contentssdiwc.net/ijcsdf/files/ijcsdf_vol3no4.pdf · 2017. 3. 3. · zte in q3 2013 and followed by...
TRANSCRIPT
CONTENTS
ORIGINAL ARTICLES Advances of Mobile Forensic Procedures in Firefox OS…………………………………………….. 183 Author/s: Mohd Najwadi Yusoff, Ramlan Mahmod, Ali Dehghantanha, Mohd Taufik Abdullah Alarming! Security Aspects of the Wireless Vehicle: Review……………………………………… 200 Author/s: Sabarathinam Chockalingam, Harjinder Singh Lallie A Survey on Digital Forensics Trends…………………………………………………………….…………… 209 Author/s: Ali Dehghantanha, Mohsen Damshenas, Ramlan Mahmoud e-Fraud Forensics Investigation Techniques with Formal Concept Analysis………………. 235 Author/s: WAZIRI Victor Onomza, Abdullahi Umar, MORUFU Olalere Security Breaches, Network Exploits and Vulnerabilities: A Conundrum and an Analysis……………………………………………………………………………………………………….. 246 Author/s: Oredola A. Soluade, Emmanuel U Opara
ISSN: 2305-0012 (online)
International Journal of Cyber-Security and Digital Forensics
Vol. 3, No. 4
Advances of Mobile Forensic Procedures in Firefox OS
Mohd Najwadi Yusoff, Ramlan Mahmod, Ali Dehghantanha, Mohd Taufik Abdullah Faculty of Computer Science & Information Technology,
Universiti Putra Malaysia, Serdang, Selangor, Malaysia.
[email protected],{ramlan,alid,taufik}@upm.edu.my
ABSTRACT The advancement of smartphone technology has attracted many companies in developing mobile operating system (OS). Mozilla Corporation recently released Linux-based open source mobile OS, named Firefox OS. The emergence of Firefox OS has created new challenges, concentrations and opportunities for digital investigators. In general, Firefox OS is designed to allow smartphones to communicate directly with HTML5 applications using JavaScript and newly introduced WebAPI. However, the used of JavaScript in HTML5 applications and solely no OS restriction might lead to security issues and potential exploits. Therefore, forensic analysis for Firefox OS is urgently needed in order to investigate any criminal intentions. This paper will present an overview and methodology of mobile forensic procedures in forensically sound manner for Firefox OS. KEYWORDS Forensic framework, mobile forensic, forensic investigation, forensic methodology, forensic procedures, Firefox OS. 1 INTRODUCTION Mobile devices are relatively small, portable and widely used by all ages of people in their daily life, business, entertainment, medical, as well as education. Mobile devices consist of mobile phones, smartphones, tablets, and personal digital assistant (PDA). The usage of mobile devices are gradually increase over the time especially smartphones and tablets. This increasing trends are due to its useful capability, numerous function and allowed many tasks which required personal computers as well as high processing power to be executed in mobile devices. Figure 1 shows the
World-Wide Smartphone Sales (Thousands of Units) classified by mobile OS from Q1 2007 to Q4 2013 [1]. The number of sales are not limited to the smartphone, but also included other mobile devices such as tablets and PDAs. It is because tablets and PDAs using the same mobile OS by smartphone.
Figure 1. World-Wide Smartphone Sales Latest analysis by Gartner shows that the total numbers of smartphone sold in Q4 2013 is about 282 million units, while the total numbers of smartphone sold in Q1 2007 is about 24 million units [2-3]. In just 7 years, the total numbers of smartphone sold in Q4 2013 is about 12 times more than the total numbers of smartphone sold in Q1 2007. The highest sales growth goes to Android while the second highest goes to Apple iOS, a huge gap between first and second place. On the other hand, the remaining mobile OS shows inconsistent sale and sales growth. Figure 2 shows World-Wide Smartphone Sales by percentage [1].
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
183
Figure 2. World-Wide Smartphone Sales Percentage The growth of mobile devices has led to numerous companies to join in the market shares. In Q1 2007, smartphone sales was dominated by Symbian OS, followed by Windows Mobile and Research in Motion (RIM). However, with the coming of Apple iOS in Q2 2007 and Android in Q3 2008, domination by Symbian OS was slowly reduce. At present, there are no more Windows Mobile as it was replaced by Windows Phone in Q4 2010 and Samsung Bada join the race in Q2 2010. In 2014, mobile OS market share is dominated by Android, followed by Apple iOS, Windows Phone, RIM, Symbian OS, and Bada respectively. In Q1 2012, Mozilla Corporation joined the battle by releasing their own mobile OS, named as Firefox OS [4]. The OS is able to run on selected Android-compatible smartphones. The first ever Firefox OS phone was released by ZTE in Q3 2013 and followed by Alcatel, LG and Geeksphone [5-6]. Firefox OS is an open source mobile OS which is purely based on Linux-Kernel and Mozilla’s
Gecko technology [7]. Firefox OS boots into a Gecko-based runtime engine and thus allow users to run applications developed exclusively using HTML5, JavaScript, and other open web application APIs. According to Mozilla Developer Network, Firefox OS is free from proprietary technology but still a powerful platform; it offers application developers an opportunity to create tremendous products [7]. Mozilla introduced WebAPI by bridging the capability gap between
native frameworks and web applications. WebAPI will enable developers to build applications, and run it in any standards compliant browser without the need to rewrite their application for each platform. In addition, since the software stack is entirely HTML5, a large number of developers were already established, and users can embrace the freedom of pure HTML5 [8]. Unlike Apple iOS, Windows Phone, RIM and Android which full of manufacturer restriction, Firefox OS is based solely on HTML5, JavaScript as well as CSS, and those are totally open sources. By not having any restriction, security issues and potential exploit might come into question. According to Mozilla Developer Network, Firefox OS has designed and implemented multi-layered security model which deliver the best protection against security exploits [9]. In general, Firefox OS is using four layers security model, which are the mobile device itself, Gonk, Gecko and Gaia layers, in order to mitigate exploitation risks at every level. The mobile device is the phone running Firefox OS, while Gonk consists of the Linux-Kernel, system libraries, firmware, and device drivers. Gonk delivers features of the underlying mobile phone hardware directly to the Gecko layer. Gecko is the application runtime layer that delivers the framework for application execution, and implements the WebAPIs to access features in the mobile device. Gecko is operating as a gatekeeper that enforces security policies which designed to protect the mobile device from exploitation. Gecko also enforces permissions and preventing access of unauthorized requests. Last but not least, Gaia is the suite of web applications that delivers user experience [9]. The objective of this paper is to present an overview and methodology of mobile forensic procedures for forensic investigation in Firefox OS. This paper is organized as follows; Section (2) will explain about related work to-date. Section (3) will present the proposed methodology and detail steps in forensic procedure. Section (4) will give a brief conclusion and the future work to be considered. Acknowledgement and references are also presented at the end of this paper.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
184
2 RELATED WORKS 2.1 SIM Cards Investigation In the earliest mobile forensic investigation, most of the digital evidences in mobile phone were stored in SIM cards. Research by Goode stated that, it is vital to acquire the data such as contacts and SMSs stored in SIM cards [10]. In addition, mobile phone memory and SIM cards also hold phone contacts which may contain critical evidences for an investigators. According to Goode, there are three evidence locations in mobile phone which are from SIM cards, identification information from a mobile phone (IMEI) and core network provider information. Similar work carried out by Willassen was by exploring SIM card and core network data in GSM phones [11]. According to Willassen, the SIM cards can provide information of network provider name with a unique identification number. The subscriber's name, phone number and address usually associated with the SIM cards. Consequently, phone records also can be retrieved from network providers. Furthermore, the contents of a SIM cards are binary data that can be taken, provided that the user has authentication either with a PIN or a PUK code. Programs or tools such as Cards4Labs and SIM-Surf Profi were used to decode the binary format into readable form. In addition, Willasen also able to recover the evidence such as phone logs, phone contacts, SMS, and phone IMEI obtained from both SIM cards and mobile phones. On the other hand, Casadei was used open source tools, both in Windows and Linux for digital extraction from SIM cards [12]. As the result, Casadei was able to acquire the raw data in Binary format from the SIM cards. Casadei also presented an interpretation of binary raw data at a higher level of abstraction and used an open source tool named SIMbrush to examine the raw data. SIMbrush was designed to acquire digital evidence from any SIM cards in GSM network but have not tested for any modules under D-AMPS, CDMA and PDC. Additionally, SIMbrush focus more towards GSM network because GSM is the biggest mobile network in the world at that time
and penetration in this network is rapidly increased. Marturana was extended the acquisition process in SIM cards by comparing data in SIM cards and smartphones [13]. According to Marturana, acquisition in the smartphone is much more complicated; this is due to the possibility of evidences are also stored in many places such as internal and flash memory. 2.2 Windows Mobile With the arrival of smartphones, focuses are more on the Windows Mobile OS due to its similarity in nature with desktop environment. Windows Mobile OS is a simplified version of Windows OS developed by Microsoft; mainly for mobile devices. Research by Chen was able to extract SMS, phone contacts, call recording, scheduling, and documents from Windows Mobile OS via Bluetooth, Infrared and USB mode using Microsoft ActiveSync [14]. Microsoft ActiveSync used Remote API (RAPI) to manage, control, and interact with the connection equipment from the desktop computer. The acquired data were came from mobile phone internal memory, SIM card as well as removable memory. Similar research was continued by Irwin and Hunt by extracting evidences over wireless connections. They used their own developed forensic tools called as DataGrabber, CTASms and SDCap. DataGrabber was used to retrieve information from both the internal memory and any external storage card, CTASms to extract information from the mobile device’s Personal Information Manager (PIM) while SDCap was used to extract all information from external storage card. They were successfully mapping internal and external phone’s memory and transfer all files and folder to
desktop computers [15]. By using RAPI function, acquisition process only capable to capture active data and capturing deleted data is not possible using this method. According to Klaver, physical acquisition method will be able to obtain non-active data in Windows Mobile OS [16]. Klaver was proposed a versatile method to investigate isolated volume of Windows Mobile OS database files for both active and deleted data. Klaver was used freely available
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
185
tools of forensic application and explained the known methods of physical acquisition. Deleted data can be recovered by using advanced acquisition methods like chip extraction and this method was able to bypass password protection. Casey was extended the finding by describing various methods of acquiring and examining data on Windows Mobile devices. Casey was also able to capture text messages, multimedia, e-mail, web browsing, and registry entries [17]. Some of the captured data by Casey were locked by the OS itself, and require XACT from Micro Systemation and ItsUtils to work together with Microsoft ActiveSync. These tools will help to unlock certain files and convert the ASCII format in cemail.vol structure to a readable SMS. This research was also focused on potentially useful sources of evidences in Windows Mobile OS and addressed the potential evidences found in \temp folder. In the recent work, Kaart made an investigation by reverse-engineering the pim.vol volume files in Windows Mobile OS [18]. pim.vol is a Microsoft’s Embedded Database (EDB) volume that consists of information related to phone contacts, calendars, appointments, call history, speed-dial settings and tasks [18]. Kaart was successfully reverse-engineering important parts of EDB volume format which allow them to recover unallocated records. Kaart was also delivered the mapping from internal column identifiers into readable format for some familiar databases in pim.vol volumes and created a parser that can automatically extract all allocated records exist in a volume. Microsoft ActiveSync in Windows Mobile OS placing an agent into mobile devices. This action may alter the stored data in mobile devices such as the last synchronization date and time; or the name of the last computer synchronize with the devices. For this reason, Rehault was proposed a method of using boot-loader concept; which is non-rewritable and able to protect the evidences from being altered [19]. Rehault was also proposed an analysis method to process specific files with specific format. The main focus in this research was to obtain registry hives and the cemail.vol which contain deleted data. By reconstructing
back registry hives, digital evidence such as SMS, MMS as well as email can be obtained and retrieved from cemail.vol. On the other hand, Research by Grispos make a comparison of forensic tools using different approaches for acquisition and decode process [20]. According to Grispos, there are strengths and weaknesses of each types of acquisition. Grispos stated that, logical acquisition is more efficient for recovering user data, whereas physical acquisition can retrieve deleted files [20]; but this procedure can damage the device while it is being dismantled. Besides that, Kumar was proposed an agent based tool developed for forensically acquiring and analyzing in Windows Mobile OS [21]. This tool is develop based on client server approach, whereby client is installed on desktop PC and server agent is inject into mobile devices before acquisition process. As for analyzing process, this tool was able to display and decode the image created during acquisition. This research also make a comparison between Paraben's Device Seizure, Oxygen's Forensics Tool as well as Cellebrite UFED and claimed to perform better in Windows Mobile OS. On the other hand, Canlar was proposed LiveSD Forensics to obtain digital evidence from both the Random-Access Memory (RAM) and the Electronically Erasable Programmable Read Only Memory (EEPROM) of Windows Mobile OS. This research was claimed to generate the smallest memory alteration, thus the integrity of evidences is well preserved [22]. 2.3 Symbian OS Symbian OS is one of the famous mobile OS in the golden age of smartphone. Forensic work by Mokhonoana and Olivier was discussed about the development of an on-phone forensic logical acquisition tool for the Symbian OS [23]. Mokhonoana and Olivier was performed UNIX dd command to acquire the image from the phone. They also discussed different methods of retrieving data from a Symbian OS consists of manual acquisition, using forensic tools, logical acquisition, physical acquisition and data acquired from service providers. Additionally, Breeuwsma was proposed a low level approach for the forensic examination of flash memories and describes three
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
186
low-level data acquisition methods for making full memory copies of flash memory devices [24]. Their work has been identified as pioneer in physical acquisition techniques using chip-off, JTAG and pseudo-physical. The work has been tested on Symbian OS devices. On the other hand, Rossi and Me was proposed a new methodology and a tool to obtain the data by using the removable memory [25]. A tool to obtain the data is stored in a removable memory and the acquisition process is performed locally. In addition, this tool not only performs acquisition process, but also compiles log and marks the data with some one-way hash algorithm to provide data integrity. Test result is divided into three condition of mobile devices and result obtained are different. Therefore, Rossi and Me suggest to maintain the device in the most possible original status. Besides that, Dellutri was proposed a novel methodology by applying data reverse-engineering on Symbian devices [26]. The proposed methodology also shows full potential when running on mobile operating systems which data formats are not open or not public. The investigation used Mobile Internal Acquisition Tool (MIAT) and run into more than 50 Symbian OS devices. Deluttri was able to capture personal data, Symbian OS personal data files format, obsolete data and hidden information during forensic process. Moreover, Yu was proposed a process model for forensic analysis in Symbian OS. The process model consists of five stages which are Preparation and Version Identification; Remote Evidence Acquisition; Internal Evidence Acquisition; Analysis and Presentation; and Review. According to Yu, this model can overcome some problems of forensic investigation in Symbian OS [27]. Savoldi and Gubain was presented an assessment about specifically forensic acquisition focusing on security features in Symbian OS [28]. They gave an overview about OS and file system architecture. According to Savoldi and Gubain, only physical acquisition was able to recover a bitwise copy of the flash memory without bypassing any security mechanisms. On the other hand, Pooters was created a forensic tool called Symbian Memory Imaging Tool (SMIT) to
be executed on the Symbian OS and created linear bitwise copies of the internal flash memory [29]. SMIT able to acquire the image of the internal flash memory and copies the images to a removable memory. SMIT has been tested on a Nokia E65, E70 and N78 model. Thing and Tan was proposed a method to acquire privacy-protected data from smartphones running the latest Symbian OS v9.4 and smartphones running the prior Symbian OS v9.3 [30]. They also presented reverse-engineering analysis work on the active and deleted SMS recovery from the on-phone memory of Symbian OS. In addition, Thing and Chua was proposed a forensics evidentiary acquisition tool for Symbian OS [31]. Their acquisition tool was built to support a low-level bit-by-bit acquisition of the phone’s internal flash
memory, including the unallocated space. They also conducted an analysis to perform a detail of the fragmentation scenarios in Symbian OS. Apart from that, Savoldi made a brief survey and comparison between mobile forensic investigation in Windows Mobile OS and Symbian S60 [32]. In his work, Savoldi acquired the evidences using both logical and physical methods. Savoldi was also illustrated the differences and identified possible common methodology for future forensic exploration. Conversely, Mohtasebi was studied four mobile forensic tools; namely Paraben Device Seizure, Oxygen Forensic Suite, MIAT, and MOBILedit! to extract evidences from Nokia E5-00 Symbian OS phone [33]. The comparison was to check the ability to extract evidence and to examine information types such as call logs, map history, and user data files. 2.4 Apple iOS Forensic investigation and examination in Apple iOS was practically started by Bader and Baggili. They performed investigation and examination on logical backup of the iPhone 3GS by using the Apple iTunes backup utility [34]. Significant forensic evidences such as e-mail messages, SMS, MMS, calendar events, browsing history, locations services, phone contacts, call history as well as voicemail recording was found and can be retrieved using this iPhone acquisition method.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
187
Husain later extended the finding by proposed a simple and cost effective framework for iPhone forensic analysis [35]. Followed the same approached by Bader and Baggili, iTunes was used to force backup the iPhone and logical copy of backup data can be found in computer hard drive. This method can captured the entire data from iPhone without Jailbreak the devices. Jailbreak is a method to release the security features of the iDevice and permits a direct connect to the data inside. Husain was used MobileSyncBrowser to analyse the backup file which is in binary format; converting them into lists and databases. Furthermore, SQLite Database Browser was used to analyse database file and Plist Editor was used to analyse Apple Property List file. In the contrary, Husain and Sridhar was focused on Instant Messaging (IM) data in Apple iOS [36]. This research made an analysis to forecast the potential use of IMs that can lead to cyber bully and cyber stalking. Once the data captured, Paraben Device Seizure, Aesco Radio Tactics and Wolf Sixth Legion were used to analyse the data. The output of this analysis were included username, password, buddy list, last login time and conversation together with timestamp. Similarly, Jung was reviewed the types of Social Network Services (SNS) that available in Apple iPhone and made further studied on acquisition process in Apple iOS platform [37]. Jung made an analysis on eight SNS in Apple iOS which are Cyworld, Me2Day, Daum Yozm, Twitter, Facebook, NateOn UC., KakaoTalk and MyPeople. However, this method required root access to the devices. Therefore, Jung Jailbreak the device to get full access permission. The examination and analysis of SNS continued by Tso [38]. Tso was discussed five most popular mobile SNS applications in Apple iOS usages such as Facebook, WhatsApp Messenger, Skype, Windows Live Messenger and Viber. Tso was followed methods by Husain by forcing Apple iTunes to make a logical copy of backup data. Tso ran two experiment, the first data acquisition was after applications installation, while the second data acquisition was after applications deletion.
Moreover, Said was carried a research by comparing Facebook and Twitter in Apple iOS, Windows Mobile OS and RIM BlackBerry [39]. The aim of this research is to investigate the different types of logical backup and encryption techniques used in three mobile OS. In the same way, Mutawa later on made SNS comparison between Facebook, Twitter and MySpace in three different OS which are Apple iOS, Android and RIM BlackBerry [40]. The examination and analysis was started by uploading picture and post a comment from mobile devices using each SNS from different platform. The aimed of this analysis is to determine whether activities performed earlier are stored and can be captured from internal mobile devices memory. Similar research was published by Lee and Park by capturing the SNS data using different forensic tools [41]. On the other hand, Levinson explore an investigation for third party applications in iOS platform [42]. According to Levinson, most mobile forensic work emphasis on typical mobile telephony data such as contact information, SMS, and voicemail messages. However, there are heaps of third party application might leave forensically relevant artifacts in mobile devices. For investigation purpose, Levinson acquired data from 8 third party application in Apple iOS platform. As a result, Levinson found information about user accounts, timestamps, geo-locational references, additional contact information, native files, and various media files. All these data typically stored in plaintext format and can provide relevant information to a forensic investigators. Additionally, in order to create Apple iOS image, we need to install SSH server and transfer the Apple iOS internal storage via Wi-Fi into desktop computer. However, this approach may require up to 20 hours. Therefore, Gómez-Miralles and Arnedo-Moreno were presented a novel approach by using an iPad’s camera connection kit attached
via USB connection [43]. This approach was greatly reduces acquisition time. On the bad side, Jailbreak is required in order to gain full access and it is not considered as a forensically sound manner for forensic investigation. For that reason, Iqbal made a research to obtain an Apple iOS image without Jailbreak the device and run the
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
188
acquisition process on the RAM level [44]. Apple iOS devices need to reboot and enter the recovery mode before connected to their own developed tools. The imaging process was less than 30 minutes and they were successfully developed an acquisition method that protects the integrity of the collected evidences. Recently, Ariffin was proposed an operational technique that allows digital forensic investigators to recover deleted image files by referring to Apple iOS journaling file system [45]. The proposed method was implemented on an iDevice that has been Jailbreak and used a customized RAM disk that was loaded into the device RAM. This technique was successfully recover deleted image files from the journal file and was tested on iPhone 3GS and iPhone 4. 2.5 Google Android Android becomes a new mobile forensic investigation emphasis due to its strong hold in the market share and currently have the biggest active user using Android platform. Android was built based on Linux-Kernel and user has the ability to rewrite the firmware, boot-loader and other root activities. Research by Lessard and Kessler were among the first in Android platform [46]. They performed logical acquisition on HTC Hero to acquire physical image. UNIX dd command was performed to get an image from \dev\mtd directory. The examination was done on flash memory and removable memory by AccessData Forensic Toolkit (FTK) Imager v2.5.1. Apart from that, Anti-forensic among the major consideration in Android investigation. Research by Distefano was preserved the data from being damaged by using anti-forensics approach through a local paradigm [47]. This approach was exported some critical data which need to be identified in XML format and save it into private directory and it is unreachable from any other applications. Albano also worked on anti-forensics to modify and erase, securely and selectively, the digital evidence in Android [48]. This technique do not use any cryptographic primitives or make any changes to the file system. Moreover, Azadegan introduce the design and implementation of three novel anti-
forensic approaches for data deletion and manipulation on three forensics tools [49]. This research also identify the limitation of current forensic tools flow design. Quick and Alzaabi was performed logical and physical acquisition on Sony Xperia 10i [50]. Logical acquisition was not able to acquire the full size of the file system, while physical acquisition achieved a bitwise acquisition of the flash memory. They also claimed that they has successfully generated a complete copy of the internal NAND memory. On the other hand, Sylve was presented the first methodology and toolset for acquisition of volatile physical memory from Android devices [51]. This method was created a new kernel module for dumping memory and Sylve has further develop a tool to acquire and analyse the data. Sylve was also presented an analysis of kernel structures using newly developed volatility functionality. On the contrary, Vidas was proposed a general method of acquiring process for Android by using boot modes [52]. This technique reconstructed the recovery partition and associated recovery mode of an Android for acquisition purposes. The acquired data has to be in recovery image format. Custom boot-loader method has become popular in Android because the user is able to get root permission; and able to acquire an image of the flash memory. Another research using boot-loader method was conducted by Park [53]. This research was mainly focused on fragmented flash memory due to the increase of flash memory deployment in mobile phones. In addition, Son was conducted an evaluation on Android Recovery Mode method in terms of data integrity preservation [54]. Son developed an Android Extractor to ensure the integrity of acquired data and presented a case study to test their tool’s ability. The test was conducted on seven Samsung smartphones with rooted Android capability and emphasis on YAFFS2 and Ext4 files. The results from the use of JTAG method was served as a comparison vector to the Recovery Mode. In the different research perspective, Racioppo and Murthy made a case study about physical and logical forensic acquisition in HTC Incredible
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
189
[55]. AccessData Forensic Toolkit (FTK) Imager v3.0.1 was used to make an image from removable SD memory. After that, they root the device and gaining access to the root directory. They were able to create a bitwise copy of the seven MTDs presented in \dev\mtd directory. Examination was done using Ubuntu’s scalpel and claimed that the physical acquisition much more effective to discover corrupted or destroyed files. Moreover, Andriotis was proposed a method for acquiring forensic evidences from Android smartphones using open source tools [56]. The investigation was able to obtain information regarding the use of the Bluetooth technology and Wi-Fi networks on four Android running devices. They specified the files and folders to be targeted and highlighted some security problems that might occur by exposing user’s passwords in certain cases by the
Android system. In addition, Mylonas was extended the acquisition work and focusing on phone’s sensors as critical evidence sources [57]. They studied the involvement of sensor like accelerometer, proximity sensor, GPS, compasses, etc in forensic investigation procedures which can be used to infer the user’s context. However, they found that the sensor data are volatile and not available in post-mortem analysis. For that reason, they developed the tool named Themis to collect suspect’s data. Themis consists of two major parts, workstation version and the mobile agent in Android. They presented promising result but yet to prove its effectiveness in practice due to the need of bypass Android security mechanism and need to place mobile agent in each phone. The newly acquisition method is the live acquisition. Thing was proposed an automated system in acquiring evidences and claimed that this method consistently achieved 100% evidence acquisition rate for outgoing message and 75.6% to 100% evidence acquisition rate for incoming message [58]. Thing was used Android as the test platform and Message Script Generator, UI/Application Exerciser Monkey, Chat Bot, memgrab and Memory Dump Analyzer (MDA) as the forensic tools. Although the acquisition rate is high, this method was only tested by using their own developed chat bot and yet to be tested using
commercial IM. Another live acquisition research is by Lai. Lai was proposed data acquisition in Android; and deliver the data to the Google cloud server in real time [59]. This method really can delivered the intended data, but the integrity of the data is questionable. As for monitoring, Guido used live forensic to remotely monitor and audit malware activity on Android devices [60]. It consists of five elements, each one detecting changes in specific parts of the OS such as boot-loader, recovery, file system, deleted files and APK files. Even many successful detections, they discovered some malware false positive result and inability to detect some deleted entries. 2.6 RIM BlackBerry Another major player in mobile market share is BlackBerry. As for the BlackBerry, Fairbanks was presented a framework for an open source BlackBerry IPD file forensics tool [61]. Fairbanks was executed a python tool that parses the IPD file upon user request for specific resources. That tool is able to capture the messages, contacts, SMS records, memos, call logs, and the task list from an IPD file. This work was tested on BlackBerry 7290. The result was good but they did not provide enough data to the potential readers. On the other work, Sasidharan and Thomas generated BlackBerry image from Blackberry Acquisition and Analysis Tool (BAAT), which is injected on the device before acquisition process [62]. The tool also analyse the forensic image and shows phone contents in different file viewers. However, they unable to read and parse the SMS databases because the version of the BlackBerry JDE at that time does not supports API to access SMS databases from the device. In the recent BlackBerry research, Marzougy was presented the logical acquisition of the .bbb file produced by a Blackberry Playbook tablet [63]. They used the BlackBerry Desktop Management (BDM) software to perform the logical acquisition. The extracted information were varying from system information and user data and also failed to retrieve deleted entries. For future work, they plan to run more tests on a wide range of BlackBerry models.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
190
3 PROPOSED WORK
In order to run forensic investigation and analysis,
we are proposing this methodology to be
conducted during the investigation process. It is
based on Smith and Petreski approach [64]. Our
methodology and approach consist of three
procedures. This methodology is a basic approach
and purely designed for Firefox OS. There will be
many type of files and analysis, thus it is designed
to have specific targeted data checklist. The use of
this checklist is to identify relevant data align with
specific analysis. This data checklist can be
updated from time to time.
