Help us understand Mutual Legal Assistance and win a FIREBrick Write Blocker
Please help DigitalFIRE Labs understand the current state of Mutual Legal Assistance Requests relating to digital evidence, and be entered for a chance to win a FIREBrick write-blocker or an Amazon gift card.
The survey on Mutual Legal Assistance Requests Concerning Digital Evidence can be found here: http://goo.gl/gnrJtN
This survey has been commissioned by the United Nations Office on Drugs and Crime (UNODC) in conjunction with the Digital Forensic Investigation Research Laboratory (DigitalFIRE) to assess existing approaches to requesting and obtaining electronic evidence in international cooperation under the conditions of Mutual Legal Assistance Treaties.
The survey consists of 36 questions, which will take approximately 20 minutes to complete.
For any questions or comments about the following survey, please email [email protected]
To help improve the effectiveness of mutual legal assistance requests, please share this survey with your colleagues, thank you.
Image courtesy of mrpuen / FreeDigitalPhotos.net
[BoB] Indicators of Anti-Forensics Investigator Survey (Korean)
The following survey results are from Korean Digital Forensic Investigators concerning the use of anti-forensics observed in their investigations. This survey has been conducted by the KITRI Best of the Best (BoB) ‘Indicators of Anti-forensics’ project group.
1. 포렌식 분석 업무 기간이 어떻게 되시나요?
2. 포렌식 분석 시 증거물 1개당 혹은 디스크 하나 당 평균 얼마의 시간이 소요되나요?
3. 안티 포렌식 탐지 툴에 대하여 들어보신 적이 있으십니까?
4. 포렌식 분석 시 안티 포렌식 툴이 사용된 시스템을 분석하신 경험이 있으신가요?
5. 안티 포렌식 툴이 사용 된 시스템을 분석하셨다면 그렇지 않은 시스템을 분석할 때 보다 어느정도의 시간소비가 더 있으신가요?
6. 안티 포렌식 탐지 툴의 필요성에 대해서 느끼신 적이 있으신가요?
7. 분석 전 안티포렌식 행위를 탐지 할 수 있다면 분석에 용이하다고 생각하십니까?
8. 안티포렌식 탐지 툴에 있었으면하는 기능이 있다면 무엇인가요?
9. 분석시에 가장 많이 보였던 안티포렌식 툴은 무엇인가요?
<table border="0" cellspacing="0" cols="9"> <colgroup span="9" width="127"></colgroup> <tbody><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">3년 이상</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">‘4-5일</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">예상할 수 없음</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">안티포렌식의 범위가 어느 정도인지 모르겠음암호 프로그램의 사용부터 전문삭제 프로그램의 사용 또는 steaganography까지 사용하는 것을 전제로 하는 것인지 명확한 정의가 필요할 것 같음.해당 목적에 따라 안티포렌식 탐지 툴이 개별적으로 만들어지고 그것을 마지막에 통합하는 것이 가장 좋을 듯 싶네요.</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">패스워드 설정 암호화</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">1년 이상 ~ 3년 미만</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="10" valign="BOTTOM">10</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">없다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="48" valign="BOTTOM">48</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">방식과 설치 혹은 실행 날짜해당 방식에 대한 영향을 미치는 범위에 대한 안내</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">루팅툴</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">1년 이상 ~ 3년 미만</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">24~48</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">24시간 이상</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">- 기존의 삭제된 파일의 정보(제목, 시간, 등)- 안티포렌식 도구 정보</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">spaceEraser</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">3년 이상</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">500G기준 4시간</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">없다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">1-2시간정도</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">
</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">
</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">3년 이상</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="24" valign="BOTTOM">24</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="10" valign="BOTTOM">10</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">Install 여부, Portable 실행여부, 총 실행 횟수 및 삭제된 영역 확인 등</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">CCleaner</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">3년 이상</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="24" valign="BOTTOM">24</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">없다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">-</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">메모리 해킹 탐토르 네트워크 탐지</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">timestomp</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">3년 이상</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="6" valign="BOTTOM">6</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="6" valign="BOTTOM">6</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">타임라인 수정</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">final eraser</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">6개월 이하</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="6" valign="BOTTOM">6</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">없다</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="3" valign="BOTTOM">3</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">먼저 안티포렌식 툴이 실행되는 것을 탐지할 것인지, 실행된 흔적을 탐지할 것인지에서 기능들이 달라지겠지만, 전자의 기준으로 보았을 때, 활성시스템 상태에서 현재 실행중인 프로세스에 대한 검사를 통해 탐지를 하는 퀵서치, 디스크내의 설치된 프로그램을 확인하는 정밀 검사 등의 기능이 있으면 좋을 듯 합니다.