-
Preliminary Study of a Google Home Mini
Authors:
Min Jin Park,
Joshua I. James
Abstract:
Many artificial intelligence (AI) speakers have recently come to market. Beginning with Amazon Echo, many companies are producing their own speaker technologies. Due to the limitations of technology, most speakers have similar functions, but the way each speaker handles data is different. In the case of Amazon Echo, the API of the cloud is open for any developer to build on. The Amazon Echo has been around for a while, and much research has been done on it. However, not much research has been done on Google Home Mini analysis for digital investigations. In this paper, we will conduct some initial research on the data storing and security methods of Google Home Mini.
Submitted 13 January, 2020;
originally announced January 2020.
-
A Feature Comparison of Modern Digital Forensic Imaging Software
Authors:
Jiyoon Ham,
Joshua I. James
Abstract:
Fundamental processes in digital forensic investigation, such as disk imaging, were developed when digital investigation was relatively young. As digital forensic processes and procedures matured, these fundamental tools, which are the pillars of the rest of the data processing and analysis phases of an investigation, largely stayed the same. This work is a study of modern digital forensic imaging software tools. Specifically, we will examine the feature sets of modern digital forensic imaging tools, as well as their development and release cycles, to understand patterns of fundamental tool development. Based on this survey, we show the weakness in current digital investigation fundamental software development and maintenance over time. We also provide recommendations on how to improve fundamental tools.
Submitted 1 January, 2020;
originally announced January 2020.
-
Update Thresholds of More Accurate Time Stamp for Event Reconstruction
Authors:
Joshua I. James,
Yunsik Jang
Abstract:
Many systems rely on reliable timestamps to determine the time of a particular action or event. This is especially true in digital investigations where investigators are attempting to determine when a suspect actually committed an action. The challenge, however, is that objects are not updated at the exact moment that an event occurs, but within some time-span after the actual event. In this work we define a simple model of digital systems with objects that have associated timestamps. The model is used to predict object update patterns for objects with associated timestamps, and make predictions about these update time-spans. Through empirical studies of digital systems, we show that timestamp update patterns are not instantaneous. We then provide a method for calculating the distribution of timestamp updates on a particular system to determine more accurate action instance times.
Submitted 21 March, 2018;
originally announced March 2018.
-
United Nations Digital Blue Helmets as a Starting Point for Cyber Peacekeeping
Authors:
Nikolay Akatyev,
Joshua I. James
Abstract:
Prior works, such as the Tallinn Manual on the international law applicable to cyber warfare, focus on the circumstances of cyber warfare. Many organizations are considering how to conduct cyber warfare, but few have discussed methods to reduce, or even prevent, cyber conflict. A recent series of publications started developing the framework of Cyber Peacekeeping (CPK) and its legal requirements. These works assessed the current state of organizations such as ITU IMPACT, NATO CCDCOE and the Shanghai Cooperation Organization, and found that they did not satisfy the requirements to effectively host CPK activities. An assessment of organizations currently working in areas related to CPK found that the United Nations (UN) has mandates and organizational structures that appear to somewhat overlap the needs of CPK. However, the UN's current approach to Peacekeeping cannot be directly mapped to cyberspace. In this research we analyze the development of traditional Peacekeeping in the United Nations, and current initiatives in cyberspace. Specifically, we will compare the proposed CPK framework with the recent initiative of the United Nations named the 'Digital Blue Helmets', as well as with other projects in the UN which help to predict and mitigate conflicts. Our goal is to find practical recommendations for the implementation of the CPK framework in the United Nations, and to examine how responsibilities defined in the CPK framework overlap with those of the 'Digital Blue Helmets' and the Global Pulse program.
Submitted 13 November, 2017;
originally announced November 2017.
