SHANG Shi-ze,KONG Xiang-wei,YOU Xin-gang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.011

2015-01-01

Abstract:The examination of forged and altered document is an important part in judicial expertise. The traditional examination methods need professional testers and devices, the disadvantages include high cost, long testing time, damage on the documents, etc. In recent years, the digital passive lossless forensics on forged and altered document has been developed which only uses scanner and computer. In this paper, we first introduce the life-cycle of document and its forging and altering methods. Then, we summarize the passive lossless forensics on forged and altered document, and describe the technologies on device identiifcation, copy paper identiifcation and authenticity detection, respectively. We give a detailed description on the characteristics introduced by devices and altering methods, and their forensics methods. Finally, we describe the questions and challenges on digital passive lossless forensics on documents.

赵倩,曹天杰,耿涛

DOI: https://doi.org/10.3969/j.issn.1671-0428.2008.08.020

IF: 5.105

2008-01-01

Computers & Security

Abstract:With the development of information technology, more and more computer crimes occur. It has been the focus that people pay attention to how to use computer forensics collect electronic evidence to punish the crime. The paper mainly introduced the concept, principle and process of computer forensics, also introduced some common tools especially Encase.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

LI Yan,QIU Wei-dong,LU Zhi-xu,WANG Xing-nan

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.04.034

2010-01-01

Abstract:The key to computer forensics is to find out the potential electronic evidence quickly and accurately. In this paper, some methods for how to extract in-depth electronic evidence from the hard disk are discussed, and the efficiencies of several pattern matching algorithms are compared(including BF, KMP, BM and BMH algorithms) under different buffer sizes. This could serve as a theoretical foundation for practical computer forensic cases.

DENG Nan,CAI Neng-bin,HUANG Xiao-chun,DING Jian-xun,DONG Zao-li,LU Hong-tao

DOI: https://doi.org/10.3969/j.issn.1671-2072.2011.05.016

2011-01-01

Abstract:There are some disputes on digital imaging as evidence.This article proposes and establishes an anti-counterfeiting information system for forensic digital imaging based on watermarking techniques.The system,which can ensure the evidence effectiveness of digital images,consists of encrypting and anti-counterfeiting subsystem,information management subsystem and verification subsystem for encrypting information.

Wei Q. Yan,Jarrett Chambers

DOI: https://doi.org/10.1109/ISCAS.2013.6572507

2013-01-01

Circuits and Systems

Abstract:The banknote manufacturing industry is shrouded in secrecy, fundamental mechanics of security components are closely guarded trade secrets. Currency forensics is the application of systematic methods to determine authenticity of questioned currency. However, forensic analysis is a difficult task requiring specially trained examiners, the most important challenge is automating the analysis process reducing human error and time. In this study, an empirical approach for automated currency forensics is formulated and a prototype is developed. A two parts feature vector is defined comprised of color features and texture features. Finally the note in question is classified by a Feedforward Neural Network (FNN) and a measurement of the similarity between template and suspect note is output.

Dr. Oghene Augustine Onome,

DOI: https://doi.org/10.35940/ijese.g2552.0611723

2023-06-30

International Journal of Emerging Science and Engineering

Abstract:The field of computer forensics emerged in response to the substantial increase in computer-related crimes occurring annually. This rise in criminal activity can be attributed to the rapid expansion of the internet, which has provided perpetrators with increased opportunities for illicit actions. When a computer system is compromised and an intrusion is detected, it becomes crucial for a specialized forensics team to investigate the incident with the objective of identifying and tracing the responsible party. The outcome of such forensic efforts often leads to legal action being taken against those accountable for the wrongdoing. The methodology employed in computer forensics continually evolves alongside advancements in crime approaches, particularly as attackers leverage emerging technologies. To ensure the accuracy of forensic investigations, it is imperative that the scientific knowledge underlying the forensic process be complemented by the integration of technological tools. A plethora of hardware and software options are available to facilitate the analysis and interpretation of forensic data, thereby enhancing the efficiency and effectiveness of investigations. While the fundamental objectives of computer forensics primarily involve the seamless preservation, identification, extraction, documentation, and analysis of data, the widespread adoption of this discipline is contingent upon the law enforcement community's ability to keep pace with advancements in computing technology. Furthermore, the prevalence of diverse computer devices resulting from the emergence of microcomputer technology also plays a crucial role in shaping the field of computer forensics. This research paper aims to provide a comprehensive overview of computer forensics, encompassing advanced methodologies and detailing various technology tools that facilitate the forensic process. Specific areas of focus include the analysis of encrypted drives, disk analysis techniques, analysis toolkits, investigations involving volatile memory, and the examination of captured network packets. By exploring these aspects, this paper aims to contribute to the existing body of knowledge in the field of computer forensics and support practitioners in their pursuit of effective investigative techniques.