3.1 Preparation and Preservation Procedure
START
Sufficient information to
start ?
Create system configuration. Setup forensic software and
hardware
Yes
START Acquisition
Firefox OS knowledge preparation
No
Knowledge ready
Firefox OS smartphone
Phone connectivity
Define forensic tools
Prepared relevant and non-relevant data list
Verify data and device integrity
Yes
Return package to requestor
No
Figure 3. Preparation and preservation procedure The first procedure is the Preparation and Preservation. This procedure starts with knowledge and information check. If the
knowledge about Firefox OS is not sufficient, knowledge gathering is required. It is vital to understand Firefox OS architecture before forensic investigation started. In general, Firefox OS architecture consist of 3 layers [65]. The first layer is an application layer called Gaia and work as user interface for smartphones. The second layer is open web platform interface. The second layer used Gecko engine and provide all support for HTML5, JavaScript as well as CSS. All the targeted evidence are stored in this layer. The third layer called Gonk is infrastructure layer and consist of Linux-Kernel. There are two types of storage in Firefox OS running phone which are internal SD storage and additional micro-SD card. Figure 4 shows an illustration version of Firefox OS architecture.
Figure 4. Firefox OS Architecture [65] The second step is to create a system configuration and setup forensic software as well as related hardware. In this step, we need to have a smartphone preinstalled with Firefox OS, forensic tools, physical and logical connectivity. We will
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
191
use Geeksphone Peak as our test Firefox OS phone as per shows below
Figure 5. Geeksphone Peak Geeksphone Peak is among the first Firefox running OS phone released and was marketed under developer preview model. It was released in April 2013. This phone is equipped with Firefox OS version 1.1.1 as shows in Figure 6.
Figure 6. Geeksphone Peak information detail
Mozilla released an update for their OS regularly and any stable build can be update via over-the-air. Table 1 below shows the specification detail for this phone.
Table 1. Geeksphone Peak specification Hardware Detail
Processor 1.2 GHz Qualcomm Snapdragon S4 8225 processor (ARMv7)
Memory 512 MB Ram
Storage -Internal 4GB -Micro SD up to 16GB
Battery - 1800 mAh - micro-USB charging
Data Inputs Capacitive multi-touch IPS display
Display 540 × 960 px (qHD) capacitive touchscreen, 4.3"
Sensor -Ambient light sensor -Proximity sensor -Accelerometer
Camera 8 MP (Rear), 2 MP (Front)
Connectivity
-WLAN IEEE 802.11 a/b/g/n -Bluetooth 2.1 +EDR -micro-USB 2.0 -GPS -mini-SIM card -FM receiver
Compatible Network
- GSM 850 / 900 / 1800 / 1900 - HSPA (Tri-band) - HSPA/UMTS 850 / 1900 / 2100
Dimension -Width: 133.6 millimetres (5.26 in) -Height: 66 millimetres (2.6 in) -Thickness: 8.9 millimetres (0.35 in)
As for the phone connectivity, we are using micro-USB 2.0 port. Subsequently, we need to make a connection between the phone and the host machine. Firefox OS is based on Linux-Kernel and the design more or less are similar with Android. For that reason, we can easily access the phone using Android Debug Bridge (ADB). The ADB is a toolkit integrated in the Android SDK package and consists of both client and server-side codes. The codes are able to communicate with one another. We will run UNIX dd command from the ADB to acquire the phone image. After that, we will use AccessData Forensic Toolkit and HxD Hex Editor to further examine the acquired image during examination and analysis procedure.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
192
Next we need to prepare a list of relevant and non-relevant data. This list is very important to identify relevant data to be captured later. For example, if we conduct log analysis, relevant data will be chat log, call log, system log and other related information. The next step is to verify the integrity of data and device. Only if the integrity of data and device is confirmed, then we can proceed to Acquisition procedure. Else, the package need to be returned to requestor. 3.2 Acquisition Procedure
START
Acquisition Process
Mark data in the list
Is there unprocessed
data ?
What type of data ?
Yes
Document this data and attributes to Relevant data
list
Data relevant
Acquiring and imaging forensic data
Data not relevant
Consider advising requester of initial
finding
Targeted data acquired
START Analysis
No
Figure 7. Acquisition Procedure The second procedure in our proposed methodology is Acquisition Procedure. This procedure is mainly for acquiring and imaging the targeted data. Here, we will use several forensic tools; physical or logical depending on the targeted data to obtain. The process starts with acquiring and imaging targeted forensic data which falls under relevant list. From our observation, we found that the evidences can be captured from internal SD storage, micro-SD and other user partitions. Acquiring data from some part of the internal SD storage and micro-SD card are relatively easy; the phone only need to be
connected to the host machine and internal SD storage as well as micro-SD card can be mounted as removable drive. However, acquiring data from other user partitions in internal storage is quite a challenging tasks. An additional driver for Geeksphone Peak need to be installed into the host machine. We will use Windows 8 as an operating system in the host machine. Once connected using the micro-USB 2.0 port, Windows 8 will ask for the driver. The supported USB driver can be downloaded from Geeksphone web. Once the installation finished, Geeksphone Peak will appear in the Device Manager as shows in Figure 8 and internal SD storage as well as micro-SD card will be mounted into the host machine as Linux File-CD Gadget USB Device.
Figure 8. Mounted phone storage In order to access the storage from the host machine, we need to enable USB storage in the phone setting. To enable the storage, we need to go to phone Settings > Storage and enable USB storage as shows in Figure 9.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
193
Figure 9. Enable USB storage After that, we need to go to Media storage > Internal Storage and enable Share using USB as shows in Figure 10. This option will make an internal SD storage to be appear in the host machine
Figure 10. Share internal storage using USB To access the micro-SD card, repeat the same process by go to Media storage > SD Card Storage and enable it as shows in Figure 11.
Figure 11. Share micro-SD card storage using USB Now we can see both internal SD storage and micro-SD appear in the host machine as shows in Figure 12.
Figure 12. Phone storage mounted as removable storage From this way, we can access both internal SD storage and micro-SD card. However, only around 1GB storage can be access for internal storage, while the remaining 3GB internal storage still cannot be access. Figure 13 shows all the files in the internal SD storage.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
194
Figure 13. Phone storage At the time we were conducting this experiment, there is no single file was stored in the micro-SD card. As for the internal SD storage, we can simply copy all these files into the host machine and analyse it. For remaining part of the internal storage, we need to run UNIX dd command to acquire the whole image of the internal storage. In order to acquire the phone image, we will use UNIX dd command in ADB environment. Before we start the ADB, we must disable the USB storage support and unmounts micro-SD card from the host machine. After that, we run command prompt (CMD) and pointing the command start to %AndroidSDK%\sdk\platform-tools folder. To start ADB, type the following
adb shell
Figure 14. Root Access
This command will establish the connection between the phone and the host machine and root@android:/ # access will appear in the CMD. After that, we type the following to run dd command;
dd if=/dev/block/mmcblk0 of=/mnt/emmc/evidence.img
The image is pointing into the micro SD card and we does not put any block size, by default it is 512KB. The process will take up until 10 minutes depending the block size chosen and the acquired image is around 3.64GB (internal storage size). This acquired image will cover all partitions in the internal storage and also cover unallocated partition. In order to transfer the acquired image into the host machine, we need to mount back the micro SD card and follow the previous step in Figure 9 which is phone Settings > Storage and enable back the phone storage. The host machine will again detecting the removable drive and acquired image will be appear as shows in the Figure 15.
Figure 15. Acquired image from the Firefox OS running phone
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
195
After the image is obtained, the relevant data list will be marked and updated. This step only involve specific files in the relevant data list. For example, if we want to run log analysis, only log file will be acquired. The second step is to verify the remaining data, if the remaining data in the smartphone is still relevant, the first process is repeated, and it will write down the details into relevant data list. After all relevant data is obtained, we will gather all initial finding and present it to the requester. Analysis procedure will start after all targeted data acquired. 3.3 Examination and Analysis Procedure
START
Examination and analysis using forensic tools
What application created, edited, modified, sent, received the file to be ?
Where was it found and where it come from ?
When it was created, accessed, modified, received, sent, viewed, deleted and launch ?
How was it created, transmitted, modified and used ?
Check registry entry and system log
Identify any other relevant information
Is there any data left for analysis ?
Yes
Documenting the result
No
Figure 16. Examination and Analysis procedure The last procedure in our methodology is Examination and Analysis Procedure. This procedure will focus on deeper attributes of acquired data. All the information will be analysed using additional tools such as SQL viewer to open the database file, HxD Hex Editor to open
unspecified format files or AccessData Forensic Toolkit to examine the image file. In this procedure, the acquired data will be examined and analysed to find the application involved in creating, editing, modifying, sending and receiving targeted file. Later, we will investigate the data origin; and the directory it came from. The third sub step is to find when the file was created, accessed, modified, received, sent, viewed, deleted and launched. The fourth sub step is to analyze how it was created, transmitted, modified and used. Registry entry and system log need to be checked and relevant information will be identified and rectified again. Last but not least, we need to repeat all the step, to ensure that there is no missing data during the analysis. Once completed, we can start documenting the result. As for this testing purposes, we try to find the tree directory of the files in the internal SD storage. Table 2 shows tree directory in internal SD storage.
Table 2. Tree directory in internal SD storage Evidence Tree Directory
Thumbnail in photo %Internal%\.gallery\previews\DCIM\100MZLLA
Alarms setting %Internal%\Alarms
Installed apps %Internal%\ Android\data
Photo gallery %Internal%\ DCIM\100MZLLA
Downloads %Internal%\ Download
Third party apps %Internal%\ external_sd\Android\data
Event logs %Internal%\ logs
Recovery folder %Internal%\ LOST.DIR
Video files %Internal%\ Movies
Audio files %Internal%\Music
Notifications log %Internal%\Notifications
Received picture %Internal%\Picture
Podcasts info %Internal%\Podcasts
Ringtones %Internal%\Ringtones
Screenshots %Internal%\screenshots
Temp folder %Internal%\tmp
Downloaded updates %Internal%\updates
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
196
This file analysis only covered for internal SD storage only. For remaining part of the internal storage, we need to further examine the phone image. For that reason, we use AccessData Forensic Toolkit to open the captured image. Once we open it, we can see the image consists of 21 partitions as shows in the Figure 17.
Figure 17. The list of the partition in the phone image The internal SD storage belongs to partition no 18, named Internal SD-FAT32. Other than partition no 3 which is NONAME-FAT16 and partition no 18, remaining partitions were detected as unknown by AccessData Forensic Toolkit. From our observation, we believe that these partition will covers the recovery image, boot partition, system files, local files, cache, user’s data and other useful information for forensic investigators. 4 CONCLUSION AND FUTURE WORK This paper explains about an overview and methodology of mobile forensic procedures in Firefox OS. To our concern, there will be no restriction in Firefox OS and it is design to have the freedom of HTML5. Therefore, we will not include any step for rooting the devices; hence the integrity of the data can be preserved. This new approach might be applicable with other mobile
platform but it is purely design for Firefox OS. Checklist will be used to classify targeted data during acquisition. Later on, we will work on file, log, system, memory and full data analysis, therefore checklist is very important during each procedures. In this paper we only demonstrated certain steps to show our approach are working perfectly for Firefox OS. Every steps in each procedure has been explained properly to show how we can conduct further experiments. Acknowledgments. Special thanks to academic staff of Universiti Putra Malaysia for providing continuous guide and support, and also to Ministry of Education Malaysia and Universiti Sains Malaysia for granting the scholarship to me. 5 REFERENCES 1. Mobile Operating System Market Share,
http://en.wikipedia.org/wiki/Mobile_operating_system#Market_share
2. Gartner says worldwide smartphone sales reached its lowest growth rate with 3.7 per cent increase in fourth quarter of 2008, http://www.gartner.com/it/page.jsp?id=910112
3. Gartner Says Annual Smartphone Sales Surpassed Sales of Feature Phones for the First Time in 2013, http://www.gartner.com/newsroom/id/2665715
4. First Look at Mozilla’s Web Platform for Phones: Boot to Gecko, TechHive, http://www.techhive.com/article/250879/first_look_at_mozilla_s_web_platform_for_phones_boot_to_gecko.html
5. First Firefox OS Smartphone Has Arrived: Telefonica Prices ZTE Open At $90 In Spain, Latin American Markets Coming Soon, TechCrunch, http://techcrunch.com/2013/07/01/first-firefox-os-phone/
6. Mozilla Corporation, Mozilla Announces Global Expansion for Firefox OS, http://blog.mozilla.org/press/2013/02/firefox-os-expansion/
7. Mozilla Developer Network, Firefox OS, https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS
8. Mozilla’s Boot 2 Gecko and why it could change the
world, http://www.knowyourmobile.com/products/16409/mozillas-boot-2-gecko-and-why-it-could-change-world
9. Mozilla Developer Network, Firefox OS security overview, https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Security_model
10. Goode, A. J.: Forensic extraction of electronic evidence from GSM mobile phones, In: IEE Seminar on Secure
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
197
GSM and Beyond: End to End Security for Mobile Communications, pp. 9/1--9/6 (2003)
11. Willassen, S. Y.: Forensics and the GSM mobile telephone system, In: Int. J. Digit. Evid., vol. 2, no. 1, pp. 1--17, (2003)
12. Casadei, F., Savoldi, A., Gubian, P.: SIMbrush: an open source tool for GSM and UMTS forensics analysis, In: First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), pp. 105--119 (2005)
13. Marturana, P., Me, G., Berte, R., Tacconi, S.: A Quantitative Approach to Triaging in Mobile Forensics, In: 10th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 582--588 (2011)
14. Chen, S., Hao, X., Luo, M.: Research of Mobile Forensic Software System Based on Windows Mobile, In: 2009 International Conference on Wireless Networks and Information Systems, pp. 366--369 (2009)
15. Irwin, D., Hunt, R.: Forensic information acquisition in mobile networks, In: 2009 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, pp. 163--168 (2009)
16. Klaver, C.: Windows Mobile advanced forensics, In: Digit. Investig., vol. 6, no. 3--4, pp. 147--167, May (2010)
17. Casey, E., Bann, M., Doyle, J.: Introduction to Windows Mobile Forensics, In: Digit. Investig., vol. 6, no. 3--4, pp. 136--146, May (2010)
18 Kaart, M., Klaver, C., van Baar, R. B.: Forensic access to Windows Mobile pim.vol and other Embedded Database (EDB) volumes, In: Digit. Investig., vol. 9, no. 3--4, pp. 170--192, Feb. (2013)
19. Rehault, F.: Windows mobile advanced forensics: An alternative to existing tools, In: Digit. Investig., vol. 7, no. 1--2, pp. 38--47, Oct. (2010)
20. Grispos, G., Storer, T., Glisson, W. B.: A comparison of forensic evidence recovery techniques for a windows mobile smart phone, In: Digit. Investig., vol. 8, no. 1, pp. 23--36, Jul. (2011)
21. Kumar, S. S., Thomas, B., Thomas, K. L.: An Agent Based Tool for Windows Mobile Forensics, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng., vol. 88, pp. 77--88 (2012)
22. Canlar, E. S., Conti, M., Crispo, B., Di Pietro, R.: Windows Mobile LiveSD Forensics, In: J. Netw. Comput. Appl., vol. 36, no. 2, pp. 677--684, Mar. (2013)
23. Mokhonoana, P. M., Olivier, M. S.: Acquisition of a Symbian Smart phone’s Content with an On-Phone Forensic Tool, In: Southern African telecommunication networks and applications conference pp. 1--7, (2007)
24. Breeuwsma, M., Jongh, M. De, Klaver, C., Knijff, R. Van Der, Roeloffs, M.: Forensic Data Recovery from Flash Memory, In: Small Scale Digit. Device Forensics J., vol. 1, no. 1, pp. 1--7, (2007)
25. Rossi, M., Me, G.: Internal forensic acquisition for mobile equipments, In: 2008 IEEE International Symposium on Parallel and Distributed Processing, pp. 1–7, (2008)
26. Dellutri, F., Ottaviani, V., Bocci, D., Italiano, G. F., Me, G.: Data reverse engineering on a smartphone, In: 2009 International Conference on Ultra Modern Telecommunications & Workshops, pp. 1–8, (2009)
27. Yu, X., Jiang, L., Shu, H., Yin, Q., Liu, T.: A Process Model for Forensic Analysis of Symbian, In: Commun. Comput. Inf. Sci. - Adv. Softw. Eng., vol. 59, pp. 86--93, (2009)
28. Savoldi, P. G. Antonio: Issues in Symbian S60 platform forensics, In: J. Commun. Comput., vol. 6, no. 3, (2009)
29. Pooters, I.: Full user data acquisition from Symbian smart phones, In: Digit. Investig., vol. 6, no. 3--4, pp. 125--135, (2010)
30. Thing, V. L. L., Tan, D. J. J.: Symbian Smartphone Forensics and Security: Recovery of Privacy-Protected Deleted Data, In: Lect. Notes Comput. Sci. - Inf. Commun. Secur., vol. 7618, pp. 240--251, (2012)
31. Thing, V. L. L., Chua, T.: Symbian Smartphone Forensics: Linear Bitwise Data Acquisition and Fragmentation Analysis, In: Commun. Comput. Inf. Sci. - Comput. Appl. Secur. Control Syst. Eng., vol. 339, pp. 62--69, (2012)
32. Savoldi, A., Gubian, P., Echizen, I.: A Comparison between Windows Mobile and Symbian S60 Embedded Forensics, In: Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, pp. 546--550 (2009)
33. Mohtasebi, S., Dehghantanha, A., Broujerdi, H. G.: Smartphone Forensics : A Case Study with Nokia E5-00 Mobile Phone, In: Int. J. Digit. Inf. Wirel. Commun., vol. 1, no. 3, pp. 651--655 (2012)
34. Bader, M., Baggili, I.: iPhone 3GS Forensics : Logical
Analysis Using Apple iTunes Backup Utility, In: Small Scale Digit. Device Forensics J., vol. 4, no. 1, pp. 1--15, (2010)
35. Husain, M. I., Baggili, I., Sridhar, R.: A Simple Cost-Effective Framework for iPhone, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng. - Digit. Forensics Cyber Crime, vol. 53, pp. 27--37 (2011)
36. Husain, M. I. Sridhar, R.: iForensics : Forensic Analysis of Instant Messaging on, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng. - Digit. Forensics Cyber Crime, vol. 31, pp. 9--18, (2010)
37. Jung, J., Jeong, C., Byun, K., Lee, S.: Sensitive Privacy Data Acquisition in the iPhone for Digital Forensic Analysis, In: Commun. Comput. Inf. Sci. - Secur. Trust Comput. Data Manag. Appl., vol. 186, pp. 172--186, (2011)
38. Tso, Y.-C., Wang, S.-J., Huang, C.-T., Wang, W.-J.: iPhone social networking for evidence investigations using iTunes forensics, In: Proceedings of the 6th International Conference on Ubiquitous Information Management & Communication - ICUIMC ’12, (2012)
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
198
39. Said, H., Yousif, A., Humaid, H.: IPhone forensics techniques and crime investigation, In: The 2011 International Conference and Workshop on Current Trends in Information Technology (CTIT 11), pp. 120--125 (2011)
40. Mutawa, N. Al , Baggili, I., Marrington, A.: Forensic analysis of social networking applications on mobile devices, In: Digit. Investig., vol. 9, pp. S24--S33, Aug. (2012)
41. Lee, J., Park, D.: A Study on Evidence Data Collection through iPhone Forensic, In: Commun. Comput. Inf. Sci. - Converg. Hybrid Inf. Technol., vol. 310, pp. 268--276, (2012)
42. Levinson, A., Stackpole, B., Johnson, D.: Third Party Application Forensics on Apple Mobile Devices, 44th Hawaii Int. Conf. Syst. Sci., pp. 1--9, Jan. (2011)
43. Gómez-Miralles L., Arnedo-Moreno, J.: Versatile iPad forensic acquisition using the Apple Camera Connection Kit, In: Comput. Math. with Appl., vol. 63, no. 2, pp. 544--553, Jan. (2012)
44. Iqbal, B., Iqbal, A., Al Obaidli, H.: A novel method of iDevice (iPhone, iPad, iPod) forensics without jailbreaking, In: 2012 International Conference on Innovations in Information Technology (IIT), pp. 238--243 (2012)
45. Ariffin, A., Orazio, C. D., Choo, K. R., Slay, J.: iOS Forensics : How can we recover deleted image files with
timestamp in a forensically sound manner ?, In: Eighth International Conference on Availability, Reliability and Security (ARES), pp. 375–382, (2013)
46. Lessard, J., Kessler, G. C.: Android Forensics :
Simplifying Cell Phone Examinations, In: Small Scale Digit. Device Forensics J., vol. 4, no. 1, pp. 1--12, (2010)
47. Distefano, A., Me, G., Pace, F.: Android anti-forensics through a local paradigm, In: Digit. Investig., vol. 7, pp. S83--S94, Aug. (2010)
48. Albano, P., Castiglione, A., Cattaneo, G., Santis, A. De: A Novel Anti-forensics Technique for the Android OS, In: 2011 International Conference on Broadband and Wireless Computing, Communication and Applications, pp. 380–385, (2011)
49. Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S.: Novel Anti-forensics Approaches for Smart Phones, In: 45th Hawaii International Conference on System Sciences, pp. 5424–5431, (2012)
50. Quick, D., Alzaabi, M.: Forensic analysis of the android file system YAFFS2, In: Proceedings of the 9th Australian Digital Forensics Conference, pp. 100–109, (2011)
51. Sylve, J., Case, A., Marziale, L., Richard, G. G.: Acquisition and analysis of volatile memory from android devices, In: Digit. Investig., vol. 8, no. 3--4, pp. 175--184, Feb. (2012)
52. Vidas, T., Zhang, C., Christin, N.: Toward a general collection methodology for Android devices, In: Digit. Investig., vol. 8, pp. S14--S24, Aug. (2011)
53. Park, J., Chung, H., Lee, S.: Forensic analysis techniques for fragmented flash memory pages in smartphones, In: Digit. Investig., vol. 9, no. 2, pp. 109--118, Nov. (2012)
54. Son, N., Lee, Y., Kim, D., James, J. I., Lee, S., Lee, K.: A study of user data integrity during acquisition of Android devices, In: Digit. Investig., vol. 10, pp. S3--S11, Aug. (2013)
55. Racioppo, C., Murthy, N.: Android Forensics : A Case
Study of the ‘ HTC Incredible ’ Phone, In: Proceedings of Student-Faculty Research Day, pp. 1--8, (2012)
56. Andriotis, P., Oikonomou, G., Tryfonas, T.: Forensic analysis of wireless networking evidence of Android smartphones, In: 2012 IEEE Int. Work. Inf. Forensics Secur., pp. 109--114, Dec. (2012)
57. Mylonas, A., Meletiadis, V., Mitrou, L., Gritzalis, D.: Smartphone sensor data as digital evidence, In: Comput. Secur., vol. 38, no. 2012, pp. 51--75, Oct. (2013)
58. Thing, V. L. L., Ng, K.-Y., Chang, E.-C.: Live memory forensics of mobile phones, In: Digit. Investig., vol. 7, pp. S74--S82, Aug. (2010)
59. Lai, Y., Yang, C., Lin, C., Ahn, T.: Design and Implementation of Mobile Forensic Tool for Android Smart Phone through Cloud Computing, In: Commun. Comput. Inf. Sci. - Converg. Hybrid Inf. Technol., vol. 206, pp. 196--203 (2011)
60. Guido, M., Ondricek, J., Grover, J., Wilburn, D., Nguyen, T., Hunt, A.: Automated identification of installed malicious Android applications, In: Digit. Investig., vol. 10, pp. S96--S104, Aug. (2013)
61. Fairbanks, K., Atreya, K., Owen, H.: BlackBerry IPD parsing for open source forensics, In: IEEE Southeastcon 2009, vol. 01, pp. 195--199, (2009)
62. Sasidharan, S. K., Thomas, K. L.: BlackBerry Forensics : An Agent Based Approach for Database Acquisition, In: Commun. Comput. Inf. Sci. - Adv. Comput. Commun., vol. 190, pp. 552--561, (2011)
63. Marzougy, M. Al, Baggili, I., Marrington, A.: LNICST 114 - BlackBerry PlayBook Backup Forensic Analysis, In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng. - Digit. Forensics Cyber Crime, vol. 114, pp. 239--252, (2013)
64. Smith, D. C., Petreski, S.: A New Approach to Digital Forensic Methodology, In: DEFCON, 2007 https://www.defcon.org/images/defcon-18/dc-18-presentations/DSmith/DEFCON-18-Smith-SPM-Digital-Forensic-Methodlogy.pdf
65. Mozilla Developer Network, Firefox OS architecture, https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Platform/Architecture
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 183-199The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
199
Alarming! Security Aspects of the Wireless Vehicle: Review
Sabarathinam Chockalingam 1, Kailash Nagar, First Street, Near Police Colony, Karaikudi – 630002, India.