-
A Case Study of the 2016 Korean Cyber Command Compromise
Authors:
Kyong Jae Park,
Sung Mi Park,
Joshua I. James
Abstract:
In October 2016 the South Korean cyber military unit was the victim of a successful cyber attack that allowed access to internal networks. As usual with large-scale attacks against South Korean entities, the hack was immediately attributed to North Korea. Also, as in other large-scale cyber security incidents, the same types of 'evidence' were used for attribution purposes. Disclosed methods of attribution provide weak evidence, and the procedure Korean organizations tend to use for information disclosure leads many to question any conclusions. We will analyze and discuss a number of issues with the current way that South Korean organizations disclose cyber attack information to the public. A timeline of events and disclosures will be constructed and analyzed in the context of appropriate measures for cyber warfare. Finally, we will examine the South Korean cyber military attack in terms of previously proposed cyber warfare response guidelines, specifically whether any of the guidelines can be applied to this real-world case, and if so, whether South Korea is justified in declaring war based on the most recent cyber attack.
Submitted 13 November, 2017;
originally announced November 2017.
-
Determining Training Needs for Cloud Infrastructure Investigations using I-STRIDE
Authors:
Joshua I. James,
Ahmed F. Shosha,
Pavel Gladyshev
Abstract:
As more businesses and users adopt cloud computing services, security vulnerabilities will be increasingly found and exploited. There are many technological and political challenges where investigation of potentially criminal incidents in the cloud is concerned. Security experts, however, must still be able to acquire and analyze data in a methodical, rigorous and forensically sound manner. This work applies the STRIDE asset-based risk assessment method to cloud computing infrastructure for the purpose of identifying and assessing an organization's ability to respond to and investigate breaches in cloud computing environments. An extension to the STRIDE risk assessment model is proposed to help organizations quickly respond to incidents while ensuring acquisition and integrity of the largest amount of digital evidence possible. Further, the proposed model allows organizations to assess the needs and capacity of their incident responders before an incident occurs.
Submitted 18 February, 2015;
originally announced February 2015.
-
Measuring Accuracy of Automated Parsing and Categorization Tools and Processes in Digital Investigations
Authors:
Joshua I. James,
Alejandra Lopez-Fernandez,
Pavel Gladyshev
Abstract:
This work presents a method for the measurement of the accuracy of evidential artifact extraction and categorization tasks in digital forensic investigations. Instead of focusing on the measurement of accuracy and errors in the functions of digital forensic tools, this work proposes the application of information retrieval measurement techniques that allow the incorporation of errors introduced by tools and analysis processes. This method uses a 'gold standard' that is the collection of evidential objects determined by a digital investigator from suspect data with an unknown ground truth. This work proposes that the accuracy of tools and investigation processes can be evaluated against the derived gold standard using common precision and recall values. Two example case studies are presented showing the measurement of the accuracy of automated analysis tools as compared to an in-depth analysis by an expert. It is shown that such measurement can allow investigators to determine changes in the accuracy of their processes over time, and determine whether such a change is caused by their tools or their knowledge.
Submitted 18 February, 2015;
originally announced February 2015.
-
Practical and Legal Challenges of Cloud Investigations
Authors:
Joshua I. James,
Yunsik Jang
Abstract:
An area presenting new opportunities for both legitimate business, as well as criminal organizations, is Cloud computing. This work gives a strong background in current digital forensic science, as well as a basic understanding of the goal of Law Enforcement when conducting digital forensic investigations. These concepts are then applied to digital forensic investigation of cloud environments in both theory and practice, and supplemented with current literature on the subject. Finally, legal challenges with digital forensic investigations in cloud environments are discussed.
Submitted 4 February, 2015;
originally announced February 2015.
