SHANG Shi-ze,KONG Xiang-wei,YOU Xin-gang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.011

2015-01-01

Abstract:The examination of forged and altered document is an important part in judicial expertise. The traditional examination methods need professional testers and devices, the disadvantages include high cost, long testing time, damage on the documents, etc. In recent years, the digital passive lossless forensics on forged and altered document has been developed which only uses scanner and computer. In this paper, we first introduce the life-cycle of document and its forging and altering methods. Then, we summarize the passive lossless forensics on forged and altered document, and describe the technologies on device identiifcation, copy paper identiifcation and authenticity detection, respectively. We give a detailed description on the characteristics introduced by devices and altering methods, and their forensics methods. Finally, we describe the questions and challenges on digital passive lossless forensics on documents.

Weidong Qiu,Run Zhu,Jie Guo,Xiaoming Tang,Bozhong Liu,Zheng Huang

DOI: https://doi.org/10.1109/BIBE.2014.31

2014-01-01

Abstract:Traditional file recovery methods rely on file system information, which are ineffective when file system information isn't available. File carving is a file recovery method that recovers files according to their structure and content without file system information, which is widely used in digital forensics. As the important carriers of digital information, multimedia files are important digital evidence. In this paper, a new multimedia file carving approach is proposed to improve the recovery accuracy of high entropy file fragments. The fragmented files can be recovered by a hierarchical carving process, including file header identification via entropy, file fragment type classification, and file reassembly via parallel unique path approach. A new file type classification method is constructed based on support vector machine, by using the features of BFD (byte frequency distribution) and ROC (rate of change). Four different datasets, such as DFRWS 2006/2007 challenge datasets, dataset simulating actual disk, dataset with randomly disordered fragments, and dataset with biomedical images, are employed in our experiments. The results show that JPEG recovery accuracy is improved greatly compared with that of Photo Rec tool. Our method performs best in the situation where the order of fragments is completely confusing.

Xiangwei Kong,Bo Wang,Mingliang Yang,Yue Feng

DOI: https://doi.org/10.1007/978-981-10-1536-6_66

2016-01-01

Abstract:Since image processing software is widely used to tamper or embed data into JPEG images, the forensics of tampered JPEG images now plays a considerable important role. However, most existing forensics methods that use binary classification can hardly deal with multiclass image forensics problems properly under network environments. In this paper, we propose a hierarchical forensics scheme against multiple heterogeneous JPEG images. We introduce a compression identifier based on Markov model of DCT coefficients as the first hierarchical section and then develop a tampering detection and steganalyzer separately as the second phase. We conduct a series of experiments to testify the validity of the proposed method.

Fang Wangsheng,Shao Liping,Zhang Kejun

DOI: https://doi.org/10.3969/j.issn.1008-0570.2006.33.028

2006-01-01

Abstract:According to the structure characters of portable executable file format, the methods taking advantages of redundant spaces, redundant structures and static spaces allocated to strings to embed information into PE file are introduced in this paper. To prevent the embedded data from being understood and modified, a method is provided there, which make use of translating data in other forms to disguise information. To recover the original information, a method being availed of secret sharing schemas is also given. When some embedded informations are damaged, others can be used to recover the original embedded information to keep the em- bedded data completely.

Sari Ali Sari,Kamaruddin Malik Mohamad

DOI: https://doi.org/10.1088/1742-6596/1529/5/052011

2020-05-01

Journal of Physics: Conference Series

Abstract:Abstract Digital Forensics is a platform that helps in assisting investigation carried out in computer crimes through the recovery of material that is found in digital devices. Material is recovered through a method known as file carving that helps to recover data from storage media. Moreover, it also retrieves the extract hidden, overwritten or deleted files. File carving enables the file recovery without knowledge about contextual information such as file system metadata. Due to recent expansion in the research of information technology, file carving has become an essential technique for general data recovery and digital forensics investigations. Therefore, considering the important role played by file carving the present study conducted a survey of the previous literature to find out various data carving techniques. Results, from the previous literature helped to provide several algorithms for image construction which are based on graph theoretic techniques. Furthermore, the present study classifies the file carving techniques for JPEG file into two categories namely basic carving technique and advanced carving technique. The paper concludes by providing limitations in the present study which could be helpful for future investigations associated with the fragmentation problem of data files.

