept, many

conflicts introduced to the digital forensic

investigation [148]–[150]. The jurisdiction of

the data is one of the most challenging topics

which seem to be overlooked. The digital

forensic community should realize that this

conflict will cause massive obstacle in legal

aspects of the investigation. Developing a

suitable cross national low is one of the solution

which has been working on in the past couple of

years but it demands much more affords to be

feasible [151], [152].

Moreover, only a few articles discuss digital

forensic investigation science and digital

forensic awareness. It is utterly vital to


226


understand that the bests of forensic frameworks

may have conflicts with the true nature of

forensic science; the majority of these conflicts

end up affecting the integrity of precious

evidence. As an instance, imaging the physical

memory in a forensic manner is one of the

challenges which did not attract much of the

researchers` attention. It is for this reason that

forensic science has emerged as a significant

aspect of digital forensics. A well-conducted

awareness campaign can help teach and make

digital investigators and forensic researchers

aware of these challenges. This may also help to

update the investigators about the latest

technologies and their new conflicts with

forensic investigation disciplines on a regular

bases; not only a once-off exercise.

5. CONCLUSION AND FUTURE WORKS Digital crime is a moving target, from the era of

telephone hackers up to the current state of the

complex malware intrusions. With new

developments and innovations, new types of

crime came along. This survey result has shown

that as we entered the twenty-first century, the

scope of digital forensic investigation has

widened and its focus is fast shifting toward

mobile device and cloud based investigations.

Digital forensics now requires a more

coordinated and focused effort from the national

and international society, governments and the

private sector. It is no coincidence that the study

shows a shift towards mobile device and cloud

forensic while the true nature of forensic science

becomes the essence of investigation

frameworks. This survey results have also

shown that most of today’s forensic challenges

are to a greater extent in direct conflict with

common digital forensic practices. All indicators

points to a scientific approach in the future

development of the digital forensic discipline.

However, as we move forward to address the

new challenges it is also critical that we continue

strengthening the technologies. Finally, New

research efforts is required that minimize the gap

between regulatory issues and technical

implementations.

6. REFERENCES [1] M. Pollitt, “A History of Digital

Forensics,” in Advances in Digital

Forensics VI, vol. 337, K.-P. Chow and

S. Shenoi, Eds. Berlin, Heidelberg:

Springer Berlin Heidelberg, 2010, pp. 3–

15.

[2] D. B. Parker, Crime by computer.

Scribner, 1976.

[3] E. Casey, Digital Evidence and

Computer Crime. Academic Press, 2004.

[4] P. Sommer, “The future for the policing

of cybercrime,” Computer Fraud &

Security, vol. 2004, no. 1, pp. 8–12, Jan.

2004.

[5] S. L. Garfinkel, “Digital forensics

research: The next 10 years,” Digital

Investigation, vol. 7, Supplement, pp.

S64 – S73, 2010.

[6] C. Stoll, “Stalking the wily hacker,”

Communications of the ACM, vol. 31, no.

5, pp. 484–497, May 1988.

[7] V. Corey, C. Peterman, S. Shearin, M. S.

Greenberg, and J. Van Bokkelen,

“Network forensics analysis,” IEEE

Internet Computing, vol. 6, no. 6, pp. 60

– 66, Dec. 2002.

[8] M. W. Stevens, “Unification of relative

time frames for digital forensics,” Digital

Investigation, vol. 1, no. 3, pp. 225–239,

Sep. 2004.

[9] D. Forte, “The importance of text

searches in digital forensics,” Network

Security, vol. 2004, no. 4, pp. 13–15,

Apr. 2004.

[10] B. D. Carrier and J. Grand, “A hardware-

based memory acquisition procedure for

digital investigations,” Digital


Feb. 2004.

[11] S. Mocas, “Building theoretical

underpinnings for digital forensics

research,” Digital Investigation, vol. 1,

no. 1, pp. 61–68, Feb. 2004.

[12] C. Vaughan, “Xbox security issues and

forensic recovery methodology (utilising

Linux),” Digital Investigation, vol. 1, no.

3, pp. 165–172, Sep. 2004.

[13] B. J. Nikkel, “Domain name forensics: a

systematic approach to investigating an

internet presence,” Digital Investigation,

vol. 1, no. 4, pp. 247–255, Dec. 2004.

[14] F. Buchholz and E. Spafford, “On the

role of file system metadata in digital


227


forensics,” Digital Investigation, vol. 1,

no. 4, pp. 298–309, Dec. 2004.

[15] G. A. Francia and K. Clinton, “Computer

forensics laboratory and tools,” Journal

of Computing Sciences in Colleges, vol.

20, no. 6, pp. 143–150, Jun. 2005.

[16] B. J. Nikkel, “Forensic acquisition and

analysis of magnetic tapes,” Digital

Investigation, vol. 2, no. 1, pp. 8–18, Feb.

2005.

[17] W. Jansen and R. Ayers, “An overview

and analysis of PDA forensic tools,”

Digital Investigation, vol. 2, no. 2, pp.

120–132, Jun. 2005.

[18] M. Bedford, “Methods of discovery and

exploitation of Host Protected Areas on

IDE storage devices that conform to

ATAPI-4,” Digital Investigation, vol. 2,

no. 4, pp. 268–275, Dec. 2005.

[19] W. Harrison, “A term project for a course

on computer forensics,” Journal on

Educational Resources in Computing,

vol. 6, no. 3, p. 6–es, Sep. 2006.

[20] A. Laurie, “Digital detective –

Bluetooth,” Digital Investigation, vol. 3,

no. 1, pp. 17–19, Mar. 2006.

[21] B. J. Nikkel, “Improving evidence

acquisition from live network sources,”


89–96, Jun. 2006.

[22] R. S. C. Ieong, “FORZA–Digital

forensics investigation framework that

incorporate legal issues,” digital

investigation, vol. 3, pp. 29–36, 2006.

[23] J. P. Zachman, “The Zachman

FrameworkTM

Evolution,” EA Articles

(page intentionally left blank), 2009.

[24] R. Harris, “Arriving at an anti-forensics

consensus: Examining how to define and

control the anti-forensics problem,”

Digital Investigation, vol. 3, Supplement,

pp. 44–49, Sep. 2006.

[25] S. L. Garfinkel, “Forensic feature

extraction and cross-drive analysis,”


pp. 71–81, Sep. 2006.

[26] A. Schuster, “Searching for processes

and threads in Microsoft Windows

memory dumps,” Digital Investigation,

vol. 3, Supplement, pp. 10–16, Sep.

2006.

[27] S. Jeyaraman and M. J. Atallah, “An

empirical study of automatic event

reconstruction systems,” Digital


108–115, Sep. 2006.

[28] W. Alink, R. A. F. Bhoedjang, P. A.

Boncz, and A. P. de Vries, “XIRAF –

XML-based indexing and querying for

digital forensics,” Digital Investigation,


2006.

[29] A. Johnston and J. Reust, “Network

intrusion investigation – Preparation and

challenges,” Digital Investigation, vol. 3,

no. 3, pp. 118–126, Sep. 2006.

[30] S. Mead, “Unique file identification in

the National Software Reference

Library,” Digital Investigation, vol. 3, no.

3, pp. 138–150, Sep. 2006.

[31] B. J. Nikkel, “A portable network

forensic evidence collector,” Digital


Sep. 2006.

[32] S.-J. Wang, H.-J. Ke, J.-H. Huang, and

C.-L. Chan, “Concerns about Hash

Cracking Aftereffect on Authentication

Procedures in Applications of

Cyberspace,” IEEE Aerospace and

Electronic Systems Magazine, vol. 22,

no. 1, pp. 3 –7, Jan. 2007.

[33] S. Peisert, M. Bishop, S. Karin, and K.

Marzullo, “Analysis of Computer

Intrusions Using Sequences of Function

Calls,” IEEE Transactions on

Dependable and Secure Computing, vol.

4, no. 2, pp. 137 –150, Jun. 2007.

[34] A. Castiglione, A. De Santis, and C.

Soriente, “Taking advantages of a

disadvantage: Digital forensics and

steganography using document

metadata,” Journal of Systems and

Software, vol. 80, no. 5, pp. 750–764,

May 2007.

[35] R. Murphey, “Automated Windows event

log forensics,” Digital Investigation, vol.

4, Supplement, pp. 92–100, Sep. 2007.

[36] A. Spruill and C. Pavan, “Tackling the

U3 trend with computer forensics,”

Digital Investigation, vol. 4, no. 1, pp. 7–

12, Mar. 2007.


228


[37] P. Turner, “Applying a forensic approach

to incident response, network

investigation and system administration

using Digital Evidence Bags,” Digital


Mar. 2007.

[38] G. G. Richard, V. Roussev, and L.

Marziale, “Forensic discovery auditing of

digital evidence containers,” Digital


Jun. 2007.

[39] B. J. Nikkel, “An introduction to

investigating IPv6 networks,” Digital


Jun. 2007.

[40] G. Masters and P. Turner, “Forensic data

recovery and examination of magnetic

swipe card cloning devices,” Digital

Investigation, vol. 4, Supplement, pp. 16–

22, Sep. 2007.

[41] J. R. Lyle and M. Wozar, “Issues with

imaging drives containing faulty sectors,”


pp. 13–15, Sep. 2007.

[42] A. R. Arasteh, M. Debbabi, A. Sakha,

and M. Saleh, “Analyzing multiple logs

for forensic evidence,” Digital


91, Sep. 2007.