-
Automated Inference of Past Action Instances in Digital Investigations
Authors:
Joshua I. James,
Pavel Gladyshev
Abstract:
As the number of digital devices suspected of containing digital evidence increases, case backlogs for digital investigations are also increasing in many organizations. To ensure timely investigation of requests, this work proposes the use of signature-based methods for automated action instance approximation to automatically reconstruct past user activities within a compromised or suspect system. This work specifically explores how multiple instances of a user action may be detected using signature-based methods during a post-mortem digital forensic analysis. A system is formally defined as a set of objects, where a subset of objects may be altered on the occurrence of an action. A novel action-trace update time threshold is proposed that enables objects to be categorized by their respective update patterns over time. By integrating time into event reconstruction, the most recent action instance approximation as well as limited past instances of the action may be differentiated and their time values approximated. After the formal theory of signature-based event reconstruction is defined, a case study is given to evaluate the practicality of the proposed method.
Submitted 21 July, 2014;
originally announced July 2014.
-
Measuring digital crime investigation capacity to guide international crime prevention strategies
Authors:
Joshua I. James,
Yunsik Jake Jang
Abstract:
This work proposes a method for the measurement of a country's digital investigation capacity and saturation for the assessment of future capacity expansion. The focus is on external, or international, partners being a factor that could negatively affect the return on investment when attempting to expand investigation capacity nationally. This work concludes with the argument that when dealing with digital crime, target international partners should be a consideration in expansion, and could potentially be a bottleneck of investigation requests.
Submitted 29 August, 2013;
originally announced August 2013.
-
An Assessment Model for Cybercrime Investigation Capacity
Authors:
Joshua I. James,
Yunsik Jake Jang
Abstract:
Digital technologies are constantly changing, and with them criminals are finding new ways to abuse these technologies. Cybercrime investigators, then, must also keep their skills and knowledge up to date. This work proposes a holistic training development model - specifically focused on cybercrime investigation - that is based on improving investigator capability while also considering the capacity of the investigator or unit. Along with a training development model, a cybercrime investigation capacity assessment framework is given for attempting to measure capacity throughout the education process. First, a training development model is proposed that focuses on the expansion of investigation capability as well as the capacity of investigators and units. Next, a capacity assessment model is given to evaluate the effectiveness of the training program. A description of how the proposed model is being applied to the development of training programs for cybercrime investigators in developing countries will then be given, as well as already observed challenges. Finally, concluding remarks as well as proposed future work are discussed.
Submitted 29 June, 2013;
originally announced July 2013.
-
Challenges with Automation in Digital Forensic Investigations
Authors:
Joshua I. James,
Pavel Gladyshev
Abstract:
The use of automation in digital forensic investigations is not only a technological issue, but also has political and social implications. This work discusses some challenges with the implementation and acceptance of automation in digital forensic investigation, and possible implications for current digital forensic investigators. Current attitudes towards the use of automation in digital forensic investigations are examined, as well as the issue of digital investigators' knowledge acquisition and retention. The argument is made for a well-planned, careful use of automation going forward that allows for a more efficient and effective use of automation in digital forensic investigations while at the same time attempting to improve the overall quality of expert investigators. Targeting and carefully controlling automated solutions for beginning investigators may improve the speed and quality of investigations while at the same time letting expert digital investigators spend more time utilizing the expert-level knowledge required in manual phases of investigations. By considering how automated solutions are being implemented into digital investigations, investigation unit managers can increase the efficiency of their unit while at the same time maximizing their return on investment for expert-level digital investigator training.
Submitted 19 March, 2013;
originally announced March 2013.
-
Signature Based Detection of User Events for Post-Mortem Forensic Analysis
Authors:
Joshua I. James,
Pavel Gladyshev,
Yuandong Zhu
Abstract:
This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.
Submitted 10 February, 2013;
originally announced February 2013.
-
Analysis of Evidence Using Formal Event Reconstruction
Authors:
Joshua I. James,
Pavel Gladyshev,
Mohd Taufik Abdullah,
Yuandong Zhu
Abstract:
This paper expands upon the finite state machine approach for the formal analysis of digital evidence. The proposed method may be used to support the feasibility of a given statement by testing it against a relevant system model. To achieve this, a novel method for modeling the system and evidential statements is given. The method is then examined in a case study example.
Submitted 10 February, 2013;
originally announced February 2013.