Yanbin Tang,Junbin Fang,K. P. Chow,S. M. Yiu,Jun Xu,Bo Feng,Qiong Li,Qi Han

DOI: https://doi.org/10.1016/j.diin.2016.04.016

2016-01-01

Digital Investigation

Abstract:File carving from damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies on how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate if two data blocks are consecutive in the same JPEG file and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from a SD card of a digital camera. The results were compared to Adroit Photo Forensic (APF), a commonly used photo carving tool. In our experiments, our tool can automatically recover 97% fragmented JPEG files (versus 79% by APF).

Nebojša Škrbina,Toni Stojanovski

DOI: https://doi.org/10.48550/arXiv.1205.0103

2012-05-01

Abstract:File carving is one of the most important procedures in Digital Forensic Investigation (DFI). But it is also requires the most computational resources. Parallel processing on Graphics Processing Units have proven to be many times faster than when executed on standard CPU. This paper is inspecting the algorithms and methods to use parallel processing for development of file carving tools that will do their job much faster than the conventional DFI tools.

Cryptography and Security

Dabin Joo,Jiwon Lee,Doowon Jeong

DOI: https://doi.org/10.1111/1556-4029.15240

Abstract:Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file-wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we focused on analyzing traces in 13 Windows artifacts of 10 file-wiping tools' operations in the Windows operating system comprehensively. For our experiments, we installed each file-wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on the other three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, and it can assist in decision-making for evidence collection and forensic triage.

QIAN Qin,DONG Bu-yun,TANG Zhe,FU Xiao,MAO Bing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.08.058

2014-01-01

Abstract:Traditional methods of memory acquisition focus on the persistent data of disk or hard disk in the attacked computers. However,as the growing use of encryption routines or rapidly increasing storage capabilities of hard drives,it is very difficult to get data in time with the original method that is meant for persistent data. So in the field of computer forensics,people start to change the data source and focus on the volatile information in RAM. This paper specifically describes the prevailing methods of memory acquisition and analysis and the process of memory forensics. It explains the characteristics of each method and gives the advantage and disadvantage of them. In the end,it concludes all these methods and gives some suggestions of the future of computer forensics.

Yongjian Lou,Peng Wang,Ming Xu,Ning Zheng

DOI: https://doi.org/10.1109/ICISE.2009.351

2009-01-01

Abstract:Rapidly retrieving valuable information is vital in computer forensic, especially information with respect to the computer system itself. Attentions on the system information such as registry and event log have increasingly promoted the forensic researches. Event log is a very import file in computer, which contains a large amount of available information about what happened on the system observed, but current forensic tool on event log only can repair corrupted log files and has no effect on the situation that event log file has been fragmented. To address this problem, this paper presents an algorithm which allows search for windows event log file data fragments based solely on their data contents, without the need of any meta data. The algorithm is based on searching the signature in log file combining with computing the entropy difference between neighboring clusters. A tool was developed to automate recovery and parse of Windows NT5 (XP and 2003) event logs for computer forensic. This tool automates repair of multiple event logs and parse the recovered files without user intervention. The evaluation of this method shows an average accuracy of 82.5%, with lower false positive.

Jaehyeok Han,Jungheum Park,Hyunji Chung,Sangjin Lee

DOI: https://doi.org/10.48550/arXiv.2002.12506

2020-02-28

Abstract:Telemetry is the automated sensing and collection of data from a remote device. It is often used to provide better services for users. Microsoft uses telemetry to periodically collect information about Windows systems and to help improve user experience and fix potential issues. Windows telemetry service functions by creating RBS files on the local system to reliably transfer and manage the telemetry data, and these files can provide useful information in a digital forensic investigation. Combined with the information derived from traditional Windows forensics, investigators can have greater confidence in the evidence derived from various artifacts. It is possible to acquire information that can be confirmed only for live systems, such as the computer hardware serial number, the connection records for external storage devices, and traces of executed processes. This information is included in the RBS files that are created for use in Windows telemetry. In this paper, we introduced how to acquire RBS files telemetry and analyzed the data structure of these RBS files, which are able to determine the types of information that Windows OS have been collected. We also discussed the reliability and the novelty by comparing the conventional artifacts with the RBS files, which could be useful in digital forensic investigation.