</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">일반적인 클리너, Wipe</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">1년 이상 ~ 3년 미만</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="72" valign="BOTTOM">72</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">상황에따라 다름</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">
</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">ccleaner</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">6개월 이상 ~ 1년 미만</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="80" valign="BOTTOM">80</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">없다</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="0" valign="BOTTOM">0</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">
</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">
</td> </tr><tr> <td align="LEFT" bgcolor="#EEEEEE" height="17" sdnum="1033;1033;General" valign="BOTTOM">1년 이상 ~ 3년 미만</td> <td align="RIGHT" bgcolor="#EEEEEE" sdnum="1033;1033;General" sdval="120" valign="BOTTOM">120</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">없다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">인지한적 없다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">1.3배 정도</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">있다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">용이하다</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">완전삭제 탐지, 레지스트리 정보 및 인터넷 삭제 흔적</td> <td align="LEFT" bgcolor="#EEEEEE" sdnum="1033;1033;General" valign="BOTTOM">고클린</td> </tr></tbody></table>
[Survey] Investigation Prioritization of Crimes Involving Digital Evidence
The following survey is being conducted by Joshua James of the Digital Forensic Investigation Research Laboratory (DigitalFIRE) to assess public opinion on the investigation prioritization of crimes involving digital evidence.
This survey consists of 10 questions, which will take approximately 5 minutes to complete.
English version: http://goo.gl/qbpo77
Korean version: http://goo.gl/AKIhV1
Please share!
[CFP] DFRWS EU 2014
From http://dfrws.org/2014eu/cfp.shtml
The DFRWS-EU Conference that will be held in Amsterdam on the 7-9 May 2014.
Important Dates
Submission deadline: December 9, 2013 (any time zone). This is a firm deadline.
Author notification: March 1, 2014
Final draft and speaker registration: March 30, 2014
Conference dates: May 7-9, 2014
The DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop in 2001, the DFRWS continues to bring academics and practitioners together in an informal environment. The digital forensics community is rapidly growing worldwide. To better serve the needs of the community, the DFRWS is starting a sister conference in Europe. The new conference will continue the DFRWS tradition of publishing high quality research outcomes selected in a thorough peer review process. The proceedings will be published on the DFRWS Website as well as in traditional the DFRWS proceedings format. DFRWS-EU will act as a focal point for the European digital forensic community allowing practitioners and researchers meet and exchange ideas without the need to pay for a transatlantic flight.
Installing Cinnamon 2.0 on Linux Mint 14
The major consideration for me is ‘Cinnamon 2.0’ - the Gnome replacement desktop with Linux Mint. Cinnamon 2.0 has a lot of features and fixes that I have been looking forward to that were not pushed down. The other major piece of software I am looking for is a good desktop search tool.
If you are already running Linux Mint with a prior version of Cinnamon, it will not be upgraded automatically to 2.0. You can upgrade the following way:
<blockquote class="tr_bq">sudo add-apt-repository ppa:gwendal-lebihan-dev/cinnamon-stable</blockquote>Then add the following to /etc/apt/preferences
<blockquote>Package: *
Pin: release o=LP-PPA-gwendal-lebihan-dev-cinnamon-stable
Pin-Priority: 800 </blockquote>Do a apt-get update, and apt-get dist-upgrade.