Harjinder Singh Lallie University of Warwick, WMG, Coventry, United Kingdom, CV4 7AL.
ABSTRACT
The auto-mobile industry has grown to become an integral part of our day – to – day life. The introduction of wireless vehicles definitely have to pass through the analysis of potential security threats and vulnerabilities, and robust security architecture should be designed that are able to cope with these threats and vulnerabilities. In this work, we have identified various categories of research in 'Cyber Security of a wireless vehicle' and mainly focused on 'In – Vehicle Network' to identify various potential security threats and vulnerabilities as well as the suitable security solutions. In addition to providing a survey of related academic efforts, we have also outlined several key issues and open research questions.
KEYWORDS
In-Vehicle Network, Security, Threats, Vulnerabilities, Wireless Vehicle.
1 INTRODUCTION
Vehicle manufacturers started incorporating a lot of technological advancements which helps to replace mechanical solutions for vehicle control by software and electronic solutions ([1] and [2]). Nowadays people started demanding wireless internet access even in auto-mobile. They prefer toaccess internet even while driving on the highway. They also expect high data bit rates to surf the internet, to download files and to have a real time video conference calls through wireless communication similar to the wired communication's data bit rate [1]. Most
importantly manufacturers had implemented Vehicular Ad – Hoc Network (VANET) technology which creates mobile network by usingmoving vehicles as nodes in a network [1]. Importantly, these technological advancements in wireless vehicles brings in a lot of possibility for Cyber Attacks. So, we mainly focus on 'Cyber Security of a wireless vehicle' in this work.
2 LITERATURE REVIEW
In recent times, wires are being replaced by wireless technology in auto-mobile. There are a lotof benefits in removing all the wires within a vehicle and implementing wireless communicationin a vehicle. Some of which are,
1. It helps to avoid collision in the vehicle network by issuing an automatic warning which ensures safety ([1] and [2]).2. It enables users to know about directions, weather reports. Users could also check e-mails, social media, and download files thereby increasing the comfort level of passengers even while travelling ([1] and [2]).3. Installation cost of wireless technology in auto-mobile is cheaper compared to wired technology.4. Rapid Deployment, and Mobility [3].
Replacing wires with wireless communication in auto-mobile also brings in a lot of security challenges. 'Cyber security of a wireless vehicle' is the major concern in recent times which would be discussed in this section by reviewing various research conducted.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
200
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
2.1 Firmware updates Over The Air (FOTA) and Wireless Diagnostics
Over the past decade there are a lot of research conducted with regard to FOTA and Wireless Diagnostics. FOTA help to save consumers' time and to reduce the labour costs of the manufacturers in service stations. This makes it simpler for manufacturers to fix the bug in a short time.
In 2005, Mahmud et al proposed an architecture for uploading software in vehicle after making a few assumptions such as all the vehicles would be equipped with wireless interface units, company would need to upload software in the vehicle they manufactured, set of keys would be installed in the vehicle at the time of manufacturing [4]. Those keys would ensure the authentic communication between manufacturer and/or software supplier with the vehicle. They had also recommended software suppliers to send at-least two copies of software with a message digest to the vehicle in-order to improve security [4]. But their work is limited as it help to upload software in only one vehicle at a time which means it could be used only for wireless diagnostics where manufacturer would need to fix a particular vehicle which have problems and also their work did not cover the aspects of key management.
In 2008, Nilsson et al proposed a protocol for FOTA which ensured data integrity, authentication, confidentiality, and data freshness [5]. They analysed the security aspects by conducting various experiments. But their work did not address a few major issues like privacy, key management.
In 2008, Nilsson et al assessed the risks that involved with wireless infrastructure and derived a set of guidelines for creating secured infrastructure to do wireless diagnostics and software updates [6]. They identified portal security risks such as Impersonation and Intrusion, communication link security risks such as Traffic Manipulation, and vehicle security risks such as Impersonation and Intrusion, and the consequences of these risks such
as Execution of Arbitrary Code, Disclosure of Information, and Denial of Service [6].But they did not analyse the risks involved with the Engine Control Unit (ECU). They suggested to explore the use of Intrusion Detection System (IDS) and Firewall in wireless vehicles to improve the security [6].
In 2011, Idrees et al proposed a protocol which guaranteed a secured FOTA in wireless vehicles [7]. They mainly focussed on hardware security mechanism. This helped to improve the standard of security compared to the other systems. Key issue still need to be addressed in FOTA is key management and uploading software in multiple vehicles at the same time securely.
2.2 Digital Forensic Investigation
Digital Forensic Investigation is important in-order to identify the criminal in-case of successful cyber attacks but till now there are only a few research conducted with regard to digital forensic investigation in wireless vehicles.
In 2004, Carrier et al proposed an event – based digital forensic investigation framework [8]. This is used by Nilsson et al as the base for their work. Nilsson et al derived a list of requirements for detection, data collection, and event reconstruction based on the attacker model and digital forensic investigation principles [9]. They have also recommended to use event data recorder which would play a major role in digital forensic investigation, a method to detect events in vehicle, and to trigger an alert about security violation which would help the investigators to initiate the investigation [9]. Storing current state vehicle information in a secured location prove to be one of the important information during digital forensic investigation [9]. Major limitation of this work would be that they did not explore detection techniques which would help digital forensic investigation.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
201
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
2.3 In – Vehicle Network
In – Vehicle Network play an important role in wireless vehicles. There are a lot of research conducted in this area over the years. In 2003, Mahmud et al analysed blue-tooth and their security issues in wireless vehicles [10]. In 2008, Larsson et al proposed specification based attack detection techniques within the In-Vehicle network [11]. In 2008, Verendel et al proposed a system that make use of honeypot in-order to gather attackers' information [12]. In 2008, Nilsson et al categorised ECUs based on the safety and security characteristics [13]. In 2009, Nilsson, et al analysed FlexRay protocol by simulating attacks [14]. In 2010, Rouf et al evaluated security and privacy of wireless tire pressure monitoring systems [15]. In 2010, Koscher et al summarised the potential risks involved with wireless vehicles after conducting various experiments [16]. In 2011, Kleberger et al categorised the research areas with regard to security aspects of the In- Vehicle Network in wireless vehicles [17]. In 2012, Schweppe et al proposed an architecture that incorporates data flow tracking into In – Vehicle Network which would ensure security and privacy [18]. In 2012, Onishi analysed new risks in the wireless vehicles caused by Carry-In Devices and suggested suitable countermeasures [19]. Detailed analysis of these research would be carried out in Section 3.
2.4 Vehicle – Vehicle Communication
There were many research conducted in Vehicle – Vehicle communication which is one of the important aspects of wireless vehicle. In 2004, Mahmud et al proposed a technique to exchange messages between vehicles securely. They have also analysed about creating secure communication links between vehicles. After analysing, they concluded that this would be possible with the present technology [20]. This technique ensured authentication, authorisation, and data integrity. But they did not focus on the privacy aspect which is one of the important aspects in vehicle – vehicle communication [20].
In 2004, Hu et al analysed the wormhole attacks and they proposed how to detect the wormhole attacks using directional antennas [21].
In 2006, Raya et al analysed the vulnerabilities that exist in vehicular communication such as jamming, forgery, in – transit traffic tampering, impersonation, privacy violation, and on board tampering [22]. After analysing the hardware modules, they have recommended to use Event Data Recorder (EDR), and Tamper Proof Device (TPD) which would improve security. They concluded their work by listing open research problems in vehicular communication such as secure positioning, data verification, and Denial of Service (DOS) resilience [22].
In 2006, Moustafa et al proposed Authentication, Authorization, and Accounting (AAA) mechanism to authenticate vehicles on highways which would ensure secure data transfer between wireless vehicles. They considered Optimized Link State Routing (OLSR) protocol as the base to propose their reliable routing approach [23].
In 2007, Gerlach et al proposed a security architecture for vehicular communication using functional layer, organizational/component, reference model, and information centric views [24]. They suggested that this architecture could be used as a base for prototype implementation. Security level could be also analysed by conducting various practical experiments [24].
In 2008, Larson et al analysed the security issues of vehicle – vehicle communication. They used anti intrusion taxonomy introduced by Halme et al [25] as the base for discussing layers of defence – in – depth paradigm. They have also suggested vehicle manufacturers to adopt Defence – in – Depth approach in the future to improve security level in the wireless vehicles [26].
In 2008, Anurag et al introduced collision avoidance system using Global Positioning System (GPS). This system would ensure safety in wireless vehicles [27].
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
202
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
In 2010, Tripathi analysed problems that exist in Vehicular Ad-Hoc Networks which mainly focused on basic attacks such as cheating with sensor information, ID disclosure of other vehicles in order to track their location, Denial of Service (DoS), masquerading and also other sophisticated attacks such as hidden vehicles, tunnel, wormhole, and bush telegraph [28]. This work lacks practical analysis.
In 2010, Amirtahmasebi et al discussed about various attacks such as sybil attack, bogus information, Denial of Service, impersonation, alteration attack, replay attack, and illusion attack in vehicular communication as well as various securing techniques such as digital signatures, tamper proof device, data correlation, and WAVE (Wireless Access in Vehicular Environments - IEEE 1609.2) [29].
After reviewing various research conducted in 'Cyber Security of a Wireless Vehicle', we have identified four important categories of research in this area.
They are:
1. Firmware updates Over The Air (FOTA) and Wireless Diagnostics2. Digital Forensic Investigation3. In – Vehicle Network4. Vehicle – Vehicle Communication
3 IN-VEHICLE NETWORK
In–Vehicle Network is the combination of Engine Control Units (ECUs), and buses. Most common networks are Controller Area Network (CAN), Local Interconnect Network (LIN), Media Oriented Systems Transport (MOST), and Flex Ray ([9], [11], and [13]). CAN play a vital role in communication of safety – critical applications like Anti-lock braking system, and Engine management systems [11]. LIN play a major role in communication of non – safety critical sensors, and actuator systems [13]. MOST is the high speed technology which is used to carry audio, and
video data [13]. CAN is being replaced by FlexRay in the recent years. Data is transferred from one network to another using wireless gateways ([9], [11] and [13]). In – Vehicle Network is illustrated in Figure 1 [12].
Figure 1. In – Vehicle Network [12]
As discussed earlier in Section 2, there are a lot of research conducted with regard to 'In – Vehicle Network'. In 2003, Mahmud et al proposed a technique which would help to secure wireless In – Vehicle Blue-tooth networks. Short range communication between closer vehicles would help to avoid collision. This could be achieved using blue-tooth technology. Blue-tooth technology covers 10-100 metres in wireless communication [10]. They have also proposed a security architecture which make use of password protected Network Device Monitor (NDM) [10]. NDM help to activate devices which would want to take part in the wireless communication. It would make use of two different PINs: one for secured communication which should be changed after each session to encounter brute – force attack, and the another one for non – secured communication which is not necessary to change after each session [10]. NDM plays a major role in distributing PINs to devices which would be the suitable countermeasure against Man – in – the – Middle Attack [10]. This architecture could also be implemented at a very low cost. They concluded their work by addressing one of the important question “what happens if the activated
Wireless Communication
ECUs
In – Vehicle Network
Wireless Gateway
Wireless Vehicle
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
203
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
device got stolen or lost”?. They suggested in that case the owner would be able to deactivate that device manually using NDM [10]. But they failed to address “what happens if NDM malfunctions?” in their work. As there is no alternate solution, the entire system would be compromised in that case.
In 2008, Larson et al proposed a technique that help to detect cyber-attacks within the in – vehicle network. They have also suggested the location where the attack detector could be placed. Their work mainly focussed on CAN protocol version 2.0 and CANopen draft standard 3.01 which is used to create protocol – level security specifications [11]. They have also mentioned that the abnormal messages could be detected with the help of communication protocol security specifications and Illegal attempts to transmit or receive messages could be detected with the help of ECU communication parameters [11]. They recommended to place a detector on each ECU because if a detector is placed in CAN it is impossible to detect the source and destination of the message as it would not support unique ECU identifiers [11]. But if we place the detector on each ECU, this would be helpful as the object directory of ECU knows which one to transmit and to receive. They evaluated the attack detector using different attacker actions such as Flood, Read, Replay, Spoof, and Modify [11]. They concluded that still there are some attacks which would be possible even if the attack detector is placed. In-order to make this system effective and complete, they have suggested to implement alternate approach like firewalls to complement the attack detector [11].
In 2008, Verendel et al proposed a technique to gather attackers' information using honeypot which is simulated In – Vehicle network as shown in Figure 2 [12]. This would allow us to analyse the attackers' behaviour thereby we could prevent cyber-attacks. They suggested that honeypot should be placed in the vehicle and gathered information should be processed at the central location. Larson et al have identified the major attacks in the In – Vehicle network. Verendel et al
used it as the base to detect the attacks early which would help to ensure safety. But they did not focus on the security of gathered data which would be analysed at the processing centre. This data could be tampered.
Figure 2. Vehicle Honeypot [12]
In 2008, Nilsson et al classified ECUs into five categories based on the safety and security characteristics. They were Powertrain, Vehicle Safety, Comfort, Infotainment, and Telematics [13]. After analysing the attacker model, they concluded that communication link is the main target for the attackers where cyber-attacks such as eavesdropping, intercepting, modifying, and injecting messages would be possible [13]. They discussed the process of assigning Safety Integrity Levels (SIL) ranging from highest level 4 to lowest level 1 based on their controllability after failure. They assigned highest SIL 4 for powertrain and vehicle safety ECUs. Powertrain category consists of brake system which is highly important to ensure safety. In case of failure, driver would not be able to control the vehicle. Vehicle Safety category consists of tire pressure monitoring, air bag, collision avoidance system which are also highly safety critical. They have
SimulatedIn – Vehicle
Network
Wireless Communication
ECUs
Honeypot
Wireless Gateway
Wireless Vehicle
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
204
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
also assigned highest safety integrity level as in the case of failure, driver would not be able to control the vehicle [13]. They have assigned level 2 for comfort category as it would not affect the safety immediately. They have assigned level 1 for both infotainment and telematics. Infotainment category consists of audio and video systems, mobile communication is provided by the ECUs of telematics category which were not highly safety critical [13]. This work would help to prioritise the categories which need more protection to ensure safety in the wireless vehicles.
In 2009, Nilsson et al focused on FlexRay protocol. Their work answered the question 'why CAN is being replaced gradually by FlexRay over the years?'. FlexRay is different and effective in various aspects compared to CAN. Some of which were: FlexRay support different topologies, higher data rates, and continuous communication [14]. They also considered security properties such as data confidentiality, data integrity, data availability, data authentication, and data freshness to evaluate the security of FlexRay protocol [14]. They used Nilsson – Larson attacker model as their base and focussed on attacker actions such as read, and spoof. Read attack is possible due to lack of confidentiality, and Spoof attack is possible due to lack of authentication in FlexRay. They concluded their work by simulating these attacker actions. The major limitation of this work was that they did not provide any prevention techniques for these attacks [14]. This work could be further expanded by identifying a few more attacker actions, providing detection, and prevention techniques for these attacks which would guarantee secured FlexRay protocol [14].
In 2010, Rouf et al evaluated wireless Tire Pressure Monitoring System (TPMS). Air pressureinside the tires could be measured using TPMS continuously which would help to alert driver in-case of under inflated tires [15]. They have discussed about the security risks involved such as tracking auto-mobiles, and spoofing. They have also analysed TPMS experimentally and found out that the messages could be received up to 40m
away from the car with the help of low noise amplifier [15].
They have also discussed about TPMS architecture as shown in Figure 3 [15] which consists of TPM sensors fitted in each tire, TPM ECU/receiver, a TPM warning light at the dashboard, one or four antennas, and receiver is connected to the antennas. They have recommended to follow reliable software design for the software that run in the TPMS ECU which would help to prevent displaying false readings, to encrypt packets. Packet format should be improved in-order to limit eavesdropping, and spoofing attacks [15]. Eavesdropping is the major issue which need to be addressed in the future research to make this system effective. In future, this system could also be shielded to ensure that there is no chance of eavesdropping, and spoofing attacks.
Figure 3. TPMS Architecture [15]
In 2010, Koscher et al used two wireless vehicles of same make and model which was manufactured in 2009 to evaluate the issues of wireless vehicle by conducting various experiments [16]. They have conducted experiments in three different settings [16].
1. They extracted the hardware components and analysed them in lab [16].2. They elevated the car on jack stand and conducted various experiments to ensure safety [16].3. They drove the wireless vehicle on decommissioned airport runway and conducted various experiments to ensure safety [16].
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
205
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
They have also summarised the results of various experiments. Also they have discussed about the key security challenges in CAN such as broadcast nature, fragility to Denial of Service, no authenticator fields, and weak access controls [16]. In future, this work could be used as the base to design prevention techniques that would help to improve the security of wireless vehicles.
In 2011, Kleberger et al have reviewed various research related to 'in – vehicle network' and identified five categories of research. They were problems in the In – Vehicle network, architectural security features, Intrusion Detection Systems (IDS), Honeypots, and Threats and attacks [17]. They identified problems in the In – Vehicle network such as lack of sufficient bus protection, weak authentication, misuse of protocols, poor protocol implementation, and information leakage. They suggested to investigate IDS for FlexRay because both specification based and anomaly based IDS have been suggested for CAN [17]. This research did not provide any security solutions but this could be used as the base for designing security solutions for the In – Vehicle network.
In 2012, Schweppe, and Roudier proposed a system with taint tracking tools that would help to monitor data that flows between ECUs in the In – Vehicle network. Using taint tracking tools in auto-mobile guarantees privacy and security [18]. This system could be used with Rouf et al wireless Tire Pressure Monitoring System (TPMS) to prevent spoof attacks thereby ensuring security, and safety of that system.
In 2012, Onishi focussed on potential risks involved with wireless vehicles and assessed their severity using Common Vulnerability Scoring System (CVSS) [19]. They have identified that Carry – In – Devices (CID) creates major risks in wireless vehicles because virus, and malware could invade the system [19]. They have suggested to use certification - authority which would help to verify the content of CID and issue certificates for CID without any malicious contents [19]. They
have summarised the limitations of ECU such as low computational power, low memory, and online software update issues. They suggested that it is difficult to monitor CID always due to low computational power. But a few years back Nilsson et al prioritized ECU categories based on their Safety Integrity Level (SIL) which could be used with this research. Protecting powertrain and vehicle safety ECUs from virus, malware ensures vehicle to be in controllable state even if virus, malware invades infotainment ECUs. Onishi suggested to send warning alerts to driver if virus, malware invades highly safety critical ECUs which would help to prevent major accidents [19].We have identified several key issues by exploring various research conducted in 'In – Vehicle Network'. They are:
'Securing Gateway ECU' as it is the entry ➔ point for attackers. Successful attacks would give an opportunity for attackers to gain full control of the vehicle.
'Securing Communication Links' which ➔ could help us to prevent attacks like eavesdropping, interception, and modifying messages.
'Ensuring confidentiality, and privacy' in ➔ the system.
'Securing attackers' information at the➔ processing centre' as the information gathered using honeypot to be analysed at the processing centre lacks security.
'Monitoring Carry – In – Devices always' ➔ to ensure safety and security of the wireless vehicle.
We have also identified several open research questions. They are:
'How to configure firewall in the wireless➔ gateway?'
'How to improve the security of CAN,➔ FlexRay?'
'How to implement Intrusion Detection ➔ System in the In – Vehicle Network?'
'How to monitor Carry – In – Devices ➔ always in wireless vehicle?'
'How to shield the communication link from➔ attacks?'
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
206
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
4 CONCLUSION
After reviewing various research conducted in 'Cyber security of a Wireless Vehicle', we have identified four categories such as 'Firmware updates Over The Air (FOTA) and Wireless Diagnostics, Digital Forensic Investigation, In – Vehicle Network, and Vehicle – Vehicle Communication'. We focussed on 'In -Vehicle Network' and identified several key issues by reviewing various research conducted. It is evidentthat security lacks in the 'In – Vehicle network' from this work. We have also identified various research problems that have not been adequately addressed. This work could be used as a starting point in the future to address the identified open research questions and improve security in the 'In –Vehicle Network' as it highlights various security problems.
5 REFERENCES
1. C. Ribeiro, “Bringing Wireless Access to the Automobile: A Comparison of Wi-Fi, WiMAX, MBWA, and 3G”, 21st Computer Science Seminar, pp. 1–7, 2005.
2. A. Gandhi, and B.T. Jadhav, “Role of Wireless Technology for Vehicular Network,” International Journal of Computer Science & Information Technologies (IJCSIT), Vol. 3, No. 4, pp. 4823–4828, 2012.
3. P. Parikh, M.G. Kanabar, and T.S. Sidhu, “Opportunities and Challenges of Wireless Communication Technologies for Smart Grid Applications,” IEEE Power and Energy Society General Meeting, pp. 1-7, July 2010.
4. S.M. Mahmud, S. Shanker, and I. Hossain, “Secure Software Upload in an Intelligent Vehicle via Wireless Communication Links,” Proceedings of the IEEE Intelligent Vehicles Symposium, pp. 588–593, 2005.
5. D.K. Nilsson, and U.E. Larson, “Secure Firmware Updates over the Air in Intelligent Vehicles,” Communications Workshops, 2008. IEEE International Conference on, pp. 380–384, May 2008.
6. D.K. Nilsson, U.E. Larson, and E. Jonsson, “Creating a Secure Infrastructure for Wireless Diagnostics and Software Updates in Vehicles,” Proceedings of the 27th international conference on Computer Safety, Reliability, and Security, Vol. 5219/2008, pp. 207–220, 2008.
7. M.S. Idrees, H. Schweppe, Y. Roudier, M. Wolf, D. Scheuermann, and O. Henniger, “Secure Automotive On- Board Protocols : A Case of Over-the-Air Firmware Updates,” Proceedings of the third International Workshop on Communication Technologies for Vehicles,Vol. 6596, pp. 224–238, 2011.
8. B.D. Carrier and E.H. Spafford, “An Event-Based Digital Forensic Investigation Framework*,” Digital Forensic Research Workshop, pp. 1–12, 2004.
9. D.K. Nilsson and U.E. Larson, “Conducting Forensic Investigations of Cyber Attacks on Automobile In-Vehicle Networks,” International Journal of Digital Crime and Forensics, vol. 1, no. 2, pp. 28–41, 2009.
10. S.M. Mahmud and S. Shanker, “Security of Wireless Networks in Intelligent Vehicle Systems,” Proceedings of 3rd Annual Intelligent Vehicle Systems Symposium, NDIA, pp. 83–86, 2003.
11. U.E. Larson, D.K. Nilsson, and E. Jonsson, “An approach to specification-based attack detection for invehicle networks,” IEEE Intelligent Vehicles Symposium, pp. 220–225, June 2008.
12. V. Verendel, D.K. Nilsson, U.E. Larson, and E. Jonsson, “An Approach to using Honeypots in In-Vehicle Networks,” 68th IEEE Vehicular Technology Conference, pp. 1207–1211, 2008.
13. D.K. Nilsson, P.H. Phung, and U.E. Larson, “Vehicle ECU Classification Based on Safety – Security Characteristics,” Proceedings of 13th International Conference on Road Transport and Information Control (RTIC), pp. 1–7, 2008.
14. D.K. Nilsson, U.E. Larson, F. Picasso, and E. Jonsson, “A First Simulation of Attacks in the Automotive Network Communication Protocol FlexRay,” Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems (CISIS'08), Vol. 53, pp. 84-91, 2009.
15. I. Rouf, R. Miller, H. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar, “Security and Privacy Vulnerabilities of In-Car Wireless Networks : A Tire Pressure Monitoring System Case Study,” Proceedings of 19th USENIX Security Symposium, pp. 323 – 338, 2010.
16. K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, “Experimental Security Analysis of a Modern Automobile,” IEEE Symposium on Security and Privacy, pp. 447–462, 2010.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
207
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
17. P. Kleberger, T. Olovsson, and E. Jonsson, “Security aspects of the in-vehicle network in the connected car,” IEEE Intelligent Vehicles Symposium (IV), pp. 528–533, June 2011.
18. H. Schweppe and Y. Roudier, “Security and privacy for in-vehicle networks,” 1st IEEE International Workshop on Vehicular Communications, Sensing, and Computing (VCSC), pp. 12–17, June 2012.
