SHANG Shi-ze,KONG Xiang-wei,YOU Xin-gang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.011

2015-01-01

Abstract:The examination of forged and altered document is an important part in judicial expertise. The traditional examination methods need professional testers and devices, the disadvantages include high cost, long testing time, damage on the documents, etc. In recent years, the digital passive lossless forensics on forged and altered document has been developed which only uses scanner and computer. In this paper, we first introduce the life-cycle of document and its forging and altering methods. Then, we summarize the passive lossless forensics on forged and altered document, and describe the technologies on device identiifcation, copy paper identiifcation and authenticity detection, respectively. We give a detailed description on the characteristics introduced by devices and altering methods, and their forensics methods. Finally, we describe the questions and challenges on digital passive lossless forensics on documents.

Yongjian Lou,Peng Wang,Ming Xu,Ning Zheng

DOI: https://doi.org/10.1109/ICISE.2009.351

2009-01-01

Abstract:Rapidly retrieving valuable information is vital in computer forensic, especially information with respect to the computer system itself. Attentions on the system information such as registry and event log have increasingly promoted the forensic researches. Event log is a very import file in computer, which contains a large amount of available information about what happened on the system observed, but current forensic tool on event log only can repair corrupted log files and has no effect on the situation that event log file has been fragmented. To address this problem, this paper presents an algorithm which allows search for windows event log file data fragments based solely on their data contents, without the need of any meta data. The algorithm is based on searching the signature in log file combining with computing the entropy difference between neighboring clusters. A tool was developed to automate recovery and parse of Windows NT5 (XP and 2003) event logs for computer forensic. This tool automates repair of multiple event logs and parse the recovered files without user intervention. The evaluation of this method shows an average accuracy of 82.5%, with lower false positive.

QIAN Qin,DONG Bu-yun,TANG Zhe,FU Xiao,MAO Bing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.08.058

2014-01-01

Abstract:Traditional methods of memory acquisition focus on the persistent data of disk or hard disk in the attacked computers. However,as the growing use of encryption routines or rapidly increasing storage capabilities of hard drives,it is very difficult to get data in time with the original method that is meant for persistent data. So in the field of computer forensics,people start to change the data source and focus on the volatile information in RAM. This paper specifically describes the prevailing methods of memory acquisition and analysis and the process of memory forensics. It explains the characteristics of each method and gives the advantage and disadvantage of them. In the end,it concludes all these methods and gives some suggestions of the future of computer forensics.

Boyang Ma,Yilin Yang,Jinku Li,Fengwei Zhang,Wenbo Shen,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1145/3576915.3616665

2023-01-01

Abstract:Ransomware has evolved from an economic nuisance to a national security threat nowadays, which poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared to state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples the ransomware detection functionality from the firmware of the SSD and integrates it into a lightweight hypervisor of Type I. Thus, it can leverage the powerful computing capability of the host system and the rich context information, which is introspected from the operating system, to achieve accurate detection of ransomware attacks and defense against potential targeted attacks on SSD characteristics. Further, RansomTag is readily deployed onto desktop personal computers due to its parapass-through architecture. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through the tag-based approach proposed by us. Third, RansomTag is able to keep 100% of the user data overwritten or deleted by ransomware, and restore any single or multiple user files to any versions based on timestamps. To validate our approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that our prototype effectively protects user data with minimal scale data backup and acceptable performance overhead. In addition, all the attacked files can be completely restored in fine-grained.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Junghoon Oh,Sangjin Lee,Hyunuk Hwang

DOI: https://doi.org/10.1109/access.2024.3395644

IF: 3.9

2024-05-28

IEEE Access

Abstract:File system forensics is one of the most important areas of digital forensic investigations. To date, various file system forensic methods have been studied, of which anti-forensic countermeasures include deleted file recovery, metadata recovery, and metadata manipulation detection. In particular, manipulation detection of timestamps, which are important file metadata, is one of the key techniques in digital forensic investigations. Existing detection methods for file timestamp manipulation in the New Technology File System (NTFS) have been studied based on various file system and operating system artifacts. This paper compares and analyzes the features and limitations of various existing detection methods and confirms that the NTFS journal-based detection method is the most effectively way to detect timestamp manipulation. However, previous NTFS journal-based detection methods have limitations such as incorrectly identifying normal events as manipulation or detecting manipulation only in limited cases. Therefore, we propose a new detection algorithm that can overcome these limitations. The proposed detection algorithm was implemented as a tool and verified through performance comparison experiments with existing detection methods. The results of experiment showed that the proposed detection algorithm has significantly improved performance by detecting timestamp manipulations that were not detected by previous detection methods and identifying normal events that were misidentified by existing detection methods. Finally, we introduce a case in which existing detection methods and the proposed detection algorithm are applied to malware that performs file timestamp manipulation in real-world advanced persistent threat attacks. The results of which confirm the superiority of the proposed detection algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yeonghun Shin,Taeshik Shon