CAI Neng-bin,DENG Nan,HUANG Xiao-chun,LU Hong-tao,DING Jian-xun

DOI: https://doi.org/10.3969/j.issn.1001-0270.2011.06.07

2011-01-01

Abstract:This paper researches on the anti-counterfeiting technology for evidence digital images,presenting a blind watermarking algorithm based on Lab color space template and establishes an anti-counterfeiting information system.To maintain the credibility of evidence digital images provides an effective technology solutions,and the information system has been successfully applied in judicial practice.

LIU Zai-Qiang,LIN Dong-Dai,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos182635

2007-01-01

Journal of Software

Abstract:Network forensics is an important extension to present security infrastructure,and is becoming the research focus of forensic investigators and network security researchers.However many challenges still exist in conducting network forensics:The sheer amount of data generated by the network;the comprehensibility of evidences extracted from collected data;the efficiency of evidence analysis methods,etc.Against above challenges,by taking the advantage of both the great learning capability and the comprehensibility of the analyzed results of decision tree technology and fuzzy logic,the researcher develops a fuzzy decision tree based network forensics system to aid an investigator in analyzing computer crime in network environments and automatically extract digital evidence.At the end of the paper,the experimental comparison results between our proposed method and other popular methods are presented.Experimental results show that the system can classify most kinds of events (91.16% correct classification rate on average),provide analyzed and comprehensible information for a forensic expert and automate or semi-automate the process of forensic analysis.

ZENG Jianping,GUO Donghui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.06.051

2006-01-01

Abstract:Audit mechanism provides a main way to get the users’ operation record,but there still exists some deficiency in audit mechanism.So a new audit mechanism is proposed based on Markov model.The mechanism can predict the access mode and log files are grouped into three grades according the prediction result,and this can lead to smaller storage and shorter time to get witness.

X. Fu,X. Du,B. Luo

DOI: https://doi.org/10.1002/sec.1337

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte GB and even Terabyte TB level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system OS data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library DLLs, and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright © 2015 John Wiley & Sons, Ltd.

Lu Jun,Liu Daxin,Ding Dayong

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.06.016

2006-01-01

Abstract:This paper summarized methods of detecting file modification.We put forward log-watching one another by using affixed log for defending internal attack.Watching log and affixed log watch each other,so they can inspect malicious attack from internal skill attacker.To multilevel-log method,log-watching method economizes more resource and system spending.It is more efficiently.

Jing-Sha,Bingsheng He,Gongzheng,Shaohui Liu,Fuqiang Zhao,Xue-Jiao,Wan,Biao Huang

2015-01-01

Abstract:In forensic investigations,it is vital that the authenticity of digital evidence should be ensured. In addition,technical means should be provided to ensure that digital evidence collected cannot be misused for the purpose of perjury. In this paper,we present a method to ensure both authenticity and non-misuse of data extracted from wireless mobile devices. In the method,the device ID and a timestamp become a part of the original data and the Hash function is used to bind the data together. Encryption is applied to the data,which includes the digital evidence,the device ID and the timestamp. Both symmetric and asymmetric encryption systems are employed in the proposed method where a random session key is used to encrypt the data while the public key of the forensic server is used to encrypt the session key to ensure security and efficiency. With the several security mechanisms that we show are supported or can be implemented in wireless mobile devices such as the Android,we can ensure the authenticity and non-misuse of data evidence in digital forensics.

Qin-Ying Lin,Xiao-Lin Gui,De-Qin Shi,Xiao-Ping Wang

2015-01-01

Abstract:"Security, controllability, high efficiency" are becoming the increasingly significant issue on the development of the network. Study on security defending method in the intranet is becoming more and more popular currently. In this paper, a key resources forensics -based network security surveillance system are designed, implemented and tested The results show that this system has such advantages as requesting less system resource, easy to control and excellent expansibility. It has a very good future to be applied in government, business, military and other confidential agency.

Nikita Rana,Gunjan Sansanwal,Kiran Khatter,Sukhdev Singh

DOI: https://doi.org/10.48550/arXiv.1709.06529

2017-08-17

Abstract:In today's world of computers, any kind of information can be made available within few clicks for different endeavors. The information may be tampered by changing the statistical properties and can be further used for criminal activities. These days, Cyber crimes are happening at a very large scale, and possess big threats to the security of an individual, firm, industry and even to developed countries. To combat such crimes, law enforcement agencies and investment institutions are incorporating supportive examination policies, procedures and protocols to address the complete investigation process. The paper entails a detailed review of several cyber crimes followed by various digital forensics processes involved in the cyber crime investigation. Further various digital forensics tools with detail explanation are discussed with their advantages, disadvantages, challenges, and drawbacks. A comparison among all the selected tools is also presented. Finally the paper recommends the need of training programs for the first res ponder and judgement of signature based image authentication.