19. H. Onishi, “Paradigm Change of Vehicle Cyber Security,” Proceedings of 4th International Conference on Cyber Conflict (CYCON), pp. 1-11, 2012.
20. S.M. Mahmud, S. Shanker, and S.R. Mosra, “Secure Inter-Vehicle Communications,” Proceedings of SAE World Congress, pp. 8-11, 2004.
21. L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole Attacks,” Proceedings of Network and Distributed System Security Symposium (NDSS), pp. 1 - 11, 2004.
22. M. Raya, P. Papadimitratos, and J. Hubaux, “Intervehicular Communications – Securing Vehicular Communications,” IEEE Wireless Communications, Vol. 13, No. 5, pp. 8–15, 2006.
23. H. Moustafa, G. Bourdon, and Y. Gourhant, “Providing Authentication and Access Control in Vehicular Network Environment,” Proceedings of IFIP TC-11 21st International Information Security Conference (SEC), Vol.201, pp. 62–73, 2006.
24. M. Gerlach, A. Festag, T. Leinmuller, G. Goldacker, and C. Harsch, “Security Architecture for Vehicular Communication,” Proceedings of International Workshop on Intelligent Transportation (WIT), pp. 1 – 6, 2007.
25. L.R. Halme, and K.R. Bauer. “AINT Misbehaving: A taxonomy of anti-intrusion techniques,” Proceedings of 18th
National Information Systems Security Conference, pp. 163– 172, 1995.
26. U.E. Larson, and D.K. Nilsson, “Securing vehicles against cyber-attacks,” Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead – CSIIRW, pp. 1 – 3, 2008.
27. D. Anurag, S. Ghosh, S. Bandyopadhyay, "GPS based vehicular collision warning system using IEEE 802.15.4 MAC/PHY standard," 8th International Conference on ITS Telecommunications (ITST), pp.154-159, 2008.
28. K.P. Tripathi, “An Essential of Security in Vehicular Ad hoc Network,” International Journal of Computer Applications, Vol. 10, No. 2, pp. 11-16, 2010.
29. K. Amirtahmasebi and R.S. Jalalinia, “Vehicular Networks – Security , Vulnerabilities and Countermeasures,” Master of Science Thesis in the program Networks and Distributed Systems, Chalmers University of Technology, pp. 1–55, June 2010.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 200-208
208
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
A Survey on Digital Forensics Trends
1Mohsen Damshenas,
2*Ali Dehghantanha,
3Ramlan Mahmoud
1, 2, 3 Faculty of Computer Science and Information Technology, University Putra Malaysia
*Corresponding Author
[email protected], {alid, ramlan}@upm.edu.my
1. ABSTRACT Digital forensic has evolved from addressing
minor computer crimes to investigation of
complex international cases with massive effect
on the world. This paper studies the evolution of
the digital forensic; its origins, its current
position and its future directions. This paper sets
the scene with exploring past literature on digital
forensic approaches followed by the assessment
and analysis of current state of art in both
industrial and academic digital forensics
research. The obtained results are compared and
analyzed to provide a comprehensive view of the
current digital forensics landscape. Furthermore,
this paper highlights critical digital forensic
issues that are being overlooked and not being
addressed as deserved. The paper finally
concludes with offering future research
directions in this area.
Keywords Digital Forensic, Mobile Device Forensic,
Forensic Framework, Network Forensic, String
Analysis
2. INTRODUCTION The term computer crime, first used in 1976 in a
book by Donn Parker titled “crime in computer”
[1],[2] stepped into the legal system by Florida
Computer Crimes Act 1978 dealing with
unauthorized deletion or modification of data in
a computer system [3]. However, the first actual
computer analysis and response team was
established by FBI in 1984 to conduct advanced
digital forensic investigation of the crime scenes
[4].
One of the first complicated digital forensic
investigation cases was performed in 1986,
pursuing a hacker named Markus Hess [5]. Hess
had gained unauthorized access to Lawrence
Berkeley National Laboratory (LBL) and was
detected and investigated by Mr. Clifford Stoll.
At the time of the incident, there was not any
standard digital forensic investigation
framework in place so Clifford had to do the
investigation on his own. As Clifford’s objective
was discovering the identity of the hacker, he
did not change anything in the system and only
collect the possible traces. By tracking the
hacker for months using so called alarms which
send notification when the attacker was active,
he finally managed to discover the identity and
location of the attacker by cooperation with the
FBI and the Telco Company. Since the case was
involved different military, academic and
individual bodies in U.S and Germany the
jurisdiction of the case became a big issue [6].
The day by day improvement of digital devices
makes digital crime way more complicated than
it was back in 1986. Nowadays crimes are
happening over cloud which mandates cross
national forensic investigation. It is therefore an
essential demand for the security experts to
realize their strengths in investigation of
complex digital crimes via studying the history
and current trends in the field. Specialists need
to understand that digital forensics is not about
looking at the past because of having an attack
history; neither looking at the present in fear of
being attacked; nor about looking at the future
with uncertainty about what might befall us but
about to being ready all the times for the moving
target.
This survey offers a critical review and
investigation over:
Origins of digital forensics
its evolvement to its current the current
position
And its future trends and directions
Vividly, using a map without knowing the
current position is difficult; realizing the future
can only be possible if the current and the past
are clear. Hence, section 2 of this paper rectifies
history of events and researches in the field in
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
209
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
the period of 2002 to 2007 while section 3
concentrates only on recent research works in
the period of 2008 and 2013 and offers
categorization of major fields and a statistical
comparison between industrial and academic in
the field. Finally, we look into overlooked issues
and offer several future research directions in the
field.
3. DIGITAL FORENSICS: THEN The formal beginning of academic community
research in the area of digital forensic
investigation was in 2002 with an article called
“Network Forensics Analysis” authored by
Corey et al. [7] who studied Network Forensic
Analysis Tool (NFAT) and highlighted its
benefits in regard to traffic capture, traffic
analysis and security issues.
In 2004, Stevens [8] illuminated the issue of
comparing and correlating time stamps between
different time sources and proposed a clock
model to address these timing issues by
simulating the behavior of each independent
time stamp (A.K.A independent clock). This
model can be used to remove the expected clock
errors from time stamps and develop a more
accurate timeline analysis of the events. Forte
[9] studied tools and techniques which were
widely used for digital forensic investigation
namely “GLIMPSE” and “GREP” and explained
their syntax and applications. GREP as one of
the most popular text search tool was covered
comprehensively in this article. Carrier and
Grand [10] studied the essential requirements for
volatile memory acquisition and proposed a
hardware based method to acquire memory data
with the least possible changes. This method
employed a hardware expansion card (PCI slot
card) to create a forensic image of volatile
memory with the push of a button. However,
this technique required pre-installation of the
card on the victim machine. Mocas [11]
identified basic properties and abstractions of
digital forensic investigation process and
proposed a comprehensive framework for
unifying all characteristics of digital forensic.
Vaughan [12] presented a methodology for
evaluating the evidential value of an Xbox game
console system. Moreover, he proposed a
methodology for evidence extraction and
examination from a suspect Xbox system.
Nikkel [13] outlined the forensic investigation
analysis of IP networks and domain names. This
article defined point of concerns of a presence
which automatically collects evidences related to
the Internet presences, time-stamped these
evidences, store the evidences in a neat manner,
generate the integrity hash checksum of the
evidence and finally produced an official report
of the discovered information. Buchholz and
Spafford [14] studied the effects of metadata on
digital forensics to find out which information
can be useful in a computer forensic
investigation. Moreover, they demonstrated
potentials of metadata in computer forensic
investigation and analyzed issues in obtaining
and storing these data.
In 2005, Francia and Clinton [15] outlined the
required resources and procedures to establish a
forensic lab and presented a cost efficient
Computer Security and Forensic Analysis
(CSFA) experimental lab design and
implementation. Nikkel [16] discussed forensic
investigation challenges in file and contents
recovery of magnetic tape data acquisition and
analysis and proposed a methodology for
determination of tapes content. Jansen and Ayers
[17] provided an overview of the available
forensic investigation tools for Personal Digital
Assistants (PDA) devices and PDAs software
and hardware. They utilized some basic
scenarios to evaluate those tools in a simulated
environment using simulated evidentiary
situations and offered a snapshot of how these
tools work under provided situations. Bedford
[18] explained the forensic investigation
challenges of Host Protected Area (HPA) in IDE
drives. The HPA is a part of a hard drive that is
hidden from the operating system and the user
whichis often used to hide sensitive data and as
such is a good source of evidence.
In 2006, Harrison [19] described a project for
explaining real-life issues in digital forensic
investigation and utilized a group-based project
for practicing computer investigation in
academic environments. Laurie [20] studied
well-known Bluetooth security flaws and
available techniques and tools to exploit those
flaws; and then discussed the effects of these
attacks on common digital forensic investigation
practices. Nikkel [21] described concepts of
distributed network-based evidences, forensic
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
210
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
techniques of evidence acquisition over the
network and the weaknesses of these techniques.
In addition, he suggested some improvements to
conquer challenges in network data collection.
Ieong [22] highlighted major principles of
digital forensic investigation and outlined eight
roles with their responsibilities in common
digital investigation frameworks. The paper
proposed a framework named FORZA which is
based on Zachman’s framework [23]. Harris
[24] studied and analyzed several anti-forensic
techniques and classified them to achieve a
standard method for addressing anti-forensics
issues and then outlined general strategies to
preserve forensic integrity during investigation.
Garfinkel [25] proposed Forensic Feature
Extraction (FFE) and Cross Drive Analysis
(CDA) techniques to analyze large data sets of
disk images and other types of forensic data.
These two methods were used for prioritizing
and systematically identifying social networks
usage in the suspect’s system. Schuster [26]
explored the structure of memory containing
processes’ data and then proposed a search
pattern to scan the whole memory dump for
traces of physical memory objects independent
of kernel’s list of memory objects. As a proof of
concept, an implementation of the technique
successfully revealed some hidden and
terminated processes and threads even after
rebooting the system. Jeyaraman and Atallah
[27] proposed an approach to examine the
accuracy and effectiveness of automated event
reconstruction techniques based on their
capabilities to identify relations between case
entities. They then quantified the rate of false
positives and false negatives and scalability in
terms of both computational burden and
memory-usage. Alink et. al., [28] introduced a
novel XML based approach for storing and
retrieving forensic traces derived from digital
evidences which was implemented in a
prototype system called XIRAF. This system
runs the available forensic analysis tools against
the evidence file and then exports the result in an
XML database. Johnston and Reust [29] outlined
procedures for investigation of an attack which
includes compromising of several systems with
sensitive data and discussed challenges involved
in this process. Mead [30] studied the National
Software Reference Library (NSRL) repository
of known software, file profiles, and file
signatures by examining the uniqueness of the
signatures produced in NSLR repository. This
repository is essentially vital for digital forensic
investigators to improve the speed of data
analysis by omitting the file analysis of trusted
files according to the retrieved hash checksum
from NSRL. Nikkel [31] presented a forensic
evidence collector tool using promiscuous
packet capture on an embedded hardware using
open source software. This tool operates as a
standalone tool in different modesandcan be pre-
configured by the investigator.
In 2007, Wang et al. [32] analyzed methods and
applications of cryptography in digital forensic
investigation, and highlighted differences
between these methods. Afterwards, the authors
discussed the weaknesses of SHA-1 and
approaches to crack SHA-1 in order to highlight
the issue of potential clashes in checksum
verification and possible effects on related
applications. Peisert et al. [33] presented the
importance of examining the order of function
calls for forensic analysis and showed its
usefulness in isolating the causes and effects of
the attack through intrusion detection systems.
This analysis, not only detects unexpected
events in the order of function calls, but also
detects absence of expected events. Castiglione
et al. [34] investigated the issues of hidden
metadata in compound documents that use
opaque format and could be exploited by any
third party. The authors proposed a
steganography system for Microsoft Office
documentsand introduced FTA and StegOle as
tools to improve the forensic analysis of
Microsoft Office documents. Murphey [35]
proposed a method to automatically recover,
repair and analyze Windows NT5 (XP and 2003)
events logs. Authors implemented a proof of
concept code to repair common corruptions of
multiple event logs in one simple step without
any manual user intervention. Spruill and Pavan
[36] studied the U3 technology for portable
applications and illustrated different artifacts left
behind from a committed crime through a
portable application. This research also
investigated some of the common applications
used on U3 drives. Turner [37] questioned
usefulness of the common digital forensic
investigation approaches in live incident
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
211
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
investigation and demonstrated the applications
of Digital Evidence Bag (DEB) storage format
in dynamic environments. Richard et al. [38]
explained Data Evidence Container (DEC)
format to bundle arbitrary metadata associated
with evidence along with the actual evidences.
Authors then explored the challenges of utilizing
this container and proposed Forensic Discovery
Auditing Module (FDAM) as a complementary
mechanism Nikkel [39] demonstrated digital
forensic investigation principles for IPv6
networks and discussed about IPv6 addressing,
packet structure, supported protocols and
information collection from public registrars
such as WHOIS. They finally presented some
IPv6 tools for collection and analysis of network
traffic and investigation of remote IPv6 nodes.
Masters and Turner [40] demonstrated
techniques of magnetic swipe card data
manipulation in different types of devices and
proposed the application of Digital Evidence
Bag (DEB) as a suitable format for bulking the
evidences obtained from a magnetic swipe card.
Lyle and Wozar [41] studied challenges in
making a forensic image of a hard disk and
addressed practical problems like resolving
some faulty sectors causing difficulties in
imaging process. Arasteh et al. [42] proposed a
formal model checking technique for forensic
analysis of system logs and provided a proof of
concept system using tableau-based proof
checking algorithm. Arasteh and Debbabi [43]
presented a forensic analysis method to extract
threads history by using threads stack. The
technique used a process model to retrieve data
from a thread stack and then compared against
an assembly model to verify extracted
properties. Schatz [44] proposed a technique for
obtaining volatile memory from arbitrary
operating systems and provide a “point in time”
snapshot of the volatile memory. Body Snatcher,
an implementation of this method was used for
presenting the proof of concept of the proposed
technique. Barik et al. [45] studied the issues of
Ex2 file system in terms of authenticity of the
OS created timestamps andproposed a solution
to preserve authentic date and time stamp for the
studied issues using Loadable Kernel Modules
(LKMs).
An overview of the above mentioned researches,
as indicated in Figure 1, shows a smooth growth
in the number of digital forensic investigation
research articles published in main relevant
journals namely "Digital Investigation",
"Information Forensics and Security, IEEE
Transactions on", "Computers & Security",
"Computer Law & Security Review",
"Multimedia Tools and Applications",
"Computer Standards & Interfaces", "Computers
& Mathematics with Applications",
"Information Sciences", "Selected Areas in
Communications, IEEE Journal on".
Figure 1: number of articles in digital forensics in the period of 2002 – 2008
(No articles matched our search criteria in 2003)
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
212
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
All the studied articles are extracted by
searching the term “forensic” in the abstract of 4
main computer science indexing services known
as Science Direct, Springer, IEEE and ACM;
though the search was limited only to articles
published in computer science during the period
of 2002 – 2008.
4. NOW From the very first days of digital forensic
investigation’s life up to now, there were vast
improvements in digital forensics techniques
ranging from recovering deleted evidences and
searching the megabytes storage devices to deal
with petabytes storage devices [46], cloud based
investigations [47], mobile device examinations
[48], wireless network investigations [49], and
database forensics [50]. Generally, the current
perspective of digital forensic investigation can
be categorized into four main types namely
Computer Forensic, Smart Device Forensic,
Network Forensic and Database Forensic.
Among mentioned categories, computer
forensics has attracted the most attention of
academicians and professionals. On the other
hand, digital criminals and intruders are trying to
minimize footprints of their actions utilizing
anti-forensic techniques. Some of the common
approaches of anti-forensics are using
cryptography [51], steganography [52], meta-
data tempering [53], program packing [54],
generic data-hiding [52], and even disk
sanitizing [55], [56].
In spite of all studies in the field of digital
forensic investigation we are yet to have a
comprehensive reliable study which offers
analysis of related scientific research trends in
the field. To address the aforementioned issue,
we started this survey with searching in
computer science research journals indexed by
four main scientific database namely Science
Direct, Springer, IEEE and ACM for papers
published in the period of Jan 2008- Mar 2013
that include “forensic” as an author keyword or
in the paper abstract. The result of the search
contained articles published in main journals in
the field namely "Digital Investigation",
"Information Forensics and Security, IEEE
Transactions on", "Computers & Security",
"Computer Law & Security Review",
"Multimedia Tools and Applications",
"Computer Standards & Interfaces", "Computers
& Mathematics with Applications",
"Information Sciences", "Selected Areas in
Communications, IEEE Journal on".
After several brainstorming sessions to identify
main journals in the field, it was decided to keep
our focus only on journals which published 2 or
more papers in our searching period as shown in
Table 1.
Table 1 – Final result of participated Journals with number of related papers in each
Journal Name Number of Related Papers
Digital Investigation 117
IEEE Transactions on Information Forensics and Security 20
Computers & Security 9
Computer Law & Security Review 4
Multimedia Tools and Applications 3
ACM Computing Surveys 2
Computer Standards & Interfaces 2
Computers & Mathematics with Applications 2
Information Sciences 2
Personal and Ubiquitous Computing 2
IEEE Journal on Selected Areas in Communications 2
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
213
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Figure 2 – Number of forensics relevant papers from Jan2008 –to Mar2013
Figure 2 offers a ratio of the position; “Digital
Investigation” journal (indexed in “Science
Direct”) with 117 published articles (66% of
total articles in the studied period) has the
highest number of published articles followed by
“IEEE Transactions on Information Forensics
and Security” journal (indexed in “IEEE”) with
20 published articles (12% of total articles in the
studied period) and “Computers & Security”
journal (indexed in “Science Direct”) with 9
articles (5% of total articles in the studied
period).
Not being an exception, this research faced some
limitations. The main limitation of this study
was to include all perspectives of digital forensic
using trust worthy sources. The most important
selection factor for us was creditability of our
sources so we can provide a trustable review of
current forensics landscape. As such, we just
selected papers from reputable sources which
indirectly implicates that we ignored possibly
relevant papers which were not published in
reputable sources. Selecting journals was not
only based on the mere number of articles they
published (2 or more) in a specific period (2008-
2013), but to make sure only papers of very
relevant journals which are reflecting realistic
view of the field are selected. Moreover, to
improve the reliability of the given perspective
in addition to reputable academic sources some
articles from the SANS reading room were
included as the representative of the industrial
research.
4.1. Results Obtained The data collection process began with
brainstorming among authors to identify major
types of digital forensic investigation to classify
and rank research papers appropriately. For
example, all topics related to smartphone
investigation, iPad data acquisition, GPS data
analysis and similar subjects were categorized
under mobile forensics. ISO9660 analysis, meta-
data analysis, cluster and all investigations
relevant to the science of file systems grouped as
file system forensics. The same approach was
taken for all other categories as well as shown in
Figure 3. Finally, papers in topics like digital
audio forensics, malware forensics [57],
database forensic and cloud forensic which were
not fall in previously mentioned categories and
there were 5 or lesser papers in those topics were
grouped as “Others” as shown in Figure 4.
Identification of general categories was more
difficult than it was expected as there were
difficulties in categorizing inter-disciplinary
papers or papers with wide range of focus. For
example, papers under collecting volatile
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
214
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
memory of mobile phones could be categorized
in both volatile memory acquisition and in
mobile phones investigation category.
Obviously, we could not count a paper multiple
times and in such cases, the team carefully read
the paper thoroughly to find out the major focus
of the paper with specific attention to the paper
abstract, keywords and conclusion. Afterwards,
we categorized the paper in the most relevant
category. It is notable that, the classification of
this study is exclusively the opinion of the
authors and although all relevant scientific and
statistical techniques were employed to ensure
correctness and comprehensiveness of the study
but all conclusions are subjective to author’s
view-points only. Moreover, there were several
publications contain news section or discussion
that cannot be qualified to be called full article.
Each of these papers were analyzed carefully
and included in this survey if they offer valuable
knowledge or results about the current state of
the art in digital forensic.
When investigating each of the journals
separately, it is interesting to note different
topics emphasized in each journal. Table 2 lists
the number of publications in each journal in
each topic. Outstanding result indicates that the
“Digital Image Forensic” topic took the lead
with 20 articles, followed by “Mobile Device
Forensic” with 14 articles, “forensic framework”
at 12, “forensic tools” and “file system forensic”
both at 9 that constitute the top six topics. In
“IEEE Transactions on Information Forensics
and Security”, articles on anti-forensics were
more than all other categories (3 articles),
followed by “digital image forensic”, “forensic
tools” and “string analysis” with only 1.
Figure 3 – Digital forensic investigation categories in period of 2008 - 2013
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
215
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Figure 4 – Digital forensic investigation topics with less than 5 papers (“Other” category)
Table 2 – List of journals and number of published articles grouped by the category
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
216
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
4.1.1. Topics covered by SANS This subsection of the study analyzes articles
published in the SANS reading room as a well-
established organization known as a pioneer in
non-academic digital forensic investigation
research. SANS papers are considered as a
reliable source for studying industrial digital
forensic research trends. However, the quantitiy
of SANS forensics articles is just a few in
compare to the academic journals as publication
is not included in the main duties of the
forensics practitioners.
We have identified 24 papers in SANS reading
room and categorize them similar to the
academic papers. The outcome includes “File
Forensic”, “File System investigation”,
“Forensic Framework Development”, “Forensic
Tools Investigation”, “Legal Aspects of Digital
Forensics”, “Mobile Device Investigation”,
“Operation System Investigation”, “Database
Investigation”, “Network Investigation”,
“Steganography” and “String Analysis”
categories as shown in Figure 5.
Figure 5 – Categories of SANS articles
The further analysis of the SANS articles
indicates the differences between academic and
industrial research trends. The results show that
the share of forensic framework, network
forensic and forensic tools from overall SANS
articles is %21, %17 and %17; while they have
only %8, %5 and %8 of academic journals. On
the other hand, in academic environment, digital
image forensic, mobile device forensic and
forensic tools were the leading topics.
Figure 6 is the result of comparing the common
topics between SANS and academic journals
while the SANS topics lacks some of the topics
covered in academic environments. Figure 7
clearly indicate the results by providing the
share of each topic in SANS and academic
journals.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
217
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Figure 6 – Comparison of common categories in academic and SANS publications in term of number of
articles
Figure 7 – SANS vs. Academic Journals (the “Other” in academic journals indicates the topics which
were not covered in SANS articles)
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
218
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
4.2. Discussion and Analysis In this section, we offer detailed analysis of
each of 10 most categories identified in the
previous sections namely digital image forensic,
mobile device forensic, forensic tools, volatile
memory forensics, network forensics, anti-
forensic, data recovery, application forensics,
file system forensics and forensic frameworks.
We critically analyze trends and current state of
the art in each category and rectify possible
future trends.
4.2.1. Digital Image Forensics Since the wild increase in usage of digital
images, the crimes involving digital images such
as image forgery are increased consequently and
detection of the image tampering brought many
difficulties to forensic investigators and forensic
researchers. The major detectable research
topics in digital image forensics are image
authenticity, image correction, steganography,
image processing and source detection.
Image authenticity as the most popular topic in
Digital Image Forensic category concerns about
the reliability of the evidence. Amerini et al.
[58] proposed a SIFT based algorithm to detect
multiple copy-move attacks on an image. This
technique extracts and matches the image
features to identify similar local region on the
image and then makes a hierarchical cluster of
the extracted features to identify the cloned
areas. In case the image is classified as
unauthentic, the geometrical transformation will
be identified to discover the original area and the
copy-moved area. Gou et al. [59] introduced a
source identification technique with the ability
of recognizing various post-processing
operations on scanned image. Utilizing the noise
analyses through wavelet analysis, neighborhood
detection and image de-noising, made this
approach capable of detecting the model of
scanner used to scan the image and type of the
image source (scanner, digital camera or
computer generated). Chen et al. [60] introduced
a source digital camera identification technique
with integrity verification capability based on
Photo Response Non-uniformity Noise (PRNU)
imaging sensor fingerprint. The PRNU is
generated through the maximum likelihood
principle derived from normalized model of the
sensor output and then compare to a pre-
generated experimental dataset. Yuan [61]
introduced a novel method for detection of
median filtering in digital images. The key
points of this method were the capability of
median filtering detection for low resolution,
JPEG compressed images, and tampering
detection in case a median-filtered part is
inserted in a non-median-filtered image and vice
versa. Mahdian and Saic [62] studied the
addition of locally random noise to tampered
image regions for anti-forensic purposes and
introduced a segmentation technique for
dividing the digital image into various partitions
based on homogenous noise levels. Their novel
approach utilized tiling the high pass wavelet
coefficients at the highest resolution with non-
overlapping blocks, to estimate the local noise
level and median based method to estimate the
standard noise level of the image. Farid and
Bravo [63] introduced a novel methodology for
computer aided differentiation of photorealistic
computer generated images and photographic
image of people using images with different
resolution, JPEG compression, and color
mixture of the image. Kornblum [64] studied the
quantization tables in JPEG compression and
explained how quantization tables can be used
for differentiating between images processed by
software and intact images. Authors utilized
other factors such as the presence or absence of
EXIF data, signatures of known programs, and
color signatures of real skin to increase the
success rate of the detections. Mahalakshmi et
al. [65] proposed an approach for detection of
image manipulations through available
interpolation related spectral signature method.