[43] A. R. Arasteh and M. Debbabi, “Forensic

memory analysis: From stack and code to

execution history,” Digital Investigation,


2007.

[44] B. Schatz, “BodySnatcher: Towards

reliable volatile memory acquisition by

software,” Digital Investigation, vol. 4,

Supplement, pp. 126–134, Sep. 2007.

[45] M. S. Barik, G. Gupta, S. Sinha, A.

Mishra, and C. Mazumdar, “An efficient

technique for enhancing forensic

capabilities of Ext2 file system,” Digital


61, Sep. 2007.

[46] M. Cohen, S. Garfinkel, and B. Schatz,

“Extending the advanced forensic format

to accommodate multiple data sources,

logical evidence, arbitrary information

and forensic workflow,” Digital


S57 – S68, 2009.

[47] M. Taylor, J. Haggerty, D. Gresty, and D.

Lamb, “Forensic investigation of cloud

computing systems,” Network Security,

vol. 2011, no. 3, pp. 4 – 10, 2011.

[48] E. Casey, A. Cheval, J. Y. Lee, D. Oxley,

and Y. J. Song, “Forensic acquisition and

analysis of palm webOS on mobile

devices,” Digital Investigation, vol. 8, no.

1, pp. 37 – 47, 2011.

[49] D. Takahashi, Y. Xiao, Y. Zhang, P.

Chatzimisios, and H.-H. Chen, “IEEE

802.11 user fingerprinting and its

applications for intrusion detection,”

Computers & Mathematics with

Applications, vol. 60, no. 2, pp. 307 –

318, 2010.

[50] M. S. Olivier, “On metadata context in

Database Forensics,” Digital

Investigation, vol. 5, no. 3–4, pp. 115 –

123, 2009.

[51] C. Maartmann-Moe, S. E. Thorkildsen,

and A. Årnes, “The persistence of

memory: Forensic identification and

extraction of cryptographic keys,” Digital


S132 – S140, 2009.

[52] B. R. Mallio, “Message hiding using

steganography, and forensic approaches

for discovery,” J. Comput. Sci. Coll., vol.

23, no. 3, pp. 6–6, Jan. 2008.

[53] J. Bang, B. Yoo, and S. Lee, “Analysis of

changes in file time attributes with file

manipulation,” Digital Investigation, vol.

7, no. 3–4, pp. 135 – 144, 2011.

[54] V. G. Cerf, “Defense against the Dark

Arts,” IEEE Internet Computing, vol. 16,

no. 1, p. 96, Feb. 2012.

[55] A. Savoldi, M. Piccinelli, and P. Gubian,

“A statistical method for detecting on-

disk wiped areas,” Digital Investigation,

vol. 8, no. 3–4, pp. 194 – 214, 2012.

[56] F. N. Dezfoli, A. Dehghantanha, R.

Mahmoud, N. F. B. M. Sani, and F.

Daryabar, “DIGITAL FORENSIC

TRENDS AND FUTURE,” International

Journal of Cyber-Security and Digital

Forensics (IJCSDF), vol. 2, no. 2, pp.

48–76, 2013.

[57] M. Damshenas, A. Dehghantanha, and R.

Mahmoud, “A SURVEY ON

MALWARE PROPAGATION,


229


ANALYSIS, AND DETECTION,”

International Journal of Cyber-Security

and Digital Forensics (IJCSDF), vol. 2,

no. 4, pp. 10–29, 2013.

[58] I. Amerini, L. Ballan, R. Caldelli, A. Del

Bimbo, and G. Serra, “A SIFT-Based

Forensic Method for Copy–Move Attack

Detection and Transformation

Recovery,” Information Forensics and

Security, IEEE Transactions on, vol. 6,

no. 3, pp. 1099–1110, 2011.

[59] H. Gou, A. Swaminathan, and M. Wu,

“Intrinsic sensor noise features for

forensic analysis on scanners and scanned

images,” Information Forensics and

Security, IEEE Transactions on, vol. 4,

no. 3, pp. 476–491, 2009.

[60] M. Chen, J. Fridrich, M. Goljan, and J.

Lukás, “Determining image origin and

integrity using sensor noise,” Information

Forensics and Security, IEEE

Transactions on, vol. 3, no. 1, pp. 74–90,

2008.

[61] H. D. Yuan, “Blind forensics of median

filtering in digital images,” Information

Forensics and Security, IEEE

Transactions on, vol. 6, no. 4, pp. 1335–

1345, 2011.

[62] B. Mahdian and S. Saic, “Using noise

inconsistencies for blind image

forensics,” Image and Vision Computing,

vol. 27, no. 10, pp. 1497 – 1503, 2009.

[63] H. Farid and M. J. Bravo, “Perceptual

discrimination of computer generated and

photographic faces,” Digital


235, 2012.

[64] J. D. Kornblum, “Using JPEG

quantization tables to identify imagery

processed by software,” Digital


S21 – S25, 2008.

[65] S. D. Mahalakshmi, K. Vijayalakshmi,

and S. Priyadharsini, “Digital image

forgery detection and estimation by

exploring basic image manipulations,”

Digital Investigation, vol. 8, no. 3–4, pp.

215 – 225, 2012.

[66] M.-J. Tsai, C.-S. Wang, J. Liu, and J.-S.

Yin, “Using decision fusion of feature

selection in digital forensics for camera

source model identification,” Computer

Standards & Interfaces, vol. 34, no.

3, pp. 292 – 304, 2012.

[67] J. H. Choi, H. Y. Lee, and H. K. Lee,

“Color laser printer forensic based on

noisy feature and support vector machine

classifier,” Multimedia Tools and

Applications, pp. 1–20, 2011.

[68] M. Islam, P. A. Watters, and J.

Yearwood, “Real-time detection of

children’s skin on social networking sites

using Markov random field modelling,”

Information Security Technical Report,

vol. 16, no. 2, pp. 51 – 58, 2011.

[69] C. M. S. Steel and C.-T. Lu,

“Impersonator identification through

dynamic fingerprinting,” Digital

Investigation, vol. 5, no. 1–2, pp. 60 – 70,

2008.

[70] S. Bayram, H. T. Sencar, and N. Memon,

“Classification of digital camera-models

based on demosaicing artifacts,” Digital


2008.

[71] C. Tang, A. W. K. Kong, and N. Craft,

“Using a Knowledge-Based Approach to

Remove Blocking Artifacts in Skin

Images for Forensic Analysis,”

Information Forensics and Security,

IEEE Transactions on, vol. 6, no. 3, pp.

1038–1049, 2011.

[72] W. S. Lin, S. K. Tjoa, H. V. Zhao, and K.

J. R. Liu, “Digital image source coder

forensics via intrinsic fingerprints,”



460–475, 2009.

[73] F. Huang, J. Huang, and Y. Q. Shi,

“Detecting double JPEG compression

with the same quantization matrix,”



848–856, 2010.

[74] M. Kirchner and R. Bohme, “Hiding

traces of resampling in digital images,”



582–592, 2008.

[75] L. Miralles and J. Moreno, “Versatile

iPad forensic acquisition using the Apple

Camera Connection Kit,” Computers


230


& Mathematics with Applications,

vol. 63, no. 2, pp. 544 – 553, 2012.

[76] V. L. L. Thing, K.-Y. Ng, and E.-C.

Chang, “Live memory forensics of

mobile phones,” Digital Investigation,

vol. 7, Supplement, pp. S74 – S82, 2010.

[77] J. Sylve, A. Case, L. Marziale, and G. G.

Richard, “Acquisition and analysis of

volatile memory from android devices,”


175 – 184, 2012.

[78] A. Distefano and G. Me, “An overall

assessment of Mobile Internal

Acquisition Tool,” Digital Investigation,

vol. 5, Supplement, pp. S121 – S127,

2008.

[79] T. Vidas, C. Zhang, and N. Christin,

“Toward a general collection

methodology for Android devices,”


pp. S14 – S24, 2011.

[80] K. Jonkers, “The forensic use of mobile

phone flasher boxes,” Digital


178, 2010.

[81] P. Owen and P. Thomas, “An analysis of

digital forensic examinations: Mobile

devices versus hard disk drives utilising

ACPO & NIST guidelines,” Digital

Investigation, vol. 8, no. 2, pp. 135 – 140,

2011.

[82] G. Grispos, T. Storer, and W. B. Glisson,

“A comparison of forensic evidence

recovery techniques for a windows

mobile smart phone,” Digital

Investigation, vol. 8, no. 1, pp. 23 – 36,

2011.

[83] O. van Eijk and M. Roeloffs, “Forensic

acquisition and analysis of the Random

Access Memory of TomTom GPS

navigation systems,” Digital


188, 2010.

[84] F. Rehault, “Windows mobile advanced

forensics: An alternative to existing

tools,” Digital Investigation, vol. 7, no.

1–2, pp. 38 – 47, 2010.

[85] R. P. Mislan, E. Casey, and G. C.

Kessler, “The growing need for on-scene

triage of mobile devices,” Digital


124, 2010.

[86] J. Olsson and M. Boldt, “Computer

forensic timeline visualization tool,”


pp. S78 – S87, 2009.

[87] C. Klaver, “Windows Mobile advanced


no. 3–4, pp. 147 – 167, 2010.