DOI: https://doi.org/10.1016/j.fsidi.2024.301799

IF: 1.805

2024-07-15

Forensic Science International Digital Investigation

Abstract:Most modern digital devices with storage utilize a file system to manage files and directories. Consequently, when digital forensic investigators derive evidence from such devices, they collect and analyze data stored on them through file system analysis. However, there are numerous types of file systems, with new ones continually being developed. Each file system possesses a distinct metadata structure and file management system. Therefore, investigators must possess prior knowledge of the specific file system being examined. Nevertheless, it is challenging for practitioners to be knowledgeable about all existing file systems. To address this issue, forensic software such as The Sleuth Kit (TSK), an open-source forensic tool, is employed for investigations. However, even these tools may not offer complete support for relatively recent file systems. Hence, we propose a structure for integrating a new file system into the open-source forensic tool TSK. Additionally, to validate this proposed structure, we demonstrate that support for five file systems (Ext4, XFS, Btrfs, F2FS, and Hikvision) can be added following this framework. To achieve this, we conducted an analysis of the metadata and file management scheme for these five file systems. Furthermore, we examined the operational procedures of the TSK framework. Based on these analyses, investigation capabilities for the five file systems have been incorporated into TSK. Moreover, reliability verification experiments were conducted on the developed tools; and performance evaluation was carried out in comparison with other commercial digital forensic tools. The findings of this study can serve as a foundation for future forensic studies based on file systems. Additionally, the TSK developed based on the proposed structure can assist investigators in conducting digital forensics effectively.

computer science, information systems, interdisciplinary applications

X. Fu,X. Du,B. Luo

DOI: https://doi.org/10.1002/sec.1337

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte GB and even Terabyte TB level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system OS data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library DLLs, and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright © 2015 John Wiley & Sons, Ltd.

顾正义,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.14.050

2009-01-01

Abstract:To solve the problem of file encryption storage in Windows system, the system's lack of Windows EFS is analyzed. In-depth studied key technologies used on development of a file system filter driver, including data processing of I/O request packet in the filter driver, tracing file statues, avoid the system re-entry. Using the teelmology of file system filter driver, a new enerypting file system is designed and implemented. The system is completely transparent to the users. It encrypt specified files, folders or a certain type of files according to the policy placed flexibly by the users. It supports different kinds of file system such as NTFS and FAT. It can also select the encryption algorithm according to the policy. Experiments show that the system has good performance and extend the Windows EFS in both features and applications.

Tala Tafazzoli,Elham Salahi,Hossein Gharaee

DOI: https://doi.org/10.48550/arXiv.1508.01890

2015-08-08

Cryptography and Security

Abstract:Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so investigating attackers after commitment is of utmost importance and become one of the main concerns of network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing data and systematically monitoring traffic of network is one of the main requirements in detection and tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed architecture consists of five main components: collection and indexing, database management, analysis component, SOC communication component and the database. The main difference between our proposed architecture and other systems is in analysis component. This component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert and visualization subsystem and the malware analysis subsystem. The most important differentiating factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic analysis of malware, collecting and analysis of network flows and anomalous behaviour analysis.

Rahul Chandran,Wei Q. Yan

DOI: https://doi.org/10.4018/ijdcf.2014010103

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:The development of technology in computer networks has boosted the percentage of cyber-attacks today. Hackers are now able to penetrate even the strongest IDS and firewalls. With the help of anti-forensic techniques, attackers defend themselves, from being tracked by destroying and distorting evidences. To detect and prevent network attacks, the main modus of operandi in network forensics is the successful implementation and analysis of attack graph from gathered evidences. This paper conveys the main concepts of attack graphs, requirements for modeling and implementation of graphs. It also contributes the aspect of incorporation of anti-forensic techniques in attack graph which will help in analysis of the diverse possibilities of attack path deviations and thus aids in recommendation of various defense strategies for better security. To the best of our knowledge, this is the first time network anti-forensics has been fully discussed and the attack graphs are employed to analyze the network attacks. The experimental analysis of anti-forensic techniques using attack graphs were conducted in the proposed test-bed which helped to evaluate the model proposed and suggests preventive measures for the improvement of security of the networks.

ZENG Jianping,GUO Donghui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.06.051

2006-01-01

Abstract:Audit mechanism provides a main way to get the users’ operation record,but there still exists some deficiency in audit mechanism.So a new audit mechanism is proposed based on Markov model.The mechanism can predict the access mode and log files are grouped into three grades according the prediction result,and this can lead to smaller storage and shorter time to get witness.

Zhen Chen,Lingyun Ruan,Junwei Cao,Yifan Yu,Xin Jiang

DOI: https://doi.org/10.1109/tst.2013.6574679

2013-01-01

Tsinghua Science & Technology

Abstract:The archiving of Internet traffic is an essential function for retrospective network event analysis and forensic computer communication. The state-of-the-art approach for network monitoring and analysis involves storage and analysis of network flow statistic. However, this approach loses much valuable information within the Internet traffic. With the advancement of commodity hardware, in particular the volume of storage devices and the speed of interconnect technologies used in network adapter cards and multi-core processors, it is now possible to capture 10 Gbps and beyond real-time network traffic using a commodity computer, such as n2disk. Also with the advancement of distributed file system （such as Hadoop, ZFS, etc.） and open cloud computing platform （such as OpenStack, CloudStack, and Eucalyptus, etc.）, it is practical to store such large volume of traffic data and fully in-depth analyse the inside communication within an acceptable latency. In this paper, based on well- known TimeMachine, we present TIFAflow, the design and implementation of a novel system for archiving and querying network flows. Firstly, we enhance the traffic archiving system named TImemachine+FAstbit （TIFA） with flow granularity, i.e., supply the system with flow table and flow module. Secondly, based on real network traces, we conduct performance comparison experiments of TIFAflow with other implementations such as common database solution, TimeMachine and TIFA system. Finally, based on comparison results, we demonstrate that TIFAflow has a higher performance improvement in storing and querying performance than TimeMachine and TIFA, both in time and space metrics.