This method could detect common forgeries like
re-sampling (rotation, rescaling), contrast
enhancement and histogram equalization.
Moreover, a set of techniques were introduced
for detection of global and local contrast
enhancement and histogram equalization.
Source detection explicitly tries to identify the
source device with which the image is taken or
edited. Tsai et al. [66], the author employed
support vector machines and decision fusion to
identify the camera source model of an image.
The evaluation result of the proposed model
indicates 91.66% accuracy for images take by 26
cameras. Choi et al. [67] proposed a new
approach for color laser printer identification of
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
219
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
an unknown printed image, based on the noisy
texture analysis and support vector machine.
This method identifies the invisible noises of the
schema according to wiener-filter and the 2D
Discrete Wavelet Transform (DWT) filter and
then the texture of the noise is analyzed via gray
level co-occurrence matrix (GLCM).
Image processing involves the analysis of the
image to find specific patterns for variety of
purposes. Islam et al. [68] proposed a framework
for detection of children skin in images which
utilized a novel vision model based on the
Markov Random Fields (MRF) prior by
employing a skin model and human affine-
invariant geometric descriptor to identify skin
regions containing pornographic. Steel and Lu
[69] proposed a system called Automated
Impersonator Image Identification System
(AIIIS), which tracks the used image in
impersonation attack back to the original source
by employing digital watermarking technique.
This technique it encoded access details of the
image (like IP address, server and the download
date-time) and download them to the image. In
[70], the author utilized demosaicing artifacts to
identify the digital camera model. The process
includes estimating demosaicing parameters,
extracting periodicity features of the image for
the purpose of detecting simple forms of
demosaicing and finally defining a set of image
characteristics as features to be used for
designing classifiers that distinguish between
digital cameras.
Image correction as another hot topic in image
forensic, mainly intends to ease the analysis of
the image. Tang et al. [71] developed a
Knowledge Based (KB) approach to remove
JPEG blocking artifacts in skin images. The
approach utilized a Markov model based
algorithm and a one-pass algorithm to
implement the inference; plus a block synthesis
algorithm for handling the cases with no prior
record in dataset. Moreover, in order to reduce
the search time in the dataset, the author
proposed a multi-dimension indexing algorithm.
Lin et al. [72] introduced a method for detecting
the image source encoder alongside the
estimation of all coding parameters based on the
intrinsic fingerprints of the image source
encoder. The evaluation of this approach
indicated the success rate of more than 90% for
transform-based encoders, sub-band encoders,
and DPCM encoders when PSNR is higher than
36dB.
Steganography as one of anti-forensic
techniques in digital images plays a significant
role for identification of the evidence. Huang
[73] provided a solution for detection of double
JPEG compression using the “proper” randomly
perturbed ratio. This approach is highly
dependent on finding the correct ratio; thus a
novel random perturbation strategy is utilized on
the JPEG coefficients of the recompressed
image. Kirchner and Bohme [74] challenged the
current image tampering detection techniques by
presenting types of image transformation
operation that cannot be detected using the
available resampling detection tools. Among
these attacks, resampling with edge-modulated
geometric distortion and the dual-path approach
are nearly impossible to be detected.
4.2.2. Mobile Device Forensics Due to the wild incline in usage of mobile
devices such as smart phones, tablets and GPS
devices, investigation of such devices is
significantly vital; thus obtaining and analyzing
the evidence from mobile devices has a great
value. In continue Mobile live memory, Mobile
forensic framework, Mobile forensic tools and
Mobile on-scene triage topics are discussed.
Mobile live memory concerns about imaging
and analyzing mobile devices volatile memory.
In [75] the authors presented a novel approach to
obtain forensic image of an Apple iPad device
through iPad camera connection kit and a USB
storage device. The results of the evaluation
indicated that this method can obtain image up
to 30 times faster than acquiring image through
the usual method utilizing Wi-Fi channel. Thing
et al. [76] proposed a system for real-time digital
forensic analysis of mobile memory with
focusing on dynamic properties of memory. The
system evaluation consists of investigation of
different communication variables (i.e. message
length, message interval, dump interval, key-
press interval) which resulted in 95.6% and
97.8% for dump intervals of 40 and 60 seconds.
Sylve et al. [77] illustrated the process of live
memory collection of the android devices, the
new memory dump module (named DMD or
LiME (Linux Memory Extractor)) and the
challenges of device independent memory
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
220
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
acquisition; it then proposed a memory
collection method which can dump memory to
SD card or network storage. The proposed
method operates via “rooting” the android
device with methods like “Rage against the
Cage” and other privilege escalation techniques.
Depends on the type of device, utilizing the right
mobile forensic tool always plays a noteworthy
role. In [78] authors enriched their previously
published methodology for smartphone evidence
acquisition (Mobile Internal Acquisition Tool) in
term of improvements and assessments. The
MIAT can be executed from a memory card like
MMC and explores recursively the file system
tree and copy each entry to a backup volume.
The behavior of MIAT is also evaluated by
comparing to Paraben Device Seizure as a well-
known tool. Vidas et al. [79] illustrated the
digital forensics collection method of Android
device via a modified boot loader from recovery
bootimg. The advantage of this method is
mainly because it only slightly changes the
recovery partition and no user or system
partition is affected during the collection stage
of the investigation unlike normal approaches
which “root” the android device for image
acquisition.
Mobile forensic framework discusses different
procedures and frameworks for mobile device
forensics. In [80], the authors investigated the
use of mobile phone flash boxes in a forensic
framework and proposed a validation procedure
to ensure the integrity of the acquired evidence
in this new method. Unfortunately using mobile
phone flash boxes do not provide forensically
sound evidence; even though this proposed
method increased the percentage of the
reliability of the evidence, it still lacks the
sufficient evidence integrity proof and demand
to be lifted up by further research. Owen and
Thomas [81] studied the available framework
for mobile forensic investigations and
highlighted the lacks and strength of each in
comparison with the common digital forensic
investigation practices of hard disk drives.
Grispos et al. [82] compared the available
mobile forensic toolkit for discovering to what
extend these tools can operate and how much
they are reliable. The result of this comparison
indicated the limitations of using file carvers for
information recovery, conflicts of diverse
methods of information recovery, several
differences between the documented capabilities
of the CUFED and its actual performance, and
the fragility of existing mobile forensic toolkits
when recovering data from partially corrupted
file system images.
Mobile on-scene triage determines the priority
of evidence collection in mobile devices. In [48],
the author presented a methodology for
obtaining and analyzing evidences in webOS
system partition; the article provides solution for
obtaining different types of evidence (i.e. Call
logs, contacts, calendar events and etc.). The
article also provided approaches for recovering
deleted files from a webOS operating system.
Eijk and Roeloffs [83] discussed the challenges
of obtaining evidence from TomTom GPS
device and approaches to acquire volatile
memory of the device via either JTAG signals or
loading a small Linux distribution to the GPS
memory. The article described the structure of
data on GPS device and technique for analyzing
the obtained data. In [84] the author studied the
available framework for forensic investigation of
windows mobile equipped mobile phones and
showed the similarities of windows mobile
investigation with normal windows investigation
on PC systems. This work demonstrated that
Windows mobile phone investigation obeys the
common digital forensic investigation
framework and the analysis of collected data is
very much similar to windows operating system.
Mislan et al. [85] studied the on-scene triage of
mobile devices and compare its requirements
with common digital forensic investigation
requirements; it formalized the on-scene triage
process and provides guidelines for
standardization of the process. At the end, it
defined the basic requirements of an automated
on-scene triage.
4.2.3. Forensic Tools Employing different tools in the process of
digital forensic is inevitable for the investigator,
yet choosing the most suitable tool can affect the
result of the investigation. The identified
research topics of this category would be as
forensic formats, new forensic tools, and
forensic tools examination.
This topic, new forensic tools, reviews novel
tools discussed in forensic articles. In [86]
authors presented a forensic investigation tool
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
221
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
named Cyber Forensic Time Lab which help the
investigator to sort all evidences according to
their time variables for generating Temporal
analysis of the crime. Klaver [87] introduced the
forensic application of available tools on
Windows CE (Windows Mobile) after studying
the typical hardware information and software
components. The author explained the usage of
current tools for forensic investigation of
Windows CE mobile phones. Joyce et al. [88]
discussed the Mac OS x forensic investigation
approaches and introduced MEGA, a
comprehensive tool for analyzing Mac OS x
files from an image. MEGA offers ease of
access to Spotlight metadata, content search and
FileVault encrypted home directories. In [89],
authors described their novel techniques to
develop a memory analysis tool for variety of
operating systems. Inoue et al. [90] provided a
new tool for volatile memory imaging of the
Mac OS x and then compared it using four
metrics of completeness, correctness, speed and
interference. Moreover, a visualization method
called the density plot is introduced for
indicating the density of repeated pages in an
image.
There is always a demand for testing approaches
to examine the performance and accuracy of the
tools. In [91] the first generation of computer
forensic tools is challenged by the authors as
they have limitations and flaws in processing
speed, data design, auditability, task analysis,
automation and data abstraction; and then the
second generation tools requirements is
discussed and some available tools is suggested
for handling each deficiency. Pan and Batten
[92] presented a performance testing approach
for digital forensic tools offering testing with
good quality via a limited number of
observations. The proposed method is specially
designed for forensic tool testing and claimed of
being the best available software among forensic
tool performance testers.
Choosing the forensic format of the evidence has
an important role in the forensic investigation
process; in continue four novel forensic formats
are proposed by different authors. In [46], the
author introduced a redesign of the Advanced
Forensic Format (AFF) based on the ZIP file
format specification. This file format support
full compatibility with previous versions of AFF
while it offers the capability of storing multiple
type of evidence from various devices in one
archive and an improved separation between the
underlying storage mechanism and forensic
software. Garfinkel [93] studied the Digital
Forensic XML (DFXML) language and
discussed motivations, design and utilization of
this language in processing forensic
investigation information. Levine and Liberatore
[94] introduced DEX, an XML format for
recording digital evidence provenance, which
enable investigators to use the raw image file
and reproduced the evidence by other tools with
same functionality. Conti et al. [95] studied
automated tools of mapping large binary objects
like physical memory, disk image and
hibernation files via classifying of regions using
a multi-dimensional, information-theoretic
technique.
4.2.4. Volatile Memory Forensics Extracting potential evidences from volatile
memories is another challenge for forensic
investigators as the basic requirements of
knowing the structure of memory is not
satisfied. The detectable volatile memory
forensic topics are data extraction from volatile
memory, volatile memory mapping and forensic
imaging of volatile memory.
Data extraction from volatile memory involves
utilizing different tools and techniques to
analyze and obtain available evidences. In [96],
authors studied the tools and techniques of
extracting Windows registry data directly from
physical memory dump and then presented an
attack against on-disk registry analysis
techniques by modifying the cashed registry
values in physical memory. Maartmann-Moe et
al. [51] proposed a novel technique for
identification of cryptographic keys stored in
volatile memory and support the method by a
proof of concept, Interrogate, which can identify
AES, Serpent and Twofish cryptography keys.
Baar et al. [97] described a novel approach for
identifying and recovering files mapped in
physical memory to recognize the source of the
data and the usage of them via three different
algorithms (carving allocated file-mapping
structures, unallocated file-mapping structures
and unidentified file pages). Schuster [98]
studied nonpaged pool area of the physical
memory and its potential in containing massive
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
222
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
amount of information about the cunning and
even closed processes. In continue the author
demonstrated the Microsoft Windows operating
system pool allocation technique.
Volatile memory mapping is an essential
research area as it is the primary requirement for
volatile memory analysis and data extraction. In
[99], the author described an algorithm for
detecting paging structure of processes in
physical memory dump; this method is based on
hardware layer and works on both Windows and
Linux with minor tweaking. Stevens and Casey
[100] introduced a methodology for recognizing
and extracting user command line history in
Microsoft Windows operating system after
studying the structure of command line data on
physical memory dumps. At the end authors
provided a proof of concept tool for Microsoft
Windows XP. Hejazi et al. [101] introduced a
unique technique for collecting case-sensitive
information from extracted memory content
based on analyzing the call stack and security
sensitive APIs. The method is limited to
Microsoft Windows XP (SP1, SP2). In [102],
authors explained the debugging structures in
physical memory and Microsoft Program’s
Database (PDB) to extract configurations,
network activities and processes information
from any Windows NT family operating system.
J. Okolica and Peterson [103] demonstrated the
significance of the clipboard information in
digital forensic investigation and described the
structure and the procedure of retrieving
copy/paste information from Microsoft
Windows XP, Vista, and 7. This technique can
obtain information from the software which the
data have copied from (i.e. Notepad or
WordPad). J. Okolica and Peterson [104]
proposed a novel efficient methodology for
reverse engineering the Windows drivers and
dynamic link libraries. In addition, the authors
have revealed the network connection
information structure on physical memory which
eases the analysis part of the investigation.
Even though there is a lack of scientific forensic
imaging technique for volatile memories, there
is only one research found in the scope of this
survey. Rabaiotti and Hargreaves [105]
presented a novel method for obtaining forensic
image of an embedded device by exploiting a
buffer overflow vulnerability and execute
customized code for creating the image of the
console memory. The current work only covered
Microsoft Xbox gaming console while the idea
is applicable to any type of embedded device.
4.2.5. Network Forensics Obtaining evidences from network traffics is a
great challenge for investigators mainly due to
the live characteristic of network packets.
Beverly et al. [106] showed that IP packets,
Ethernet frames and other network related data
is available in physical memory and these data
can be retrieved from hibernation files or
memory images. Additionally, the authors
proposed the network carving algorithm,
techniques and essential tools to identify and
extract the information. Thonnard and Dacier
[107] presented an analysis framework for
extracting known attack patterns from massive
amount of honeynet data sets. This method
allows the analyst to select different feature
vectors and appropriate similarity metrics for
creating clusters. Shebaro and Crandall [108]
described the privacy related challenges of
network flow recording for different purposes
and then introduced a network flow recording
technique by utilizing identity based
cryptography and privacy preserving semantics.
Zhu [109] introduced an iterative algorithm to
discover network based attack patterns via
network traffic logs; this method used a unique
feedback mechanism to propagate the chance of
being under attack or suspicious score and then
pass it to the next iteration without any
dependency to human supervision (i.e. defining
threshold).
Tracking the source of traffic in networks is
another challenge when network address
translation and other types of network services
interfere in the communication. In [110], the
author studied the forensic investigation
challenges of Network Address Translation
(NAT) service enabled networks and proposed a
model and algorithm for discovering of observed
traffic into the source behind the NAT; the
model used specific correlation of NAT gateway
artifacts left overs to identify the source.
Takahashi et al. [49] focused on reviewing IEEE
802.11 wireless network characteristics based on
the traffic pattern of nodes; in order to recognize
user fingerprints, rogue access points and media
access control protocol missuses. Hsu et al.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
223
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
[111] proposed a forensic approach for
identifying the voice over IP (VoIP) call source
via network operators (NWO) and service
providers (SvP) without depending on routers
logs.
4.2.6. Anti-Forensic The procedure of forensic investigation can be
affected by the criminals via anti-forensic
action; researchers challenge the integrity of
forensic process by demonstrating new types of
anti-forensic method. Evidence collection and
common attacks are two identified topics in this
area. Distefano et al. [112] analyzed anti-
forensic attacks on mobile devices and presented
some fully automated examples of these attacks.
The authors then examined the effectiveness and
strength of the implementations, by using them
against cursory examination of the device and
tools for obtaining the internal memory image.
Sun et al. [113] proposed two anti-forensic
steganography approaches based on exploiting
modification direction (EMD) technique for
storing and extracting data in image. The
highlight of EMD (HoEMD) and the adaptive
EMD (AdEMD) are high efficient and high
quality methods introduced in this work. Stamm
and Liu [114] introduced anti-forensic
approaches for removing forensically important
indicators of compression such as image
compression history from an image. This
technique utilized a novel approach to identify
and omit the compression fingerprints of an
image’s transform coefficients. Khan et al. [115]
presented a novel approach to hide data in a
deniable way (to use plausible deniability) by
storing sensitive data on a cluster based
filesystem; to do so, a covert channel encodes
the data via altering the fragmentation pattern in
the cluster distribution of the secret file.
Rekhis and Boudriga [116] studied the digital
forensic investigation techniques of anti-forensic
attacks and then characterized secure evidence,
provable and non-provable attacks. As the main
contribution of this research, the authors
developed an anti-forensic attack aware forensic
approach using a state-based logic. Casey et al.
[117] explained the challenges of full disk
encryption (FDE) for digital forensic
investigators and provided a guidance to take
necessary items from the crime scene, to ease
the access to encrypted data or live forensic
acquisition of the running system. The provided
measures can help obtaining evidences in an
unencrypted state or finding the encryption key
or passphrase.
4.2.7. Data Recovery As one of the most essential stage of evidence
identification and collection, data recovery can
be affected by different variables like file system
type; below some of the data recovery
techniques are reviewed. In [118], the author
analyzed the main properties of the Firefox
SQLite database and its use in forensic
investigation. Moreover, a novel algorithm is
proposed to recover deleted records from
unallocated space based on the fact that Firefox
utilizes temporary transaction files. Jang et al.
(Jang et al., 2012) described the integrity issue
of forensic image corruption after acquisition
and provided a novel algorithm for recovering
and protecting the evidence image using
recovery blocks. The recovery process is
applicable when data blocks (generate by
recovery blocks) are damaged. Yoo et al. [119]
highlighted the challenges of multimedia file
carving and NTFS compressed file carving; and
proposed solutions for these challenges. The
solution for multimedia file carvings is based on
the characteristics of AVI, WAV and MP3 files.
In [120], the author discussed the structure of
Windows registry data and the behavior of
Windows in deleting the registry records. In
continue a technique is developed for identifying
the deleted Windows registry records and
recovery of deleted keys, values and other
attributes of records. Garfinkel et al. [121]
studied the usage of cryptographic hashes of
data blocks for finding data in sectors and
introduced the concept of “distinct disk sector”.
Moreover it provided some approaches for better
detection of JPEG, MPEG and other compressed
data files. Chivers and Hargreaves [122]
explored the structure of Windows search
database and the challenge of recovering the
deleted records after the file is deleted; it then
proposed a novel record carving approach for
identifying and recovering the deleted database
records from database unused space or
filesystem. King and Vidas [123] compared the
solid state disk (SSD) with normal HDD and
proved the TRIM command can affect the
investigation process. The analysis from 16
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
224
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
different disks shows that TRIM enabled disks
has almost 0% recoverable data while the SSDs
with disabled TRIM has the average of %100
success rate.
4.2.8. Application Forensics The forensic investigation of applications is
quite advantageous as these applications usually
store specific evidences. Identifying and
collecting these evidences demands for prior
research on the application behavior. In [124],
the authors studied Internet Download Manager
(IDM) activities recorded and effects on
different files such as log files, Windows
registry and history from artifacts point of view.
This study demonstrated approaches and told to
detect different attributes of download requests
like URL, download time and login credentials.
Garfinkel (Garfinkel, 2012b) shared the
experience of construction a Korean Reference
Data Set (KRDS) based on National Software
Reference Library RDS (NSRL RDS) and
developed a model for both effective importing
of NSRL data sets and adding Korean specific
data sets. Lallie and Briggs [125] explored three
well-known peer-to-peer network clients
(BitTorrent, µTorrent and Vuze) and analyzed
their artifacts on Windows registry using the
effects created by installation and working with
these clients.
In [126], the authors outlined the significance of
web browsers in forensic investigation and
proposed a methodology for evidence collection
and analysis from web browsers log files.
Lewthwaite and Smith [127] looked into the
Limewire artifacts remained in Windows
registry and other log files. It also has developed
a tool, AScan, to identify and recover evidences
from unallocated spaces and slack spaces of hard
disk drives. Fellows [128] described the
significance of recovering the WinRAR
temporary files and studied the behavior of
WinRAR in creating these temporary files. The
results of this research indicated that there is a
chance to detect and recover the evidence file
from deleted temporary folders while the
original file is protected by cryptographic
solutions.
4.2.9. File System Forensics Conducting research on file systems structures
and attributes is extremely important mainly due
to the need to extract evidence from these file
system which can be failed in case of unknown
file systems. In [53], the authors studied the
structure of file time attributes in the NTFS file
system and analyzed the modifications in access,
modification and creation time attributes of
files/folders by the user under different
operating system. Grier [129] proposed a
methodology for examining filesystems and
detecting emergent patterns unique to copying
via stochastically modeling filesystem behavior
through routine activity and emergent patterns in
MAC timestamps. Beebe et al. [130] explained
the functionality, architecture and disk layout of
ZFS file system and then discussed the forensic
investigation methods available for ZFS. This
work also brought some of the forensic
challenges of ZFS to light. Carrier [131]
investigated the credibility of ISO9660 file
system in forensic investigation and the fact that
this file system can be used for data hiding. The
details of data hiding process is studied and then
used to create an image with hidden data for
examining the available forensic toolkits.
In [132], authors presented a novel approach to
identify the disk cluster size without relying on
meta data of file system; instead, by detecting
the difference between the entropy difference
distributions of the non-cluster boundaries and
cluster boundaries. Kavallaris and Katos [133]
introduced a technique for identification of past
pod slurping type of attacks using information
stored in filesystem time stamp. This technique
infers a file’s transfer rate from access time
attribute and correlate it to the common rate of
the suspicious USB (obtained from Windows
registry) to identify the victim USB device.
4.2.10. Forensic Frameworks Obviously, the forensic frameworks are the basis
of the forensic process and developing new
frameworks can guarantee the adaptation of
forensic science with new technologies. In
[134], authors made an extensive survey of
available network forensic framework
implementations and proposed a generic digital
forensic investigation model with comparison to
the available models. Finally, the
implementation techniques of the proposed
model are discussed. Beckett and Slay [135]
highlighted the demand for adapting the new
technologies with the science of forensic
investigation so the digital forensics becomes a
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
225
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
true forensic science. This article examined the
roots of scientific methods to establish principles
of digital forensic as a science.
In [136], authors discussed the lack of
standardized data sets, corpora, as a necessary
requirement of forensic research; and presented
a taxonomy for defining several available
corpora. Guo et al. [137] studied the scientific
description of computer forensic characteristics
via identifying the basic functionalities of
computer forensic investigation procedure; and
introduced a functionality oriented validation
and verification framework for digital forensic
tools by using function mapping approach.
Shields et al. [138] proposed PROOFS, a
continuous forensic evidence collection tool,
which utilizes data retrieval methods on file
system forensic. PROOFS generate and save
signature for files that are copied, deleted or
altered6 over the network.
In [139], the authors analyzed the possible
effects of a fictitious P2P model on committing
a copyright violation crime while dealing with
the illegal distribution of digital contents. Cohen
et al. [140] introduced an open-source enterprise
forensic investigation tool that provides remote
access to memory and raw disk on multiple
platforms. In continue, it described the
architecture of the tool and how it performs
enterprise forensic investigation regularly.
Kahvedžić and Kechadi [141] presented a novel
digital investigation ontology (DIALOG) for the
management, reuse and analysis of digital
investigation knowledge via creating a general
vocabulary capable of describing the
investigation at any level. Case et al. [142]
explained the issue of correlation between
digital investigation tools and then proposed a
framework for automatic evidence identification
with support of different targets. The
implemented prototype presents the integrated
analysis of configuration log file, memory
image, disk image and network traffic captures.
In [143], the author shared the experience of
forensic investigation of a commercial closed
circuit television digital video recorder by using
raw disk analysis of the storage disk. The result
of investigation showed that with extra effort on
processing the raw video data, it might be
possible to extract the evidence in cases where
the recording device is not functional. Kao et al.
[144] proposed three analytical tools for
clarifying forensic investigation issues of
cybercrime using three strategies: Multi-faceted
Digital Forensics Analysis (MDFA), Ideal Log
and M-N model; in same order, they covered the
basic elements of cyber-crime using new
definitions of the forensic investigation,
traceable elements of the evidence, and finally
the ISP log records. Serrano et al. [145]
designed a multi-agent system (MAS)
debugging framework for developing a forensic
analysis (in cases where MASs indicate complex
tissues of connection among agents) by utilizing
the pathfinder networks (PFNETs).
4.3. Critical overlooked issues Privacy issues caused by digital forensic
investigation is one of the topics which deserves
more research in future as the issue rises where
the investigation can threat the secrecy of
unrelated data. The same challenge became even
more complicated when the cloud computing
and massive shared resources get involved.
Neglect in conducting effective researches may
lead to a direct conflict with citizens` right of
privacy can cause the digital forensic face a
deadlock where the law enforcers cannot
differentiate between potential evidences and
other private data. Studying the available works
in users right of privacy shows that the solution
can be in successful identification of related
evidence objects based on existing privacy
policies. The current feasible solution is using
formal method to tag pieces if data according to
the privacy policy and only then start collecting
evidences [146], [147].
Thanks to cloud computing concept, many
conflicts introduced to the digital forensic
investigation [148]–[150]. The jurisdiction of
the data is one of the most challenging topics
which seem to be overlooked. The digital
forensic community should realize that this
conflict will cause massive obstacle in legal
aspects of the investigation. Developing a
suitable cross national low is one of the solution
which has been working on in the past couple of
years but it demands much more affords to be
feasible [151], [152].