[88] R. A. Joyce, J. Powers, and F. Adelstein,

“MEGA: A tool for Mac OS X operating

system and application forensics,”


pp. S83 – S90, 2008.

[89] A. Case, L. Marziale, and G. G. R. III,

“Dynamic recreation of kernel data

structures for live forensics,” Digital


S32 – S40, 2010.

[90] H. Inoue, F. Adelstein, and R. A. Joyce,

“Visualization in testing a volatile

memory forensic tool,” Digital


S42 – S51, 2011.

[91] D. Ayers, “A second generation computer

forensic analysis system,” Digital


S34 – S42, 2009.

[92] L. Pan and L. M. Batten, “Robust

performance testing for digital forensic

tools,” Digital Investigation, vol. 6, no.

1–2, pp. 71 – 81, 2009.

[93] S. Garfinkel, “Digital forensics XML and

the DFXML toolset,” Digital


174, 2012.

[94] B. N. Levine and M. Liberatore, “DEX:

Digital evidence provenance supporting

reproducibility and comparison,” Digital


S48 – S56, 2009.

[95] G. Conti, S. Bratus, A. Shubina, B.

Sangster, R. Ragsdale, M. Supan, A.

Lichtenberg, and R. Perez-Alemany,

“Automated mapping of large binary

objects using primitive fragment type

classification,” Digital Investigation, vol.

7, Supplement, pp. S3 – S12, 2010.

[96] B. Dolan-Gavitt, “Forensic analysis of

the Windows registry in memory,”


231



pp. S26 – S32, 2008.

[97] R. B. van Baar, W. Alink, and A. R. van

Ballegooij, “Forensic memory analysis:

Files mapped in memory,” Digital


S52 – S57, 2008.

[98] A. Schuster, “The impact of Microsoft

Windows pool allocation strategies on

memory forensics,” Digital Investigation,


[99] K. Saur and J. B. Grizzard, “Locating

×86 paging structures in memory

images,” Digital Investigation, vol. 7, no.

1–2, pp. 28 – 37, 2010.

[100] R. M. Stevens and E. Casey, “Extracting

Windows command line details from

physical memory,” Digital Investigation,


[101] S. M. Hejazi, C. Talhi, and M. Debbabi,

“Extraction of forensically sensitive

information from windows physical

memory,” Digital Investigation, vol. 6,

Supplement, pp. S121 – S131, 2009.

[102] J. Okolica and G. L. Peterson, “Windows

operating systems agnostic memory

analysis,” Digital Investigation, vol. 7,


[103] J. Okolica and G. L. Peterson,

“Extracting the windows clipboard from

physical memory,” Digital Investigation,


2011.

[104] J. S. Okolica and G. L. Peterson,

“Windows driver memory analysis: A

reverse engineering methodology,”

Computers & Security, vol. 30, no.

8, pp. 770 – 779, 2011.

[105] J. R. Rabaiotti and C. J. Hargreaves,

“Using a software exploit to image RAM

on an embedded system,” Digital


103, 2010.

[106] R. Beverly, S. Garfinkel, and G.

Cardwell, “Forensic carving of network

packets and associated data structures,”


pp. S78 – S89, 2011.

[107] O. Thonnard and M. Dacier, “A

framework for attack patterns’ discovery

in honeynet data,” Digital Investigation,


2008.

[108] B. Shebaro and J. R. Crandall, “Privacy-

preserving network flow recording,”


pp. S90 – S100, 2011.

[109] Y. Zhu, “Attack Pattern Discovery in

Forensic Investigation of Network

Attacks,” Selected Areas in

Communications, IEEE Journal on, vol.

29, no. 7, pp. 1349–1357, 2011.

[110] M. I. Cohen, “Source attribution for

network address translated forensic

captures,” Digital Investigation, vol. 5,

no. 3–4, pp. 138 – 145, 2009.

[111] H.-M. Hsu, Y. S. Sun, and M. C. Chen,

“Collaborative scheme for VoIP

traceback,” Digital Investigation, vol. 7,

no. 3–4, pp. 185 – 195, 2011.

[112] A. Distefano, G. Me, and F. Pace,

“Android anti-forensics through a local

paradigm,” Digital Investigation, vol. 7,


[113] H. M. Sun, C. Y. Weng, C. F. Lee, and C.

H. Yang, “Anti-forensics with

steganographic data embedding in digital

images,” Selected Areas in

Communications, IEEE Journal on, vol.

29, no. 7, pp. 1392–1403, 2011.

[114] M. C. Stamm and K. J. R. Liu, “Anti-

forensics of digital image compression,”



1050–1065, 2011.

[115] H. Khan, M. Javed, S. A. Khayam, and F.

Mirza, “Designing a cluster-based covert

channel to evade disk investigation and

forensics,” Computers & Security,

vol. 30, no. 1, pp. 35 – 49, 2011.

[116] S. Rekhis and N. Boudriga, “A System

for Formal Digital Forensic Investigation

Aware of Anti-Forensic Attacks,”



635–650, 2012.

[117] E. Casey, G. Fellows, M. Geiger, and G.

Stellatos, “The growing impact of full

disk encryption on digital forensics,”


129 – 134, 2011.


232


[118] M. T. Pereira, “Forensic analysis of the

Firefox 3 Internet history and recovery of

deleted SQLite records,” Digital


103, 2009.

[119] B. Yoo, J. Park, S. Lim, J. Bang, and S.

Lee, “A study on multimedia file carving

method,” Multimedia Tools and

Applications, pp. 1–19, 2012.

[120] T. D. Morgan, “Recovering deleted data

from the Windows registry,” Digital


S33 – S41, 2008.

[121] S. Garfinkel, A. Nelson, D. White, and V.

Roussev, “Using purpose-built functions

and block hashes to enable small block

and sub-file forensics,” Digital


S13 – S23, 2010.

[122] H. Chivers and C. Hargreaves, “Forensic

data recovery from the Windows Search

Database,” Digital Investigation, vol. 7,

no. 3–4, pp. 114 – 126, 2011.

[123] C. King and T. Vidas, “Empirical

analysis of solid state disk data retention

when used with contemporary operating

systems,” Digital Investigation, vol. 8,


[124] M. Yasin, A. R. Cheema, and F. Kausar,

“Analysis of Internet Download Manager

for collection of digital forensic

artefacts,” Digital Investigation, vol. 7,

no. 1–2, pp. 90 – 94, 2010.

[125] H. S. Lallie and P. J. Briggs, “Windows 7

registry forensic evidence created by

three popular BitTorrent clients,” Digital


134, 2011.

[126] J. Oh, S. Lee, and S. Lee, “Advanced

evidence collection and analysis of web

browser activity,” Digital Investigation,


[127] J. Lewthwaite and V. Smith, “Limewire

examinations,” Digital Investigation, vol.

5, Supplement, pp. S96 – S104, 2008.

[128] G. Fellows, “WinRAR temporary folder

artefacts,” Digital Investigation, vol. 7,

no. 1–2, pp. 9 – 13, 2010.

[129] J. Grier, “Detecting data theft using

stochastic forensics,” Digital


S71 – S77, 2011.

[130] N. L. Beebe, S. D. Stacy, and D. Stuckey,

“Digital forensic implications of ZFS,”


pp. S99 – S107, 2009.

[131] B. D. Carrier, “Different interpretations

of ISO9660 file systems,” Digital


S129 – S134, 2010.

[132] M. Xu, H.-R. Yang, J. Xu, Y. Xu, and N.

Zheng, “An adaptive method to identify

disk cluster size based on block content,”


48 – 55, 2010.

[133] T. Kavallaris and V. Katos, “On the

detection of pod slurping attacks,”

Computers & Security, vol. 29, no.

6, pp. 680 – 685, 2010.

[134] E. S. Pilli, R. C. Joshi, and R. Niyogi,

“Network forensic frameworks: Survey

and research challenges,” Digital


2010.

[135] J. Beckett and J. Slay, “Scientific

underpinnings and background to

standards and accreditation in digital


no. 2, pp. 114 – 121, 2011.

[136] S. Garfinkel, P. Farrell, V. Roussev, and

G. Dinolt, “Bringing science to digital

forensics with standardized forensic

corpora,” Digital Investigation, vol. 6,


[137] Y. Guo, J. Slay, and J. Beckett,

“Validation and verification of computer

forensic software tools—Searching

Function,” Digital Investigation, vol. 6,


[138] C. Shields, O. Frieder, and M. Maloof,

“A system for the proactive, continuous,

and efficient collection of digital forensic

evidence,” Digital Investigation, vol. 8,


[139] S.-J. Wang, D.-Y. Kao, and F. F.-Y.

Huang, “Procedure guidance for Internet

forensics coping with copyright

arguments of client-server-based P2P

models,” Computer Standards &

Interfaces, vol. 31, no. 4, pp. 795–800,

Jun. 2009.


233


[140] M. I. Cohen, D. Bilby, and G. Caronni,

“Distributed forensics and incident

response in the enterprise,” Digital


S101 – S110, 2011.

[141] D. Kahvedžić and T. Kechadi,

“DIALOG: A framework for modeling,

analysis and reuse of digital forensic

knowledge,” Digital Investigation, vol. 6,


[142] A. Case, A. Cristina, L. Marziale, G. G.

Richard, and V. Roussev, “FACE:

Automated digital evidence discovery

and correlation,” Digital Investigation,


[143] N. R. Poole, Q. Zhou, and P. Abatis,

“Analysis of CCTV digital video

recorder hard disk storage system,”


85 – 92, 2009.