Fei Ye,Yunzhi Zheng,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1002/ett.4178

IF: 3.6

2020-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Cloud forensics has become increasingly critical in cloud computing security in recent years. A fundamental problem in cloud forensics is how to safely and effectively obtain, preserve, and analyze evidence. With massive cloud forensic systems and tools having been proposed over the years, we identify one challenge that is not adequately addressed in the current literature. The problem is "credibility of cloud evidence"; this is where the evidence collected in the cloud is unreliable due to its multitenancy and the multiple participants in the forensic process. In this paper, we develop a new Cloud Forensics Tamper-Proof Framework (TamForen) for cloud forensics, which can be used in an untrusted and multitenancy cloud environment. This framework relies on the cloud forensics system independent of the daily cloud activities and is implemented based on the Multilayer Compressed Counting Bloom Filter. Unlike existing cloud forensics methods that depend on the support and trust of cloud service providers, TamForen takes into account the untrustworthiness of participants in the forensics process and conducts tamper-proof protection of data in a decentralized way without violating users' privacy. We simulate a cloud forensics environment to evaluate TamForen, and the results show that TamForen is feasible.

Yangyang Mei,Weihong Han,Shudong Li,Kaihan Lin,Zhihong Tian,Shumei Li

DOI: https://doi.org/10.1109/tits.2024.3360260

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The Internet now plays a pivotal role in the social and economic landspace, providing individuals and businesses with access to essential daily services and tasks. However, it has also become a breeding ground for conflicts. Advanced Persistent Threats (APTs) pose a formidable chanllenge when directed at organizations and governments, exposing the entire network to substantial security risks. Employing network fornesics for attributing cyber-attacks and acquiring timely, credible forensic results is a fundamental challenge in maintaining cyber security. This paper introduces a Deep Learning-based network forensics framework for digitally identifying and tracking network attacks, providing a comprehensive overview of the network forensics process. Specifically, we extract network traffic and employ encryption to ensure the integrity and security of data. Subsequently, we apply feature filtering techniques to retain essential traceability information, and Deep Learning model parameters are automatically optimized using hyperparameter optimization techniques. Lastly, we develop a Multi-Layer Perceptual Deep Neural Network (MLP DNN) model with perceptual capabilities for detecting anomalous events within the network. We evaluated the framework’s effectiveness using the UNSW-NB15 dataset. The experiments demonstrate that the proposed framework is applicable to APT attack forensics scenarios. In comparison to other AI methods, our framework excels in discovering and tracking network attack events with high performance.

engineering, electrical & electronic,transportation science & technology, civil

LIN Guo-yuan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.27.042

2006-01-01

Abstract:In this article,we analyze the condition of computer forensics and point out dynamic forensics is its trend. After reasoning the feasibility of adopting IDS into dynamic forensics,a dynamic forensics system model is presented and expounded in detail.Since it is the combo of IDS and justice parsing technique,it will be instructive for the dynamic forensics of computer crime.

王浩,陈平,茅兵

DOI: https://doi.org/10.3969/j.issn.1006-6675-B.2012.02.045

2012-01-01

Abstract:Identifying instances of kernel data structures from memory imageis very important in many security fields. Existing points-to Graph based Signature faced void pointer, NULL pointer and isomorphism etc problems. This paper presents a new forensic technology, whose signature distinguish doubly Comparing with the previously work, the new such as accuracy, sneed, robust etc. linked list pointers from general pointers. forensic technology has some advantages,

Yuzhe Chen,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom42002.2020.9348005

2020-01-01

Abstract:With the development of cloud computing and wireless networks, cloud storage services are widely used in daily life. People can get access to cloud storage anytime and anywhere. Cloud storage forensics is a computer forensic scenario that currently appears frequently. In this paper, we first briefly introduce the general methods of traditional cloud storage forensics and then introduce forensic investigations that are conducted on three cloud storage services: BaiduNetDisk, 115yun, and WeiYun. The findings of the forensic analysis are presented in detail to help the development of forensics for cloud storage services.

Zhu Rong,Zheng Jianhua

DOI: https://doi.org/10.3969/j.issn.2095-2163.2006.01.029

2006-01-01

Abstract:After analyzing file organization mode of Windows OS,the paper prompts the theory of file deleting,then points outthat in a general way file deleting just changes the File Allocation Table or File Directory Table and the data in data area do not change.This theory provides the feasibility of reacuing data.In the end the paper gives two piece of advice how to use the theory effectively.