Cryptography and Security

Jin Liu,Hefei Ling,Fuhao Zou,Weiqi Yan,Zhengding Lu

DOI: https://doi.org/10.4018/jdcf.2010100103

2010-01-01

International Journal of Digital Crime and Forensics

Abstract:In this paper, the authors investigate the prospect of using multi-resolution histograms (MRH) in conjunction with digital image forensics, particularly in the detection of two kinds of copy-move manipulations, i.e., cloning and splicing. To the best of the authors’ knowledge, this is the first work that uses the same feature in both cloning and splicing forensics. The experimental results show the simplicity and efficiency of using MRH for the purpose of clone detection and splicing detection.

Edward L Amoruso,Richard Leinecker,Cliff C Zou

DOI: https://doi.org/10.3390/s24165106

2024-08-06

Abstract:The Windows registry contains a plethora of information in a hierarchical database. It includes system-wide settings, user preferences, installed programs, and recently accessed files and maintains timestamps that can be used to construct a detailed timeline of user activities. However, these data are unencrypted and thus vulnerable to exploitation by malicious actors who gain access to this repository. To address this security and privacy concern, we propose a novel approach that efficiently encrypts and decrypts sensitive registry data in real time. Our developed proof-of-concept program intercepts interactions between the registry's application programming interfaces (APIs) and other Windows applications using an advanced hooking technique. This enables the proposed system to be transparent to users without requiring any changes to the operating system or installed software. Our approach also implements the data protection API (DPAPI) developed by Microsoft to securely manage each user's encryption key. Ultimately, our research provides an enhanced security and privacy framework for the Windows registry, effectively fortifying the registry against security and privacy threats while maintaining its accessibility to legitimate users and applications.

HUANG Jia-shun,ZHAO Xin-yu,LUO Shun,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.02.032

2013-01-01

Abstract:The computer system check marks and forensics is the process,by certain techniques and methods,to collect all kinds of information in the target computer as clues and evidence. The analysis and interpretation of USN journal on NTFS file system could be used in computer crime investigation and forensic,and the research on computer crime investigation technologies is helpful to acquisition of crime clues and evidence in USN journal. Meanwhile some examples and explanations are also given in this paper.

Jiazhou Chen,Wenwen Hu,Yongwei Miao,Minyan Chen,Qunsheng Peng

DOI: https://doi.org/10.3969/j.issn.1003-9775.2016.09.009

2016-01-01

Abstract:To support efficient editing, reuse and individual design of papercutting textures, we propose a novel approach of pattern analysis and hierarchical modeling for texture patterns on papercutting works. First a vectori-zation process is applied to decompose the image of a papercutting work into individual texture shapes, these textures are then categorized based on their shape similarities using an improved shape context descriptor, finally the spatial distribution mode of each categorized texture pattern is identified, therefore converting the initial pa-percutting image into a hierarchical tree structure composed of a primitive layer, a similarity elements layer, a decorative pattern layer and a root node. Our modeling method corresponds closely to the characteristics of con-ventional papercutting texture including pattern repetition and modularization, and facilitates fast examination of geometric connection of the entire textures. Experiments show that our method can greatly reduce the difficulty for individual papercutting design while increase the editing efficiency.