[144] D.-Y. Kao, S.-J. Wang, and F. F.-Y.

Huang, “SoTE: Strategy of Triple-E on

solving Trojan defense in Cyber-crime

cases,” Computer Law & Security

Review, vol. 26, no. 1, pp. 52 – 60, 2010.

[145] E. Serrano, A. Quirin, J. Botia, and O.

Cordón, “Debugging complex software

systems by means of pathfinder

networks,” Information Sciences, vol.

180, no. 5, pp. 561 – 583, 2010.

[146] A. Dehghantanha, N. Udzir, and R.

Mahmod, “Evaluating user-centered

privacy model (UPM) in pervasive

computing systems,” Computational

Intelligence in Security for Information

Systems, pp. 272–284, 2011.

[147] C. Sagaran, A. Dehghantanha, and R.

Ramli, “A User-Centered Context-

sensitive Privacy Model in Pervasive

Systems,” in Communication Software

and Networks, 2010. ICCSN’10. Second

International Conference on, 2010, pp.

78–82.

[148] S. Biggs and S. Vidalis, “Cloud

Computing: The impact on digital

forensic investigations,” in Internet

Technology and Secured Transactions,

2009. ICITST 2009. International

Conference for, 2009, pp. 1 –6.

[149] M. Damshenas and A. Dehghantanha,

“Forensics Investigation Challenges in

Cloud Computing Environments,”

presented at the The International

Conference on Cyber Security, Cyber

Warfare and Digital Forensic, Kuala

Lumpur, Malaysia, 2012, pp. 190–194.

[150] F. Daryabar, A. Dehghantanha, N. I.

Udzir, N. F. binti M. Sani, and S. bin

Shamsuddin, “A REVIEW ON

IMPACTS OF CLOUD COMPUTING

ON DIGITAL FORENSICS,”

International Journal of Cyber-Security

and Digital Forensics (IJCSDF), vol. 2,

no. 2, pp. 77–94, 2013.

[151] T. Hasani and A. Dehghantanha, “A

Guideline to Enforce Data Protection and

Privacy Digital Laws in Iran,”

Proceedings of International Conference

on Software and Computer Applications

(ICSCA 2011), pp. 3–6, 2011.

[152] P. Hunton, “The stages of cybercrime

investigations: Bridging the gap between

technology examination and law

enforcement investigation,” Computer

Law & Security Review, vol. 27, no.

1, pp. 61 – 67, 2011.


234


e-Fraud Forensics Investigation Techniques with

Formal Concept Analysis

1WAZIRI, Victor Onomza,

2Abdullahi Umar,

3MORUFU Olalere,

1,,3Cyber Security Science Department,

2Department of Computer Science

School of Information and Communication Technology

Federal University of Technology,

Minna-Nigeria

Abstract

One of the cardinal impacts of Cyber Security (CS) is the combating of financial e-fraud and other

related crimes. Formal Concept Analysis (FCA) could serve as a great useful weapon in the

detection and retrieving of various crime activities perpetrated on the cyberspace. This paper

proposes a CS-based investigation process through visualization and data analysis of mobile

communication devices using the formal Concept Analysis which is a data analysis technique based

on lattice theory and propositional Calculus. The method to be employed visualizes the lattice that

maybe conceived as a set of common and distinct attributes of data in such a way that classifications

are done based on related data with respect to time and events of the crime performance within a

some Internet geographical space. The lattices were then built using Galicia 3.2 Lattice building

software using the data connected of criminal activities that were collected from the mobile phones,

Laptops etc.. The results obtained were used in building a more defined and conceptualized system

for analysis of e-fraud data in the cyberspace that could be easily visualized and intelligently

analysed by the cyberspace computational systems processes.

Keywords: Financial Crime, lattice Theory, Formal Concepts analysis, data analysis and

visualization

1. INTRODUCTION

Radim (2008), propounded Formal Concept

Analysis (FCA) as a method of data analysis

that describes relationship between a particular

set of objects and a particular set of attributes.

FCA produces two kinds of attributes from the

input data. The first is concept lattice which is

a collection of formal concept in the data that

are hierarchically ordered by a sub-concept-

superconcept relationship.

The formal concepts are particularly clusters

which represent natural human-like concepts

such as may be visualized in an international

network of botnet syndicates. The second

output of FCA consists of attributes

implication which describes a particular

dependency that is valid in the data in the

syndicate cycle of operations. The most

important feature of FCA is the integration of

three components (a, b, c) (where ―a‖ signifies

Discovery, ―b‖ reasoning and ―c‖ output) of

conceptual processing of data and knowledge.

These FCA components are Discovery and

Reasoning which underlines the formation of

concepts in data lattices or a network

syndicate. Discovery and Reasoning involve

dependencies in database; visualizing of the

database, picturing the conceptualization of


235


the dependencies with the current folding or

unfolding capabilities outputs. This could be

visualized conceptually as in figure 1:

Figure 1: Concept Lattice that shows a

visualized construe of FCA. This could be

construed as a botnet syndicate over some

specified geographical space

Virtually, all societies in the modern world

are troubled by some related fraud activities

such as e-fraud in some abstracted cybercrime

environment in this modern cyberspace

advancement. Most of these cybercrimes are

carried out by individuals or organized groups

in the form of syndicate over large

geographical territories. While cybercrime

rate may vary from one country to another

and from one region to another, black hackers

behaviour remains a case for concern

amongst most members of the public

commercial and governmental institutions;

thus hinder e-Governance and e-commerce

efficient utilization of administrative secret

information and gaining substantial benefits

in financial realizations respectively.

Cybercrime prevention and control have been

government’s prerogatives through various

enacted law enforcement agencies. With the

increasing use of the computerized systems to

track cybercrimes penetrations and malware

detections, computer data analysis have

begun to assist law enforcement agencies and

detectives to speed up the process of

preventing crimes in various ramifications

especially in digital forensics analysis.

The most efficient and effective way of

fighting cybercrimes today cannot be

construed without geographical profiling.

Black Hacks activities have become very

complex in such a way that rapid monitory

can only be achieved by using intelligent

sensors within geographical components

(Kester, 2013) and analyzing using analytical

efficient tools. Digital Forensic investigative

approaches are needed to analyse connected

series of crimes data on the Internet to

determine the most probable area of offender

residence (but this could be difficult due to

the application of proxies used by botnet

masters). By incorporating both qualitative

and quantitative methods, we shall assist in

understanding spatial behaviour of an

offender and focussing the investigation to a

smaller area of the local network.

Typically used in cases of serial murder or

theft, the technique could help the police

detectives to prioritize information in large-

scale major crime investigations that often

involve hundreds of interconnected nodes and

informants (Wikipedia 2013). A criminal

pattern of network computer analysis in some

given location on the Internet is very crucial

in cybercrimes detection. Discovering the

relationship between Computer systems on

the Local networks have to be engaged in

order to gather and interpret intelligence so as

to control the network interrelationship

connectivity as well as influence effective

decision making as can be conceptualized


236


below diagrammatically in figure

Figure2: Pattern analysis theory

Figure 2 describes some unary binary relationship that exists between some crime pivotal spot as the root for discovery through Intelligence analysis being applied to decipher the crime, therefore, deduces some intelligence decision that would make impacts over the crime interoperable scene and the root.

This paper proposes a CS-based digital

forensic investigation for some abstractive

abstractive e-fraud environment by

visualizing and analyzing data of mobile

communication devices using Formal context

and Galois lattices, a data analysis technique

based on Lattice Theory Propositional

Calculus. This method considered the set of

common and distinct attributes of data in such

a way that categorizations are done based on

related data found on evidence nodes with

respect to time and events. All these

deductions are done without concrete adduced

dataset.

This will help in building a more defined and

efficient conceptualized systems for analysis

of digital forensics data that could easily be

intelligently analyzed and visualized by

computer systems on the mobile computing

space.

The rest of the paper is structured as follows:

Section 2 reviews some literatures on ground,

section 3 gives an in-depth theoretical

Methodology of the FCA, Section 4 depicts

some experimental evidences of section 3 and

their interpretations, giving three basic

visualization figures for an intelligent

abstraction, section 5 summarizes the

research through some short statements and

some vital recommendations for future

research work.

2.0 RELATED WORKS

Cyber Crimes activities are geospatial

phenomena through the Internet and as such

are geospatially, thematically and temporally

correlated. Thus, Cyber crime datasets must

be interpreted and analysed in conjunction

with various factors that can contribute to the

formulation of some specific crime on the

Internet. Discovering these correlations

allows a deeper insight into the complex

nature of Cyber criminal behavioural pattern

(McGarrell & Schlegel, 1993). There are

challenges faced in today’s world in terms of

Cyber crime analysis when it comes to

graphical visualization of the crime patterns.

Geographical representation of cybercrime

scenes and crime types has become very

important in gathering intelligence about

crimes. This provides a very dynamic and

easy way of monitoring cyber criminal

activities and analysing them as well as

producing effective countermeasures and

preventive measures in solving them.

Kester, (ibid) proposed a new method of

visualizing and analysing crime patterns

based on geographical crime data. In the

United States, the FBI collaborates with local

law enforcement and prosecutors to share

intelligence and efforts through teamwork has

demonstrated effectiveness in addressing

traditional crime involving drugs, weapons,

gangs, and violence (McGarrell & Schlegel,

1993; Russell-Einhorn, 2004). By extension,

many scholars and practitioners has asserted


237


the importance of forming comparable teams

to combat digital forensics crime with the

hope of similar positive outcomes (Conly &

McEwen, 1990).