Computers and Society,Cryptography and Security

Xiang Lin,Jian-Hua Li,Shi-Lin Wang,Alan-Wee-Chung Liew,Feng Cheng,Xiao-Sa Huang

DOI: https://doi.org/10.1016/j.eng.2018.02.008

IF: 12.834

2018-01-01

Engineering

Abstract:With the development of sophisticated image editing and manipulation tools, the originality and authenticity of a digital image is usually hard to determine visually. In order to detect digital image forgeries, various kinds of digital image forensics techniques have been proposed in the last decade. Compared with active forensics approaches that require embedding additional information, passive forensics approaches are more popular due to their wider application scenario, and have attracted increasing academic and industrial research interests. Generally speaking, passive digital image forensics detects image forgeries based on the fact that there are certain intrinsic patterns in the original image left during image acquisition or storage, or specific patterns in image forgeries left during the image storage or editing. By analyzing the above patterns, the originality of an image can be authenticated. In this paper, a brief review on passive digital image forensic methods is presented in order to provide a comprehensive introduction on recent advances in this rapidly developing research area. These forensics approaches are divided into three categories based on the various kinds of traces they can be used to track—that is, traces left in image acquisition, traces left in image storage, and traces left in image editing. For each category, the forensics scenario, the underlying rationale, and state-of-the-art methodologies are elaborated. Moreover, the major limitations of the current image forensics approaches are discussed in order to point out some possible research directions or focuses in these areas.

Hai-Cheng Chu,Gai-Ge Wang,Der-Jiunn Deng

DOI: https://doi.org/10.1002/sec.1729

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Digital forensics-related investigations have been a relative competitive research area by the computer specialists or law enforcement agency officers to confirm or refuse the assumptions with respect to the cybercrime scenes. WeChat is one of the most popular instant messaging application programs in contemporary age. While applying WeChat, there is precious information deposited in the computing devices that could be supportive evidences in a court of law. Hence, this research is focusing on the application of WeChat on the desktop PC under Windows 7 by means of the acquisition of volatile digital evidences in order to provide supporting information for some cybercrime cases. This paper provides generic investigation methods conducting forensic sound analysis on WeChat from the aspect of data volatility of the computing devices. By means of the proposed methodologies, the digital forensics specialists should be able to gather critical digital traces to confirm the previous actions of a WeChat user or even to reconstruct the crime scene to prove the suspect is guilty or innocent in a court of law. Copyright (C) 2017 John Wiley & Sons, Ltd.

YU Yang,YANG Ze-hong,JIA Pei-fa

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.24.051

2007-01-01

Abstract:As information security is challenged by the development of information technology,computer monitor system may be an effective solution to this problem.A monitor process is composed of data collection and analysis,rule-based discrimination,possible danger interception and whole process log recording.Its key features are the monitor technology for file,text and user operations.By experiments of comparing and analyzing,a research is made on the theory and application of the key features.Research of the key technologies will improve the efficiency and stability of the system.

Jian Zhang,Xiao Fu,Xiaojiang Du,Bin Luo,Zhihong Zhao

DOI: https://doi.org/10.1109/ICDCSW.2013.7

2013-01-01

Abstract:An important data source for intrusion forensics is various types of logs from the systems and networks being investigated. However, there are still many problems when using these logs for forensic analysis. Firstly, with the development of computers and Internet, intrusion behaviors involve more types and more quantities of logs, and these massive and complex log evidences make forensics analyst overwhelmed. Secondly, among the large number of logs that investigators need to analyze, the data related to criminal behaviors only accounts for a very small proportion and most of the rest data are useless records resulted from normal behaviors. Large amount of forensic data and high proportion of useless records make it very difficult to investigate and collect evidences. In addition, this makes criminal behaviors that submerged in a large amount of useless records easily overlooked. This paper introduces a new method for the reduction of candidate log evidences for intrusion forensics. Its main idea is to extract the key attribute fields as features of log records and assign a score to each log record. This score is used to indicate the degree of redundancy of the record. The greater the score is, the more likely the records are redundant. Our experiments based on Darpa2000 and Snort real-world data show that this method can significantly reduce the interference caused by useless data for forensic analysis: it removes 57% and 82% useless data in Darpa2000 and the Snort real-world data, respectively.

Rongrong Huang,Jiwu Shu,Da Xiao,Kang Chen

2009-01-01

Journal of Computer Research and Development

Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.