Moreover, only a few articles discuss digital
forensic investigation science and digital
forensic awareness. It is utterly vital to
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
226
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
understand that the bests of forensic frameworks
may have conflicts with the true nature of
forensic science; the majority of these conflicts
end up affecting the integrity of precious
evidence. As an instance, imaging the physical
memory in a forensic manner is one of the
challenges which did not attract much of the
researchers` attention. It is for this reason that
forensic science has emerged as a significant
aspect of digital forensics. A well-conducted
awareness campaign can help teach and make
digital investigators and forensic researchers
aware of these challenges. This may also help to
update the investigators about the latest
technologies and their new conflicts with
forensic investigation disciplines on a regular
bases; not only a once-off exercise.
5. CONCLUSION AND FUTURE WORKS Digital crime is a moving target, from the era of
telephone hackers up to the current state of the
complex malware intrusions. With new
developments and innovations, new types of
crime came along. This survey result has shown
that as we entered the twenty-first century, the
scope of digital forensic investigation has
widened and its focus is fast shifting toward
mobile device and cloud based investigations.
Digital forensics now requires a more
coordinated and focused effort from the national
and international society, governments and the
private sector. It is no coincidence that the study
shows a shift towards mobile device and cloud
forensic while the true nature of forensic science
becomes the essence of investigation
frameworks. This survey results have also
shown that most of today’s forensic challenges
are to a greater extent in direct conflict with
common digital forensic practices. All indicators
points to a scientific approach in the future
development of the digital forensic discipline.
However, as we move forward to address the
new challenges it is also critical that we continue
strengthening the technologies. Finally, New
research efforts is required that minimize the gap
between regulatory issues and technical
implementations.
6. REFERENCES [1] M. Pollitt, “A History of Digital
Forensics,” in Advances in Digital
Forensics VI, vol. 337, K.-P. Chow and
S. Shenoi, Eds. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2010, pp. 3–
15.
[2] D. B. Parker, Crime by computer.
Scribner, 1976.
[3] E. Casey, Digital Evidence and
Computer Crime. Academic Press, 2004.
[4] P. Sommer, “The future for the policing
of cybercrime,” Computer Fraud &
Security, vol. 2004, no. 1, pp. 8–12, Jan.
2004.
[5] S. L. Garfinkel, “Digital forensics
research: The next 10 years,” Digital
Investigation, vol. 7, Supplement, pp.
S64 – S73, 2010.
[6] C. Stoll, “Stalking the wily hacker,”
Communications of the ACM, vol. 31, no.
5, pp. 484–497, May 1988.
[7] V. Corey, C. Peterman, S. Shearin, M. S.
Greenberg, and J. Van Bokkelen,
“Network forensics analysis,” IEEE
Internet Computing, vol. 6, no. 6, pp. 60
– 66, Dec. 2002.
[8] M. W. Stevens, “Unification of relative
time frames for digital forensics,” Digital
Investigation, vol. 1, no. 3, pp. 225–239,
Sep. 2004.
[9] D. Forte, “The importance of text
searches in digital forensics,” Network
Security, vol. 2004, no. 4, pp. 13–15,
Apr. 2004.
[10] B. D. Carrier and J. Grand, “A hardware-
based memory acquisition procedure for
digital investigations,” Digital
Investigation, vol. 1, no. 1, pp. 50–60,
Feb. 2004.
[11] S. Mocas, “Building theoretical
underpinnings for digital forensics
research,” Digital Investigation, vol. 1,
no. 1, pp. 61–68, Feb. 2004.
[12] C. Vaughan, “Xbox security issues and
forensic recovery methodology (utilising
Linux),” Digital Investigation, vol. 1, no.
3, pp. 165–172, Sep. 2004.
[13] B. J. Nikkel, “Domain name forensics: a
systematic approach to investigating an
internet presence,” Digital Investigation,
vol. 1, no. 4, pp. 247–255, Dec. 2004.
[14] F. Buchholz and E. Spafford, “On the
role of file system metadata in digital
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
227
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
forensics,” Digital Investigation, vol. 1,
no. 4, pp. 298–309, Dec. 2004.
[15] G. A. Francia and K. Clinton, “Computer
forensics laboratory and tools,” Journal
of Computing Sciences in Colleges, vol.
20, no. 6, pp. 143–150, Jun. 2005.
[16] B. J. Nikkel, “Forensic acquisition and
analysis of magnetic tapes,” Digital
Investigation, vol. 2, no. 1, pp. 8–18, Feb.
2005.
[17] W. Jansen and R. Ayers, “An overview
and analysis of PDA forensic tools,”
Digital Investigation, vol. 2, no. 2, pp.
120–132, Jun. 2005.
[18] M. Bedford, “Methods of discovery and
exploitation of Host Protected Areas on
IDE storage devices that conform to
ATAPI-4,” Digital Investigation, vol. 2,
no. 4, pp. 268–275, Dec. 2005.
[19] W. Harrison, “A term project for a course
on computer forensics,” Journal on
Educational Resources in Computing,
vol. 6, no. 3, p. 6–es, Sep. 2006.
[20] A. Laurie, “Digital detective –
Bluetooth,” Digital Investigation, vol. 3,
no. 1, pp. 17–19, Mar. 2006.
[21] B. J. Nikkel, “Improving evidence
acquisition from live network sources,”
Digital Investigation, vol. 3, no. 2, pp.
89–96, Jun. 2006.
[22] R. S. C. Ieong, “FORZA–Digital
forensics investigation framework that
incorporate legal issues,” digital
investigation, vol. 3, pp. 29–36, 2006.
[23] J. P. Zachman, “The Zachman
FrameworkTM
Evolution,” EA Articles
(page intentionally left blank), 2009.
[24] R. Harris, “Arriving at an anti-forensics
consensus: Examining how to define and
control the anti-forensics problem,”
Digital Investigation, vol. 3, Supplement,
pp. 44–49, Sep. 2006.
[25] S. L. Garfinkel, “Forensic feature
extraction and cross-drive analysis,”
Digital Investigation, vol. 3, Supplement,
pp. 71–81, Sep. 2006.
[26] A. Schuster, “Searching for processes
and threads in Microsoft Windows
memory dumps,” Digital Investigation,
vol. 3, Supplement, pp. 10–16, Sep.
2006.
[27] S. Jeyaraman and M. J. Atallah, “An
empirical study of automatic event
reconstruction systems,” Digital
Investigation, vol. 3, Supplement, pp.
108–115, Sep. 2006.
[28] W. Alink, R. A. F. Bhoedjang, P. A.
Boncz, and A. P. de Vries, “XIRAF –
XML-based indexing and querying for
digital forensics,” Digital Investigation,
vol. 3, Supplement, pp. 50–58, Sep.
2006.
[29] A. Johnston and J. Reust, “Network
intrusion investigation – Preparation and
challenges,” Digital Investigation, vol. 3,
no. 3, pp. 118–126, Sep. 2006.
[30] S. Mead, “Unique file identification in
the National Software Reference
Library,” Digital Investigation, vol. 3, no.
3, pp. 138–150, Sep. 2006.
[31] B. J. Nikkel, “A portable network
forensic evidence collector,” Digital
Investigation, vol. 3, no. 3, pp. 127–135,
Sep. 2006.
[32] S.-J. Wang, H.-J. Ke, J.-H. Huang, and
C.-L. Chan, “Concerns about Hash
Cracking Aftereffect on Authentication
Procedures in Applications of
Cyberspace,” IEEE Aerospace and
Electronic Systems Magazine, vol. 22,
no. 1, pp. 3 –7, Jan. 2007.
[33] S. Peisert, M. Bishop, S. Karin, and K.
Marzullo, “Analysis of Computer
Intrusions Using Sequences of Function
Calls,” IEEE Transactions on
Dependable and Secure Computing, vol.
4, no. 2, pp. 137 –150, Jun. 2007.
[34] A. Castiglione, A. De Santis, and C.
Soriente, “Taking advantages of a
disadvantage: Digital forensics and
steganography using document
metadata,” Journal of Systems and
Software, vol. 80, no. 5, pp. 750–764,
May 2007.
[35] R. Murphey, “Automated Windows event
log forensics,” Digital Investigation, vol.
4, Supplement, pp. 92–100, Sep. 2007.
[36] A. Spruill and C. Pavan, “Tackling the
U3 trend with computer forensics,”
Digital Investigation, vol. 4, no. 1, pp. 7–
12, Mar. 2007.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
228
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
[37] P. Turner, “Applying a forensic approach
to incident response, network
investigation and system administration
using Digital Evidence Bags,” Digital
Investigation, vol. 4, no. 1, pp. 30–35,
Mar. 2007.
[38] G. G. Richard, V. Roussev, and L.
Marziale, “Forensic discovery auditing of
digital evidence containers,” Digital
Investigation, vol. 4, no. 2, pp. 88–97,
Jun. 2007.
[39] B. J. Nikkel, “An introduction to
investigating IPv6 networks,” Digital
Investigation, vol. 4, no. 2, pp. 59–67,
Jun. 2007.
[40] G. Masters and P. Turner, “Forensic data
recovery and examination of magnetic
swipe card cloning devices,” Digital
Investigation, vol. 4, Supplement, pp. 16–
22, Sep. 2007.
[41] J. R. Lyle and M. Wozar, “Issues with
imaging drives containing faulty sectors,”
Digital Investigation, vol. 4, Supplement,
pp. 13–15, Sep. 2007.
[42] A. R. Arasteh, M. Debbabi, A. Sakha,
and M. Saleh, “Analyzing multiple logs
for forensic evidence,” Digital
Investigation, vol. 4, Supplement, pp. 82–
91, Sep. 2007.
[43] A. R. Arasteh and M. Debbabi, “Forensic
memory analysis: From stack and code to
execution history,” Digital Investigation,
vol. 4, Supplement, pp. 114–125, Sep.
2007.
[44] B. Schatz, “BodySnatcher: Towards
reliable volatile memory acquisition by
software,” Digital Investigation, vol. 4,
Supplement, pp. 126–134, Sep. 2007.
[45] M. S. Barik, G. Gupta, S. Sinha, A.
Mishra, and C. Mazumdar, “An efficient
technique for enhancing forensic
capabilities of Ext2 file system,” Digital
Investigation, vol. 4, Supplement, pp. 55–
61, Sep. 2007.
[46] M. Cohen, S. Garfinkel, and B. Schatz,
“Extending the advanced forensic format
to accommodate multiple data sources,
logical evidence, arbitrary information
and forensic workflow,” Digital
Investigation, vol. 6, Supplement, pp.
S57 – S68, 2009.
[47] M. Taylor, J. Haggerty, D. Gresty, and D.
Lamb, “Forensic investigation of cloud
computing systems,” Network Security,
vol. 2011, no. 3, pp. 4 – 10, 2011.
[48] E. Casey, A. Cheval, J. Y. Lee, D. Oxley,
and Y. J. Song, “Forensic acquisition and
analysis of palm webOS on mobile
devices,” Digital Investigation, vol. 8, no.
1, pp. 37 – 47, 2011.
[49] D. Takahashi, Y. Xiao, Y. Zhang, P.
Chatzimisios, and H.-H. Chen, “IEEE
802.11 user fingerprinting and its
applications for intrusion detection,”
Computers & Mathematics with
Applications, vol. 60, no. 2, pp. 307 –
318, 2010.
[50] M. S. Olivier, “On metadata context in
Database Forensics,” Digital
Investigation, vol. 5, no. 3–4, pp. 115 –
123, 2009.
[51] C. Maartmann-Moe, S. E. Thorkildsen,
and A. Årnes, “The persistence of
memory: Forensic identification and
extraction of cryptographic keys,” Digital
Investigation, vol. 6, Supplement, pp.
S132 – S140, 2009.
[52] B. R. Mallio, “Message hiding using
steganography, and forensic approaches
for discovery,” J. Comput. Sci. Coll., vol.
23, no. 3, pp. 6–6, Jan. 2008.
[53] J. Bang, B. Yoo, and S. Lee, “Analysis of
changes in file time attributes with file
manipulation,” Digital Investigation, vol.
7, no. 3–4, pp. 135 – 144, 2011.
[54] V. G. Cerf, “Defense against the Dark
Arts,” IEEE Internet Computing, vol. 16,
no. 1, p. 96, Feb. 2012.
[55] A. Savoldi, M. Piccinelli, and P. Gubian,
“A statistical method for detecting on-
disk wiped areas,” Digital Investigation,
vol. 8, no. 3–4, pp. 194 – 214, 2012.
[56] F. N. Dezfoli, A. Dehghantanha, R.
Mahmoud, N. F. B. M. Sani, and F.
Daryabar, “DIGITAL FORENSIC
TRENDS AND FUTURE,” International
Journal of Cyber-Security and Digital
Forensics (IJCSDF), vol. 2, no. 2, pp.
48–76, 2013.
[57] M. Damshenas, A. Dehghantanha, and R.
Mahmoud, “A SURVEY ON
MALWARE PROPAGATION,
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
229
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
ANALYSIS, AND DETECTION,”
International Journal of Cyber-Security
and Digital Forensics (IJCSDF), vol. 2,
no. 4, pp. 10–29, 2013.
[58] I. Amerini, L. Ballan, R. Caldelli, A. Del
Bimbo, and G. Serra, “A SIFT-Based
Forensic Method for Copy–Move Attack
Detection and Transformation
Recovery,” Information Forensics and
Security, IEEE Transactions on, vol. 6,
no. 3, pp. 1099–1110, 2011.
[59] H. Gou, A. Swaminathan, and M. Wu,
“Intrinsic sensor noise features for
forensic analysis on scanners and scanned
images,” Information Forensics and
Security, IEEE Transactions on, vol. 4,
no. 3, pp. 476–491, 2009.
[60] M. Chen, J. Fridrich, M. Goljan, and J.
Lukás, “Determining image origin and
integrity using sensor noise,” Information
Forensics and Security, IEEE
Transactions on, vol. 3, no. 1, pp. 74–90,
2008.
[61] H. D. Yuan, “Blind forensics of median
filtering in digital images,” Information
Forensics and Security, IEEE
Transactions on, vol. 6, no. 4, pp. 1335–
1345, 2011.
[62] B. Mahdian and S. Saic, “Using noise
inconsistencies for blind image
forensics,” Image and Vision Computing,
vol. 27, no. 10, pp. 1497 – 1503, 2009.
[63] H. Farid and M. J. Bravo, “Perceptual
discrimination of computer generated and
photographic faces,” Digital
Investigation, vol. 8, no. 3–4, pp. 226 –
235, 2012.
[64] J. D. Kornblum, “Using JPEG
quantization tables to identify imagery
processed by software,” Digital
Investigation, vol. 5, Supplement, pp.
S21 – S25, 2008.
[65] S. D. Mahalakshmi, K. Vijayalakshmi,
and S. Priyadharsini, “Digital image
forgery detection and estimation by
exploring basic image manipulations,”
Digital Investigation, vol. 8, no. 3–4, pp.
215 – 225, 2012.
[66] M.-J. Tsai, C.-S. Wang, J. Liu, and J.-S.
Yin, “Using decision fusion of feature
selection in digital forensics for camera
source model identification,” Computer
Standards & Interfaces, vol. 34, no.
3, pp. 292 – 304, 2012.
[67] J. H. Choi, H. Y. Lee, and H. K. Lee,
“Color laser printer forensic based on
noisy feature and support vector machine
classifier,” Multimedia Tools and
Applications, pp. 1–20, 2011.
[68] M. Islam, P. A. Watters, and J.
Yearwood, “Real-time detection of
children’s skin on social networking sites
using Markov random field modelling,”
Information Security Technical Report,
vol. 16, no. 2, pp. 51 – 58, 2011.
[69] C. M. S. Steel and C.-T. Lu,
“Impersonator identification through
dynamic fingerprinting,” Digital
Investigation, vol. 5, no. 1–2, pp. 60 – 70,
2008.
[70] S. Bayram, H. T. Sencar, and N. Memon,
“Classification of digital camera-models
based on demosaicing artifacts,” Digital
Investigation, vol. 5, no. 1–2, pp. 49 – 59,
2008.
[71] C. Tang, A. W. K. Kong, and N. Craft,
“Using a Knowledge-Based Approach to
Remove Blocking Artifacts in Skin
Images for Forensic Analysis,”
Information Forensics and Security,
IEEE Transactions on, vol. 6, no. 3, pp.
1038–1049, 2011.
[72] W. S. Lin, S. K. Tjoa, H. V. Zhao, and K.
J. R. Liu, “Digital image source coder
forensics via intrinsic fingerprints,”
Information Forensics and Security,
IEEE Transactions on, vol. 4, no. 3, pp.
460–475, 2009.
[73] F. Huang, J. Huang, and Y. Q. Shi,
“Detecting double JPEG compression
with the same quantization matrix,”
Information Forensics and Security,
IEEE Transactions on, vol. 5, no. 4, pp.
848–856, 2010.
[74] M. Kirchner and R. Bohme, “Hiding
traces of resampling in digital images,”
Information Forensics and Security,
IEEE Transactions on, vol. 3, no. 4, pp.
582–592, 2008.
[75] L. Miralles and J. Moreno, “Versatile
iPad forensic acquisition using the Apple
Camera Connection Kit,” Computers
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
230
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
& Mathematics with Applications,
vol. 63, no. 2, pp. 544 – 553, 2012.
[76] V. L. L. Thing, K.-Y. Ng, and E.-C.
Chang, “Live memory forensics of
mobile phones,” Digital Investigation,
vol. 7, Supplement, pp. S74 – S82, 2010.
[77] J. Sylve, A. Case, L. Marziale, and G. G.
Richard, “Acquisition and analysis of
volatile memory from android devices,”
Digital Investigation, vol. 8, no. 3–4, pp.
175 – 184, 2012.
[78] A. Distefano and G. Me, “An overall
assessment of Mobile Internal
Acquisition Tool,” Digital Investigation,
vol. 5, Supplement, pp. S121 – S127,
2008.
[79] T. Vidas, C. Zhang, and N. Christin,
“Toward a general collection
methodology for Android devices,”
Digital Investigation, vol. 8, Supplement,
pp. S14 – S24, 2011.
[80] K. Jonkers, “The forensic use of mobile
phone flasher boxes,” Digital
Investigation, vol. 6, no. 3–4, pp. 168 –
178, 2010.
[81] P. Owen and P. Thomas, “An analysis of
digital forensic examinations: Mobile
devices versus hard disk drives utilising
ACPO & NIST guidelines,” Digital
Investigation, vol. 8, no. 2, pp. 135 – 140,
2011.
[82] G. Grispos, T. Storer, and W. B. Glisson,
“A comparison of forensic evidence
recovery techniques for a windows
mobile smart phone,” Digital
Investigation, vol. 8, no. 1, pp. 23 – 36,
2011.
[83] O. van Eijk and M. Roeloffs, “Forensic
acquisition and analysis of the Random
Access Memory of TomTom GPS
navigation systems,” Digital
Investigation, vol. 6, no. 3–4, pp. 179 –
188, 2010.
[84] F. Rehault, “Windows mobile advanced
forensics: An alternative to existing
tools,” Digital Investigation, vol. 7, no.
1–2, pp. 38 – 47, 2010.
[85] R. P. Mislan, E. Casey, and G. C.
Kessler, “The growing need for on-scene
triage of mobile devices,” Digital
Investigation, vol. 6, no. 3–4, pp. 112 –
124, 2010.
[86] J. Olsson and M. Boldt, “Computer
forensic timeline visualization tool,”
Digital Investigation, vol. 6, Supplement,
pp. S78 – S87, 2009.
[87] C. Klaver, “Windows Mobile advanced
forensics,” Digital Investigation, vol. 6,
no. 3–4, pp. 147 – 167, 2010.
[88] R. A. Joyce, J. Powers, and F. Adelstein,
“MEGA: A tool for Mac OS X operating
system and application forensics,”
Digital Investigation, vol. 5, Supplement,
pp. S83 – S90, 2008.
[89] A. Case, L. Marziale, and G. G. R. III,
“Dynamic recreation of kernel data
structures for live forensics,” Digital
Investigation, vol. 7, Supplement, pp.
S32 – S40, 2010.
[90] H. Inoue, F. Adelstein, and R. A. Joyce,
“Visualization in testing a volatile
memory forensic tool,” Digital
Investigation, vol. 8, Supplement, pp.
S42 – S51, 2011.
[91] D. Ayers, “A second generation computer
forensic analysis system,” Digital
Investigation, vol. 6, Supplement, pp.
S34 – S42, 2009.
[92] L. Pan and L. M. Batten, “Robust
performance testing for digital forensic
tools,” Digital Investigation, vol. 6, no.
1–2, pp. 71 – 81, 2009.
[93] S. Garfinkel, “Digital forensics XML and
the DFXML toolset,” Digital
Investigation, vol. 8, no. 3–4, pp. 161 –
174, 2012.
[94] B. N. Levine and M. Liberatore, “DEX:
Digital evidence provenance supporting
reproducibility and comparison,” Digital
Investigation, vol. 6, Supplement, pp.
S48 – S56, 2009.
[95] G. Conti, S. Bratus, A. Shubina, B.
Sangster, R. Ragsdale, M. Supan, A.
Lichtenberg, and R. Perez-Alemany,
“Automated mapping of large binary
objects using primitive fragment type
classification,” Digital Investigation, vol.
7, Supplement, pp. S3 – S12, 2010.
[96] B. Dolan-Gavitt, “Forensic analysis of
the Windows registry in memory,”
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
231
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Digital Investigation, vol. 5, Supplement,
pp. S26 – S32, 2008.
[97] R. B. van Baar, W. Alink, and A. R. van
Ballegooij, “Forensic memory analysis:
Files mapped in memory,” Digital
Investigation, vol. 5, Supplement, pp.
S52 – S57, 2008.
[98] A. Schuster, “The impact of Microsoft
Windows pool allocation strategies on
memory forensics,” Digital Investigation,
vol. 5, Supplement, pp. S58 – S64, 2008.
[99] K. Saur and J. B. Grizzard, “Locating
×86 paging structures in memory
images,” Digital Investigation, vol. 7, no.
1–2, pp. 28 – 37, 2010.
[100] R. M. Stevens and E. Casey, “Extracting
Windows command line details from
physical memory,” Digital Investigation,
vol. 7, Supplement, pp. S57 – S63, 2010.
[101] S. M. Hejazi, C. Talhi, and M. Debbabi,
“Extraction of forensically sensitive
information from windows physical
memory,” Digital Investigation, vol. 6,
Supplement, pp. S121 – S131, 2009.
[102] J. Okolica and G. L. Peterson, “Windows
operating systems agnostic memory
analysis,” Digital Investigation, vol. 7,
Supplement, pp. S48 – S56, 2010.
[103] J. Okolica and G. L. Peterson,
“Extracting the windows clipboard from
physical memory,” Digital Investigation,
vol. 8, Supplement, pp. S118 – S124,
2011.
[104] J. S. Okolica and G. L. Peterson,
“Windows driver memory analysis: A
reverse engineering methodology,”
Computers & Security, vol. 30, no.
8, pp. 770 – 779, 2011.
[105] J. R. Rabaiotti and C. J. Hargreaves,
“Using a software exploit to image RAM
on an embedded system,” Digital
Investigation, vol. 6, no. 3–4, pp. 95 –
103, 2010.
[106] R. Beverly, S. Garfinkel, and G.
Cardwell, “Forensic carving of network
packets and associated data structures,”
Digital Investigation, vol. 8, Supplement,
pp. S78 – S89, 2011.
[107] O. Thonnard and M. Dacier, “A
framework for attack patterns’ discovery
in honeynet data,” Digital Investigation,
vol. 5, Supplement, pp. S128 – S139,
2008.
[108] B. Shebaro and J. R. Crandall, “Privacy-
preserving network flow recording,”
Digital Investigation, vol. 8, Supplement,
pp. S90 – S100, 2011.
[109] Y. Zhu, “Attack Pattern Discovery in
Forensic Investigation of Network
Attacks,” Selected Areas in
Communications, IEEE Journal on, vol.
29, no. 7, pp. 1349–1357, 2011.
[110] M. I. Cohen, “Source attribution for
network address translated forensic
captures,” Digital Investigation, vol. 5,
no. 3–4, pp. 138 – 145, 2009.
[111] H.-M. Hsu, Y. S. Sun, and M. C. Chen,
“Collaborative scheme for VoIP
traceback,” Digital Investigation, vol. 7,
no. 3–4, pp. 185 – 195, 2011.
[112] A. Distefano, G. Me, and F. Pace,
“Android anti-forensics through a local
paradigm,” Digital Investigation, vol. 7,
Supplement, pp. S83 – S94, 2010.
[113] H. M. Sun, C. Y. Weng, C. F. Lee, and C.
H. Yang, “Anti-forensics with
steganographic data embedding in digital
images,” Selected Areas in
Communications, IEEE Journal on, vol.
29, no. 7, pp. 1392–1403, 2011.
[114] M. C. Stamm and K. J. R. Liu, “Anti-
forensics of digital image compression,”
Information Forensics and Security,
IEEE Transactions on, vol. 6, no. 3, pp.
1050–1065, 2011.
[115] H. Khan, M. Javed, S. A. Khayam, and F.
Mirza, “Designing a cluster-based covert
channel to evade disk investigation and
forensics,” Computers & Security,
vol. 30, no. 1, pp. 35 – 49, 2011.
[116] S. Rekhis and N. Boudriga, “A System
for Formal Digital Forensic Investigation
Aware of Anti-Forensic Attacks,”
Information Forensics and Security,
IEEE Transactions on, vol. 7, no. 2, pp.
635–650, 2012.
[117] E. Casey, G. Fellows, M. Geiger, and G.