Rogerson and Sun (2001) described a new

procedure for testing changes over time in the

spatial pattern of point events, combining the

nearest neighbour statistic and cumulative

sum methods. The method results in the rapid

detection of deviations from expected

geographical patterns. The method was

illustrated using 1996 arson data from the

Buffalo, NY, Police Department. The

appearance of patterns could be found in

different modalities of a domain, where the

different modalities refer to the data sources

that constitute different aspects of a domain.

Particularly, the domain that refers to crime

and the different modalities refer to different

data sources within the crime domain such as

offender data, Weapon data, etc. In addition,

patterns also exist in different levels of

granularity for each modality. In order to

have a thorough understanding of a domain, it

is important to reveal hidden patterns through

the data explorations at different levels of

granularity and for each modality. Therefore,

Yee Ling Boo and Alahakoon, D presented a

new model for identifying patterns that exist

in different levels of granularity for different

modes of crime data.

A hierarchical clustering approach – growing

self organizing maps (GSOM) has been

deployed. The model was further enhanced

with experiments that exhibit the significance

of exploring data at different granularities

(Boo and Alahakoon, 2008).

Formal Concept Analysis (FCA) is a method

of data analysis with growing popularity

across various domains that can easily be

extended to the cyberspace similarity. FCA

analyses data that describes relationship

between a particular set of objects and a

particular set of attributes. Such data

commonly appear in many areas of human

activities.

FCA produces two kinds of output from the

input data. The first is a concept lattice. As

concept lattice is a collection of formal

concepts in the data which is hierarchically

ordered by a sub-concept super concept

relations. Formal concepts are particular

clusters which represent natural human-like

concepts such as ―organism living in the

water‖, ―car with all wheel drive system‖,

―number divisible by 3 and 4‖, etc. The

second output of FCA is a collection of so-

called attribute implications. An attributes

implication describes a particular dependency

which is valid in the data such as ―every

number divisible by 3 and 4 is divisible by 6‖,

every respondent with age over 60 is retired‖,

etc (Radim, 2008).

Modern police organizations and intelligence

services are adopting the use of FCA in crime

pattern analysis for tracking down criminal

suspects through the integration of

heterogeneous data sources and visualising

this information so that a human expert can

gain insight in the data (Russsell and Einhorn,

2004).

3.0 METHODOLOGY

In this section, we give a detail mathematical

theory representation of the FCA analysis

[12]. It could also be used in data analysis,

information retrieval ( a useful tool for Digital

Forensics and Internet Network Security

analyses), and Knowledge discovery. It could

also be useful in the application as a a

conceptual clustering method, which clusters

simultaneously objects and gives formative

clearance for their descriptions. It is


238


applicable for efficiently computing

association rules. Thus, FCA makes concepts

as units of thoughts, that consists of two main

parts:

a. The extension consists of all objects

belonging to the concept; and

b. The intension consists of all attributes

common to all those objects

Thus as outlined [12, 13] we present the FCA

Algorithm as follow:

In FCA as a formal concept consists

of a set of objects, G, a set of

attributes, M, and a relation between

G and M, I ⊑ G × M; where I is a

binary relation of G and M. A formal

concept is a pair (A, B) where A ⊑ G

and B ⊑ M. Every object in A has

every attribute in B. For every

object in G that is not in A, there

is an attribute in B that object does

not have. For every attribute in M

that is not in B, there is an object

in A that does not have that

attribute. A is called the extent of

the concept and B is called the

intent of the concept. Abstractive

details of FCA runs as these:

If g ∈ A and m ∈ B then <g, m> ∈ I,

or g I m.

A formal concept is a triple <G, M,

I>; where

G is a set of object;

M is a set of attributes; and

•I is a relation between G and

M.

<g, m> ∈ I is read as

―object g has attribute m‖.

For A ⊆ G, we define

A´:= {m ∈ M | ⩝g ∈ A :< g, m> ∈ I

}.

For B ⊆ M, we define dually

B´:= {g ∈ G | ⩝m ∈ B :< g, m> ∈I }.

For A, A1, A2 ⊆ G holds:

A - A

B - B

A formal concept is a pair (A, B)

where

• A is a set of objects (the extent

of the concept),

• B is a set of attributes (the

intent of the concept),

•A—— B and B —— A

The concept lattice of a formal context (G,

I) is the set of all formal concepts of (G,

I)

Together with the partial order

(A1, B1)

B is a set of attributes (the

intent of the concept),

A – B and B – A.

The concept lattice of a formal context (G, M,

I) is the set of all formal concepts of (G, M, I)

together with the partial order

(A1, B1) ≤ (A2, B2): - A1 ⊑ A2 (

B1⊑ B2)

The concept lattice is denoted by (G, M, I)

Theorem: The concept lattice is a lattice,

i.e. for two concepts (A1, B1) and (A2,

B2), there is always;

A greatest common super-concept:

(A1⋂A2, (B1⋃ B2) ´´)


239


And a least common super-concept:

((A1 ⋃ A2) ´´, B1⋂B2)

More general, it is even a complete lattice, i.e. the

greatest common sub-concept and the least

common super-concept exist for all (finite and

infinite) sets of concepts.

Corollary: The set of all concept intents of a

formal context is a closure system. The

corresponding closure operator is h(X):= X``.

An implication X→Y holds in a context, if every

object having all attributes in Y also has all

attributes in X.

Def.: Let X ⊆M. The attributes in Y are

independent, if there are no trivial dependencies

between them.

4.0 EXPERIMENTAL RESULTS

Let us consider e-fraud events such that F is

the set of events and E1, E2….En are subsets

off. Let figure E = [E1, E2……En] =

(Financial fraud, Money Laundering, ATM

Bombing, ...). Let the objects be the events in

some sub-geographical jurisdiction regions

(internet network) for thr e-fraud (in case the

e-fraud is Covered by some syndicates that

involves different geographical regions

through hacking connectivity arrangement

such as botnet) in which the events

occurrence is a set depected by the zombie

nodes (A, B, C, D, E, F, G, H, I, J and K) as

indicated on the Figure 3 map. Note that each

cluster in figure 3 may consist of zombies; a

set of compromised computational nodes. Let

P be the set of suspects intending to be

investigated and PI, P2…..Pn are the elements

that belong to P.

The concept lattice of context <G, M, I> as

shown n figure 4, is the set of all formal

concepts of <G, M, I> which are aggregated to

form clusters

Figure 3: e-Fraud Syndicate Network Connectivity

Table1: Events x (Geographical locations and Persons)


240


Figure 4: Galois lattices of Intent and Extent


241


Figure 5: Galois lattice of <G, M, I>

INTERPRETATION

Galois lattice (graph) is generated from the input

data table (formal context) in figure 2. The object

(Event or Crime etc) is represented in a row and

attributes (Suspects/persons) are represented in a

column. The symbol X indicates a binary relation

between the objects and the attributes.

The numbers 1, 2, 3…….n in the column represents

the objects or Crime and letters a, b, c……. k

represents geographical locations where the

offences are commuted as can be seen from figure

1, and P1, P2……..Pn represents the suspects

involved in the various crime.

The graph (Galois lattice) is made up of the

following features:

The concept in hierarchical order represented

by values in small ellipse

The line diagram showing the relationship

The objects (Event or crime) otherwise called

―Extent‖ (E)

The attributes (people involved in the crime)

otherwise called ―Intent‖ (I)

The geographical locations a, b, e, f…….. k.

Note:

Concept – represents the set of Events sharing the

same values for certain set of attributes.

In this paper, we consider the attributes of the

concepts, 24, 25, 26, and 49 in relation to the

attributes of concept 28 from figure 3, as indicated

in the second hierarchy of the concept. Thus;


242


Figure 6: Extraction of figure 3

works. FCA tools need further improvement since

those used today were designed in the early 20’s.

It is hoped that past knowledge can be assimilated

with current observations of computer-related

criminality to inform and guide the science of

police investigations in the future.

Formal Concept Analysis (FCA) was used to

analyze crime data-based on information gathered

from suspects’ mobile communication devices

such as mobile phone, tablets etc. Visualization of

relationships between the occurrences of various

crime events within different geographical areas

was achieved successfully. This method

considered the set of common and distinct

attributes of data in such away that categorization

was done based on relationships between

concepts. The result from the approach will help

in building a more defined and conceptual

systems that will make data relationships to be

easily visualized and intelligently analyzed by

ICT-based investigation systems.

5.0 RECOMMENDATION/ CONCLUSION

Nowadays, Cybercrimes are increasing over all

over the Internet are increasing by leaps.

Cybercrimes require more intelligent law

enforcement departments toward successfully

identifying and retrieving details from the

harddisks for scientific analysis and preparing

them for comprehensive presentations in the

courts of law. Nonetheless, retrieving the crimes

deatails needs some development of efficient

software through intensive research

References

[1] Hinduja, S. (2007): Computer crime

investigations in the United States:

leveraging Knowledge from the past to

address the future. International Journal of

Cyber Criminology, 1(1), 1-26.

[2] QA Kester (2013): Visualization and

analysis of geographical crime patterns

using formal concept analysis.