For me on Linux Mint 14, the package ‘mint-translations’ did not want to install, so I had to re-run apt-get dist-upgrade with ‘-f’.
<blockquote class="tr_bq">sudo apt-get dist-upgrade -f</blockquote>Once installed, reboot.
On reboot the theme and background are changed, but all my settings were saved. Even conky still worked fine. Date and time settings were reset, however, and there is no app to change them back. Time and calendar still work, but you have to manually configure them.
The first thing I noticed, however, is that Cinnamon 2.0’s default settings are not as pretty as 1.8. To change it back to Mint’s old Cinnamon look (which is more sleek IMO), right click on menu -> ‘system settings’ -> ‘themes’ -> ‘other settings tab’. From there, I changed the controls, icons, etc. to ‘Mint-X’. From the ‘installed’ tab, you can also change the applied theme.
Overall Cinnamon 2.0 is much more responsive than 1.8. Even without reformatting I am seeing noticeably better performance. The look and feel is a bit more clean and polished.
Comparing Similarity of Images using SIFT Features
I’ve been playing around with VLFeat, and specifically SIFT to compare images using sift feature extraction. A while back I was looking at comparing files and images using sdhash and ssdeep, and they did not work well with images (which completely makes sense sense!).
So I was looking at some computer vision implementations, and found programming computer vision with python. From a basic example in the book, we can now visually compare similarity on the kitty corpus used last time.
5a762d8cdf4f1beae208595e79990a01 /corpus/kitty_hex.jpg
1704cd46c5c0f994278769e533015525 /corpus/kitty_sm.jpg
bcbed42be68cd81b4d903d487d19d790 /corpus/kitty_text.jpg
6d5663de34cd53e900d486a2c3b811fd /corpus/kitty_orig.jpg
4312932e8b91b301c5f33872e0b9ad98 /corpus/kitty_whirl.jpg
comparing corpus/kitty_text.jpg corpus/kitty_sm.jpg number of matches = 107
comparing corpus/kitty_text.jpg corpus/kitty_orig.jpg number of matches = 375
comparing corpus/kitty_text.jpg corpus/kitty_hex.jpg number of matches = 375
comparing corpus/kitty_text.jpg corpus/kitty_whirl.jpg number of matches = 358
comparing corpus/kitty_sm.jpg corpus/kitty_orig.jpg number of matches = 108
comparing corpus/kitty_sm.jpg corpus/kitty_hex.jpg number of matches = 108
comparing corpus/kitty_sm.jpg corpus/kitty_whirl.jpg number of matches = 88
comparing corpus/kitty_orig.jpg corpus/kitty_hex.jpg number of matches = 389
comparing corpus/kitty_orig.jpg corpus/kitty_whirl.jpg number of matches = 343
comparing corpus/kitty_hex.jpg corpus/kitty_whirl.jpg number of matches = 343
Just extracting SIFT features and comparing which features match we can do pretty well at identifying similar images. As a reference, see an unrelated image compared to a kitty image:
comparing corpus/kitty_text.jpg corpus/cheese.jpg number of matches = 0
It is interesting to note that even if the image is modified, the swirled face for example, similarity to the original image is still relatively high. The lowest performance was seen when the image size was reduced, which is probably because fewer features would be extracted from the smaller image. Note in this experiment the only image pre-processing we are doing is conversion to gray scale. We are not resizing, doing PCA or anything like that.
I also want to point out something:
comparing corpus/kitty_text.jpg corpus/cheese_text.jpg number of matches = 2
In this case there are two different images that have a small bit of text inserted into the image. Feature detection was able to determine some similarity (the text looked the same) on completely different images. This could potentially be used to determine if a string or watermark was added to a group of pictures in a directory.