Stellatos, “The growing impact of full
disk encryption on digital forensics,”
Digital Investigation, vol. 8, no. 2, pp.
129 – 134, 2011.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
232
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
[118] M. T. Pereira, “Forensic analysis of the
Firefox 3 Internet history and recovery of
deleted SQLite records,” Digital
Investigation, vol. 5, no. 3–4, pp. 93 –
103, 2009.
[119] B. Yoo, J. Park, S. Lim, J. Bang, and S.
Lee, “A study on multimedia file carving
method,” Multimedia Tools and
Applications, pp. 1–19, 2012.
[120] T. D. Morgan, “Recovering deleted data
from the Windows registry,” Digital
Investigation, vol. 5, Supplement, pp.
S33 – S41, 2008.
[121] S. Garfinkel, A. Nelson, D. White, and V.
Roussev, “Using purpose-built functions
and block hashes to enable small block
and sub-file forensics,” Digital
Investigation, vol. 7, Supplement, pp.
S13 – S23, 2010.
[122] H. Chivers and C. Hargreaves, “Forensic
data recovery from the Windows Search
Database,” Digital Investigation, vol. 7,
no. 3–4, pp. 114 – 126, 2011.
[123] C. King and T. Vidas, “Empirical
analysis of solid state disk data retention
when used with contemporary operating
systems,” Digital Investigation, vol. 8,
Supplement, pp. S111 – S117, 2011.
[124] M. Yasin, A. R. Cheema, and F. Kausar,
“Analysis of Internet Download Manager
for collection of digital forensic
artefacts,” Digital Investigation, vol. 7,
no. 1–2, pp. 90 – 94, 2010.
[125] H. S. Lallie and P. J. Briggs, “Windows 7
registry forensic evidence created by
three popular BitTorrent clients,” Digital
Investigation, vol. 7, no. 3–4, pp. 127 –
134, 2011.
[126] J. Oh, S. Lee, and S. Lee, “Advanced
evidence collection and analysis of web
browser activity,” Digital Investigation,
vol. 8, Supplement, pp. S62 – S70, 2011.
[127] J. Lewthwaite and V. Smith, “Limewire
examinations,” Digital Investigation, vol.
5, Supplement, pp. S96 – S104, 2008.
[128] G. Fellows, “WinRAR temporary folder
artefacts,” Digital Investigation, vol. 7,
no. 1–2, pp. 9 – 13, 2010.
[129] J. Grier, “Detecting data theft using
stochastic forensics,” Digital
Investigation, vol. 8, Supplement, pp.
S71 – S77, 2011.
[130] N. L. Beebe, S. D. Stacy, and D. Stuckey,
“Digital forensic implications of ZFS,”
Digital Investigation, vol. 6, Supplement,
pp. S99 – S107, 2009.
[131] B. D. Carrier, “Different interpretations
of ISO9660 file systems,” Digital
Investigation, vol. 7, Supplement, pp.
S129 – S134, 2010.
[132] M. Xu, H.-R. Yang, J. Xu, Y. Xu, and N.
Zheng, “An adaptive method to identify
disk cluster size based on block content,”
Digital Investigation, vol. 7, no. 1–2, pp.
48 – 55, 2010.
[133] T. Kavallaris and V. Katos, “On the
detection of pod slurping attacks,”
Computers & Security, vol. 29, no.
6, pp. 680 – 685, 2010.
[134] E. S. Pilli, R. C. Joshi, and R. Niyogi,
“Network forensic frameworks: Survey
and research challenges,” Digital
Investigation, vol. 7, no. 1–2, pp. 14 – 27,
2010.
[135] J. Beckett and J. Slay, “Scientific
underpinnings and background to
standards and accreditation in digital
forensics,” Digital Investigation, vol. 8,
no. 2, pp. 114 – 121, 2011.
[136] S. Garfinkel, P. Farrell, V. Roussev, and
G. Dinolt, “Bringing science to digital
forensics with standardized forensic
corpora,” Digital Investigation, vol. 6,
Supplement, pp. S2 – S11, 2009.
[137] Y. Guo, J. Slay, and J. Beckett,
“Validation and verification of computer
forensic software tools—Searching
Function,” Digital Investigation, vol. 6,
Supplement, pp. S12 – S22, 2009.
[138] C. Shields, O. Frieder, and M. Maloof,
“A system for the proactive, continuous,
and efficient collection of digital forensic
evidence,” Digital Investigation, vol. 8,
Supplement, pp. S3 – S13, 2011.
[139] S.-J. Wang, D.-Y. Kao, and F. F.-Y.
Huang, “Procedure guidance for Internet
forensics coping with copyright
arguments of client-server-based P2P
models,” Computer Standards &
Interfaces, vol. 31, no. 4, pp. 795–800,
Jun. 2009.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
233
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
[140] M. I. Cohen, D. Bilby, and G. Caronni,
“Distributed forensics and incident
response in the enterprise,” Digital
Investigation, vol. 8, Supplement, pp.
S101 – S110, 2011.
[141] D. Kahvedžić and T. Kechadi,
“DIALOG: A framework for modeling,
analysis and reuse of digital forensic
knowledge,” Digital Investigation, vol. 6,
Supplement, pp. S23 – S33, 2009.
[142] A. Case, A. Cristina, L. Marziale, G. G.
Richard, and V. Roussev, “FACE:
Automated digital evidence discovery
and correlation,” Digital Investigation,
vol. 5, Supplement, pp. S65 – S75, 2008.
[143] N. R. Poole, Q. Zhou, and P. Abatis,
“Analysis of CCTV digital video
recorder hard disk storage system,”
Digital Investigation, vol. 5, no. 3–4, pp.
85 – 92, 2009.
[144] D.-Y. Kao, S.-J. Wang, and F. F.-Y.
Huang, “SoTE: Strategy of Triple-E on
solving Trojan defense in Cyber-crime
cases,” Computer Law & Security
Review, vol. 26, no. 1, pp. 52 – 60, 2010.
[145] E. Serrano, A. Quirin, J. Botia, and O.
Cordón, “Debugging complex software
systems by means of pathfinder
networks,” Information Sciences, vol.
180, no. 5, pp. 561 – 583, 2010.
[146] A. Dehghantanha, N. Udzir, and R.
Mahmod, “Evaluating user-centered
privacy model (UPM) in pervasive
computing systems,” Computational
Intelligence in Security for Information
Systems, pp. 272–284, 2011.
[147] C. Sagaran, A. Dehghantanha, and R.
Ramli, “A User-Centered Context-
sensitive Privacy Model in Pervasive
Systems,” in Communication Software
and Networks, 2010. ICCSN’10. Second
International Conference on, 2010, pp.
78–82.
[148] S. Biggs and S. Vidalis, “Cloud
Computing: The impact on digital
forensic investigations,” in Internet
Technology and Secured Transactions,
2009. ICITST 2009. International
Conference for, 2009, pp. 1 –6.
[149] M. Damshenas and A. Dehghantanha,
“Forensics Investigation Challenges in
Cloud Computing Environments,”
presented at the The International
Conference on Cyber Security, Cyber
Warfare and Digital Forensic, Kuala
Lumpur, Malaysia, 2012, pp. 190–194.
[150] F. Daryabar, A. Dehghantanha, N. I.
Udzir, N. F. binti M. Sani, and S. bin
Shamsuddin, “A REVIEW ON
IMPACTS OF CLOUD COMPUTING
ON DIGITAL FORENSICS,”
International Journal of Cyber-Security
and Digital Forensics (IJCSDF), vol. 2,
no. 2, pp. 77–94, 2013.
[151] T. Hasani and A. Dehghantanha, “A
Guideline to Enforce Data Protection and
Privacy Digital Laws in Iran,”
Proceedings of International Conference
on Software and Computer Applications
(ICSCA 2011), pp. 3–6, 2011.
[152] P. Hunton, “The stages of cybercrime
investigations: Bridging the gap between
technology examination and law
enforcement investigation,” Computer
Law & Security Review, vol. 27, no.
1, pp. 61 – 67, 2011.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 209-234
234
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
e-Fraud Forensics Investigation Techniques with
Formal Concept Analysis
1WAZIRI, Victor Onomza,
2Abdullahi Umar,
3MORUFU Olalere,
1,,3Cyber Security Science Department,
2Department of Computer Science
School of Information and Communication Technology
Federal University of Technology,
Minna-Nigeria
Abstract
One of the cardinal impacts of Cyber Security (CS) is the combating of financial e-fraud and other
related crimes. Formal Concept Analysis (FCA) could serve as a great useful weapon in the
detection and retrieving of various crime activities perpetrated on the cyberspace. This paper
proposes a CS-based investigation process through visualization and data analysis of mobile
communication devices using the formal Concept Analysis which is a data analysis technique based
on lattice theory and propositional Calculus. The method to be employed visualizes the lattice that
maybe conceived as a set of common and distinct attributes of data in such a way that classifications
are done based on related data with respect to time and events of the crime performance within a
some Internet geographical space. The lattices were then built using Galicia 3.2 Lattice building
software using the data connected of criminal activities that were collected from the mobile phones,
Laptops etc.. The results obtained were used in building a more defined and conceptualized system
for analysis of e-fraud data in the cyberspace that could be easily visualized and intelligently
analysed by the cyberspace computational systems processes.
Keywords: Financial Crime, lattice Theory, Formal Concepts analysis, data analysis and
visualization
1. INTRODUCTION
Radim (2008), propounded Formal Concept
Analysis (FCA) as a method of data analysis
that describes relationship between a particular
set of objects and a particular set of attributes.
FCA produces two kinds of attributes from the
input data. The first is concept lattice which is
a collection of formal concept in the data that
are hierarchically ordered by a sub-concept-
superconcept relationship.
The formal concepts are particularly clusters
which represent natural human-like concepts
such as may be visualized in an international
network of botnet syndicates. The second
output of FCA consists of attributes
implication which describes a particular
dependency that is valid in the data in the
syndicate cycle of operations. The most
important feature of FCA is the integration of
three components (a, b, c) (where ―a‖ signifies
Discovery, ―b‖ reasoning and ―c‖ output) of
conceptual processing of data and knowledge.
These FCA components are Discovery and
Reasoning which underlines the formation of
concepts in data lattices or a network
syndicate. Discovery and Reasoning involve
dependencies in database; visualizing of the
database, picturing the conceptualization of
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
235
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
the dependencies with the current folding or
unfolding capabilities outputs. This could be
visualized conceptually as in figure 1:
Figure 1: Concept Lattice that shows a
visualized construe of FCA. This could be
construed as a botnet syndicate over some
specified geographical space
Virtually, all societies in the modern world
are troubled by some related fraud activities
such as e-fraud in some abstracted cybercrime
environment in this modern cyberspace
advancement. Most of these cybercrimes are
carried out by individuals or organized groups
in the form of syndicate over large
geographical territories. While cybercrime
rate may vary from one country to another
and from one region to another, black hackers
behaviour remains a case for concern
amongst most members of the public
commercial and governmental institutions;
thus hinder e-Governance and e-commerce
efficient utilization of administrative secret
information and gaining substantial benefits
in financial realizations respectively.
Cybercrime prevention and control have been
government’s prerogatives through various
enacted law enforcement agencies. With the
increasing use of the computerized systems to
track cybercrimes penetrations and malware
detections, computer data analysis have
begun to assist law enforcement agencies and
detectives to speed up the process of
preventing crimes in various ramifications
especially in digital forensics analysis.
The most efficient and effective way of
fighting cybercrimes today cannot be
construed without geographical profiling.
Black Hacks activities have become very
complex in such a way that rapid monitory
can only be achieved by using intelligent
sensors within geographical components
(Kester, 2013) and analyzing using analytical
efficient tools. Digital Forensic investigative
approaches are needed to analyse connected
series of crimes data on the Internet to
determine the most probable area of offender
residence (but this could be difficult due to
the application of proxies used by botnet
masters). By incorporating both qualitative
and quantitative methods, we shall assist in
understanding spatial behaviour of an
offender and focussing the investigation to a
smaller area of the local network.
Typically used in cases of serial murder or
theft, the technique could help the police
detectives to prioritize information in large-
scale major crime investigations that often
involve hundreds of interconnected nodes and
informants (Wikipedia 2013). A criminal
pattern of network computer analysis in some
given location on the Internet is very crucial
in cybercrimes detection. Discovering the
relationship between Computer systems on
the Local networks have to be engaged in
order to gather and interpret intelligence so as
to control the network interrelationship
connectivity as well as influence effective
decision making as can be conceptualized
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
236
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
below diagrammatically in figure
Figure2: Pattern analysis theory
Figure 2 describes some unary binary relationship that exists between some crime pivotal spot as the root for discovery through Intelligence analysis being applied to decipher the crime, therefore, deduces some intelligence decision that would make impacts over the crime interoperable scene and the root.
This paper proposes a CS-based digital
forensic investigation for some abstractive
abstractive e-fraud environment by
visualizing and analyzing data of mobile
communication devices using Formal context
and Galois lattices, a data analysis technique
based on Lattice Theory Propositional
Calculus. This method considered the set of
common and distinct attributes of data in such
a way that categorizations are done based on
related data found on evidence nodes with
respect to time and events. All these
deductions are done without concrete adduced
dataset.
This will help in building a more defined and
efficient conceptualized systems for analysis
of digital forensics data that could easily be
intelligently analyzed and visualized by
computer systems on the mobile computing
space.
The rest of the paper is structured as follows:
Section 2 reviews some literatures on ground,
section 3 gives an in-depth theoretical
Methodology of the FCA, Section 4 depicts
some experimental evidences of section 3 and
their interpretations, giving three basic
visualization figures for an intelligent
abstraction, section 5 summarizes the
research through some short statements and
some vital recommendations for future
research work.
2.0 RELATED WORKS
Cyber Crimes activities are geospatial
phenomena through the Internet and as such
are geospatially, thematically and temporally
correlated. Thus, Cyber crime datasets must
be interpreted and analysed in conjunction
with various factors that can contribute to the
formulation of some specific crime on the
Internet. Discovering these correlations
allows a deeper insight into the complex
nature of Cyber criminal behavioural pattern
(McGarrell & Schlegel, 1993). There are
challenges faced in today’s world in terms of
Cyber crime analysis when it comes to
graphical visualization of the crime patterns.
Geographical representation of cybercrime
scenes and crime types has become very
important in gathering intelligence about
crimes. This provides a very dynamic and
easy way of monitoring cyber criminal
activities and analysing them as well as
producing effective countermeasures and
preventive measures in solving them.
Kester, (ibid) proposed a new method of
visualizing and analysing crime patterns
based on geographical crime data. In the
United States, the FBI collaborates with local
law enforcement and prosecutors to share
intelligence and efforts through teamwork has
demonstrated effectiveness in addressing
traditional crime involving drugs, weapons,
gangs, and violence (McGarrell & Schlegel,
1993; Russell-Einhorn, 2004). By extension,
many scholars and practitioners has asserted
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
237
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
the importance of forming comparable teams
to combat digital forensics crime with the
hope of similar positive outcomes (Conly &
McEwen, 1990).
Rogerson and Sun (2001) described a new
procedure for testing changes over time in the
spatial pattern of point events, combining the
nearest neighbour statistic and cumulative
sum methods. The method results in the rapid
detection of deviations from expected
geographical patterns. The method was
illustrated using 1996 arson data from the
Buffalo, NY, Police Department. The
appearance of patterns could be found in
different modalities of a domain, where the
different modalities refer to the data sources
that constitute different aspects of a domain.
Particularly, the domain that refers to crime
and the different modalities refer to different
data sources within the crime domain such as
offender data, Weapon data, etc. In addition,
patterns also exist in different levels of
granularity for each modality. In order to
have a thorough understanding of a domain, it
is important to reveal hidden patterns through
the data explorations at different levels of
granularity and for each modality. Therefore,
Yee Ling Boo and Alahakoon, D presented a
new model for identifying patterns that exist
in different levels of granularity for different
modes of crime data.
A hierarchical clustering approach – growing
self organizing maps (GSOM) has been
deployed. The model was further enhanced
with experiments that exhibit the significance
of exploring data at different granularities
(Boo and Alahakoon, 2008).
Formal Concept Analysis (FCA) is a method
of data analysis with growing popularity
across various domains that can easily be
extended to the cyberspace similarity. FCA
analyses data that describes relationship
between a particular set of objects and a
particular set of attributes. Such data
commonly appear in many areas of human
activities.
FCA produces two kinds of output from the
input data. The first is a concept lattice. As
concept lattice is a collection of formal
concepts in the data which is hierarchically
ordered by a sub-concept super concept
relations. Formal concepts are particular
clusters which represent natural human-like
concepts such as ―organism living in the
water‖, ―car with all wheel drive system‖,
―number divisible by 3 and 4‖, etc. The
second output of FCA is a collection of so-
called attribute implications. An attributes
implication describes a particular dependency
which is valid in the data such as ―every
number divisible by 3 and 4 is divisible by 6‖,
every respondent with age over 60 is retired‖,
etc (Radim, 2008).
Modern police organizations and intelligence
services are adopting the use of FCA in crime
pattern analysis for tracking down criminal
suspects through the integration of
heterogeneous data sources and visualising
this information so that a human expert can
gain insight in the data (Russsell and Einhorn,
2004).
3.0 METHODOLOGY
In this section, we give a detail mathematical
theory representation of the FCA analysis
[12]. It could also be used in data analysis,
information retrieval ( a useful tool for Digital
Forensics and Internet Network Security
analyses), and Knowledge discovery. It could
also be useful in the application as a a
conceptual clustering method, which clusters
simultaneously objects and gives formative
clearance for their descriptions. It is
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
238
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
applicable for efficiently computing
association rules. Thus, FCA makes concepts
as units of thoughts, that consists of two main
parts:
a. The extension consists of all objects
belonging to the concept; and
b. The intension consists of all attributes
common to all those objects
Thus as outlined [12, 13] we present the FCA
Algorithm as follow:
In FCA as a formal concept consists
of a set of objects, G, a set of
attributes, M, and a relation between
G and M, I ⊑ G × M; where I is a
binary relation of G and M. A formal
concept is a pair (A, B) where A ⊑ G
and B ⊑ M. Every object in A has
every attribute in B. For every
object in G that is not in A, there
is an attribute in B that object does
not have. For every attribute in M
that is not in B, there is an object
in A that does not have that
attribute. A is called the extent of
the concept and B is called the
intent of the concept. Abstractive
details of FCA runs as these:
If g ∈ A and m ∈ B then <g, m> ∈ I,
or g I m.
A formal concept is a triple <G, M,
I>; where
G is a set of object;
M is a set of attributes; and
•I is a relation between G and
M.
<g, m> ∈ I is read as
―object g has attribute m‖.
For A ⊆ G, we define
A´:= {m ∈ M | ⩝g ∈ A :< g, m> ∈ I
}.
For B ⊆ M, we define dually
B´:= {g ∈ G | ⩝m ∈ B :< g, m> ∈I }.
For A, A1, A2 ⊆ G holds:
A - A
B - B
A formal concept is a pair (A, B)
where
• A is a set of objects (the extent
of the concept),
• B is a set of attributes (the
intent of the concept),
•A—— B and B —— A
The concept lattice of a formal context (G,
I) is the set of all formal concepts of (G,
I)
Together with the partial order
(A1, B1)
B is a set of attributes (the
intent of the concept),
A – B and B – A.
The concept lattice of a formal context (G, M,
I) is the set of all formal concepts of (G, M, I)
together with the partial order
(A1, B1) ≤ (A2, B2): - A1 ⊑ A2 (
B1⊑ B2)
The concept lattice is denoted by (G, M, I)
Theorem: The concept lattice is a lattice,
i.e. for two concepts (A1, B1) and (A2,
B2), there is always;
A greatest common super-concept:
(A1⋂A2, (B1⋃ B2) ´´)
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
239
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
And a least common super-concept:
((A1 ⋃ A2) ´´, B1⋂B2)
More general, it is even a complete lattice, i.e. the
greatest common sub-concept and the least
common super-concept exist for all (finite and
infinite) sets of concepts.
Corollary: The set of all concept intents of a
formal context is a closure system. The
corresponding closure operator is h(X):= X``.
An implication X→Y holds in a context, if every
object having all attributes in Y also has all
attributes in X.
Def.: Let X ⊆M. The attributes in Y are
independent, if there are no trivial dependencies
between them.
4.0 EXPERIMENTAL RESULTS
Let us consider e-fraud events such that F is
the set of events and E1, E2….En are subsets
off. Let figure E = [E1, E2……En] =
(Financial fraud, Money Laundering, ATM
Bombing, ...). Let the objects be the events in
some sub-geographical jurisdiction regions
(internet network) for thr e-fraud (in case the
e-fraud is Covered by some syndicates that
involves different geographical regions
through hacking connectivity arrangement
such as botnet) in which the events
occurrence is a set depected by the zombie
nodes (A, B, C, D, E, F, G, H, I, J and K) as
indicated on the Figure 3 map. Note that each
cluster in figure 3 may consist of zombies; a
set of compromised computational nodes. Let
P be the set of suspects intending to be
investigated and PI, P2…..Pn are the elements
that belong to P.
The concept lattice of context <G, M, I> as
shown n figure 4, is the set of all formal
concepts of <G, M, I> which are aggregated to
form clusters
Figure 3: e-Fraud Syndicate Network Connectivity
Table1: Events x (Geographical locations and Persons)
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
240
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Figure 4: Galois lattices of Intent and Extent
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
241
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Figure 5: Galois lattice of <G, M, I>
INTERPRETATION
Galois lattice (graph) is generated from the input
data table (formal context) in figure 2. The object
(Event or Crime etc) is represented in a row and
attributes (Suspects/persons) are represented in a
column. The symbol X indicates a binary relation
between the objects and the attributes.
The numbers 1, 2, 3…….n in the column represents
the objects or Crime and letters a, b, c……. k
represents geographical locations where the
offences are commuted as can be seen from figure
1, and P1, P2……..Pn represents the suspects
involved in the various crime.
The graph (Galois lattice) is made up of the
following features:
The concept in hierarchical order represented
by values in small ellipse
The line diagram showing the relationship
The objects (Event or crime) otherwise called
―Extent‖ (E)
The attributes (people involved in the crime)
otherwise called ―Intent‖ (I)
The geographical locations a, b, e, f…….. k.
Note:
Concept – represents the set of Events sharing the
same values for certain set of attributes.
In this paper, we consider the attributes of the
concepts, 24, 25, 26, and 49 in relation to the
attributes of concept 28 from figure 3, as indicated
in the second hierarchy of the concept. Thus;
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
242
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Figure 6: Extraction of figure 3
works. FCA tools need further improvement since
those used today were designed in the early 20’s.
It is hoped that past knowledge can be assimilated
with current observations of computer-related
criminality to inform and guide the science of
police investigations in the future.
Formal Concept Analysis (FCA) was used to
analyze crime data-based on information gathered
from suspects’ mobile communication devices
such as mobile phone, tablets etc. Visualization of
relationships between the occurrences of various
crime events within different geographical areas
was achieved successfully. This method
considered the set of common and distinct
attributes of data in such away that categorization
was done based on relationships between
concepts. The result from the approach will help
in building a more defined and conceptual
systems that will make data relationships to be
easily visualized and intelligently analyzed by
ICT-based investigation systems.
5.0 RECOMMENDATION/ CONCLUSION
Nowadays, Cybercrimes are increasing over all
over the Internet are increasing by leaps.
Cybercrimes require more intelligent law
enforcement departments toward successfully
identifying and retrieving details from the
harddisks for scientific analysis and preparing
them for comprehensive presentations in the
courts of law. Nonetheless, retrieving the crimes
deatails needs some development of efficient
software through intensive research
References
[1] Hinduja, S. (2007): Computer crime
investigations in the United States:
leveraging Knowledge from the past to
address the future. International Journal of
Cyber Criminology, 1(1), 1-26.
[2] QA Kester (2013): Visualization and
analysis of geographical crime patterns
using formal concept analysis.
International Journal of Remote Sensing
and Geo-science (IJRSG) 2 (1), 30-35
[3] A Geographic profiling retrieved from
http://en.wikipedia.org/wiki/Geographicgrof
iling #citeref-2
[4] Russell-Einhorn, M. L. (2004): Federal-
Local Law Enforcement Collaboration in
Investigating and Prosecuting Urban Crime,
1982-1999: Drugs, Weapons, and Gangs
(No. NCJ201782): National Institute of
Justice.
McGarrell, E. F & Schlegel, K. (1993): The
implementation of federally funded multi
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
243
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
jurisdictional taskforces: Organizational
structure and inter agency relationships.
Journal of Criminal Justice, 21(3), 231-244.
[6] Conley, C. H., & McEwen, J. T. (1990):
Computer crime, U.S. Department of
Justice. National Institute of Justice.
[7] P. Rogerson, Y. Sun (November, 2001,)
Spatial monitoring of geographic patterns:
an application to crime analysis
Computers, Environment and Urban
Systems, Volume 25, Issue 6, Pages 539—
556
Yee Ling Boo; Alahakoon, D (Dec. 2008),
"Mining Multi-modal Crime Patterns at
Different Levels of Granularity Using
Hierarchical Clustering, "Computational
Intelligence for Modelling Control &
Automation, 2008 International
Conference on, vol., no., pp.1268-
1273,10- 12
[9] Radimb ―Elohl Avek introduction to
formal concept analysis Olomouc; 2008.
[10] Security Informatics, Special issues on
Formal Concept Analysis in Intelligence and
Security Informatics Springer, 2012.