International Journal of Remote Sensing

and Geo-science (IJRSG) 2 (1), 30-35

[3] A Geographic profiling retrieved from

http://en.wikipedia.org/wiki/Geographicgrof

iling #citeref-2

[4] Russell-Einhorn, M. L. (2004): Federal-

Local Law Enforcement Collaboration in

Investigating and Prosecuting Urban Crime,

1982-1999: Drugs, Weapons, and Gangs

(No. NCJ201782): National Institute of

Justice.

McGarrell, E. F & Schlegel, K. (1993): The

implementation of federally funded multi


243


http://en.wikipedia.org/wiki/Geographicgrofiling

http://en.wikipedia.org/wiki/Geographicgrofiling

jurisdictional taskforces: Organizational

structure and inter agency relationships.

Journal of Criminal Justice, 21(3), 231-244.

[6] Conley, C. H., & McEwen, J. T. (1990):

Computer crime, U.S. Department of

Justice. National Institute of Justice.

[7] P. Rogerson, Y. Sun (November, 2001,)

Spatial monitoring of geographic patterns:

an application to crime analysis

Computers, Environment and Urban

Systems, Volume 25, Issue 6, Pages 539—

556

Yee Ling Boo; Alahakoon, D (Dec. 2008),

"Mining Multi-modal Crime Patterns at

Different Levels of Granularity Using

Hierarchical Clustering, "Computational

Intelligence for Modelling Control &

Automation, 2008 International

Conference on, vol., no., pp.1268-

1273,10- 12

[9] Radimb ―Elohl Avek introduction to

formal concept analysis Olomouc; 2008.

[10] Security Informatics, Special issues on

Formal Concept Analysis in Intelligence and

Security Informatics Springer, 2012.

[11] Analysis Home page from:

http://www.upriss.org.uk/tea/tea.html

[12] Gard Stumme [2002]: A Tutorial on

Formal Concept Analysis

[13] Radim, Belohlavek (2008): Introduction to

Concept Analysis, Department of Computer

Science, Palacky University, Olomouc

Bibliography

Dr. Victor O. Waziri is an Associate Professor in the

Department of Cyber Security, Federal Federal

University of Technology, Minna-Nigeria. His

Computational Research is based on Computational

Intelligence with Applications on Cyber Security

related problems. In most cases, Matlab, Maple and

Mathematica are the basis for his accessory in

modeling and Simulations in Modern Cryptographic

analyses. His researches area also extends into

Computational Optimization and in Zero-day

Malware Detections. He has published many papers

in reputable Journals at both International and Local

Levels. He Lectures various courses in the

Department that include Cryptography, Network

Security, Clouds Security, Data Mining,

Computational Theory, Automata and Programming

Languages

Morufu Olalere was born in Ode-omu, Osun state, Nigeria in 1980. He has B.Tech Industrial

mathematics/computer science and M.Sc. in

Computer science (Biometrics) from Federal

University of Technology, Akure and University of

Ilorin, Nigeria in 2005 and 2011 respectively. He is

a LECTURER from department of Cyber Security

Science, Federal University of Technology Minna,

Nigeria and currently on study fellowship as a PhD

student in the faculty of computer Science and

Information Technology, University Putra Malaysia.

His research interest includes biometric, network

security, cryptography and security in Bring Your

Own Devices. Mr. Olalere is a member of Computer

Professionals Registration Council of Nigeria (CPN),

a member of Nigeria Computer Society (NCS) and a

member of Association for Information Systems

(AIS). he is a certified ethical hacker.


244


http://www.upriss.org.uk/

Abdullahi Bn Umar is a lecturer in the department of computer science Federal College of Education, Kano. He bagged PGDE, TRCN, B. TECH in Computer Physics from Federal University of Technology, Minna and currently undergoing M. TECH degree program in computer science in the same University (FUTMIN). Abdullahi Bn Umar is a member of African Educational Research Network (AERN) and has contributed to literature through article publications in reputable journals.


245


Security Breaches, Network Exploits and Vulnerabilities: A Conundrum and an Analysis

Oredola A. Soluade

Iona College Hogan School of Business

New Rochelle - New York 10801 [email protected]

Emmanuel U Opara College of Business

Prairie View A&M University Prairie View - Texas U.S.A.

[email protected]

ABSTRACT

Enterprise systems are continuously on cyber-attacks as struggle for solutions are sort. Today, these organizations spend over $70 billion on IT security, but are unable to protect the organization since cyber criminals routinely discover exploits and breach those defenses with zero-day attacks that bypass traditional technologies. These attacks occur during the vulnerability window that exists in the time between when a loophole is first exploited and when software developers start to develop and publish a counter to that threat. Many organizations had been breached by the zero-day attack concept. This means that at least one attacker had bypassed all layers of organization defense-in depth architecture. Using data from our survey of 202 participants, this study analyses how attacks are changing the cyber platform and why traditional and legacy defenses are functioning below par and expectations.

KEYWORDS: Security Breaches, Vulnerabilities, Threats, Malware, Adware, Exploits.

1 INTRODUCTION

Enterprise systems function in a globally-connected world, which constantly are witnessing globally-distributed cyber threats. Study has indicated, these threats are not restricted by geographical boundaries, but are targeted at all technologies, hardware/software/service providers, end-users, consumers, private and the public sector alike. The cost and frequency of these incidences are on the rise. There threats have evolved as a new dimension of interest and concerns, gaining political and societal attention. Understanding the exponential growth and magnitude of cyber threats, the future tasks and responsibilities associated with cybersecurity is critical to enterprise systems competitiveness, survival and profitability.

Cyber-attacks are now facts of organizational concerns because the rates of occurrences are growing exponentially [1]. Today's security defenses are failing because organization's legacy platforms leverage technologies have been dependent on signatures as security authentication mechanisms. These platforms may be good at blocking basic malware that


246




are known and documented, however legacy platform technologies do not stand a chance against today's sophisticated, dynamic cyber-attacks that occur across multiple vectors and stages of the cyber platform. Examples are biological weaponries, nukes, climate change, zero-day attacks, and transactional crimes. An example for bio-threats is the public health community’s dream making the arrival and spread of communicable diseases as easy to predict and track as weather. This study found that potential exploits, and threat levels have escalated to the point that with time, motivation, and funding, a resolute criminal will likely be able to penetrate any system that is accessible directly from the Internet

In 2013, Hackers concentrated on placing malware content on enterprise systems and organization’s Websites as a means to gain entrance into the network. These criminals employ “drive-by-downloads” from fake websites as well as “water hole to exploit potential vulnerabilities. Also in same year, a press report describes pages on an official U.S. Government website that contain content promoting third-parties products that were enriched with malicious payloads. As these threats evolve, they could infiltrate the interior of the network, the core, the distribution layer and the user access edge where the defense and visibility is minimal. Once inside a system, the payload quietly target specific assets and individuals in the enterprise system. Most of the objectives of such attacks are to collect and exfiltrate intellectual property of state/trade secrets for competitive advantage within industry, and use for economy and sociopolitical ends [2].

The fact remains that current antivirus solutions are not capable of eradicating

targeted attacks. Study has shown that organization’s Industrial Control System [ICS] platforms are targets for cyber attackers. These include automation, process control, access control devices, system accounts and asset information that are considered valuable to attackers. Cyber criminals can leverage the lack of corporate security policies, procurement languages, asset inventory that are present in many Industrial Control Systems [ICS]. A coordinated and known security exploit can be combated by a structured and adequately designed security infrastructure that includes preventive mechanisms such as intrusion prevention, antivirus, content security and internal and external firewalls. However, targeted threats designed for specific exploits could pose a tougher challenge. Further attackers could come from nation states, insiders and other trusted parties such as contractors or vendors. Hacktivists or politically motivated attackers and script kiddies are also included in this group. Based on these facts, the potential-risk and challenges are very high.

The key in this study is to identify what’s at stake and the key challenges in gaining visibility to customized threats. Also to create threat awareness in areas where systems could be vulnerable. These include but not limited to the following areas: [I] Network Access: Malware can spread vertically through the network by trusted system to system connections of VPN because it is easy for it to maneuver undetected through a controlled platform. [II] System Management; when there are extensive delays by security professionals in patching and operating systems upgrades, attackers can exploit such systems. Further, criminals can leverage default usernames and


247


passwords or weak authentication mechanism. [III] Supply Chain; Criminals can attack third party vendors, contractors or integrator in an attempt to exploit an ICS environment asset owner or multiple enterprise systems. [IV]Interconnects; Criminals can attack ICS systems by exploiting applications that communicate through network segmentation because many ICS platforms are susceptible to network-based Man in the Middle attacks. This study will provide actionable intelligence to ensure enterprise systems breach discover and mitigate exploits as they occur in the organization.

In our survey questions 8 – 22 [appendix 1], we asked in the survey, who the top cyber-threats, that are facing their organization? This question was raised because, most members of security teams, do not agree on what constitutes the significant threats to their organizations. We also asked survey respondents the type of proactive tools they use to counter zero-day attacks and Advanced Persistent Threat [APT]. This is a commonly use term to define remote attacks employed by sophisticated threats actors. These actors could be nation states or their intelligence services. Some of the intelligence services include these:

• Malware • Outbound Traffic • Rogue Device • Geolocation of IP Traffic • Distribution intrusion detection

systems (DIDS) • Deep Packet Inspection [DPI] • External Footprint • Co-operating security managers

(CSM) • Watermarking/tagging

The findings from this study, will articulate the current cyber security measures enterprise systems will have to deploy to counter vulnerabilities, potential breaches and threats.

