[CFP] Call for Papers ICDF2C 2016

8th International Conference on Digital Forensics and Cyber Crime

Location: Manhattan, New York, U.S.
Conference Date: September 28 - 30, 2016
Paper Submission: April 13, 2016
Notification: July 1, 2016
Camera-ready: August 1, 2016

See the full call for papers here.

The International Conference on Digital Forensics and Cyber Crime (ICDF2C) brings together leading researchers, practitioners, and educators from around the world to advance the state of the art in digital forensic and cyber crime investigation.

ICDF2C 2016 will be held September 28 - 30, 2016 in Manhattan, New York. We invite contributions for completed research papers, research-in-progress papers, industrial talks, panel and tutorial proposals, and round table discussions. Research papers are evaluated through a double-blind, peer-reviewing process and accepted research papers will be published in the Journal of Digital Forensics, Security and Law (JDFSL).

JDFSL is an open access journal with solid indexing, including Thomson Reuters ISI Web of Science. Accepted papers will be indexed in: a) Google Scholar b) DBLP c) ProQuest d) EBSCO Host, just to name a few. Articles will be available for readers online at no cost given the open access nature of the journal. To learn more about JDFSL you can visit: http://www.jdfsl.org/.

Special Themes
This year, we have two themes that we intend to embrace. Authors are encouraged to submit papers relating to these themes:

<ul><li>Usage and implications of machine learning in digital forensics</li><li>Big data and digital forensics</li></ul>

SCOPE
The Internet has made it easier to perpetrate crimes by providing criminals an avenue for launching attacks with relative anonymity. The increased complexity of global communication and networking infrastructure and devices makes investigation of cybercrimes difficult. Clues of illegal activities are often buried in large volumes of data that need to be sifted through in order to detect crimes and collect evidence. The field of digital forensics and cybercrime investigation has become very important for law enforcement, national security, and information assurance. Digital forensics and cybercrime investigations are multidisciplinary areas that encompass law, computer science, finance, telecommunications, data analytics, policing and more. ICDF2C brings together practitioners and researchers from diverse fields, providing opportunities for business and intellectual engagement among attendees.


Open Source Tools Accepted in Court

Reply to an email I received:

Is it possible to use Linux live CDs (or open source software) without trouble in court?

The answer is yes, certainly.

First, there is precedent in North America and Europe. See this relatively old article from Italy [http://nannibassetti.com/digitalforensicsreport2007.pdf].

For a full discussion about open source tools in court, I highly recommend the following paper: http://www.digital-evidence.org/papers/opensrc_legal.pdf

Very basically, to have evidence obtained using open source tools / Linux live CDs accepted in court, you need to prove that the tools give ‘correct’ results and do not modify potential evidence. Check local court rules for any additional standards that need to be met. If you need any help with tool testing, please contact me.

For example, if your courts already accept EnCase and you want to compare acquisition and hashing, you can do the following:

1) acquire the data with EnCase and create a hash of the data
2) acquire the data with an open source tool and create a hash of the data
3) compare the hashes of the suspect data (should be the same)
4) repeat with 5+ different exhibits to show that the same result is always found

If your courts accept EnCase, and you can demonstrate that an open source tool produces the same result, then the open source tool must also be accepted.

A procedure for tool testing should be created in your unit, if it does not already exist.

You might also be interested in the Open Source Digital Forensics Conference in the U.S.: http://www.osdfcon.org/

Please let me know if you need any help with testing, or if you have any further questions.
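The comparison procedure above can be scripted so that every test run produces the same record. The following is an added example, not code from the original post; it assumes both acquisitions are available as raw (dd-style) images, and the function names, file names and the constructed stand-in data in `demo()` are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

MIN_EXHIBITS = 5  # the post asks for 5+ different exhibits

def image_hash(path, algo="sha256", chunk_size=1 << 20):
    """Hash an image in chunks so it never has to fit in memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_acquisitions(pairs, algo="sha256"):
    """pairs maps exhibit id -> (reference_image, candidate_image).
    Returns (accepted, rows); accepted needs every exhibit to match
    and at least MIN_EXHIBITS exhibits to have been tested."""
    rows = []
    for exhibit in sorted(pairs):
        ref_path, cand_path = pairs[exhibit]
        ref_hash = image_hash(ref_path, algo)
        cand_hash = image_hash(cand_path, algo)
        rows.append({
            "exhibit": exhibit,
            "match": ref_hash == cand_hash,
            "reference_hash": ref_hash,
            "candidate_hash": cand_hash,
            # Non-zero delta: truncated or padded acquisition.
            "size_delta": Path(cand_path).stat().st_size
                          - Path(ref_path).stat().st_size,
        })
    accepted = len(rows) >= MIN_EXHIBITS and all(r["match"] for r in rows)
    return accepted, rows

def demo(truncate_last=False):
    """Constructed data: five small stand-in images per tool."""
    with tempfile.TemporaryDirectory() as tmp:
        pairs = {}
        for n in range(1, 6):
            data = bytes([n]) * 8192
            ref = Path(tmp, f"reference-{n}.dd")
            cand = Path(tmp, f"candidate-{n}.dd")
            ref.write_bytes(data)
            cand.write_bytes(data[:-512] if truncate_last and n == 5 else data)
            pairs[f"exhibit-{n}"] = (ref, cand)
        return compare_acquisitions(pairs)

if __name__ == "__main__":
    print(demo()[0], demo(truncate_last=True)[0])
```

Keep the returned rows with the test documentation: the per-exhibit hashes are what shows the court that both tools produced the same result.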


Finding private IP addresses in Email Headers

In some cases it may be necessary or helpful to find the private IP of a suspect. This can be difficult, especially since NAT is common in most networks. However, if a suspect is sending emails from a local client, the private, as well as public, address may be available in the email header.


If Gmail is used with a local client (like Thunderbird, Outlook, etc.) then the email header should have the private IP address. Note that it is possible that some of the information is stripped by the client or client network before reaching the SMTP server. Take a look below:

----- Mail sent from Thunderbird using googlemail SMTP -----
Received: from [10.0.0.101] ([211.111.111.111]) <--- here you can see the private (10.0.0.101) and public (211.111.111.111) IP address of the sender connecting to the SMTP server.
by smtp.googlemail.com with ESMTPSA id <--- this line tells you that the message was received by SMTP
for <[email protected]>
Mon, 02 Nov 2015 23:01:38 -0800 (PST)
To: Joshua James <[email protected]>
From: "Joshua I. James" <[email protected]>


If the email is sent from the Gmail web interface (in the browser), the private IP address is NOT available. Google’s server only sees the suspect’s public IP address accessing the Google web server.

----- Sent from Gmail web interface -----
Received: by 10.50.10.233 with HTTP; <--- "with HTTP" means received via web interface on server 10.50.10.233 (Google). The sender’s IP is not shown.
Date: Tue, 3 Nov 2015 16:08:03 +0900
Subject: test2
From: "Joshua I. James" <[email protected]>
To: "Joshua I. James" <[email protected]>

If the header is only showing Google’s address, then the suspect must have been accessing the web interface (check for “with HTTP”). In that case, Google will only have the public IP of the suspect.
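The two cases above can be told apart automatically when many messages need triage. This is an added example, not code from the original post; the function name `sender_addresses` is hypothetical and the two sample messages are constructed, modelled on the headers shown above with example.com addresses.

```python
import email
import ipaddress
import re

FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+by\s", re.I)
WITH_PROTO = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def sender_addresses(raw_message):
    """One dict per Received header: the protocol, plus the private and
    public IPv4 addresses in the 'from' clause (the connecting client).
    Addresses in the 'by' clause belong to the receiving server."""
    hops = []
    for value in email.message_from_string(raw_message).get_all("Received", []):
        hop = " ".join(value.split())  # unfold continuation lines
        proto = WITH_PROTO.search(hop)
        protocol = proto.group(1).upper() if proto else None
        clause = FROM_CLAUSE.search(hop)
        private, public = [], []
        for text in IPV4.findall(clause.group(1) if clause else ""):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            (private if addr.is_private else public).append(text)
        hops.append({"protocol": protocol, "private": private,
                     "public": public, "web_interface": protocol == "HTTP"})
    return hops

# Constructed samples modelled on the two headers in the post.
SMTP_SAMPLE = """\
Received: from [10.0.0.101] ([211.111.111.111])
        by smtp.googlemail.com with ESMTPSA id constructed-id
        for <recipient@example.com>;
        Mon, 02 Nov 2015 23:01:38 -0800 (PST)
From: sender@example.com
"""
WEB_SAMPLE = """\
Received: by 10.50.10.233 with HTTP; Tue, 3 Nov 2015 16:08:03 +0900
Subject: test2
From: sender@example.com
"""

if __name__ == "__main__":
    for sample in (SMTP_SAMPLE, WEB_SAMPLE):
        print(sender_addresses(sample))
```

Only Received lines added by a server you trust are reliable; lines further down the header can be written by the sender.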


ICDF2C 2015 in Seoul, South Korea Final Program Now Available

The 7th EAI International Conference on Digital Forensics & Cyber Crime will be held OCTOBER 6–8, 2015 in SEOUL, SOUTH KOREA.

The final program is now available at http://d-forensics.org/2015/show/program-final
Be sure to register so you don’t miss the exciting talks and tutorials!

Keynote speakers include Max Goncharov from Trend Micro, Inc, and Dr. Dave Dampier from Mississippi State University:

Max Goncharov is a senior security Virus Analyst with Trend Micro Inc., and is responsible for cybercrime investigations, security consulting to business partners (internal, external), creation of security frameworks, designing technical security architecture, overseeing the build out of an enterprise incident response process, and creation of the enterprise risk management program. During his 15 years with Trend Micro Inc, he has participated as a speaker in various conferences and training seminars on the topic of cybercrime and related issues, such as DeepSec, VB, APWG, etc. He has especially focused on cyberterrorism, cybersecurity, and the underground economy.


Dr. Dave Dampier is a Professor of Computer Science & Engineering at Mississippi State University specializing in Digital Forensics and Information Security. He currently serves as Director of the Distributed Analytics and Security Institute, the university level research center charged with Cyber Security Research. In his current capacity, Dr. Dampier is the university lead for education and research in cyber security. Prior to joining MSU, Dr. Dampier spent 20 years active duty as an Army Automation Officer. He has a B.S. Degree in Mathematics from the University of Texas at El Paso, and M.S. and Ph.D. degrees in Computer Science from the Naval Postgraduate School. His research interests are in Cyber Security, Digital Forensics and Software Engineering.


There will also be three tutorials on investigation, open source hardware for digital investigations and setting up a research environment for mobile malware research:

<ul><li>Tutorial 1: DUZON – Desktop Exercise: Crafting Information from Data</li><li>Tutorial 2: Pavel Gladyshev – FIREBrick; an open forensic device</li><li>Tutorial 3: Nikolay Akatyev – Researching mobile malware</li></ul>

After the first day of the conference we are also holding a special discussion session with Seoul Tech Society called “Safe Cyberspace”, with the panel consisting of the winners of the ICDF2C/STS essay contest. Everyone is welcome to join!

I hope to see you at ICDF2C in Seoul, South Korea! Don’t miss this exciting opportunity.


“Child Predator Social Experiment” Another Form of Child Abuse?

I recently found a video claiming to be a 'child predator social experiment'. The idea is that children have access to different types of social media, and trust communications on those platforms even if they have never actually met the person in real life. The video shows different situations in which young boys (in this case) are lured into vans or strangers' houses based on online texting with a grown man posing as a young girl.

Apparently, the parents of these kids had 'warned them of stranger danger' before, but this was supposed to teach them some sort of lesson. The parents, apparently, were willing to subject their children to this form of torture.

As a teacher who deals with many different personalities on a daily basis, I find it very difficult to justify terrorizing children to teach them a lesson (dictatorships don't last forever). Article 5 of the Universal Declaration of Human Rights: No one shall be subjected to torture or to cruel, inhuman or degrading treatment or punishment.

In the video below, one scenario involved a mother who immediately came in and started yelling at her child. If you are willing to lie to your kid to show them that you are right... well this seems like the best way to do it.

In the other scenarios, one child was actually pulled into a van while yelling for help, and another was locked in a room (and held down) with two half-naked men. Do you think the children were terrified? Is creating a situation in which the child believes he or she may be raped and/or murdered cruel, inhuman treatment? I think yes.

Children definitely need proper education about the dangers of the Internet. But in this case, the parents are taking the lazy, disgusting way out.

There are many ways to monitor your child's activities on and offline. It is a mistake to believe that unfettered Internet access is a right for the child in your home. Talking to your children is a great first step, but parents also need to become Internet-literate, and know how to exert some sort of control over Internet access - other than on and off. Then, when the child demonstrates responsibility on the Internet the parent could give the kids more trust and more freedom online. But currently parents are all or nothing because they don't know how the technologies work. In such a case, the parent is 'forced' to take extreme measures to get a point across, because they were too lazy to learn how to control the situation.

Parents: if you care about your kids, take the time to learn. Giving them knowledge is much better than giving them rules that they don't understand.


<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/c4sHoDW8QU4" width="100%"></iframe>


[Webinar] EnCase & Python – Extending Your Investigative Capabilities


Date: Wednesday September 9th, 2015
Time: 11:00am PDT / 2:00pm EDT / 7:00pm BST

Presenters: Chet Hosmer, Founder of Python Forensics, Inc. and author of Python Forensics; James Habben, Master Instructor, Guidance Software Training; Robert Bond, Product Marketing Manager, Guidance Software

Digital forensic investigators are quickly becoming familiar with the power of Python. The open source programming language named after Monty Python has been around for approximately 20 years and is fairly simple to read and learn. While EnCase users have used the EnScripting language for 15 years to extend the capabilities of EnCase and create the 130+ EnScripts on EnCase App Central, Python has the ability to add additional powerful investigative capabilities.

In this webinar, Chet Hosmer, Founder of Python Forensics, Inc. and James Habben, Master Instructor at Guidance Software will demonstrate examples of those capabilities in an investigation demonstration using EnCase. Whether you are performing post-mortem investigation, executing live triage, extracting evidence from mobile devices or cloud services, or you are collecting and processing evidence from a network, Python forensic implementations can fill in the gaps.

Register now at https://encase.webex.com/encase/onstage/g.php?MTID=e8f1fdc29d4fc150f6c935f4ab3b9b95b


Also, FYI Autopsy 2 supports custom Python extensions (and is awesome).