Zhou Tian-Shu,Li Jing-Song,Zhang Xiao-Guang,Hu Zhen,Yu Hai-Yan,Chen Huan

DOI: https://doi.org/10.1109/ITIME.2009.5236451

2009-01-01

Abstract:A diverse child nodes hash tree method was proposed to make the digest structure more flexible, improving the data authenticity verification efficiency in regional health information network which has a great number of medical documents. The new hash tree method changes the former hash list from one-layer digest to a tree structure, using category search to enormously accelerate verification processes, and locating multi- "error file" at the same time. According to the current hardware, we designed experiments to obtain the curves of "hash tree computing time-child nodes" and "hash tree verification time-child nodes". Based on the two curves, a weight analysis method was proposed to determine the number of child nodes, making the entire system more efficient. By increasing a small amount of data redundancy, the diverse child nodes hash tree method greatly enhances the verification efficiency.

LI Yan,QIU Wei-dong,LU Zhi-xu,WANG Xing-nan

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.04.034

2010-01-01

Abstract:The key to computer forensics is to find out the potential electronic evidence quickly and accurately. In this paper, some methods for how to extract in-depth electronic evidence from the hard disk are discussed, and the efficiencies of several pattern matching algorithms are compared(including BF, KMP, BM and BMH algorithms) under different buffer sizes. This could serve as a theoretical foundation for practical computer forensic cases.

Zoe Lin Jiang,Jun-bin Fang,Lucas Chi Kwong Hui,SiuMing Yiu,Kam Pui Chow,Meng-meng Sheng

DOI: https://doi.org/10.1631/jzus.c1000425

2011-01-01

Abstract:Verifying the integrity of a hard disk is an important concern in computer forensics, as the law enforcement party needs to confirm that the data inside the hard disk have not been modified during the investigation. A typical approach is to compute a single chained hash value of all sectors in a specific order. However, this technique loses the integrity of all other sectors even if only one of the sectors becomes a bad sector occasionally or is modified intentionally. In this paper we propose a k-dimensional hashing scheme, kD for short, to distribute sectors into a kD space, and to calculate multiple hash values for sectors in k dimensions as integrity evidence. Since the integrity of the sectors can be verified depending on any hash value calculated using the sectors, the probability to verify the integrity of unchanged sectors can be high even with bad/modified sectors in the hard disk. We show how to efficiently implement this kD hashing scheme such that the storage of hash values can be reduced while increasing the chance of an unaffected sector to be verified successfully. Experimental results of a 3D scheme show that both the time for computing the hash values and the storage for the hash values are reasonable.

Qiming Teng,Xiangqun Chen,Xia Zhao,Wei Zhu,Lu Zhang

DOI: https://doi.org/10.1109/CMPSAC.2004.1342887

2004-01-01

Abstract:Reverse engineering of legacy systems is a knowledge-intensive process to reconstruct the understanding of a system. A semi-automatic process that can extract architecture level structure from legacy systems is introduced in this paper. Exact facts related to cross-references among ELF objects are extracted from files automatically, and then partitioned into hierarchical groups by close cooperation between domain experts and an assistant tool DEREF. By resolving the cross references among these groups, the architectural structure is reconstructed and then visualized using auto-layout techniques. A case study on three embedded operating system demonstrates that this process can be used to obtain a comprehensive understanding about legacy systems even without any a priori knowledge about its design.

Junbin Fang,Jiang, Zoe L.,Yiu, S.M.,Hui, L.C.K.

DOI: https://doi.org/10.1109/csa.2009.5404206

2009-01-01

Abstract:In this paper, we describe the problem of verifying the integrity of a hard disk especially for forensics investigation after the computer of a suspect has been seized.Existing solutions do not provide a satisfactory solution to solve the problem.They either require a huge amount of storage to store the hash values of the sectors or may not be able to cope with the situation in an effective way in case some sectors have been modified (e.g.become bad sectors or deleted due to being part of the Legal Professional Privilege items).We introduce to use Thierry-Mieg[15]'s combinatorial group testing scheme, which seems to be an unrelated topic, to design a scheme to compute the hash values for the sectors of a hard disk.The storage for hash values in our scheme can be significantly fewer than the best existing solution while requiring similar amount of execution time.And our scheme can accurately point out the sectors which have been modified while existing solutions cannot guarantee this.