2 LITERATURE REVIEW

In 2013, study showed that at least ten major banks were attacked by “hacktivists: These attacks were motivated by individuals whose exploit achievement is to destroy the reputation of the firm or its principals by employing techniques such as defacing websites to leaking enterprise private content. JPMorgan Chase, Bank of America, Citigroup, Wells Fargo and others have faced such attacks [3]. Baldor [4] in their study noted that a data security breach at Montana State health records compromised the social security numbers and other important information of about 1.5 people. These cyber-criminal gained access to a computer server tied to the Montana Department of Public Health and Human Services, exposing sensitive or confidential information of current and former medical patients, health agency employees and contractors. Oyemade [5], among others, cited that information technology faces a constant flood of alerts from every system, challenging organization’s security expert’s to find the critical threats in a sea of false alerts or insignificant events. They noted that ultimate protection means the near elimination of false positive and remediation of infected endpoints. Tester, [6]) in their report noted that more zero-day vulnerabilities were discovered in 2013 than any other year. The 26 zero-day


248


vulnerabilities discovered represent an 81 percent increase over 2012 and are more than the three previous years combined. Zero-day vulnerabilities are coveted because they give attackers the means to silently infect their victim without depending on social engineering. Target Corp and Neiman Marcus as a study summarized are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, however, it reported that smaller breaches on of at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, [13]. A recent study found that restaurant chain “P.F. Chang's China Bistro” had a breach on its card processing systems that could have resulted in theft of customer payment card information at 33 of its 210 U.S. locations. The potentially stolen data includes card numbers, cardholder's name and/or the card's expiration date and other relevant information [7].

In another report [8], it was stated that the 9/11 Commission, in its 10th anniversary report, cautions Americans and the U.S. government to treat cyber threats more seriously than they did terrorist threats in the days and weeks leading to Sept. 11, 2001.

Steinbart [13], in their study also indicated that baby monitors, security cameras and routers, were famously hacked in 2013. Furthermore, security researchers demonstrated attacks against smart televisions, automobiles and medical equipment. This gives this study a preview of the security challenge presented by the rapid adoption of the Internet of Things (IoT).

Later studies, [9], [10], among others summarized that data shows that companies are learning from past cyber-attacks and breaches. There is evidence companies are becoming better at managing the costs incurred to resolve a data breach incident and for the first time in seven years both the organization cost of a data breach and the cost per lost or stolen record declined in 2012.

According to a study by [12], citing rising number of high profile cyber-attacks — most recently at Twitter, LinkedIn and Yahoo— it was noted that governmental agencies are stepping up its scrutiny of cyber security. This is leading to increased calls for legislation and regulation, placing the burden on companies to demonstrate that the information provided by customers and clients is properly safeguarded online. Another studies by [10], also summarized that despite the fact that cyber risks and cyber security are widely acknowledged to be a serious threat, a majority of companies today still do not purchase cyber risk insurance, though this is changing. Their study suggests that more companies are now purchasing cyber coverage and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks in future. 3 METHODOLOGY

In order to pilot test the cyber-security concerns, the authors constructed, distributed and collected responses from survey questionnaires at a cyber-security business professional conference in May 2013 at San Antonio Texas. The survey population comprises of professionals who publish research findings and work in their respective fields. These are


249


http://pfchangs.com/security/

http://bipartisanpolicy.org/sites/default/files/files/%20BPC%209-11%20Commission.pdf

experts with extensive history in teaching and in the business world. Survey data was distributed to senior IT professionals from midmarket (100 to 999 employees) and enterprise-class (1000 employees or more] organizations. The survey questionnaires were distributed to 320 attendees. The number completed and returned was 202. Overall, we consider these as an equitable representative random sample. Most of the survey items were Likert scale types, yes/no responses or categorical, ordinal items, gender, ranks of personnel. The study conducted a survey of 24 questions covering a range of security issues that are of importance and of concern to IT and security administrators in small and medium size businesses [SMBs]. The questions were designed and conducted to obtain a snapshot of the state of security issues in SMBs and to confirm issues that have been raised in other security studies.

4 FINDINGS/RESULTS A series of hypotheses were tested to determine the extent of awareness of potential threats to data at rest. and attitude of the respondents to security in their organization. The first hypothesis is to determine the extent to which the respondent’s attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other affect their feeling of security in their organization. H0: There is no dependence between feeling secure in an organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External

footprints, and Document Watermarking and Tagging on the other. H1: The sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. Conclusion: Attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, do not significantly impact the feeling of respondents about the security in their organization. The second hypothesis is to determine the extent to which the male respondent’s attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other affect their feeling of security in their organization. H0: For male respondents, there is no dependence between feeling secure in an organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: For male respondents, the sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-


250


states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. Conclusion: When this analysis is controlled for gender, it turns out that male respondents, who have confidence in their company network, also believe that Rogue Device Scanning is the most proactive activity/technique to counter persistent threats to their organization. This dependency is found to be significant at the 1% significance level with a p-value of 0.008) The third hypothesis is to determine the extent to which the female respondent’s attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other affect their feeling of security in their organization. H0: For female respondents, the sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. H1: For female respondents, the sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. Conclusion: When this analysis is controlled for gender, it turns out that female respondents who have confidence in their company

network is independent of their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. In order to determine whether there is dependence between the assessments of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other, the following hypothesis was tested. H0: There is no dependence between the assessment of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between the assessment of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging, does not significantly impact the assessment of the effectiveness of an organization’s


251


network system and their feelings about the security in their organization. The hypothesis was then tested for a subset of male respondents. The result is as follows: H0: There is no dependence between the assessment by male respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between the assessment by male respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of male respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, does not significantly impact the assessment of the effectiveness of an organization’s network system and their feelings about the security in their organization. When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between the assessment by female respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to

hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between the assessment by female respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of female respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, does not significantly impact the assessment of the effectiveness of an organization’s network system and their feelings about the security in their organization. Another hypothesis that was tested is to determine if there is dependence between Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. The resultant test is as follows: H0: There is no dependence between Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former


252


employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, do not significantly impact Investment in cybersecurity as best solution for cyber-attacks. The hypothesis was then tested for a subset of male respondents. The result is as follows:

H0: There is no dependence between male Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between male Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of male respondents to foreign nation-states, do significantly impact male Investment in cybersecurity as best solution for cyber-attacks.

Table 1. Regression output of attitude of male respondents to Foreign Nation-States

Coefficients

Unstandardized Coefficients

Standardized Coefficients t Sig.

B Std.

Error Beta Var014: Foreign Nation-states are perceived as the groups that pose the greatest cybersecurity threat to the organizations of male respondents -0.398 0.173 -0.23 -2.301 0.024

When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between female Investment in cybersecurity as best solution

for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External


253


footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between female Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External

footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of female respondents to organized crime do significantly impact Investment in cybersecurity as best solution for cyber-attacks in their organization.

Table 2. Regression output of attitude of female respondents to Organized Crime groups

Coefficientsa

Model


Standardized Coefficients

t Sig. B Std.

Error Beta (Constant) -1.426 3.282 -.434 .665

Var015: Organized crime groups are perceived as the groups that pose the greatest cybersecurity threat the organizations of female respondents

.384 .128 .345 3.003 .004

a. Dependent Variable: Var005: Do you agree that investment in cybersecurity in 2013-2014....will provide the best systems solutions to thwart cyber-attacks?

Another hypothesis that was tested is to determine if there is dependence between Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. The result of that test is as follows: H0: There is no dependence between Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External

footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of respondents to hackers (p-value 0.047) and organized crime (p-value 0.037) do significantly impact Rating Downtime as the greatest IT concern of their organization.


254


Table 3. Regression output of attitude of respondents to Hackers and Organized Crime groups

Coefficientsa

Model



t Sig. B Std.

Error Beta 1 (Constant) 4.219 .815 5.175 .000

Var012: Hackers are the groups that pose the greatest cybersecurity threat to your organization

.098 .049 .141 2.002 .047

Var015: Organized crime are the groups that pose the greatest cybersecurity threat to your organization

-.076 .036 -.153 -2.097 .037

a. Dependent Variable: Var006: Rate your company's IT concerns with regard to Downtime

The hypothesis was then tested for a subset of male respondents. The result is as follows: H0: There is no dependence between male Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between male Rating Downtime as the greatest IT concern of their

organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of male respondents to hackers (p-value 0.029) does significantly impact Rating Downtime as the greatest IT concern of their organization


255


Table 4. Regression output of attitude of male respondents to Hackers Coefficientsa

Model



t Sig. B Std. Error Beta (Constant) 3.421 1.344 2.545 .013

Var012: Hackers are perceived as the group that poses the greatest cybersecurity threat to the organizations of male respondents

.164 .074 .235 2.214 .029


When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between female Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other.

H1: There is dependence between female Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of female respondents to organized crime (p-value 0.020) does significantly impact Rating Downtime as the greatest IT concern of their organization.

Table 5. Regression output of attitude of male respondents to Hackers

Coefficientsa

Model



t Sig. B Std.

Error Beta 1 (Constant) 4.393 1.169 3.758 .000

Var015: Organized crime is perceived as the group that poses the greatest cybersecurity threat to the organizations of female respondents.