[11] Analysis Home page from:
http://www.upriss.org.uk/tea/tea.html
[12] Gard Stumme [2002]: A Tutorial on
Formal Concept Analysis
[13] Radim, Belohlavek (2008): Introduction to
Concept Analysis, Department of Computer
Science, Palacky University, Olomouc
Bibliography
Dr. Victor O. Waziri is an Associate Professor in the
Department of Cyber Security, Federal Federal
University of Technology, Minna-Nigeria. His
Computational Research is based on Computational
Intelligence with Applications on Cyber Security
related problems. In most cases, Matlab, Maple and
Mathematica are the basis for his accessory in
modeling and Simulations in Modern Cryptographic
analyses. His researches area also extends into
Computational Optimization and in Zero-day
Malware Detections. He has published many papers
in reputable Journals at both International and Local
Levels. He Lectures various courses in the
Department that include Cryptography, Network
Security, Clouds Security, Data Mining,
Computational Theory, Automata and Programming
Languages
Morufu Olalere was born in Ode-omu, Osun state, Nigeria in 1980. He has B.Tech Industrial
mathematics/computer science and M.Sc. in
Computer science (Biometrics) from Federal
University of Technology, Akure and University of
Ilorin, Nigeria in 2005 and 2011 respectively. He is
a LECTURER from department of Cyber Security
Science, Federal University of Technology Minna,
Nigeria and currently on study fellowship as a PhD
student in the faculty of computer Science and
Information Technology, University Putra Malaysia.
His research interest includes biometric, network
security, cryptography and security in Bring Your
Own Devices. Mr. Olalere is a member of Computer
Professionals Registration Council of Nigeria (CPN),
a member of Nigeria Computer Society (NCS) and a
member of Association for Information Systems
(AIS). he is a certified ethical hacker.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
244
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Abdullahi Bn Umar is a lecturer in the department of computer science Federal College of Education, Kano. He bagged PGDE, TRCN, B. TECH in Computer Physics from Federal University of Technology, Minna and currently undergoing M. TECH degree program in computer science in the same University (FUTMIN). Abdullahi Bn Umar is a member of African Educational Research Network (AERN) and has contributed to literature through article publications in reputable journals.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 235-245
245
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Security Breaches, Network Exploits and Vulnerabilities: A Conundrum and an Analysis
Oredola A. Soluade
Iona College Hogan School of Business
New Rochelle - New York 10801 [email protected]
Emmanuel U Opara College of Business
Prairie View A&M University Prairie View - Texas U.S.A.
ABSTRACT
Enterprise systems are continuously on cyber-attacks as struggle for solutions are sort. Today, these organizations spend over $70 billion on IT security, but are unable to protect the organization since cyber criminals routinely discover exploits and breach those defenses with zero-day attacks that bypass traditional technologies. These attacks occur during the vulnerability window that exists in the time between when a loophole is first exploited and when software developers start to develop and publish a counter to that threat. Many organizations had been breached by the zero-day attack concept. This means that at least one attacker had bypassed all layers of organization defense-in depth architecture. Using data from our survey of 202 participants, this study analyses how attacks are changing the cyber platform and why traditional and legacy defenses are functioning below par and expectations.
KEYWORDS: Security Breaches, Vulnerabilities, Threats, Malware, Adware, Exploits.
1 INTRODUCTION
Enterprise systems function in a globally-connected world, which constantly are witnessing globally-distributed cyber threats. Study has indicated, these threats are not restricted by geographical boundaries, but are targeted at all technologies, hardware/software/service providers, end-users, consumers, private and the public sector alike. The cost and frequency of these incidences are on the rise. There threats have evolved as a new dimension of interest and concerns, gaining political and societal attention. Understanding the exponential growth and magnitude of cyber threats, the future tasks and responsibilities associated with cybersecurity is critical to enterprise systems competitiveness, survival and profitability.
Cyber-attacks are now facts of organizational concerns because the rates of occurrences are growing exponentially [1]. Today's security defenses are failing because organization's legacy platforms leverage technologies have been dependent on signatures as security authentication mechanisms. These platforms may be good at blocking basic malware that
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
246
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
are known and documented, however legacy platform technologies do not stand a chance against today's sophisticated, dynamic cyber-attacks that occur across multiple vectors and stages of the cyber platform. Examples are biological weaponries, nukes, climate change, zero-day attacks, and transactional crimes. An example for bio-threats is the public health community’s dream making the arrival and spread of communicable diseases as easy to predict and track as weather. This study found that potential exploits, and threat levels have escalated to the point that with time, motivation, and funding, a resolute criminal will likely be able to penetrate any system that is accessible directly from the Internet
In 2013, Hackers concentrated on placing malware content on enterprise systems and organization’s Websites as a means to gain entrance into the network. These criminals employ “drive-by-downloads” from fake websites as well as “water hole to exploit potential vulnerabilities. Also in same year, a press report describes pages on an official U.S. Government website that contain content promoting third-parties products that were enriched with malicious payloads. As these threats evolve, they could infiltrate the interior of the network, the core, the distribution layer and the user access edge where the defense and visibility is minimal. Once inside a system, the payload quietly target specific assets and individuals in the enterprise system. Most of the objectives of such attacks are to collect and exfiltrate intellectual property of state/trade secrets for competitive advantage within industry, and use for economy and sociopolitical ends [2].
The fact remains that current antivirus solutions are not capable of eradicating
targeted attacks. Study has shown that organization’s Industrial Control System [ICS] platforms are targets for cyber attackers. These include automation, process control, access control devices, system accounts and asset information that are considered valuable to attackers. Cyber criminals can leverage the lack of corporate security policies, procurement languages, asset inventory that are present in many Industrial Control Systems [ICS]. A coordinated and known security exploit can be combated by a structured and adequately designed security infrastructure that includes preventive mechanisms such as intrusion prevention, antivirus, content security and internal and external firewalls. However, targeted threats designed for specific exploits could pose a tougher challenge. Further attackers could come from nation states, insiders and other trusted parties such as contractors or vendors. Hacktivists or politically motivated attackers and script kiddies are also included in this group. Based on these facts, the potential-risk and challenges are very high.
The key in this study is to identify what’s at stake and the key challenges in gaining visibility to customized threats. Also to create threat awareness in areas where systems could be vulnerable. These include but not limited to the following areas: [I] Network Access: Malware can spread vertically through the network by trusted system to system connections of VPN because it is easy for it to maneuver undetected through a controlled platform. [II] System Management; when there are extensive delays by security professionals in patching and operating systems upgrades, attackers can exploit such systems. Further, criminals can leverage default usernames and
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
247
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
passwords or weak authentication mechanism. [III] Supply Chain; Criminals can attack third party vendors, contractors or integrator in an attempt to exploit an ICS environment asset owner or multiple enterprise systems. [IV]Interconnects; Criminals can attack ICS systems by exploiting applications that communicate through network segmentation because many ICS platforms are susceptible to network-based Man in the Middle attacks. This study will provide actionable intelligence to ensure enterprise systems breach discover and mitigate exploits as they occur in the organization.
In our survey questions 8 – 22 [appendix 1], we asked in the survey, who the top cyber-threats, that are facing their organization? This question was raised because, most members of security teams, do not agree on what constitutes the significant threats to their organizations. We also asked survey respondents the type of proactive tools they use to counter zero-day attacks and Advanced Persistent Threat [APT]. This is a commonly use term to define remote attacks employed by sophisticated threats actors. These actors could be nation states or their intelligence services. Some of the intelligence services include these:
• Malware • Outbound Traffic • Rogue Device • Geolocation of IP Traffic • Distribution intrusion detection
systems (DIDS) • Deep Packet Inspection [DPI] • External Footprint • Co-operating security managers
(CSM) • Watermarking/tagging
The findings from this study, will articulate the current cyber security measures enterprise systems will have to deploy to counter vulnerabilities, potential breaches and threats.
2 LITERATURE REVIEW
In 2013, study showed that at least ten major banks were attacked by “hacktivists: These attacks were motivated by individuals whose exploit achievement is to destroy the reputation of the firm or its principals by employing techniques such as defacing websites to leaking enterprise private content. JPMorgan Chase, Bank of America, Citigroup, Wells Fargo and others have faced such attacks [3]. Baldor [4] in their study noted that a data security breach at Montana State health records compromised the social security numbers and other important information of about 1.5 people. These cyber-criminal gained access to a computer server tied to the Montana Department of Public Health and Human Services, exposing sensitive or confidential information of current and former medical patients, health agency employees and contractors. Oyemade [5], among others, cited that information technology faces a constant flood of alerts from every system, challenging organization’s security expert’s to find the critical threats in a sea of false alerts or insignificant events. They noted that ultimate protection means the near elimination of false positive and remediation of infected endpoints. Tester, [6]) in their report noted that more zero-day vulnerabilities were discovered in 2013 than any other year. The 26 zero-day
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
248
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
vulnerabilities discovered represent an 81 percent increase over 2012 and are more than the three previous years combined. Zero-day vulnerabilities are coveted because they give attackers the means to silently infect their victim without depending on social engineering. Target Corp and Neiman Marcus as a study summarized are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, however, it reported that smaller breaches on of at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, [13]. A recent study found that restaurant chain “P.F. Chang's China Bistro” had a breach on its card processing systems that could have resulted in theft of customer payment card information at 33 of its 210 U.S. locations. The potentially stolen data includes card numbers, cardholder's name and/or the card's expiration date and other relevant information [7].
In another report [8], it was stated that the 9/11 Commission, in its 10th anniversary report, cautions Americans and the U.S. government to treat cyber threats more seriously than they did terrorist threats in the days and weeks leading to Sept. 11, 2001.
Steinbart [13], in their study also indicated that baby monitors, security cameras and routers, were famously hacked in 2013. Furthermore, security researchers demonstrated attacks against smart televisions, automobiles and medical equipment. This gives this study a preview of the security challenge presented by the rapid adoption of the Internet of Things (IoT).
Later studies, [9], [10], among others summarized that data shows that companies are learning from past cyber-attacks and breaches. There is evidence companies are becoming better at managing the costs incurred to resolve a data breach incident and for the first time in seven years both the organization cost of a data breach and the cost per lost or stolen record declined in 2012.
According to a study by [12], citing rising number of high profile cyber-attacks — most recently at Twitter, LinkedIn and Yahoo— it was noted that governmental agencies are stepping up its scrutiny of cyber security. This is leading to increased calls for legislation and regulation, placing the burden on companies to demonstrate that the information provided by customers and clients is properly safeguarded online. Another studies by [10], also summarized that despite the fact that cyber risks and cyber security are widely acknowledged to be a serious threat, a majority of companies today still do not purchase cyber risk insurance, though this is changing. Their study suggests that more companies are now purchasing cyber coverage and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks in future. 3 METHODOLOGY
In order to pilot test the cyber-security concerns, the authors constructed, distributed and collected responses from survey questionnaires at a cyber-security business professional conference in May 2013 at San Antonio Texas. The survey population comprises of professionals who publish research findings and work in their respective fields. These are
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
249
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
experts with extensive history in teaching and in the business world. Survey data was distributed to senior IT professionals from midmarket (100 to 999 employees) and enterprise-class (1000 employees or more] organizations. The survey questionnaires were distributed to 320 attendees. The number completed and returned was 202. Overall, we consider these as an equitable representative random sample. Most of the survey items were Likert scale types, yes/no responses or categorical, ordinal items, gender, ranks of personnel. The study conducted a survey of 24 questions covering a range of security issues that are of importance and of concern to IT and security administrators in small and medium size businesses [SMBs]. The questions were designed and conducted to obtain a snapshot of the state of security issues in SMBs and to confirm issues that have been raised in other security studies.
4 FINDINGS/RESULTS A series of hypotheses were tested to determine the extent of awareness of potential threats to data at rest. and attitude of the respondents to security in their organization. The first hypothesis is to determine the extent to which the respondent’s attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other affect their feeling of security in their organization. H0: There is no dependence between feeling secure in an organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External
footprints, and Document Watermarking and Tagging on the other. H1: The sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. Conclusion: Attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, do not significantly impact the feeling of respondents about the security in their organization. The second hypothesis is to determine the extent to which the male respondent’s attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other affect their feeling of security in their organization. H0: For male respondents, there is no dependence between feeling secure in an organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: For male respondents, the sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
250
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. Conclusion: When this analysis is controlled for gender, it turns out that male respondents, who have confidence in their company network, also believe that Rogue Device Scanning is the most proactive activity/technique to counter persistent threats to their organization. This dependency is found to be significant at the 1% significance level with a p-value of 0.008) The third hypothesis is to determine the extent to which the female respondent’s attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other affect their feeling of security in their organization. H0: For female respondents, the sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. H1: For female respondents, the sense of feeling secure in an organization depends on a number of factors – including: their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. Conclusion: When this analysis is controlled for gender, it turns out that female respondents who have confidence in their company
network is independent of their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging. In order to determine whether there is dependence between the assessments of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other, the following hypothesis was tested. H0: There is no dependence between the assessment of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between the assessment of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging, does not significantly impact the assessment of the effectiveness of an organization’s
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
251
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
network system and their feelings about the security in their organization. The hypothesis was then tested for a subset of male respondents. The result is as follows: H0: There is no dependence between the assessment by male respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between the assessment by male respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of male respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, does not significantly impact the assessment of the effectiveness of an organization’s network system and their feelings about the security in their organization. When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between the assessment by female respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to
hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between the assessment by female respondents, of the effectiveness of an organization’s network system on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of female respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, does not significantly impact the assessment of the effectiveness of an organization’s network system and their feelings about the security in their organization. Another hypothesis that was tested is to determine if there is dependence between Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. The resultant test is as follows: H0: There is no dependence between Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
252
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, do not significantly impact Investment in cybersecurity as best solution for cyber-attacks. The hypothesis was then tested for a subset of male respondents. The result is as follows:
H0: There is no dependence between male Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between male Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of male respondents to foreign nation-states, do significantly impact male Investment in cybersecurity as best solution for cyber-attacks.
Table 1. Regression output of attitude of male respondents to Foreign Nation-States
Coefficients
Unstandardized Coefficients
Standardized Coefficients t Sig.
B Std.
Error Beta Var014: Foreign Nation-states are perceived as the groups that pose the greatest cybersecurity threat to the organizations of male respondents -0.398 0.173 -0.23 -2.301 0.024
When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between female Investment in cybersecurity as best solution
for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
253
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between female Investment in cybersecurity as best solution for cyber-attacks on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External
footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of female respondents to organized crime do significantly impact Investment in cybersecurity as best solution for cyber-attacks in their organization.
Table 2. Regression output of attitude of female respondents to Organized Crime groups
Coefficientsa
Model
Unstandardized Coefficients
Standardized Coefficients
t Sig. B Std.
Error Beta (Constant) -1.426 3.282 -.434 .665
Var015: Organized crime groups are perceived as the groups that pose the greatest cybersecurity threat the organizations of female respondents
.384 .128 .345 3.003 .004
a. Dependent Variable: Var005: Do you agree that investment in cybersecurity in 2013-2014....will provide the best systems solutions to thwart cyber-attacks?
Another hypothesis that was tested is to determine if there is dependence between Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. The result of that test is as follows: H0: There is no dependence between Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External
footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of respondents to hackers (p-value 0.047) and organized crime (p-value 0.037) do significantly impact Rating Downtime as the greatest IT concern of their organization.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
254
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Table 3. Regression output of attitude of respondents to Hackers and Organized Crime groups
Coefficientsa
Model
Unstandardized Coefficients
Standardized Coefficients
t Sig. B Std.
Error Beta 1 (Constant) 4.219 .815 5.175 .000
Var012: Hackers are the groups that pose the greatest cybersecurity threat to your organization
.098 .049 .141 2.002 .047
Var015: Organized crime are the groups that pose the greatest cybersecurity threat to your organization
-.076 .036 -.153 -2.097 .037
a. Dependent Variable: Var006: Rate your company's IT concerns with regard to Downtime
The hypothesis was then tested for a subset of male respondents. The result is as follows: H0: There is no dependence between male Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between male Rating Downtime as the greatest IT concern of their
organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of male respondents to hackers (p-value 0.029) does significantly impact Rating Downtime as the greatest IT concern of their organization
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
255
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Table 4. Regression output of attitude of male respondents to Hackers Coefficientsa
Model
Unstandardized Coefficients
Standardized Coefficients
t Sig. B Std. Error Beta (Constant) 3.421 1.344 2.545 .013
Var012: Hackers are perceived as the group that poses the greatest cybersecurity threat to the organizations of male respondents
.164 .074 .235 2.214 .029
a. Dependent Variable: Var006: Rate your company's IT concerns with regard to Downtime
When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between female Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other.
H1: There is dependence between female Rating Downtime as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: At the 5% significance level, it is determined that the attitude of female respondents to organized crime (p-value 0.020) does significantly impact Rating Downtime as the greatest IT concern of their organization.
Table 5. Regression output of attitude of male respondents to Hackers
Coefficientsa
Model
Unstandardized Coefficients
Standardized Coefficients
t Sig. B Std.
Error Beta 1 (Constant) 4.393 1.169 3.758 .000
Var015: Organized crime is perceived as the group that poses the greatest cybersecurity threat to the organizations of female respondents.
-.108 .046 -.279 -2.378 .020
a. Dependent Variable: Var006: Rate your company's IT concerns with regard to Downtime
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
256
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Another hypothesis that was tested is to determine if there is dependence between Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. The result is as follows: H0: There is no dependence between Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized
crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, do not significantly impact Rating Compliance as the greatest IT concern of their organization The hypothesis was then tested for a subset of male respondents. The result is as follows: H0: There is no dependence between male Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other.
H1: There is dependence between male Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. Conclusion: Attitude of respondents to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Taggings, does not significantly impact male Rating
Compliance as the greatest IT concern of their organization. When the hypothesis was tested for a subset of female respondents, the result is as follows: H0: There is no dependence between female Rating of Compliance as the greatest IT concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other. H1: There is dependence between female Rating of Compliance as the greatest IT
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
257
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
concern of their organization on the one hand, and their attitude to hackers, current and former employees, foreign nation-states, organized crime, malware analysis, Geolocation of IP traffic, Subscription Services, External footprints, and Document Watermarking and Tagging on the other.
Conclusion: At the 5% significance level, it is determined that the attitude of female respondents to Penetration Testing (p-value 0.021), and Examination of External Footprints (p-value 0.050) as the most proactive activity/techniques used to counter persistent threats to their organization, significantly impact Rating Compliance as the greatest IT concern of their organization.
Table 6. Regression output of attitude of female respondents to Penetration Testing & External Footprints
Coefficientsa
Model
Unstandardized Coefficients
Standardized Coefficients
t Sig. B Std.
Error Beta 1 (Constant) 4.705 1.037 4.536 .000
Var017: Penetration Testing is the most proactive activity/technique used to counter persistent threats to your organization
.219 .093 .253 2.357 .021
Var022: Examining External Footprint is the most proactive activity/technique used to counter persistent threats to your organization
-.144 .072 -.230 -1.992 .050
a. Dependent Variable: Var007: Rate your company's IT concerns with regard to Compliance
5 OVERALL CONCLUSION
Despite the tremendous amount of money organizations pour into traditional security measures every year, attackers are able to penetrate security defenses and compromising networks at will. As this study shows, it doesn’t matter what vendor or combination of security in-depth tools an organization employs, hackers will continue to hack a system when they can exploit vulnerabilities in a network. At a minimum, organizations should include reducing waste
on redundancy, backward-looking technologies and redeploying those resources on defenses designed to find and stop today’s zero-day and advanced attacks.
6 IMPLICATION FOR PRACTIONERS AND RESEARCHERS
As this study has indicated, today’s attacks often involve malware tailored to compromise a single vector. When such attack commences, they never stop until the objective is achieved. Typical security in-depth architecture
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
258
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
comprising of framework of discrete layers that include anti-virus software, intrusion-prevention systems, next generation firewalls, Web gateways, are poorly equipped to combat today’s advanced attacks. However, without a comprehensive and cohesive analysis across all attack vectors, the current defense mechanism can miss the signs that an attacker has breached organization defenses.
7 CHALLENGES A bigger challenge is foundational. The reason is because the cores in the typical architecture rely on a mix of binary signatures, blacklists, and reputation to identify threats. As the study showed, signatures are ineffective because antivirus (AV) vendors are not able to keep up with the speed of new malware binaries. This is because the malware is custom-made for specific target and as result, AV vendors will never be able to detect the malware and create signature for its defense. Other concerns include many attacks that exploit zero-day vulnerabilities and application blacklist that are blind to attacks because it uses encrypted binaries or hijack legitimate apps and processes. Further, reputable defenses such as Web gateways and IPS are not poised to stop
attacks from newly setup universal resource locators [URLs] or compromised websites that are used as drive-by-downloads.
8 SUMMARY AND CONCLUSIONS The study reveals that IT professionals were generally optimistic about the levels of their policies, technical control and mitigation implementation strategies; however, our finding proved that organizations could better align its investments and resources in order to cope with the advanced exposures and attacks as they develop. Phishing attacks, compliance policy violations, unsanctioned device and applications use, unauthorized data access, comprise the top list issues of concerns. Network device intelligence and system integrity, core components of all compliance frameworks and security best practices should be beefed up. The study concludes by noting that without a security policy, the availability of a network can be compromised. An adequate policy comprises of assessment of the risk to the network, organizing a response team, implementing a security change management practice, monitoring the network for security violations, maintaining a review process that modifies the existing policy and adapt to lessons learned.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
259
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
9 REFERENCES
1. Anderson, Kerry A.; “A Case for a Partnership Between Information Security and Records Information Management,” ISACA Journal, vol. 2, 2012, www.isaca.org/archives
2. Ashford, Warwick; (2013), “Why Has DLP
Never Taken Off?,” Computer Weekly, 22 January 2013, www.computerweekly.com/news/2240176414/Why-has-DLP-never-taken-off
3. Steinbart, Paul John; Robyn L. Raschke;
Graham Gal; William N. Dilla; “Information Security Professionals’ Perceptions about the Relationship between the Information Security and Internal Audit Functions,” forthcoming in the Journal of Information Systems, 2013
4. Baldor, Lolita C. (2013), ““US Ready to Strike
Back Against China Cyberattacks,” Yahoo News, 19 February 2013, http://news.yahoo.com/us-ready-strike-back-against-china-cyberattacks-225730552--finance.html
5. Oyemade, Ronke; “Effective IT Governance
Through the Three Lines of Defense, Risk IT and COBIT,” ISACA Journal, volume 1, 2012, www.isaca.org/archives
6. Tester, Darlene; “Is the TJ Hooper Case
Relevant for Today’s Information Security Environment?” ISACA Journal, vol. 2, 2013
7. Constantin, Lucian; “South Carolina Reveals Massive Data Breach,” PC World, 27 October 2012, www.pcworld.com/article/2013186/south-carolina-reveals-massive-data-breach.html
8. Forrester,(2012), “Rethinking DLP:
Introducing the Forrester DLP Maturity Grid,” September 2012, www.forrester.com/Rethinking+DLP+Introducing+The+Forrester+DLP+Maturity+Grid/fulltext/-/E-RES61231
9. Gelbstein, Ed; “Strengthening Information
Security Governance,” ISACA Journal, vol. 2, 2012, www.isaca.org/archives
10. Mashable, “How Much Does Identity Theft
Cost?,” 28 January 2011, http://mashable.com/2011/01/28/identity-theft-infographic
11. Romanosky, Sasha; David Hoffman,
Alessandro Acquisti, (2014), “Empirical Analysis of Data Breach Litigation,” Temple University Beasley School of Law, Legal Studies research paper no. 2012-29, 2012, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461
12. Goldman, C. FreeWave Technologies.
www.elp.com/articles/powergrid_international/print/volume-17/, 2012.
13. Steinbart, Paul John; Robyn L. Raschke;
Graham Gal; William N. Dilla; “The Influence of Internal Audit on Information Security Effectiveness: Perceptions of Internal Auditors,” working paper, 2013
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
260
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
1 2 3 4 5
Var001: Gender Male Female
Var002: Executive or Senior IT Administrator? Exec Snr. IT
Var003: How secure is the company network? Very Secure Secure Somewhat Secure Not Very Secure Don't Know
Var004: How effective is the network security system of your organization? Extremely Effective
Moderately Effective Effective Not Effective Don't Know
Var005: Do you agree that investment in cybersecurity in 2013-2014....will provide the best systems solutions to thwart cyberattacks? Extremely Agree Moderately
Agree Agree Disagree Don't Know
Var006: Downtime is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var007: Compliance is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var008: eDiscovery is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var009: Security Issues is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var010: Network Growth is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var011: User support is the greatest IT concern of my organization Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var012: Hackers are the groups that pose the greatest cybersecurity threat to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var013: Current & former employees are the groups that pose the greatest cybersecurity threat to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var014: Foreign Nation-states are the groups that pose the greatest cybersecurity threat to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var015: Organized crime are the groups that pose the greatest cybersecurity threat to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var016: Malware Analysis is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var017: Penetration Testing is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var018: Rogue Device Scanning is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var019: Analysis & Geolocation of IP Traffic is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var020: Subscription Services is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var021: Deep Packet Inspection is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var022: Examining External Footprint is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var023: Don't Know/Not Sure of the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Var024: Document Watermarking & Tagging is the most proactive activity/technique used to counter persistent threats to your organization
Strongly Disagree Disagree Not Sure Agree Strongly Agree
Appendix I: Cybersecurity Survey Questionnaire
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(4): 246-261
261
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)