-.108 .046 -.279 -2.378 .020



256


Another hypothesis that was tested is to determine if there is dependence between Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. The result is as follows: H0: There is no dependence between Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized

crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, do not significantly impact Rating Compliance as the greatest IT concern of their organization The hypothesis was then tested for a subset of male respondents. The result is as follows: H0: There is no dependence between male Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other.

H1: There is dependence between male Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, does not significantly impact male Rating

Compliance as the greatest IT concern of their organization. When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between female Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between female Rating of Compliance as the greatest IT


257


concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other.

Conclusion: At the 5% significance level, it is determined that the attitude of female respondents to Penetration Testing (p-value 0.021), and Examination of External Footprints (p-value 0.050) as the most proactive activity/techniques used to counter persistent threats to their organization, significantly impact Rating Compliance as the greatest IT concern of their organization.

Table 6. Regression output of attitude of female respondents to Penetration Testing & External Footprints

Coefficientsa

Model



t Sig. B Std.

Error Beta 1 (Constant) 4.705 1.037 4.536 .000

Var017: Penetration Testing is the most proactive activity/technique used to counter persistent threats to your organization

.219 .093 .253 2.357 .021

Var022: Examining External Footprint is the most proactive activity/technique used to counter persistent threats to your organization

-.144 .072 -.230 -1.992 .050

a. Dependent Variable: Var007: Rate your company's IT concerns with regard to Compliance

5 OVERALL CONCLUSION

Despite the tremendous amount of money organizations pour into traditional security measures every year, attackers are able to penetrate security defenses and compromising networks at will. As this study shows, it doesn’t matter what vendor or combination of security in-depth tools an organization employs, hackers will continue to hack a system when they can exploit vulnerabilities in a network. At a minimum, organizations should include reducing waste

on redundancy, backward-looking technologies and redeploying those resources on defenses designed to find and stop today’s zero-day and advanced attacks.

6 IMPLICATION FOR PRACTIONERS AND RESEARCHERS

As this study has indicated, today’s attacks often involve malware tailored to compromise a single vector. When such attack commences, they never stop until the objective is achieved. Typical security in-depth architecture


258


comprising of framework of discrete layers that include anti-virus software, intrusion-prevention systems, next generation firewalls, Web gateways, are poorly equipped to combat today’s advanced attacks. However, without a comprehensive and cohesive analysis across all attack vectors, the current defense mechanism can miss the signs that an attacker has breached organization defenses.

7 CHALLENGES A bigger challenge is foundational. The reason is because the cores in the typical architecture rely on a mix of binary signatures, blacklists, and reputation to identify threats. As the study showed, signatures are ineffective because antivirus (AV) vendors are not able to keep up with the speed of new malware binaries. This is because the malware is custom-made for specific target and as result, AV vendors will never be able to detect the malware and create signature for its defense. Other concerns include many attacks that exploit zero-day vulnerabilities and application blacklist that are blind to attacks because it uses encrypted binaries or hijack legitimate apps and processes. Further, reputable defenses such as Web gateways and IPS are not poised to stop

attacks from newly setup universal resource locators [URLs] or compromised websites that are used as drive-by-downloads.

8 SUMMARY AND CONCLUSIONS The study reveals that IT professionals were generally optimistic about the levels of their policies, technical control and mitigation implementation strategies; however, our finding proved that organizations could better align its investments and resources in order to cope with the advanced exposures and attacks as they develop. Phishing attacks, compliance policy violations, unsanctioned device and applications use, unauthorized data access, comprise the top list issues of concerns. Network device intelligence and system integrity, core components of all compliance frameworks and security best practices should be beefed up. The study concludes by noting that without a security policy, the availability of a network can be compromised. An adequate policy comprises of assessment of the risk to the network, organizing a response team, implementing a security change management practice, monitoring the network for security violations, maintaining a review process that modifies the existing policy and adapt to lessons learned.


259


9 REFERENCES

1. Anderson, Kerry A.; “A Case for a Partnership Between Information Security and Records Information Management,” ISACA Journal, vol. 2, 2012, www.isaca.org/archives

2. Ashford, Warwick; (2013), “Why Has DLP

Never Taken Off?,” Computer Weekly, 22 January 2013, www.computerweekly.com/news/2240176414/Why-has-DLP-never-taken-off

3. Steinbart, Paul John; Robyn L. Raschke;

Graham Gal; William N. Dilla; “Information Security Professionals’ Perceptions about the Relationship between the Information Security and Internal Audit Functions,” forthcoming in the Journal of Information Systems, 2013

4. Baldor, Lolita C. (2013), ““US Ready to Strike

Back Against China Cyberattacks,” Yahoo News, 19 February 2013, http://news.yahoo.com/us-ready-strike-back-against-china-cyberattacks-225730552--finance.html

5. Oyemade, Ronke; “Effective IT Governance

Through the Three Lines of Defense, Risk IT and COBIT,” ISACA Journal, volume 1, 2012, www.isaca.org/archives

6. Tester, Darlene; “Is the TJ Hooper Case

Relevant for Today’s Information Security Environment?” ISACA Journal, vol. 2, 2013

7. Constantin, Lucian; “South Carolina Reveals Massive Data Breach,” PC World, 27 October 2012, www.pcworld.com/article/2013186/south-carolina-reveals-massive-data-breach.html

8. Forrester,(2012), “Rethinking DLP:

Introducing the Forrester DLP Maturity Grid,” September 2012, www.forrester.com/Rethinking+DLP+Introducing+The+Forrester+DLP+Maturity+Grid/fulltext/-/E-RES61231

9. Gelbstein, Ed; “Strengthening Information

Security Governance,” ISACA Journal, vol. 2, 2012, www.isaca.org/archives

10. Mashable, “How Much Does Identity Theft

Cost?,” 28 January 2011, http://mashable.com/2011/01/28/identity-theft-infographic

11. Romanosky, Sasha; David Hoffman,

Alessandro Acquisti, (2014), “Empirical Analysis of Data Breach Litigation,” Temple University Beasley School of Law, Legal Studies research paper no. 2012-29, 2012, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461

12. Goldman, C. FreeWave Technologies.

www.elp.com/articles/powergrid_international/print/volume-17/, 2012.

13. Steinbart, Paul John; Robyn L. Raschke;

Graham Gal; William N. Dilla; “The Influence of Internal Audit on Information Security Effectiveness: Perceptions of Internal Auditors,” working paper, 2013


260


http://www.isaca.org/archives

http://www.computerweekly.com/news/2240176414/Why-has-DLP-never-taken-off

http://www.computerweekly.com/news/2240176414/Why-has-DLP-never-taken-off

http://news.yahoo.com/us-ready-strike-back-against-china-cyberattacks-225730552--finance.html



http://www.isaca.org/archives

http://www.pcworld.com/article/2013186/south-carolina-reveals-massive-data-breach.html

http://www.pcworld.com/article/2013186/south-carolina-reveals-massive-data-breach.html

http://www.forrester.com/Rethinking+DLP+Introducing+The+Forrester+DLP+Maturity+Grid/fulltext/-/E-RES61231



http://www.isaca.org/Journal/Past-Issues/Pages/default.aspx

http://mashable.com/2011/01/28/identity-theft-infographic

http://mashable.com/2011/01/28/identity-theft-infographic

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461

1 2 3 4 5

Var001: Gender Male Female

Var002: Executive or Senior IT Administrator? Exec Snr. IT

Var003: How secure is the company network? Very Secure Secure Somewhat Secure Not Very Secure Don't Know

Var004: How effective is the network security system of your organization? Extremely Effective

Moderately Effective Effective Not Effective Don't Know

Var005: Do you agree that investment in cybersecurity in 2013-2014....will provide the best systems solutions to thwart cyberattacks? Extremely Agree Moderately

Agree Agree Disagree Don't Know

Var006: Downtime is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var007: Compliance is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var008: eDiscovery is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var009: Security Issues is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var010: Network Growth is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var011: User support is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var012: Hackers are the groups that pose the greatest cybersecurity threat to your organization

Strongly Disagree Disagree Not Sure Agree Strongly Agree

Var013: Current & former employees are the groups that pose the greatest cybersecurity threat to your organization


Var014: Foreign Nation-states are the groups that pose the greatest cybersecurity threat to your organization


Var015: Organized crime are the groups that pose the greatest cybersecurity threat to your organization


Var016: Malware Analysis is the most proactive activity/technique used to counter persistent threats to your organization


Var017: Penetration Testing is the most proactive activity/technique used to counter persistent threats to your organization


Var018: Rogue Device Scanning is the most proactive activity/technique used to counter persistent threats to your organization


Var019: Analysis & Geolocation of IP Traffic is the most proactive activity/technique used to counter persistent threats to your organization


Var020: Subscription Services is the most proactive activity/technique used to counter persistent threats to your organization


Var021: Deep Packet Inspection is the most proactive activity/technique used to counter persistent threats to your organization


Var022: Examining External Footprint is the most proactive activity/technique used to counter persistent threats to your organization


Var023: Don't Know/Not Sure of the most proactive activity/technique used to counter persistent threats to your organization


Var024: Document Watermarking & Tagging is the most proactive activity/technique used to counter persistent threats to your organization


Appendix I: Cybersecurity Survey Questionnaire


261


contentssdiwc.net/ijcsdf/files/ijcsdf_vol3no4.pdf · 2017. 3. 3. · zte in q3 2013 and followed by...

Documents